eurephia-variables(7)													     eurephia-variables(7)

NAME

       eurephia-variables - eurephia configuration variables

DESCRIPTION

       Overview  over all eurephia configuration variables.  These variables are stored in the database and can be modified by the eurephiadm con-
       fig command.

PASSWORD HASH

       These variables are related to the password hash configuration.	All of them must be set, but they can be changed over time without affect-
       ing the functionality of the already stored passwords.

       These  parameters  are the first to be set when eurephia_init is run.  The minimum and maximum hash rounds are bechmarked for you with this
       tool to find more suitable numbers for the hardware eurephia will be running on.

       passwordhash_salt_length
	      Sets number of bytes to use for the password hash salt.

       passwordhash_rounds_min
	      Sets the minimum number of hashing rounds to perform when calculating new password hashes.

       passwordhash_rounds_max
	      Sets the maximum number of hashing rounds to perform when calculating new password hashes

ATTEMPTS SETTINGS

       eurephia can blacklist user names, certificates and IP addresses based on number of failed attempts.  The following parameters defines  the
       limits of how many attempts you are willing to allow before blacklisting them.

       allow_cert_attempts
	      Defines  the number of attempts of failed login attempts you allow before you will blacklist the OpenVPN clients cerrtificate.  This
	      number should normally be higher than allow_username_attempts. Default is 5.

       allow_username_attempts
	      Defines the number of failed ttempts for a user name can be tried before you will blacklist the user  name  from	further  attempts.
	      Default is 3.

       allow_ipaddr_attempts
	      Defines  the  number of failed attempts for an IP address to be used before you will blacklist the IP address from further attempts.
	      This one should be the least strictest limit.  You also need to consider if your clients will log in via a proxy	or  NATed  network
	      and  how many of your clients will do so.  If you experience many users failing to log on and more of them are behind the same proxy
	      or NAT gateway, this may blacklist the IP address quicker than intended.	But if among many failing attempts a valid  authentication
	      happens, the attempts counter will be reset again, so this limit do not need to be too forgiving.  Default is 10.

FIREWALL INTEGRATION

       If  you	are running the OpenVPN server with eurephia on a Linux server, it is possible to let eurephia interact with the firewall as well.
       These settings will enable the firewall integration and tell eurephia how to interact with the firewall.  These parameters are  very  ipta-
       bles oriented.  The iptables firewall module must be enabled at compile time and be installed to work.

       firewall_interface
	      This  is	the variable which enables firewall integration. This variable must point at the firewall driver, which is a shared object
	      file which eurephia will load dynamically.  These drivers are prefixed efw and will be found in the same lib or lib64  directory	as
	      the eurephia-auth and edb-sqlite modules.  The variable must contain the full path to the driver module.

       firewall_command
	      This defines the binary the firewall module will execute to help update the firewall.  For iptables this defaults to /sbin/iptables.

       firewall_destination
	      Defines which predefined firewall rule to use when updating the firewall.  The default value is vpn_users.

       firewall_blacklist_destination
	      This  activates  firewall  based	IP  address blacklisting in addition to the internal blacklist in eurephia.  This variable defines
	      which firewall rule to use when wanting to blacklist an IP address.

       firewall_blacklist_send_to
	      This is an optional parameter.  Normally when eurephia blacklists an IP address it will default to drop  the  network  packets  from
	      that  client.  You  can use this variable to send it to a different firewall target.  This is useful if you to, for example, log the
	      incident to the system log before dropping the packets.

EUREPHIA UTILITIES

       These settings are used by the eurephia administration utility, eurephiadm.

       eurephiadmin_autologout
	      This defines how long a eurephia administration utility may have an open session before it is considered inactive.   When  exceeding
	      this limit, the administrator user will be out automatically.  The unit for this setting is minutes and the default value is 10.

       eurephiadm_xslt_path
	      The eurephiadm utility uses XSLT templates for generating the output to the screen.  This variable gives you the possibility to have
	      your own set of templates in a different directory instead of using the system wide XSLT templates installed by default.	This vari-
	      able is not set by default.

SEE ALSO

       eurephiadm-config(7), eurephia_init(7),
       Administrators Tutorial and Manual

AUTHOR

       Copyright (C) 2008-2010	David Sommerseth <dazo@users.sourceforge.net>

David Sommerseth						     July 2010						     eurephia-variables(7)