# GENERAL SETTINGS
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/exploit_attempts.log   # xss sqli etc
DHsize = 4096                   # default 2048, for tls
RandomHeader = 250              # anti decryption on https listening
set local_net = 192.168.0.0/24  #define your local networks you do not want to block
# BANNING SETTINGS
# Deny service to clients who misbehave.
#anti hacker trying evil things
PreventCSRF = yes  # ignoring all cookies sent by a browser when following an external link
PreventSQLi = yes  #no 100% guarantee, resource intensive!
PreventXSS = yes   # replacing a less-then, greater-then, quote or double-quote in the URL with an underscore
BanlistMask = deny local_net        ## this network will not be banned
RequestLimitMask = deny local_net   ## this network can upload all they want
BanOnDeniedBody = 120
BanOnGarbage = 600              #seconds
BanOnInvalidURL = 0             #seconds #risky if > 0
BanOnMaxReqSize = 600           #seconds
BanOnSQLi = 600                 #seconds
BanOnWrongPassword = 3:120      #seconds
MinTLSversion = 1.1             #drop attempts to fool webserver to be insecure. You might want 1.0
#anti dos
BanOnFlooding = 10/1:15
KickOnBan = yes                 # close all connections for an IP that is banned
#MaxUrlLength = 500             #default 1000. Longer -> 404
ReconnectDelay = 3              #how long connection wil stay open after no traffic
RebanDuringBan = yes            # keep them banned if they retry
#anti ddos: usable when under attack
#BanOnMaxPerIP = 60                     #seconds
#ChallengeClient = 200, httpheader, 60  #after 200 connects send a coockie
BanOnTimeout = 10                       #ban if no request comes after X seconds, only syn etc
#ListenBacklog = 128                    #default 16