eurephia-variables - eurephia configuration variables
Overview of all eurephia configuration variables. These
variables are stored in the database and can be modified with the
eurephiadm config command.
eurephia can blacklist user names, certificates and IP addresses
based on the number of failed attempts. The following parameters define the
limits of how many failed attempts you are willing to allow before blacklisting
them.
- allow_cert_attempts
- Defines the number of failed login attempts you allow before the
OpenVPN client's certificate is blacklisted. This number should
normally be higher than allow_username_attempts. Default is 5.
- allow_username_attempts
- Defines the number of failed attempts that may be made with a user name before
the user name is blacklisted from further attempts. Default is 3.
- allow_ipaddr_attempts
- Defines the number of failed attempts that may come from an IP address before
the IP address is blacklisted from further attempts. This should be the
least strict of the three limits. You also need to consider whether your clients
log in via a proxy or from a NATed network, and how many of them do so: every
failed attempt from such clients counts against one shared source address. If
many users fail to log on and several of them sit behind the same proxy or NAT
gateway, this may blacklist the shared IP address sooner than intended. But if a
valid authentication happens among the failed attempts, the attempts counter is
reset again, so this limit does not need to be too forgiving. Default is 10.
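The following is an added example, not code from the eurephia project: a small shell model of the three failed-attempt counters (user name, certificate, IP address), their blacklist thresholds and the reset-on-success rule described above. It shows why allow_ipaddr_attempts is the limit to think about for clients behind a shared NAT gateway or proxy. The user names, certificate identifiers and addresses are constructed test data; applying the reset to all three counters (the text only states it for the IP counter) is this model's assumption.

```shell
#!/bin/sh
# Added example, not eurephia's own code: model of the per-identity failure
# counters, the allow_*_attempts thresholds and the reset-on-success rule.

ALLOW_USERNAME_ATTEMPTS=3   # eurephia defaults as documented above
ALLOW_CERT_ATTEMPTS=5
ALLOW_IPADDR_ATTEMPTS=10

# Counters and blacklist flags are kept as files in a scratch directory so the
# script runs under plain /bin/sh (no bash arrays required).
STATE=$(mktemp -d)
trap 'rm -rf "$STATE"' EXIT

_key() {            # map "kind:identity" to a safe file name
    printf '%s' "$1" | tr -c 'A-Za-z0-9' '_'
}
get_count() {       # get_count ip:192.0.2.10 -> failed attempts recorded so far
    f="$STATE/cnt_$(_key "$1")"
    if [ -f "$f" ]; then cat "$f"; else echo 0; fi
}
is_blacklisted() {  # is_blacklisted user:alice -> exit 0 when blacklisted
    [ -f "$STATE/bl_$(_key "$1")" ]
}
_limit_for() {
    case "$1" in
        user:*) echo "$ALLOW_USERNAME_ATTEMPTS" ;;
        cert:*) echo "$ALLOW_CERT_ATTEMPTS" ;;
        ip:*)   echo "$ALLOW_IPADDR_ATTEMPTS" ;;
    esac
}
_record_failure() { # bump one counter; blacklist the identity at its limit
    cnt=$(( $(get_count "$1") + 1 ))
    echo "$cnt" > "$STATE/cnt_$(_key "$1")"
    if [ "$cnt" -ge "$(_limit_for "$1")" ]; then
        : > "$STATE/bl_$(_key "$1")"
        echo "blacklisted $1 after $cnt failed attempts"
    fi
}

# login <ok|fail> <username> <cert-id> <client-ip>
# Models one authentication round. Exit status 0 means the login is accepted.
login() {
    result=$1 u_id="user:$2" c_id="cert:$3" i_id="ip:$4"
    for id in "$u_id" "$c_id" "$i_id"; do   # blacklist check comes first
        if is_blacklisted "$id"; then
            echo "rejected: $id is blacklisted"
            return 1
        fi
    done
    if [ "$result" = ok ]; then
        # A valid authentication resets the counters (assumed for all three).
        rm -f "$STATE/cnt_$(_key "$u_id")" "$STATE/cnt_$(_key "$c_id")" \
              "$STATE/cnt_$(_key "$i_id")"
        return 0
    fi
    _record_failure "$u_id"; _record_failure "$c_id"; _record_failure "$i_id"
    return 1
}

# Constructed scenario: ten different users, each with their own certificate,
# all behind the NAT address 198.51.100.7, each mistype their password once.
# No user or certificate reaches its limit, but the shared address reaches
# allow_ipaddr_attempts and the whole office is locked out.
nat_office_lockout() {
    k=1
    while [ "$k" -le 10 ]; do
        login fail "user$k" "cert$k" 198.51.100.7 >/dev/null || true
        k=$((k + 1))
    done
    is_blacklisted ip:198.51.100.7
}

# Same office behind 203.0.113.9, but one user logs in correctly after nine
# failures: the address counter is reset and nobody is blacklisted.
nat_office_with_reset() {
    k=1
    while [ "$k" -le 9 ]; do
        login fail "user$k" "cert$k" 203.0.113.9 >/dev/null || true
        k=$((k + 1))
    done
    login ok alice alice-cert 203.0.113.9 >/dev/null
    ! is_blacklisted ip:203.0.113.9 && [ "$(get_count ip:203.0.113.9)" -eq 0 ]
}

if [ "${1:-}" = demo ]; then
    nat_office_lockout && echo "shared NAT address 198.51.100.7 is blacklisted"
    nat_office_with_reset && echo "valid login reset the counter for 203.0.113.9"
fi
```

Run it as `sh model.sh demo`. The point to take from the first scenario is that ten harmless one-off mistakes from ten different people behind one address are indistinguishable, at the IP counter, from ten guesses by one attacker; the second scenario shows that a single valid login in between clears that counter again, which is why the limit can stay fairly tight.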
If you are running the OpenVPN server with eurephia on a Linux
server, it is possible to let eurephia interact with the firewall as well.
These settings enable the firewall integration and tell eurephia how to
interact with the firewall. The parameters are very iptables
oriented. The iptables firewall module must be enabled at compile
time and be installed for this to work.
- firewall_interface
- This is the variable which enables firewall integration. It
must point at the firewall driver, a shared object file which
eurephia loads dynamically. These drivers are prefixed efw and
are found in the same lib or lib64 directory as the
eurephia-auth and edb-sqlite modules. The variable must
contain the full path to the driver module.
- firewall_command
- This defines the binary the firewall module will execute to help update
the firewall. For iptables this defaults to
/sbin/iptables.
- firewall_destination
- Defines which predefined firewall rule to use when updating the firewall.
The default value is vpn_users.
- firewall_blacklist_destination
- This activates firewall based IP address blacklisting in addition to the
internal blacklist in eurephia. This variable defines which firewall rule
to use when wanting to blacklist an IP address.
- firewall_blacklist_send_to
- This is an optional parameter. Normally, when eurephia blacklists an IP
address, it drops the network packets from that client. You
can use this variable to send them to a different firewall target instead. This is
useful if you want to, for example, log the incident to the system log before
dropping the packets.
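As an added example (not eurephia's own code or documentation), the following shell script emits the iptables chain layout that firewall_destination, firewall_blacklist_destination and firewall_blacklist_send_to refer to, plus the eurephiadm settings that point eurephia at it. It prints the commands rather than running them so they can be reviewed first. The chain names other than the default vpn_users, the tun0 device, the driver path /usr/lib64/eurephia/efw-iptables.so and the `eurephiadm config -s` option syntax are assumptions for this example; check `eurephiadm config --help` and your library directory before applying it.

```shell
#!/bin/sh
# Added example, not eurephia's own code: generate the firewall chains the
# eurephia firewall variables name, and the matching eurephiadm settings.

IPTABLES=/sbin/iptables               # firewall_command (the default)
VPN_IF=tun0                           # OpenVPN device (assumed)
VPN_USERS=vpn_users                   # firewall_destination (the default)
BLACKLIST=eurephia_blacklist          # firewall_blacklist_destination (assumed name)
BL_TARGET=eurephia_log_drop           # firewall_blacklist_send_to (assumed name)
EFW_DRIVER=/usr/lib64/eurephia/efw-iptables.so   # assumed driver path

# Print the iptables commands that create the chains eurephia expects.
efw_setup_cmds() {
    cat <<EOF
# chain eurephia fills with per-client ACCEPT rules as users authenticate
$IPTABLES -N $VPN_USERS
# chain eurephia fills with rules for blacklisted source addresses
$IPTABLES -N $BLACKLIST
# target for firewall_blacklist_send_to: log the hit (rate limited), then drop
$IPTABLES -N $BL_TARGET
$IPTABLES -A $BL_TARGET -m limit --limit 5/min -j LOG --log-prefix "eurephia-blacklist: "
$IPTABLES -A $BL_TARGET -j DROP
# consult the blacklist before anything else, so a blacklisted client never
# reaches the OpenVPN daemon at all
$IPTABLES -I INPUT 1 -j $BLACKLIST
# traffic from the VPN device must be accepted by the vpn_users chain;
# anything eurephia has not explicitly allowed is dropped
$IPTABLES -A FORWARD -i $VPN_IF -j $VPN_USERS
$IPTABLES -A FORWARD -i $VPN_IF -j DROP
EOF
}

# Print the eurephiadm commands that switch the integration on.
# The "-s <variable> <value>" form is assumed; verify with eurephiadm config --help.
efw_config_cmds() {
    cat <<EOF
eurephiadm config -s firewall_interface $EFW_DRIVER
eurephiadm config -s firewall_command $IPTABLES
eurephiadm config -s firewall_destination $VPN_USERS
eurephiadm config -s firewall_blacklist_destination $BLACKLIST
eurephiadm config -s firewall_blacklist_send_to $BL_TARGET
EOF
}

# Count the iptables commands in the generated setup (used for self-checking).
efw_rule_count() {
    efw_setup_cmds | grep -c "^$IPTABLES "
}

if [ "${1:-}" = show ]; then
    efw_setup_cmds
    echo
    efw_config_cmds
fi
```

Review the output with `sh efw-setup.sh show`, then apply the firewall part with `efw_setup_cmds | sudo sh` (the comment lines are harmless to the shell). Without firewall_blacklist_send_to, eurephia's blacklist entries simply drop; pointing the variable at the eurephia_log_drop chain gives you a syslog line per blocked client before the packet is discarded, which is what you want when investigating who tripped the limits in the previous section.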
These settings are used by the eurephia administration utility,
eurephiadm.
- eurephiadmin_autologout
- This defines how long an eurephia administration session may stay open
without activity before it is considered inactive. When this limit is exceeded, the
administrator user is logged out automatically. The unit for this setting is
minutes and the default value is 10.
- eurephiadm_xslt_path
- The eurephiadm utility uses XSLT templates for generating the
output to the screen. This variable gives you the possibility to use your
own set of templates from a different directory instead of the system
wide XSLT templates installed by default. This variable is not set by
default.
- openvpn_devtype
- The eurephia-auth plug-in will try to auto-detect the device type,
which must be either tun or tap. If this auto-detection fails, this
configuration variable needs to be set to tun or tap. This
value must correspond to the OpenVPN configuration.
Copyright (C) 2008-2012 David Sommerseth
<dazo@users.sourceforge.net>