{{ ansible_managed | comment }} ### ### Main configuration params ### ### Logging configuration # enable this option if you want to send logs to local syslog facility logging:local_syslog_logging = off # enable this option if you want to send logs to a remote syslog server via UDP logging:remote_syslog_logging = off # specify a custom server and port for remote logging logging:remote_syslog_server = 10.10.10.10 logging:remote_syslog_port = 514 # Enable/Disable any actions in case of attack enable_ban = on # Enable ban for IPv6 enable_ban_ipv6 = on # disable processing for certain direction of traffic process_incoming_traffic = on process_outgoing_traffic = on # How many packets will be collected from attack traffic ban_details_records_count = 50 # How long (in seconds) we should keep an IP in blocked state # If you set 0 here it completely disables unban capability ban_time = {{ ban_time }} # Check if the attack is still active, before triggering an unban callback with this option # If the attack is still active, check each run of the unban watchdog unban_only_if_attack_finished = on # enable per subnet speed meters # For each subnet, list track speed in bps and pps for both directions enable_subnet_counters = off # list of all your networks in CIDR format networks_list_path = /etc/networks_list # list networks in CIDR format which will be not monitored for attacks white_list_path = /etc/networks_whitelist # redraw period for client's screen check_period = 1 # Connection tracking is very useful for attack detection because it provides huge amounts of information, # but it's very CPU intensive and not recommended in big networks enable_connection_tracking = on # Different approaches to attack detection ban_for_pps = {{ ban_for_pps }} ban_for_bandwidth = {{ ban_for_bandwidth }} ban_for_flows = {{ ban_for_flows }} # Limits for Dos/DDoS attacks threshold_pps = {{ threshold_pps }} threshold_mbps = {{ threshold_mbps }} threshold_flows = {{ threshold_flows }} # Per protocol attack thresholds # We don't implement per protocol flow limits # These limits should be smaller than global pps/mbps limits threshold_tcp_mbps = 100000 threshold_udp_mbps = 100000 threshold_icmp_mbps = 100000 threshold_tcp_pps = {{ threshold_tcp_pps }} threshold_udp_pps = {{ threshold_udp_pps }} threshold_icmp_pps = {{ threshold_icmp_pps }} ban_for_tcp_bandwidth = off ban_for_udp_bandwidth = off ban_for_icmp_bandwidth = off ban_for_tcp_pps = {{ ban_for_tcp_pps }} ban_for_udp_pps = {{ ban_for_udp_pps }} ban_for_icmp_pps = {{ ban_for_icmp_pps }} ### ### Traffic capture methods ### # PF_RING traffic capture, fast enough but the wirespeed version needs a paid license mirror = off # Port mirroring sample rate pfring_sampling_ratio = 1 # Netmap traffic capture (very fast but needs patched drivers) mirror_netmap = off # AF_PACKET capture engine # Please use it only with modern Linux kernels (3.6 and more) # And please install birq for irq ditribution over cores mirror_afpacket = off # You can use this option to multiply all incoming traffc by this value # It may be useful for sampled mirror ports mirror_af_packet_custom_sampling_rate = 1 # AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html # Available modes: cpu, lb, hash, random, rollover, queue_mapping mirror_af_packet_fanout_mode = cpu # This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110; af_packet_read_packet_length_from_ip_header = off # Port mirroring sampling ratio netmap_sampling_ratio = 1 # This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110; netmap_read_packet_length_from_ip_header = off # Pcap mode, very slow and thus not suitable for production pcap = off # Netflow capture method with v5, v9 and IPFIX support netflow = {{ netflow_on }} # sFLOW capture suitable for switches sflow = off # PF_RING configuration # If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for10GE enable_pf_ring_zc_mode = off # Configuration for netmap, mirror, pcap modes # For pcap and PF_RING we could specify "any" # For netmap and PF_RING we could specify multiple interfaces separated by comma interfaces = eth3,eth4 # We use average values for traffic speed to certain IP and we calculate average over this time slice average_calculation_time = 5 # We use average values for traffic speed for subnet and we calculate average over this timeslice average_calculation_time_for_subnets = 5 # Delay between traffic recalculation attempts speed_calculation_delay = 1 # Netflow configuration # it's possible to specify multiple ports here, using commas as delimiter netflow_port = {{ netflow_port }} netflow_host = 0.0.0.0 # To bind to all interfaces for all protocols: not possible yet # To bind to all interfaces for a specific protocol: :: or 0.0.0.0 # To bind to localhost for a specific