Configuration Reference
Complete reference for /etc/vistoshield/vistoshield.conf — every setting explained.
Configuration File
The main configuration file uses a simple KEY=value format. Lines starting with # are comments. Changes take effect after restarting the daemon:
vistoshield restart
Feature Toggles
Enable or disable individual protection modules. Set to 1 to enable, 0 to disable.
| Setting | Default | Description |
|---|---|---|
| FEATURE_RATE_LIMIT | 1 | Per-IP request rate limiting |
| FEATURE_BRUTE_FORCE | 1 | Brute force attack detection |
| FEATURE_BOT_SIGNATURES | 1 | User-Agent bot signature matching |
| FEATURE_LFD | 1 | Login Failure Detection (monitors auth logs) |
| FEATURE_CONN_TRACK | 1 | Connection tracking and limiting |
| FEATURE_COUNTRY_BLOCK | 0 | Country-based IP blocking via GeoIP |
| FEATURE_PORT_FLOOD | 1 | Per-port flood detection |
| FEATURE_SYN_FLOOD | 1 | SYN flood protection |
Rate Limiting
| Setting | Default | Description |
|---|---|---|
| RATE_LIMIT | 120 | Maximum requests per minute per IP before temporary block |
| RATE_LIMIT_BURST | 20 | Allowed burst above the rate limit before triggering |
| RATE_LIMIT_BLOCK_TIME | 3600 | Block duration in seconds after rate limit is exceeded |
Login Failure Detection (LFD)
Thresholds for individual services. When consecutive failures from the same IP reach the threshold, the IP is blocked.
| Setting | Default | Description |
|---|---|---|
| LF_SSHD | 5 | SSH login failures before block |
| LF_FTPD | 10 | FTP login failures before block |
| LF_IMAPD | 10 | IMAP login failures before block |
| LF_POP3D | 10 | POP3 login failures before block |
| LF_SMTPD | 10 | SMTP authentication failures before block |
| LF_DA | 10 | DirectAdmin login failures before block |
| LF_CPANEL | 10 | cPanel/WHM login failures before block |
| LF_WEBMIN | 10 | Webmin login failures before block |
| LF_MODSEC | 5 | ModSecurity trigger count before block |
| LF_BLOCK_TIME | 3600 | LFD block duration in seconds |
| LF_BLOCK_PERM | 0 | Set to 1 to make LFD blocks permanent |
Connection Tracking
| Setting | Default | Description |
|---|---|---|
| CT_LIMIT | 150 | Maximum simultaneous connections per IP |
| CT_INTERVAL | 30 | Seconds between connection tracking checks |
| CT_BLOCK_TIME | 1800 | Block duration in seconds when connection limit exceeded |
| CT_PORTS | 80,443 | Ports to monitor for connection tracking (comma-separated) |
Port Configuration
| Setting | Default | Description |
|---|---|---|
| TCP_IN | 20,21,22,25,53,80,110,143,443,465,587,993,995,2222 | Allowed inbound TCP ports |
| TCP_OUT | 20,21,22,25,53,80,110,113,443,2222 | Allowed outbound TCP ports |
| UDP_IN | 53 | Allowed inbound UDP ports |
| UDP_OUT | 53,113,123 | Allowed outbound UDP ports |
SYN Flood & Port Flood
| Setting | Default | Description |
|---|---|---|
| SYNFLOOD | 1 | Enable SYN flood protection |
| SYNFLOOD_RATE | 100/s | SYN packets per second threshold |
| SYNFLOOD_BURST | 150 | SYN burst threshold |
| PORTFLOOD | 22;tcp;5;300,80;tcp;30;5 | Per-port flood limits: port;protocol;hits;seconds |
Country Blocking
| Setting | Default | Description |
|---|---|---|
| CC_DENY | (empty) | Comma-separated ISO country codes to block (e.g., CN,RU,KP) |
| CC_ALLOW | (empty) | Always allow these countries, even if other rules would block |
| CC_ALLOW_FILTER | 0 | Apply port filtering to allowed countries too |
Firewall Backend
| Setting | Default | Description |
|---|---|---|
| FW_BACKEND | auto | Force nftables or iptables, or leave as auto for detection |
| IPV6 | 1 | Enable IPv6 protection |
| ICMP_IN | 1 | Allow inbound ICMP (ping) |
| ICMP_OUT | 1 | Allow outbound ICMP |
Testing Mode
| Setting | Default | Description |
|---|---|---|
| TESTING_MODE | 1 | Enable testing mode (auto-clears blocks periodically) |
| TESTING_INTERVAL | 300 | Seconds between auto-clear cycles in testing mode |
Important: Always start with TESTING_MODE=1 when first deploying. This prevents accidental lockouts. Disable it only after verifying your configuration is correct.
Logging
| Setting | Default | Description |
|---|---|---|
| LOG_FILE | /var/log/vistoshield/vistoshield.log | Main daemon log path |
| LOG_LEVEL | info | Logging verbosity: debug, info, warn, error |
| LOG_ROTATE | 1 | Enable automatic log rotation |
| LOG_ROTATE_SIZE | 50M | Rotate when log exceeds this size |
| LOG_ROTATE_KEEP | 7 | Number of rotated log files to keep |
Notifications
| Setting | Default | Description |
|---|---|---|
| EMAIL_ALERT | 1 | Send email alerts on blocks |
| EMAIL_TO | root | Alert recipient email address |
| EMAIL_FROM | vistoshield@hostname | Alert sender address |
Example Minimal Configuration
# /etc/vistoshield/vistoshield.conf — Production example
# Features
FEATURE_RATE_LIMIT=1
FEATURE_BRUTE_FORCE=1
FEATURE_BOT_SIGNATURES=1
FEATURE_LFD=1
FEATURE_CONN_TRACK=1
# Thresholds
RATE_LIMIT=120
LF_SSHD=5
CT_LIMIT=150
# Ports
TCP_IN=22,80,443,2222
TCP_OUT=22,80,443
# Disable testing mode for production
TESTING_MODE=0
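
A pre-restart lint for this file, as an added example that is not part of VistoShield: it parses the KEY=value format, fills in the defaults listed in the tables on this page, and reports settings that contradict each other or risk a lockout. The function names, the ssh_port parameter and the cross-checks themselves are assumptions made for illustration.

```python
# Added example, not VistoShield code. DEFAULTS are copied from this page's
# tables; the cross-checks are editorial assumptions, not daemon behaviour.
DEFAULTS = {
    "TESTING_MODE": "1", "CT_PORTS": "80,443",
    "TCP_IN": "20,21,22,25,53,80,110,143,443,465,587,993,995,2222",
    "PORTFLOOD": "22;tcp;5;300,80;tcp;30;5",
    "FEATURE_COUNTRY_BLOCK": "0", "CC_DENY": "",
}

def parse_conf(text):
    """Parse KEY=value lines; blank lines and lines starting with # are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not KEY=value: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf

def ports(csv):
    """Turn a comma-separated port list into a set of ints."""
    return {int(p) for p in csv.split(",") if p.strip()}

def lint(text, ssh_port=22):  # ssh_port: assumed sshd listening port
    """Return a list of findings for one configuration file's text."""
    conf = {**DEFAULTS, **parse_conf(text)}
    tcp_in, out = ports(conf["TCP_IN"]), []
    if conf["TESTING_MODE"] == "1":
        out.append("TESTING_MODE=1: blocks are auto-cleared periodically")
    if ssh_port not in tcp_in:
        out.append(f"TCP_IN lacks SSH port {ssh_port}: lockout risk")
    for p in sorted(ports(conf["CT_PORTS"]) - tcp_in):
        out.append(f"CT_PORTS port {p} is not in TCP_IN")
    for entry in filter(None, conf["PORTFLOOD"].split(",")):
        f = entry.split(";")  # port;protocol;hits;seconds
        numeric = len(f) == 4 and all(x.isdigit() for x in (f[0], f[2], f[3]))
        if not numeric or f[1] not in ("tcp", "udp"):  # udp accepted by assumption
            out.append(f"PORTFLOOD entry malformed: {entry}")
        elif f[1] == "tcp" and int(f[0]) not in tcp_in:
            out.append(f"PORTFLOOD port {f[0]} is not in TCP_IN")
    if conf["CC_DENY"] and conf["FEATURE_COUNTRY_BLOCK"] != "1":
        out.append("CC_DENY is set but FEATURE_COUNTRY_BLOCK is not 1")
    return out

# Constructed sample input, not taken from a real host.
SAMPLE = "# constructed\nTCP_IN=80,443\nCT_PORTS=80,8080\nPORTFLOOD=22;tcp;5;300,80;tcp;30\nCC_DENY=KP\n"
```

Calling lint(SAMPLE) reports the omitted TESTING_MODE as well, because the documented default is 1; the minimal configuration above produces no findings.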