eurephia-variables(7) eurephia-variables(7)

Overview of all eurephia configuration variables. These variables are
stored in the database and can be modified with the eurephiadm config
command.

These variables are related to the password hash configuration. All of
them must be set, but they can be changed over time without affecting
the functionality of the already stored passwords.

These parameters are the first to be set when eurephia_init is run.
The minimum and maximum hash rounds are benchmarked for you by this
tool to find numbers better suited to the hardware eurephia will be
running on.

passwordhash_salt_length
Sets the number of bytes to use for the password hash salt.

passwordhash_rounds_min
Sets the minimum number of hashing rounds to perform when
calculating new password hashes.

passwordhash_rounds_max
Sets the maximum number of hashing rounds to perform when
calculating new password hashes.
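The following is an added example, not eurephia's own code, showing why these three settings can change without breaking stored passwords: the salt and round count are kept with each hash. It assumes a round count picked at random between the minimum and maximum, uses PBKDF2-HMAC-SHA512 as a stand-in for eurephia's hash function, and the record layout, values and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed values standing in for the three passwordhash_* variables.
CONFIG = {
    "passwordhash_salt_length": 32,
    "passwordhash_rounds_min": 5000,
    "passwordhash_rounds_max": 7500,
}

def hash_password(password, cfg=CONFIG):
    """Hash a new password using the salt length and round range in cfg."""
    salt = secrets.token_bytes(cfg["passwordhash_salt_length"])
    spread = cfg["passwordhash_rounds_max"] - cfg["passwordhash_rounds_min"]
    rounds = cfg["passwordhash_rounds_min"] + secrets.randbelow(spread + 1)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    # Rounds and salt travel with the digest, so verifying never reads cfg.
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest from the parameters embedded in the record."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def below_current_policy(stored, cfg=CONFIG):
    """Flag records created under weaker settings than cfg now requires."""
    rounds, salt_hex, _ = stored.split("$")
    return (int(rounds) < cfg["passwordhash_rounds_min"]
            or len(salt_hex) // 2 < cfg["passwordhash_salt_length"])

if __name__ == "__main__":
    old = hash_password("correct horse", CONFIG)
    stronger = dict(CONFIG, passwordhash_rounds_min=20000,
                    passwordhash_rounds_max=30000)
    print(verify_password("correct horse", old))  # old record still verifies
    print(below_current_policy(old, stronger))    # but is due for re-hashing
```

Records flagged by below_current_policy keep working; they only mark which passwords would gain from being re-hashed at the next successful login.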

eurephia can blacklist user names, certificates and IP addresses based
on the number of failed attempts. The following parameters define the
limits of how many attempts you are willing to allow before
blacklisting them.

allow_cert_attempts
Defines the number of failed login attempts you allow before you
will blacklist the OpenVPN client's certificate. This number should
normally be higher than allow_username_attempts. Default is 5.

allow_username_attempts
Defines the number of failed attempts that can be tried for a user
name before you will blacklist the user name from further attempts.
Default is 3.

allow_ipaddr_attempts
Defines the number of failed attempts allowed from an IP address
before you will blacklist the IP address from further attempts.
This should be the least strict limit. You also need to consider
whether your clients will log in via a proxy or NATed network and
how many of your clients will do so. If you experience many users
failing to log on and several of them are behind the same proxy or
NAT gateway, this may blacklist the IP address quicker than
intended. But if a valid authentication happens among many failing
attempts, the attempts counter will be reset again, so this limit
does not need to be too forgiving. Default is 10.
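The interaction between the three limits and the NAT case described above can be modelled as follows. This is an added example, not eurephia's implementation; it assumes an entry is blacklisted when its failure count reaches the limit and that a valid login clears the counters of all three identifiers, and the class, function names and sample identifiers are hypothetical.

```python
from collections import defaultdict

# Default limits documented above.
LIMITS = {"allow_cert_attempts": 5,
          "allow_username_attempts": 3,
          "allow_ipaddr_attempts": 10}

class AttemptTracker:
    """Toy model of per-certificate, per-username and per-IP counters."""

    def __init__(self, limits=LIMITS):
        self.limits = dict(limits)
        self.failed = {name: defaultdict(int) for name in limits}
        self.blacklisted = {name: set() for name in limits}

    def login(self, cert, username, ipaddr, ok):
        ids = {"allow_cert_attempts": cert,
               "allow_username_attempts": username,
               "allow_ipaddr_attempts": ipaddr}
        if any(v in self.blacklisted[name] for name, v in ids.items()):
            return "rejected"
        if ok:
            # Assumption: a valid login clears all three counters.
            for name, v in ids.items():
                self.failed[name].pop(v, None)
            return "accepted"
        for name, v in ids.items():
            self.failed[name][v] += 1
            # Assumption: blacklist once the count reaches the limit.
            if self.failed[name][v] >= self.limits[name]:
                self.blacklisted[name].add(v)
        return "failed"

NAT_IP = "203.0.113.7"  # constructed address from the documentation range

def nat_scenario(valid_login_midway):
    """Five users behind one NAT gateway each mistype a password twice."""
    tracker = AttemptTracker()
    for n in range(5):
        for _ in range(2):
            tracker.login(f"cert{n}", f"user{n}", NAT_IP, ok=False)
        if valid_login_midway and n == 1:
            tracker.login("cert-ok", "user-ok", NAT_IP, ok=True)
    return tracker

if __name__ == "__main__":
    for midway in (False, True):
        t = nat_scenario(midway)
        print(midway, sorted(t.blacklisted["allow_ipaddr_attempts"]),
              dict(t.failed["allow_ipaddr_attempts"]))
```

Without the valid login the shared address is blacklisted although no single user name or certificate reached its own limit; with it, the IP counter restarts and stays below the limit.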

If you are running the OpenVPN server with eurephia on a Linux server,
it is possible to let eurephia interact with the firewall as well.
These settings enable the firewall integration and tell eurephia how
to interact with the firewall. These parameters are very iptables
oriented. The iptables firewall module must be enabled at compile time
and be installed for this to work.

firewall_interface
This is the variable which enables firewall integration. It must
point at the firewall driver, which is a shared object file that
eurephia will load dynamically. These drivers are prefixed efw and
will be found in the same lib or lib64 directory as the
eurephia-auth and edb-sqlite modules. The variable must contain the
full path to the driver module.

firewall_command
This defines the binary the firewall module will execute to help
update the firewall. For iptables this defaults to /sbin/iptables.

firewall_destination
Defines which predefined firewall rule to use when updating the
firewall. The default value is vpn_users.

firewall_blacklist_destination
This activates firewall based IP address blacklisting in addition
to the internal blacklist in eurephia. This variable defines which
firewall rule to use when wanting to blacklist an IP address.

firewall_blacklist_send_to
This is an optional parameter. Normally when eurephia blacklists an
IP address it will default to dropping the network packets from
that client. You can use this variable to send them to a different
firewall target. This is useful if you want to, for example, log
the incident to the system log before dropping the packets.

These settings are used by the eurephia administration utility,
eurephiadm.

eurephiadmin_autologout
This defines how long a eurephia administration utility may have an
open session before it is considered inactive. When exceeding this
limit, the administrator user will be logged out automatically. The
unit for this setting is minutes and the default value is 10.

eurephiadm_xslt_path
The eurephiadm utility uses XSLT templates for generating the
output to the screen. This variable gives you the possibility to
have your own set of templates in a different directory instead of
using the system wide XSLT templates installed by default. This
variable is not set by default.

eurephiadm-config(7), eurephia_init(7),
Administrators Tutorial and Manual

Copyright (C) 2008-2010 David Sommerseth <dazo@users.sourceforge.net>

David Sommerseth July 2010 eurephia-variables(7)