protocol: ::1 or 127.0.0.1 # Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio # Here you could specify a sampling ratio for all this agents # For NetFLOW v5 we extract sampling ratio from packets directely and this option not used netflow_sampling_ratio = 1 # sFlow configuration # It's possible to specify multiple ports here, using commas as delimiter sflow_port = 6343 # sflow_port = 6343,6344 sflow_host = 0.0.0.0 # Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header sflow_read_packet_length_from_ip_header = off ### ### Actions when attack detected ### # This script executed for ban, unban and attack detail collection notify_script_path = /usr/local/bin/notify_about_attack.sh # pass attack details to notify_script via stdin # Pass details only in case of "ban" call # No details will be passed for "unban" call notify_script_pass_details = on # collect a full dump of the attack with full payload in pcap compatible format collect_attack_pcap_dumps = on # Execute Deep Packet Inspection on captured PCAP packets process_pcap_attack_dumps_with_dpi = on # Save attack details to Redis redis_enabled = off # Redis configuration redis_port = 6379 redis_host = 127.0.0.1 # specify a custom prefix here redis_prefix = mydc1 # We could store attack information to MongoDB mongodb_enabled = off mongodb_host = localhost mongodb_port = 27017 mongodb_database_name = fastnetmon # announce blocked IPs with BGP protocol with ExaBGP exabgp = off exabgp_command_pipe = /var/run/exabgp.cmd exabgp_community = 65001:666 # specify multiple communities with this syntax: # exabgp_community = [65001:666 65001:777] # specify different communities for host and subnet announces # exabgp_community_subnet = 65001:667 # exabgp_community_host = 65001:668 exabgp_next_hop = 10.0.3.114 # In complex cases you could have both options enabled and announce host and subnet simultaneously # Announce /32 host itself with BGP exabgp_announce_host = on # Announce origin subnet of IP address instead IP itself exabgp_announce_whole_subnet = off # Announce Flow Spec rules when we could detect certain attack type # Please we aware! Flow Spec announce triggered when we collect some details about attack, # i.e. when we call attack_details script # Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature # Please use ExaBGP v4 only (Git version), for more details: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md exabgp_flow_spec_announces = off # GoBGP intergation gobgp = on # Configuration for IPv4 announces gobgp_next_hop = 0.0.0.0 gobgp_announce_host = on gobgp_announce_whole_subnet = off gobgp_community_host = 65001:666 gobgp_community_subnet = 65001:777 # Configuration for IPv6 announces gobgp_next_hop_ipv6 = 100::1 gobgp_announce_host_ipv6 = off gobgp_announce_whole_subnet_ipv6 = off gobgp_community_host_ipv6 = 65001:666 gobgp_community_subnet_ipv6 = 65001:777 # Graphite monitoring # InfluxDB is also supported, please check our reference: # https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md graphite = off # Please use only IP because domain names are not allowed here graphite_host = 127.0.0.1 graphite_port = 2003 # Default namespace for Graphite data graphite_prefix = fastnetmon # Before using InfluxDB you need to create database using influx tool: # create database fastnetmon # InfluxDB influxdb = off influxdb_host = 127.0.0.1 influxdb_port = 8086 influxdb_database = fastnetmon # InfluxDB auth influxdb_auth = off influxdb_user = fastnetmon influxdb_password = secure # Add local IP addresses and aliases to monitoring list # Works only for Linux monitor_local_ip_addresses = on # Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list monitor_openvz_vps_ip_addresses = off # Create group of hosts with non-standard thresholds # You should create this group before (in configuration file) specifying any limits # hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32 # Configure this group my_hosts_enable_ban = off my_hosts_ban_for_pps = off my_hosts_ban_for_bandwidth = off my_hosts_ban_for_flows = off my_hosts_threshold_pps = 20000 my_hosts_threshold_mbps = 1000 my_hosts_threshold_flows = 3500 # Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool pid_path = /var/run/fastnetmon.pid # Path to file where we store IPv4 traffic information for fastnetmon_client cli_stats_file_path = /tmp/fastnetmon.dat # Path to file where we store IPv6 traffic information for fastnetmon_client cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat # Enable gRPC api (required for fastnetmon_api_client tool) enable_api = on ### ### Client configuration ### # Field used for sorting in client, valid values are: packets, bytes or flows sort_parameter = packets # How much IPs will be listed for incoming and outgoing channel eaters max_ips_in_list = 7