{
# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks.
}
security \{
{        # user/group: The name (or #number) of the user/group to run radiusd as.
        #
        #   If these are commented out, the server will run as the
        #   user/group that started it.  In order to change to a
        #   different user/group, you MUST be root ( or have root
        #   privileges ) to start the server.
        #
        #   We STRONGLY recommend that you run the server with as few
        #   permissions as possible.  That is, if you're not using
        #   shadow passwords, the user and group items below should be
        #   set to 'radius'.
        #
        #  NOTE that some kernels refuse to setgid(group) when the
        #  value of (unsigned)group is above 60000; don't use group
        #  "nobody" on these systems!
        #
        #  On systems with shadow passwords, you might have to set
        #  'group = shadow' for the server to be able to read the
        #  shadow password file.  If you can authenticate users while
        #  in debug mode, but not in daemon mode, it may be that the
        #  debugging mode server is running as a user that can read
        #  the shadow info, and the user listed below can not.
        #
        #  The server will also try to use "initgroups" to read
        #  /etc/group.  It will join all groups where "user" is a
        #  member.  This can allow for some finer-grained access
        #  controls.
        #
        #  NOTE(review): the values below run radiusd as root/root, which
        #  is the opposite of the least-privilege recommendation above.
        #  Confirm this is intentional; if the only need is reading the
        #  shadow password file, the 'group = shadow' arrangement described
        #  above with an unprivileged user is the narrower option.
        #
}        user = root
        group = root
{
        #  Core dumps are a bad thing.  This should only be set to
        #  'yes' if you're debugging a problem with the server.
        #  A core file is a copy of the process memory, so it may hold
        #  credentials the server was handling when it was written.
        #
        #  allowed values: {no, yes}
        #
}        allow_core_dumps = no
{
	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.
	#
	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.
	#
	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.
	#
	#  Setting this number to 0 means "allow any number of attributes",
	#  which removes this limit and so the protection described above.
}	max_attributes = 200
{
	#  reject_delay: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a user's password.
	#
	#  Setting this number to 0 means "send rejects immediately"
	#
	#  If this number is set higher than 'cleanup_delay', then the
	#  rejects will be sent at 'cleanup_delay' time, when the request
	#  is deleted from the internal cache of requests.
	#
	#  Useful ranges: 1 to 5
}	reject_delay = 1
{
	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.
	#
	#  Normally this should be set to "no", because they're useless.
	#  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
	#
	#  However, certain NAS boxes may require them.
	#
	#  When sent a Status-Server message, the server responds with
	#  an Access-Accept packet, containing a Reply-Message attribute,
	#  which is a string describing how long the server has been
	#  running.
	#
	#  NOTE(review): if this is ever set to "yes", that reply tells the
	#  requester the server's uptime; enable it only for NAS boxes that
	#  need it.
}	status_server = no
\}
