# config.ini — settings for a ban daemon that blocks sources of SSH auth
# failures (the consuming program is not shown here; the key descriptions are
# the original author's, reviewer remarks are marked NOTE(review)).
# Comments are `#` lines in column 0. Do not add trailing comments on value
# lines: many INI parsers fold them into the value.
[general]
# NOTE(review): no keys are defined under [general] in this file.
[local]
# Per-IP bans driven by auth failures seen in a local log file.
# What named set gets used for local bans?
# NOTE(review): looks like an nftables "<family> <table> <set>" triple —
# confirm the daemon splits it on whitespace and that the set exists with a
# matching element type before relying on it.
set-name = inet filter localban
# What file gets watched for auth failures?
# NOTE(review): lines in this log carry attacker-chosen text (usernames,
# client banners); whatever parses it must extract the source address
# strictly and never trust other fields.
file = /var/log/auth.log
# Which redis db number should be used?
# NOTE(review): no redis host, port or credentials appear in this file —
# presumably a local default; confirm redis is not reachable unauthenticated.
db = 2
# How long after a failed attempt is an IP tracked/banned?
# NOTE(review): the unit is not stated here; if seconds, 90909 is roughly
# 25 hours.
timeout = 90909
# How many failures before an IP is banned?
limit = 5
[net]
# Network-wide bans derived from an aggregation query against Elasticsearch.
# What named set gets used for net bans?
set-name = inet filter netban
# Where is the Elasticsearch instance?
# NOTE(review): bare host:port with no scheme or credentials — confirm the
# client uses TLS and authentication. The query result drives firewall bans,
# so anyone who can write to the queried index, or tamper with this
# connection, can get arbitrary networks banned (denial of service).
elastic-host = 10.0.0.25:9200
# What index pattern do we query in Elastic?
elastic-index = syslog-*
# Across how many days are the top networks aggregated? (In Elasticsearch timespan format.)
distance = 7d
# How many different IPs before a network is banned?
# NOTE(review): a whole aggregate (ASN, per the fields below) is banned once
# this many distinct IPs fail; no allowlist key is visible in this file, so
# confirm the operator's own ASN and management networks cannot be caught
# by this rule (self-lockout).
limit = 10
# What field aggregates a network?
aggregate = asn.asn
# What field do we count?
cardinality = asn.ip
# What terms field contains the value to filter for?
filter-field = ssh_action
# What value in the filter-field indicates a failure?
# NOTE(review): a terms filter matches exactly, so the case and mapping
# (keyword vs. analyzed text) of ssh_action must agree with this value —
# confirm.
filter-term = Failed
# How many buckets do we pull from Elastic?
# NOTE(review): only this many top buckets are fetched per query; offending
# aggregates beyond that are not seen until a later refresh.
buckets = 10
# How often do we refresh the list of nets from Elastic? (seconds)
interval = 3600
# If the Elastic query fails, how long before we try again? (seconds)
retry-interval = 600