
Annotation of /hopm/branches/1.0.x/doc/reference.conf



Revision 5147 - (hide annotations)
Fri Dec 26 14:33:45 2014 UTC (6 years, 6 months ago) by michael
File size: 20184 byte(s)
- Update documents

1 michael 5052 /*
2 michael 5104 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 michael 5143 *
4     * $Id$
5 michael 5104 */
6 michael 5052
7 michael 5104 /*
8     * Shell style (#), C++ style (//) and C style comments are supported.
9     *
10     * Times/durations are written as:
11     * 12 hours 30 minutes 1 second
12     *
13     * Valid units of time:
14     * year, month, week, day, hour, minute, second
15     *
16     * Valid units of size:
17     * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
18     *
19     * Sizes and times may be singular or plural.
20     */
21 michael 5052
22     options {
23     /*
24     * Full path and filename for storing the process ID of the running
25 michael 5056 * HOPM.
26 michael 5052 */
27 michael 5143 pidfile = "/some/path/var/hopm.pid";
28 michael 5052
29     /*
30 michael 5080 * How long to store the IP address of hosts which are confirmed
31 michael 5147 * (by previous scans) to be secure. New users from these
32 michael 5052 * IP addresses will not be scanned again until this amount of time
33     * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
34     * DIRECTIVE, but it is provided due to demand.
35     *
36     * The main reason for not using this feature is that anyone capable
37     * of running a proxy can get abusers onto your network - all they
38     * need do is shut the proxy down, connect themselves, restart the
39     * proxy, and tell their friends to come flood.
40 michael 5056 *
41 michael 5052 * Keep this directive commented out to disable negative caching.
42     */
43 michael 5080 # negcache = 1 hour;
44 michael 5052
45     /*
46 michael 5147 * Amount of file descriptors to allocate to asynchronous DNS. 64
47 michael 5056 * should be plenty for almost anyone.
48 michael 5052 */
49     dns_fdlimit = 64;
50    
51     /*
52     * Put the full path and filename of a logfile here if you wish to log
53 michael 5147 * every scan done. Normally HOPM only logs successfully detected
54 michael 5056 * proxies in the hopm.log, but you may get abuse reports to your ISP
55 michael 5147 * about portscanning. Being able to show that it was HOPM that did
56     * the scan in question can be useful. Leave commented for no
57 michael 5052 * logging.
58     */
59 michael 5143 # scanlog = "/some/path/var/scan.log";
60 michael 5052 };
61    
62    
63 michael 5104 irc {
64 michael 5052 /*
65 michael 5147 * IP to bind to for the IRC connection. You only need to use this if
66 michael 5056 * you wish HOPM to use a particular interface (virtual host, IP
67 michael 5147 * alias, ...) when connecting to the IRC server. There is another
68 michael 5052 * "vhost" setting in the scan {} block below for the actual
69 michael 5147 * portscans. Note that this directive expects an IP address, not a
70     * hostname. Please leave this commented out if you do not
71 michael 5052 * understand what it does, as most people don't need it.
72     */
73     # vhost = "0.0.0.0";
74    
75     /*
76 michael 5056 * Nickname for HOPM to use.
77 michael 5052 */
78 michael 5056 nick = "MyHopm";
79 michael 5052
80     /*
81 michael 5056 * Text to appear in the "realname" field of HOPM's /whois output.
82 michael 5052 */
83 michael 5056 realname = "Hybrid Open Proxy Monitor";
84 michael 5052
85     /*
86     * If you don't have an identd running, what username to use.
87     */
88 michael 5056 username = "hopm";
89 michael 5052
90     /*
91 michael 5056 * Hostname (or IP) of the IRC server which HOPM will monitor
92 michael 5052 * connections on.
93     */
94 michael 5109 server = "irc.example.org";
95 michael 5052
96     /*
97     * Password used to connect to the IRC server (PASS)
98     */
99     # password = "secret";
100    
101     /*
102 michael 5147 * Port of the above server to connect to. This is what HOPM uses to
103 michael 5052 * get onto IRC itself, it is nothing to do with what ports/protocols
104     * are scanned, nor do you need to list every port your ircd listens
105     * on.
