diff options
Diffstat (limited to 'man/eurephia-variables.7')
-rw-r--r-- | man/eurephia-variables.7 | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/man/eurephia-variables.7 b/man/eurephia-variables.7 new file mode 100644 index 0000000..e882543 --- /dev/null +++ b/man/eurephia-variables.7 @@ -0,0 +1,59 @@ +.TH "eurephia-variables" "7" "July 2010" "David Sommerseth" "" +.SH "NAME" +Overview over all eurephia configuration variables. These variables are stored in the database and can be modified by the \fBeurephiadm config\fR command. +.SH "PASSWORD HASH" +These variables are related to the password hash configuration. All of them must be set, but they can be changed over time without affecting the functionality of the already stored passwords. +.TP +These parameters are the first to be set when \fBeurephia_init\fR is run. The minimum and maximum hash rounds are bechmarked for you with this tool to find more suitable numbers for the hardware eurephia will be running on. +.TP +.B passwordhash_salt_length +Sets number of bytes to use for the password hash salt. +.TP +.B passwordhash_rounds_min +Sets the minimum number of hashing rounds to perform when calculating new password hashes. +.TP +.B passwordhash_rounds_max +Sets the maximum number of hashing rounds to perform when calculating new password hashes +.SH "ATTEMPTS SETTINGS" +eurephia can blacklist user names, certificates and IP addresses based on number of failed attempts. The following parameters defines the limits of how many attempts you are willing to allow before blacklisting them. +.TP +.B allow_cert_attempts +Defines the number of attempts of failed login attempts you allow before you will blacklist the OpenVPN clients cerrtificate. This number should normally be higher than \fBallow_username_attempts\fR. Default is 5. +.TP +.B allow_username_attempts +Defines the number of failed ttempts for a user name can be tried before you will blacklist the user name from further attempts. Default is 3. +.TP +.B allow_ipaddr_attempts +Defines the number of failed attempts for an IP address to be used before you will blacklist the IP address from further attempts. This one should be the least strictest limit. You also need to consider if your clients will log in via a proxy or NATed network and how many of your clients will do so. If you experience many users failing to log on and more of them are behind the same proxy or NAT gateway, this may blacklist the IP address quicker than intended. But if among many failing attempts a valid authentication happens, the attempts counter will be reset again, so this limit do not need to be too forgiving. Default is 10. +.SH "FIREWALL INTEGRATION" +If you are running the OpenVPN server with eurephia on a Linux server, it is possible to let eurephia interact with the firewall as well. These settings will enable the firewall integration and tell eurephia how to interact with the firewall. These parameters are very \fBiptables\fR oriented. The \fBiptables\fR firewall module must be enabled at compile time and be installed to work. +.TP +.B firewall_interface +This is the variable which enables firewall integration. This variable must point at the firewall driver, which is a shared object file which eurephia will load dynamically. These drivers are prefixed \fBefw\fR and will be found in the same \fBlib\fR or \fBlib64\fR directory as the \fBeurephia\-auth\fR and \fBedb\-sqlite\fR modules. The variable must contain the full path to the driver module. +.TP +.B firewall_command +This defines the binary the firewall module will execute to help update the firewall. For \fBiptables\fR this defaults to \fB/sbin/iptables\fR. +.TP +.B firewall_destination +Defines which predefined firewall rule to use when updating the firewall. The default value is \fBvpn_users\fR. +.TP +.B firewall_blacklist_destination +This activates firewall based IP address blacklisting in addition to the internal blacklist in eurephia. This variable defines which firewall rule to use when wanting to blacklist an IP address. +.TP +.B firewall_blacklist_send_to +This is an optional parameter. Normally when eurephia blacklists an IP address it will default to drop the network packets from that client. You can use this variable to send it to a different firewall target. This is useful if you to, for example, log the incident to the system log before dropping the packets. +.SH "EUREPHIA UTILITIES" +These settings are used by the eurephia administration utility, \fBeurephiadm\fR. +.TP +.B eurephiadmin_autologout +This defines how long a eurephia administration utility may have an open session before it is considered inactive. When exceeding this limit, the administrator user will be out automatically. The unit for this setting is minutes and the default value is 10. +.TP +.B eurephiadm_xslt_path +The \fBeurephiadm\fR utility uses XSLT templates for generating the output to the screen. This variable gives you the possibility to have your own set of templates in a different directory instead of using the system wide XSLT templates installed by default. This variable is not set by default. +.SH "SEE ALSO" +\fBeurephiadm\-config\fR(7), +\fBeurephia_init\fR(7), +.br +Administrators Tutorial and Manual +.SH "AUTHOR" +Copyright (C) 2008\-2010 David Sommerseth <dazo@users.sourceforge.net> |