Provided by: eurephia_1.1.0-6build1_amd64 

NAME
eurephia-variables - eurephia configuration variables
DESCRIPTION
Overview of all eurephia configuration variables. These variables are stored in the database and can
be modified by the eurephiadm config command.
PASSWORD HASH
These variables are related to the password hash configuration. All of them must be set, but they can be
changed over time without affecting the functionality of the already stored passwords.
These parameters are the first to be set when eurephia_init is run. The minimum and maximum hash rounds
are benchmarked for you with this tool to find more suitable numbers for the hardware eurephia will be
running on.
passwordhash_salt_length
Sets number of bytes to use for the password hash salt.
passwordhash_rounds_min
Sets the minimum number of hashing rounds to perform when calculating new password hashes.
passwordhash_rounds_max
Sets the maximum number of hashing rounds to perform when calculating new password hashes.
ATTEMPTS SETTINGS
eurephia can blacklist user names, certificates and IP addresses based on the number of failed attempts.
The following parameters define the limits of how many attempts you are willing to allow before
blacklisting them.
allow_cert_attempts
Defines the number of failed login attempts you allow before the OpenVPN client's certificate is
blacklisted. This number should normally be higher than allow_username_attempts.
Default is 5.
allow_username_attempts
Defines the number of failed attempts allowed for a user name before the user name is blacklisted
from further attempts. Default is 3.
allow_ipaddr_attempts
Defines the number of failed attempts allowed from an IP address before the IP address is
blacklisted from further attempts. This should be the least strict limit. You also need to
consider whether your clients will log in via a proxy or NATed network and how many of your clients
will do so. If you experience many users failing to log on and several of them are behind the same
proxy or NAT gateway, this may blacklist the IP address quicker than intended. But if among many
failing attempts a valid authentication happens, the attempts counter will be reset again, so this
limit does not need to be too forgiving. Default is 10.
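Added example (not part of the eurephia manual or source code): a simplified Python model of the three attempt counters with the defaults listed above, showing how failures from several users behind one NAT address add up against allow_ipaddr_attempts and how a single valid login resets the count. The class and function names, the event format, the scope of the reset and the exact threshold comparison are assumptions.

```python
# Added example: simplified model of eurephia's attempt counters as this page
# describes them. Not eurephia code; names and event format are hypothetical.
from collections import defaultdict

# Default limits stated on this page.
DEFAULT_LIMITS = {"username": 3, "cert": 5, "ipaddr": 10}


class AttemptTracker:
    def __init__(self, limits=None):
        self.limits = dict(limits or DEFAULT_LIMITS)
        self.failed = defaultdict(int)  # (kind, value) -> failures since last success
        self.blacklisted = set()

    def record(self, username, cert, ipaddr, success):
        """Register one login attempt and update counters and blacklist."""
        keys = [("username", username), ("cert", cert), ("ipaddr", ipaddr)]
        if success:
            # A valid authentication resets the counters involved (assumed scope).
            for key in keys:
                self.failed[key] = 0
            return
        for key in keys:
            self.failed[key] += 1
            # Assumption: blacklist once the failure count reaches the limit.
            if self.failed[key] >= self.limits[key[0]]:
                self.blacklisted.add(key)


def shared_nat_scenario(valid_login_midway, ipaddr_limit=10):
    """Five users behind one NAT address (constructed data) each mistype twice."""
    limits = dict(DEFAULT_LIMITS, ipaddr=ipaddr_limit)
    tracker = AttemptTracker(limits)
    nat_ip = "203.0.113.7"  # constructed address from the documentation range
    users = ["user%d" % i for i in range(1, 6)]
    for n, user in enumerate(users):
        for _ in range(2):
            tracker.record(user, "cert-" + user, nat_ip, success=False)
        if valid_login_midway and n == 2:
            # A sixth user logs in correctly from the same NAT address.
            tracker.record("user6", "cert-user6", nat_ip, success=True)
    return tracker.blacklisted


if __name__ == "__main__":
    print(shared_nat_scenario(valid_login_midway=False))
    print(shared_nat_scenario(valid_login_midway=True))
```

In the first run no user name or certificate reaches its own limit, yet the shared address does; in the second run the valid login keeps the address below the limit.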
FIREWALL INTEGRATION
If you are running the OpenVPN server with eurephia on a Linux server, it is possible to let eurephia
interact with the firewall as well. These settings will enable the firewall integration and tell
eurephia how to interact with the firewall. These parameters are very iptables oriented. The iptables
firewall module must be enabled at compile time and be installed to work.
firewall_interface
This is the variable which enables firewall integration. This variable must point at the firewall
driver, which is a shared object file which eurephia will load dynamically. These drivers are
prefixed efw and will be found in the same lib or lib64 directory as the eurephia-auth and
edb-sqlite modules. The variable must contain the full path to the driver module.
firewall_command
This defines the binary the firewall module will execute to help update the firewall. For
iptables this defaults to /sbin/iptables.
firewall_destination
Defines which predefined firewall rule to use when updating the firewall. The default value is
vpn_users.
firewall_blacklist_destination
This activates firewall based IP address blacklisting in addition to the internal blacklist in
eurephia. This variable defines which firewall rule to use when wanting to blacklist an IP
address.
firewall_blacklist_send_to
This is an optional parameter. Normally when eurephia blacklists an IP address it will default to
drop the network packets from that client. You can use this variable to send it to a different
firewall target. This is useful if you want to, for example, log the incident to the system log before
dropping the packets.
EUREPHIA UTILITIES
These settings are used by the eurephia administration utility, eurephiadm.
eurephiadmin_autologout
This defines how long a eurephia administration utility may have an open session before it is
considered inactive. When exceeding this limit, the administrator user will be logged out automatically.
The unit for this setting is minutes and the default value is 10.
eurephiadm_xslt_path
The eurephiadm utility uses XSLT templates for generating the output to the screen. This variable
gives you the possibility to have your own set of templates in a different directory instead of
using the system wide XSLT templates installed by default. This variable is not set by default.
OPENVPN RELATED VARIABLES
openvpn_devtype
The eurephia-auth plug-in will try to auto-detect the device type, which must be either tun or
tap. If this auto-detection fails, this configuration variable needs to be set to tun or tap.
This value must correspond to the OpenVPN configuration.
SEE ALSO
eurephiadm-config(7), eurephia_init(7),
Administrators Tutorial and Manual
AUTHOR
Copyright (C) 2008-2012 David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth October 2010 eurephia-variables(7)