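#
# antidos beta 0.6 [antidos@r-fx.org]
#
# This file is shell syntax: it is sourced by the antidos script, so every
# assignment below (and the two command substitutions in [Misc]) runs with
# the privileges of the caller, normally root. Keep it owned by root and not
# group/world-writable; anyone who can edit it can execute commands as root.
#
# NOTE: This file should be edited with word/line wrapping off;
# if you are using pico, please start it with the -w switch.
# (e.g: pico -w filename)
#
##
# [Main Configuration]
##
# Installation base path of apf
APF_BASE="/etc/apf"
# Config file path for apf
APF_CNF="$APF_BASE/conf.apf"
# Installation path for antidos (data, rule and message files live here)
INSTALL_PATH="$APF_BASE/ad"
# Log file for antidos
ANTILOG="/var/log/apfados_log"
# Max load; do not allow antidos to run past this load level.
# NOTE(review): a real flood can push the load above this value, in which
# case antidos will not act exactly when it is needed — tune with care.
MLOAD="30"
##
# [Attack Triggers & Routines]
##
# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"
# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="1"
# Kernel log file
KLOG="/var/log/messages"
# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"
# NOTE(review): LN is undocumented upstream; it is presumably the number of
# log lines examined per pass — confirm against the antidos script before
# changing it.
LN="200"
# Trigger value before we drop an event SRC
TRIG="24"
# Trigger value before we drop syn-floods for SRC
SF_TRIG="20"
#
# Trigger ports for syn-flood; null for all
SF_TRIG_PORTS="80,443"
#
# Trigger connection types for syn-flood.
# NOTE(review): TIME_WAIT is a normal post-close state that any busy web
# server accumulates in bulk; counting it toward SF_TRIG makes legitimate
# high-volume clients (proxies, NAT gateways) more likely to be flagged.
# SYN_RECV alone is the classic half-open indicator.
SF_TY="SYN_RECV,TIME_WAIT"
##
# [Attack Filtering]
##
# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"
# Drop destination interface [0=off,1=on]
# WARNING: this takes the attacked interface down, i.e. a self-inflicted
# outage for every service on it. Leave off unless NCRIT_PORTS below is
# populated and you have out-of-band access to the host.
DROP_IF="0"
#
# Do not drop interface for events matching these ports;
# line separated strings.
NCRIT_PORTS="$INSTALL_PATH/noncrit.ports"
# Block attacks with iptables [0=off,1=on]
# Add your own management/monitoring addresses to IGNORE_HOSTS (see [Misc])
# so a noisy but legitimate source cannot lock you out.
IPT_BL="1"
#
# Where to write iptables rules to
BLOCKR="$INSTALL_PATH/ad.rules"
# Parse logs and match accesses from attackers' same IP block and ban them
# [0=off,1=on]
# NOTE(review): blocking whole netblocks has high collateral impact (shared
# hosting, CGNAT, cloud ranges); keep off unless you accept that.
NETBLOCK="0"
#
# Match based on a /16 or /24 mask (a /16 bans up to 65536 addresses)
NETBLOCK_MASK="24"
##
# [E-Mail Alerts]
##
# Topic for warning emails
ARTOPIC="Urgent: Administrative issue enclosed, please read."
# Max number of emails to send (caps alert volume so an attacker cannot
# turn antidos into a mail flood against USR or abuse contacts)
MAX_MNUM="200"
# Organization name to display on outgoing alert emails
CONAME="Web for host"
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="1"
#
# User for alerts to be mailed to
USR="email@mydomain-name.tld"
# Send out ip-whois abuse alerts upon attack [0=off,1=on]
# NOTE(review): this mails third parties automatically on every trigger;
# false positives become abuse reports sent in your name. Off by default.
ARIN_ALERT="0"
#
# Whois server for default queries
IPW_SRV="whois.arin.net"
#
# Return path for email alerts (reply address)
RETUSR="$USR"
##
# [Misc]
##
# Arin attack warning file
WARIN="$INSTALL_PATH/arin.msg"
# User attack warning file
WUSR="$INSTALL_PATH/usr.msg"
# Ignore file, for ignoring hosts/specific patterns
IGNORE="$INSTALL_PATH/ignore"
IGNORE_HOSTS="$INSTALL_PATH/ignore.hosts"
# Data file to track amount of emails sent
MNUM_F="$INSTALL_PATH/.mnum"
# Firewall chains keyword file
FWCHAINS="$INSTALL_PATH/chains"
# Just a temp file we can write to (under INSTALL_PATH, not a shared /tmp,
# so it is not exposed to symlink races from unprivileged users)
TMPF="$INSTALL_PATH/.ad.swp"
# Grab the system's numeric timezone (e.g: -0500).
# Command substitution executes when this file is sourced — see the
# ownership/permission note in the header.
TMZ=$(date +"%z")
# unix time for lock tracking
UTIME=$(date +"%s")
# lock file path
LOCK="$INSTALL_PATH/lock.utime"
# lock file timeout in seconds
LOCK_TIMEOUT="300"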