106     */
107     port = 6667;
108    
109     /*
110     * Command to execute to identify to NickServ (if your network uses
111 michael 5147 * it). This is the raw IRC command text, and the below example
112     * corresponds to "/msg nickserv identify password" in a client. If
113 michael 5052 * you don't understand, just edit "password" in the line below to be
114 michael 5147 * your HOPM's nick password. Leave commented out if you don't need
115 michael 5052 * to identify to NickServ.
116     */
117 michael 5056 # nickserv = "NS IDENTIFY password";
118 michael 5052
119     /*
120 michael 5056 * The username and password needed for HOPM to oper up.
121 michael 5052 */
122 michael 5056 oper = "hopm operpass";
123 michael 5104
124 michael 5052 /*
125 michael 5056 * Mode string that HOPM needs to set on itself as soon as it opers
126 michael 5147 * up. This needs to include the mode for seeing connection notices,
127 michael 5056 * otherwise HOPM won't scan anyone (that's usually umode +c).
128 michael 5052 */
129 michael 5056 mode = "+c";
130 michael 5052
131     /*
132 michael 5056 * If this is set then HOPM will use it as an /away message as soon as
133 michael 5052 * it connects.
134     */
135 michael 5069 away = "I'm a bot. Your messages will be ignored.";
136 michael 5052
137     /*
138 michael 5056 * Info about channels you wish HOPM to join in order to accept
139 michael 5147 * commands. HOPM will also print messages in these channels every
140     * time it detects a proxy. Only IRC operators can command HOPM to do
141 michael 5056 * anything, but some of the things HOPM reports to these channels
142 michael 5104 * could be considered sensitive, so it's best not to put HOPM into
143 michael 5052 * public channels.
144     */
145     channel {
146 michael 5056 /*
147 michael 5147 * Channel name. Local ("&") channels are supported if your ircd
148 michael 5056 * supports them.
149     */
150     name = "#hopm";
151 michael 5052
152 michael 5056 /*
153     * If HOPM will need to use a key to enter this channel, this is
154     * where you specify it.
155     */
156     # key = "somekey";
157 michael 5052
158 michael 5056 /*
159     * If you use ChanServ then maybe you want to set the channel
160     * invite-only and have each HOPM do "/msg ChanServ invite" to get
161 michael 5147 * itself in. Leave commented if you don't, or if this makes no
162 michael 5056 * sense to you.
163     */
164     # invite = "CS INVITE #hopm";
165 michael 5052 };
166    
167     /*
168     * You can define a bunch of channels if you want:
169     *
170     * channel { name = "#other"; }; channel { name="#channel"; }
171     */
172 michael 5056
173 michael 5052 /*
174     * connregex is a POSIX regular expression used to parse connection
175     * (+c) notices from the ircd. The complexity of the expression should
176     * be kept to a minimum.
177 michael 5056 *
178 michael 5052 * Items in order MUST be: nick user host IP
179     *
180 michael 5056 * HOPM will not work with ircds which do not send an IP in the
181 michael 5052 * connection notice.
182     *
183     * This is fairly complicated stuff, and the consequence of getting
184 michael 5147 * it wrong is that HOPM does not scan anyone. Unless you know
185 michael 5052 * absolutely what you are doing, please just uncomment the example
186     * below that best matches the type of ircd you use.
187     */
188     connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
189    
190     /*
191     * "kline" controls the command used when an open proxy is confirmed.
192     * We suggest applying a temporary (no more than a few hours) KLINE on the host.
193     *
194     * <WARNING>
195 michael 5056 * Make sure if you need to change this string you also change the
196     * kline command for every DNSBL you enable below.
197 michael 5052 *
198 michael 5056 * Also note that some servers do not allow you to include ':' characters
199     * inside the KLINE message (e.g. for a http:// address).
200 michael 5052 *
201     * Users rewriting this message into something that isn't even a valid
202     * IRC command is the single most common cause of support requests and
203     * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
204     * KLINE COMMANDS BELOW.
205     * </WARNING>
206     *
207     * That said, should you wish to customise this text, several
208     * printf-like placeholders are available:
209     *
210     * %n User's nick
211     * %u User's username
212     * %h User's irc hostname
213     * %i User's IP address
214     *
215     */
216 michael 5107 kline = "KLINE 180 *@%h :Open proxy found on your host.";
217 michael 5052
218 michael 5056 /*
219     * An AKILL example for services with OperServ. Your HOPM must have permission to
220     * AKILL for this to work!
