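# Hiawatha webserver configuration (general and banning settings).
# Layout: one directive per line, every comment on its own line starting
# with '#', so no comment text can ever be read as part of a value.
# NOTE(review): values are kept as the author set them except MinTLSversion,
# which was raised from 1.1 (deprecated by RFC 8996) to 1.2.

# GENERAL SETTINGS
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
# xss, sqli etc
# NOTE(review): this path is outside /var/log/hiawatha - confirm the
# ServerId user (www-data) can write to it, otherwise exploit attempts go unlogged
ExploitLogfile = /var/log/exploit_attempts.log
# default 2048, for tls
DHsize = 4096
# anti decryption on https listening
RandomHeader = 250
# define your local networks you do not want to block
set local_net = 192.168.0.0/24

# BANNING SETTINGS
# Deny service to clients who misbehave.
# anti hacker trying evil things
# ignoring all cookies sent by a browser when following an external link
PreventCSRF = yes
# no 100% guarantee, resource intensive!
PreventSQLi = yes
# replacing a less-than, greater-than, quote or double-quote in the URL with an underscore
PreventXSS = yes
# this network will not be banned
# NOTE(review): a misbehaving or compromised host inside local_net is
# therefore never banned or rate-limited by the rules below - keep the
# range as narrow as the deployment allows
BanlistMask = deny local_net
# this network can upload all they want
RequestLimitMask = deny local_net
BanOnDeniedBody = 120
# seconds
BanOnGarbage = 600
# seconds; risky if > 0
BanOnInvalidURL = 0
# seconds
BanOnMaxReqSize = 600
# seconds
BanOnSQLi = 600
# attempts:seconds - presumably 3 failed logins bans the client for 120 seconds;
# confirm field order against the Hiawatha manual
BanOnWrongPassword = 3:120
# drop attempts to fool the webserver into being insecure.
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only lower this if a legacy
# client population demonstrably needs it, and log such connections
MinTLSversion = 1.2

# anti dos
BanOnFlooding = 10/1:15
# close all connections for an IP that is banned
KickOnBan = yes
# default 1000. Longer -> 404
#MaxUrlLength = 500
# how long a connection will stay open after no traffic
ReconnectDelay = 3
# keep them banned if they retry
RebanDuringBan = yes

# anti ddos: usable when under attack
# seconds
#BanOnMaxPerIP = 60
# after 200 connects send a cookie
#ChallengeClient = 200, httpheader, 60
# ban if no request comes after X seconds, only syn etc
BanOnTimeout = 10
# default 16
#ListenBacklog = 128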