eurephia-variables(7)                                    eurephia-variables(7)

NAME

       eurephia-variables - eurephia configuration variables

DESCRIPTION

       An overview of all eurephia configuration variables.  These variables
       are stored in the database and can be modified with the eurephiadm
       config command.

PASSWORD HASH

       These variables are related to the password hash configuration.  All of
       them must be set, but they can be changed over time without affecting
       the functionality of the already stored passwords.

       These parameters are the first to be set when eurephia_init is run.
       The minimum and maximum hash rounds are benchmarked for you by this
       tool to find numbers more suitable for the hardware eurephia will be
       running on.

       passwordhash_salt_length
              Sets the number of bytes to use for the password hash salt.

       passwordhash_rounds_min
              Sets the minimum number of hashing rounds to perform when
              calculating new password hashes.

       passwordhash_rounds_max
              Sets the maximum number of hashing rounds to perform when
              calculating new password hashes.

ATTEMPTS SETTINGS

       eurephia can blacklist user names, certificates and IP addresses based
       on the number of failed attempts.  The following parameters define the
       limits of how many attempts you are willing to allow before
       blacklisting them.

       allow_cert_attempts
              Defines the number of failed login attempts you allow before
              the OpenVPN client's certificate is blacklisted.  This number
              should normally be higher than allow_username_attempts.
              Default is 5.

       allow_username_attempts
              Defines the number of failed attempts allowed for a user name
              before the user name is blacklisted from further attempts.
              Default is 3.

       allow_ipaddr_attempts
              Defines the number of failed attempts allowed from an IP
              address before the IP address is blacklisted from further
              attempts.  This should be the least strict limit.  You also
              need to consider whether your clients will log in via a proxy
              or NATed network, and how many of them will do so.  If many
              users fail to log on and several of them are behind the same
              proxy or NAT gateway, this may blacklist the IP address quicker
              than intended.  However, if a valid authentication happens
              among many failing attempts, the attempts counter is reset, so
              this limit does not need to be too forgiving.  Default is 10.
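
       The interaction between the three limits and the counter reset can be
       modelled as below.  This is an added example, not eurephia's own code;
       the AttemptTracker class, the point at which a key becomes blacklisted
       and which counters a valid login resets are assumptions.

```python
from collections import defaultdict

# Default limits as stated in this manual page.
LIMITS = {"cert": 5, "username": 3, "ipaddr": 10}


class AttemptTracker:
    """Toy model of per-key failed-attempt counters (not eurephia's code)."""

    def __init__(self, limits=LIMITS):
        self.limits = dict(limits)
        self.failed = defaultdict(int)   # (kind, value) -> failed attempts
        self.blacklist = set()           # blacklisted (kind, value) pairs

    def login(self, cert, username, ipaddr, ok):
        keys = [("cert", cert), ("username", username), ("ipaddr", ipaddr)]
        # A blacklisted key rejects the attempt before credentials matter.
        hit = [k for k in keys if k in self.blacklist]
        if hit:
            return "blacklisted:" + hit[0][0]
        if ok:
            # Assumption: a valid login resets the counters of the keys used.
            for k in keys:
                self.failed[k] = 0
            return "accepted"
        for k in keys:
            self.failed[k] += 1
            # Assumption: blacklisting happens when the count reaches the limit.
            if self.failed[k] >= self.limits[k[0]]:
                self.blacklist.add(k)
        return "rejected"


def nat_scenario(valid_login_midway):
    """Ten users behind one NAT address each fail to log in once."""
    t = AttemptTracker()
    nat_ip = "203.0.113.7"               # constructed sample address
    for i in range(10):
        if valid_login_midway and i == 5:
            t.login("cert-ok", "user-ok", nat_ip, ok=True)
        t.login(f"cert-{i}", f"user-{i}", nat_ip, ok=False)
    # An eleventh user with valid credentials connects from the same NAT.
    return t.login("cert-new", "user-new", nat_ip, ok=True)
```

       Without a valid login in between, ten single failures from different
       users exhaust allow_ipaddr_attempts for the shared address; one valid
       login midway resets the counter and keeps the address usable.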

FIREWALL INTEGRATION

       If you are running the OpenVPN server with eurephia on a Linux server,
       it is possible to let eurephia interact with the firewall as well.
       These settings enable the firewall integration and tell eurephia how
       to interact with the firewall.  These parameters are very iptables
       oriented.  The iptables firewall module must be enabled at compile time
       and be installed to work.

       firewall_interface
              This is the variable which enables firewall integration.  It
              must point at the firewall driver, which is a shared object
              file that eurephia loads dynamically.  These drivers are
              prefixed efw and are found in the same lib or lib64 directory
              as the eurephia-auth and edb-sqlite modules.  The variable must
              contain the full path to the driver module.

       firewall_command
              This defines the binary the firewall module will execute to help
              update the firewall.  For iptables this defaults to
              /sbin/iptables.

       firewall_destination
              Defines which predefined firewall rule to use when updating the
              firewall.  The default value is vpn_users.

       firewall_blacklist_destination
              This activates firewall based IP address blacklisting in
              addition to the internal blacklist in eurephia.  This variable
              defines which firewall rule to use when blacklisting an IP
              address.

       firewall_blacklist_send_to
              This is an optional parameter.  Normally, when eurephia
              blacklists an IP address, it defaults to dropping the network
              packets from that client.  You can use this variable to send
              them to a different firewall target.  This is useful if you
              want to, for example, log the incident to the system log before
              dropping the packets.

EUREPHIA UTILITIES

       These settings are used by the eurephia administration utility,
       eurephiadm.

       eurephiadmin_autologout
              This defines how long a eurephia administration utility may have
              an open session before it is considered inactive.  When this
              limit is exceeded, the administrator user will be logged out
              automatically.  The unit for this setting is minutes and the
              default value is 10.

       eurephiadm_xslt_path
              The eurephiadm utility uses XSLT templates for generating the
              output to the screen.  This variable lets you use your own set
              of templates in a different directory instead of the system
              wide XSLT templates installed by default.  This variable is not
              set by default.

       openvpn_devtype
              The eurephia-auth plug-in will try to auto-detect the device
              type, which must be either tun or tap.  If this auto-detection
              fails, this configuration variable needs to be set to tun or
              tap.  This value must correspond to the OpenVPN configuration.

SEE ALSO

       eurephiadm-config(7), eurephia_init(7),
       Administrators Tutorial and Manual

AUTHOR

       Copyright (C) 2008-2012  David Sommerseth <dazo@users.sourceforge.net>

David Sommerseth                 October 2010            eurephia-variables(7)