eurephia-variables(7)                                    eurephia-variables(7)


eurephia-variables - eurephia configuration variables

Overview of all eurephia configuration variables. These variables are
stored in the database and can be modified with the eurephiadm config
command.

These variables control the password hash configuration. All of them
must be set, but they can be changed over time without affecting the
passwords that are already stored.

These parameters are the first to be set when eurephia_init is run.
The minimum and maximum hash rounds are benchmarked for you by this
tool, to find numbers that suit the hardware eurephia will be running
on.

passwordhash_salt_length
       Sets the number of bytes to use for the password hash salt.

passwordhash_rounds_min
       Sets the minimum number of hashing rounds to perform when
       calculating new password hashes.

passwordhash_rounds_max
       Sets the maximum number of hashing rounds to perform when
       calculating new password hashes.
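The following example is added here and is not part of the eurephia manual
or the eurephia source. It illustrates why the three variables above can be
changed without invalidating stored passwords: the salt and the chosen round
count are recorded with each hash, and verification reads them from the
record rather than from the live configuration. The hash construction
(salted, iterated SHA-512), the record format, and the benchmark helper are
assumptions made for the illustration, not eurephia's own.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed values standing in for the three eurephia variables; the real
# values live in the eurephia database and are set with eurephiadm config.
CONFIG = {
    "passwordhash_salt_length": 32,
    "passwordhash_rounds_min": 2000,
    "passwordhash_rounds_max": 4000,
}


def _iterate(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated SHA-512. An assumed scheme used for illustration;
    it is not eurephia's own hash construction."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest + salt).digest()
    return digest


def hash_password(password: str, config: dict) -> str:
    """Create a new stored hash using the *current* configuration.

    The salt length and the round count chosen here are embedded in the
    record itself, which is what makes later configuration changes safe.
    """
    lo = config["passwordhash_rounds_min"]
    hi = config["passwordhash_rounds_max"]
    if lo < 1 or hi < lo:
        raise ValueError("need 1 <= passwordhash_rounds_min <= passwordhash_rounds_max")
    salt = os.urandom(config["passwordhash_salt_length"])
    # A random round count inside [min, max]; reproducible only because the
    # chosen value is stored alongside the salt and digest.
    rounds = lo + secrets.randbelow(hi - lo + 1)
    digest = _iterate(password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"  # assumed record format


def parse_record(stored: str) -> tuple:
    """Split a stored record into (rounds, salt, digest)."""
    rounds, salt_hex, digest_hex = stored.split("$")
    return int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Verify against the parameters recorded with the hash, never against
    the live configuration, so old records keep working after a change."""
    rounds, salt, expected = parse_record(stored)
    actual = _iterate(password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)  # constant-time compare


def benchmark_rounds(target_seconds: float, probe_rounds: int = 2000) -> dict:
    """Rough analogue of what eurephia_init does: time a probe hash, scale
    to a round count costing about target_seconds on this hardware, and
    return a min/max bracket (an arbitrary +-25% around the estimate)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    _iterate(b"benchmark", salt, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    estimate = max(1, int(target_seconds * probe_rounds / elapsed))
    return {
        "passwordhash_rounds_min": max(1, int(estimate * 0.75)),
        "passwordhash_rounds_max": int(estimate * 1.25),
    }
```

Raising the round limits or the salt length afterwards only affects hashes
created from then on; records made under the old settings still verify,
because verify_password() trusts the record, not CONFIG.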

eurephia can blacklist user names, certificates and IP addresses based
on the number of failed attempts. The following parameters define how
many attempts you are willing to allow before blacklisting them.

allow_cert_attempts
       Defines the number of failed login attempts you allow before the
       OpenVPN client's certificate is blacklisted. This number should
       normally be higher than allow_username_attempts. Default is 5.

allow_username_attempts
       Defines the number of failed attempts that can be made with a
       user name before the user name is blacklisted from further
       attempts. Default is 3.

allow_ipaddr_attempts
       Defines the number of failed attempts that can be made from an IP
       address before the IP address is blacklisted from further
       attempts. This should be the least strict of the limits. You
       also need to consider whether your clients log in via a proxy or
       a NATed network, and how many of them do so. If many users fail
       to log on and several of them are behind the same proxy or NAT
       gateway, the IP address may be blacklisted sooner than intended.
       But if a valid authentication happens among the failing attempts,
       the attempts counter is reset, so this limit does not need to be
       too forgiving. Default is 10.
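The following example is added here and is not part of the eurephia manual
or the eurephia source. It models the three counters described above with
the default limits, and plays through the proxy/NAT situation the text warns
about: several users behind one address failing, with and without a valid
login in between. The counter semantics (blacklist once a counter reaches
the limit, a successful login clearing the counters of the user name,
certificate and address it used) and the example addresses are assumptions
made for the illustration.

```python
from collections import defaultdict

# Constructed thresholds equal to the defaults documented above.
CONFIG = {
    "allow_username_attempts": 3,
    "allow_cert_attempts": 5,
    "allow_ipaddr_attempts": 10,
}

# Which configuration variable limits which kind of identifier.
LIMITS = {
    "username": "allow_username_attempts",
    "cert": "allow_cert_attempts",
    "ipaddr": "allow_ipaddr_attempts",
}


class AttemptTracker:
    """Failed-attempt counters with blacklisting. Assumed model, not
    eurephia's own code: each failed login increments the counter of the
    user name, certificate and address involved; an identifier is
    blacklisted once its counter reaches the configured limit; a
    successful login clears the counters of the identifiers it used."""

    def __init__(self, config: dict):
        self.config = config
        self.failures = defaultdict(int)   # (kind, value) -> failed count
        self.blacklisted = set()           # (kind, value)

    def is_blocked(self, username: str, cert: str, ipaddr: str) -> bool:
        ids = (("username", username), ("cert", cert), ("ipaddr", ipaddr))
        return any(key in self.blacklisted for key in ids)

    def login(self, username: str, cert: str, ipaddr: str,
              password_ok: bool) -> str:
        """Process one login attempt; returns 'blacklisted', 'ok' or 'failed'."""
        ids = (("username", username), ("cert", cert), ("ipaddr", ipaddr))
        if self.is_blocked(username, cert, ipaddr):
            return "blacklisted"
        if password_ok:
            # A valid authentication resets the counters, so a shared NAT
            # address survives as long as someone behind it logs in correctly.
            for key in ids:
                self.failures.pop(key, None)
            return "ok"
        for key in ids:
            self.failures[key] += 1
            if self.failures[key] >= self.config[LIMITS[key[0]]]:
                self.blacklisted.add(key)
        return "failed"


def nat_office_scenario(with_successful_login: bool) -> AttemptTracker:
    """Ten distinct users behind one NAT address (constructed example
    address) each fail once; optionally one colleague logs in correctly
    after the ninth failure. Returns the tracker for inspection."""
    tracker = AttemptTracker(CONFIG)
    office_ip = "203.0.113.5"
    for n in range(9):
        tracker.login(f"user{n}", f"cert{n}", office_ip, password_ok=False)
    if with_successful_login:
        tracker.login("user9", "cert9", office_ip, password_ok=True)
    tracker.login("user10", "cert10", office_ip, password_ok=False)
    return tracker
```

With the defaults, one user name is blacklisted after its third failure
while the certificate it was presented with still has room, which is why the
text recommends keeping allow_cert_attempts above allow_username_attempts.
In the NAT scenario, ten failures from the same address blacklist it, but a
single valid login among them resets the address counter.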

If you are running the OpenVPN server with eurephia on a Linux server,
it is possible to let eurephia interact with the firewall as well.
These settings enable the firewall integration and tell eurephia how to
interact with the firewall. These parameters are very iptables
oriented. The iptables firewall module must be enabled at compile time
and be installed for this to work.

firewall_interface
       This is the variable which enables firewall integration. It must
       point at the firewall driver, a shared object file which eurephia
       loads dynamically. These drivers are prefixed efw and are found
       in the same lib or lib64 directory as the eurephia-auth and
       edb-sqlite modules. The variable must contain the full path to
       the driver module.

firewall_command
       Defines the binary the firewall module will execute to update the
       firewall. For iptables this defaults to /sbin/iptables.

firewall_destination
       Defines which predefined firewall rule to use when updating the
       firewall. The default value is vpn_users.

firewall_blacklist_destination
       Activates firewall based IP address blacklisting in addition to
       the internal blacklist in eurephia. This variable defines which
       firewall rule to use when blacklisting an IP address.

firewall_blacklist_send_to
       This is an optional parameter. Normally, when eurephia blacklists
       an IP address, it drops the network packets from that client. You
       can use this variable to send them to a different firewall target
       instead. This is useful if you want to, for example, log the
       incident to the system log before dropping the packets.

These settings are used by the eurephia administration utility,
eurephiadm.

eurephiadmin_autologout
       Defines how long an eurephia administration utility session may
       stay open before it is considered inactive. When this limit is
       exceeded, the administrator user is logged out automatically.
       The unit for this setting is minutes and the default value is
       10.

eurephiadm_xslt_path
       The eurephiadm utility uses XSLT templates for generating the
       output to the screen. This variable lets you keep your own set of
       templates in a different directory instead of using the system
       wide XSLT templates installed by default. This variable is not
       set by default.

openvpn_devtype
       The eurephia-auth plug-in will try to auto-detect the device
       type, which must be either tun or tap. If this auto-detection
       fails, this configuration variable needs to be set to tun or tap.
       The value must correspond to the OpenVPN configuration.

eurephiadm-config(7), eurephia_init(7),
Administrators Tutorial and Manual

Copyright (C) 2008-2012 David Sommerseth <dazo@users.sourceforge.net>



David Sommerseth                 October 2010            eurephia-variables(7)