-
Notifications
You must be signed in to change notification settings - Fork 3
/
fortress.conf
61 lines (49 loc) · 2.13 KB
/
fortress.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#
# Fortress configuration
#
# turn on/of the debugging of the daemon
debug=0
# if you don't run Fortress as systemd service, you most likely want fortress running as daemon
daemonize=0
# Exclude IPs or ranges from being blocked
# The files have one IP or CIDR range per line and can have comments with # at the begining of the line.
# You have many lists prepared for you in /etc/fortress.
excludes="/etc/fortress/cloudflare.txt /etc/fortress/google.txt /etc/fortress/yahoo.txt /etc/fortress/my.txt"
# On which ports should we monitor for connections in SYN_RECV or ESTABLISHED states.
# Anything other then these local ports is skipped.
# Default: 80 443
ports=25 53 80 110 143 443 993 995
# Type of blocking you want to do:
# iptables - using iptables to block the offending IP. You may also uncomment the chain_name option.
# If chain_name is not defined INPUT will be used.
# ipset - using IPsets to block the offending IP. You also have to uncomment ipset_name option.
# redirect - in this setup, traffic to web will be redirected to an IP using DNAT. For this type
# you also need to set redirect_ip
block_type=iptables
#ipset_name=blocklist
#chain_name=block
#redirect_ip=127.0.0.1
# Path to the scripts used for blocking and unblocking of offending IPs
block_script=/usr/sbin/fortress-block
# When using ipset with automatic expire, unblock script is not needed
unblock_script=/usr/sbin/fortress-unblock
# Blocked time in seconds.
# Default: 900sec(15min)
block_time=900
## Connection count configuration
# If the load is above this value, the high_conns value will be used.
# If the load is below this value, the low_conns value will be used.
high_load=5
# Maximum number of simmultaneous connections
# when the load is below the high_load value
low_conns=50
# when the load is above the high_load value
high_conns=20
# Maximum number of connections in SYN_RECV state before the IP is blocked
low_syn_recv_conns=50
high_syn_recv_conns=25
# File that stores the list of last blocked IPs before last service interruption.
store_db=/var/cache/fortress/ip.db
# File locations
pid_file=/var/run/fortress.pid
log_file=/var/log/fortress.log