221     */
222 michael 5143 # kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";
223 michael 5052
224     /*
225 michael 5056 * Text to send on connection. Multiple perform lines can be stacked and will be sent in the order given.
226 michael 5052 */
227 michael 5056 # perform = "TIME";
228 michael 5052 };
229    
230    
231     /*
232     * OPM Block defines blacklists and information required to report new proxies
233 michael 5147 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
234 michael 5052 * file. There are several blacklists that list IP addresses known to be open
235     * proxies or other forms of IRC abuse. By checking against these blacklists,
236 michael 5056 * HOPMs are able to ban known sources of abuse without completely scanning them.
237 michael 5052 */
238 michael 5104 opm {
239 michael 5052 /*
240 michael 5147 * Blacklist zones to check IPs against. If you would rather not
241 michael 5052 * trust a remotely managed blacklist, you could set up your own, or
242     * leave these commented out in which case every user will be
243     * scanned. The use of at least one open proxy DNSBL is recommended
244 michael 5056 * however.
245     *
246 michael 5074 * Please read the policies of each blacklist you use to make sure you
247 michael 5056 * are comfortable with using them to block access to your server
248     * (and that you are allowed to use them).
249 michael 5052 */
250    
251 michael 5074
252     /* dnsbl.dronebl.org - http://dronebl.org */
253 michael 5052 # blacklist {
254 michael 5074 /* The DNS name of the blacklist */
255     # name = "dnsbl.dronebl.org";
256 michael 5052
257 michael 5074 /*
258     * Only two values are valid here:
259     * "A record bitmask" and "A record reply".
260     * They affect how the values specified in the reply list
261     * below are interpreted. With a bitmask, the reply
262     * values are powers of two (2^n) and more than one may be added up;
263     * with a reply, the last octet of the returned IP is simply that number.
264     * If you are not sure, the values set for dnsbl.dronebl.org
265     * will work without any changes.
266     */
267     # type = "A record reply";
268 michael 5052
269 michael 5074 /*
270     * Whether to kline reply types that are not listed in the reply list below.
271     *
272     * For DNSBLs that are not IRC specific, where you only wish to kline
273     * certain types, this can be enabled or disabled.
274     */
275     # ban_unknown = no;
276 michael 5052
277 michael 5074 /*
278     * The actual values returned by the dnsbl.dronebl.org blacklist as
279     * documented at http://dronebl.org/docs/howtouse
280     */
281     # reply {
282     # 2 = "Sample";
283     # 3 = "IRC Drone";
284     # 5 = "Bottler";
285     # 6 = "Unknown spambot or drone";
286     # 7 = "DDOS Drone";
287     # 8 = "SOCKS Proxy";
288     # 9 = "HTTP Proxy";
289     # 10 = "ProxyChain";
290     # 13 = "Brute force attackers";
291     # 14 = "Open Wingate Proxy";
292     # 15 = "Compromised router / gateway";
293     # 17 = "Automatically determined botnet IPs (experimental)";
294     # 255 = "Unknown";
295     # };
296 michael 5052
297 michael 5074 /*
298     * The kline message sent for this specific blacklist, remember to put
299     * the removal method in this.
300     */
301 michael 5107 # kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
302 michael 5074 # }
303 michael 5052
304 michael 5074
305     /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
306     # blacklist {
307     # name = "tor.dnsbl.sectoor.de";
308     # type = "A record reply";
309     # ban_unknown = no;
310    
311     # reply {
312     # 1 = "Tor exit server";
313     # };
314    
315 michael 5107 # kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
316 michael 5052 # };
317    
318 michael 5074 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
319     # blacklist {
320     # name = "rbl.efnetrbl.org";
321     # type = "A record reply";
322     # ban_unknown = no;
323    
324     # reply {
325     # 1 = "Open proxy";
326     # 2 = "spamtrap666";
327     # 3 = "spamtrap50";
328     # 4 = "TOR";
329     # 5 = "Drones / Flooding";
330     # };
331    
332 michael 5107 # kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
333 michael 5074 # };
334    
335    
336 michael 5075
337     /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
338     # blacklist {
339     # name = "tor.efnetrbl.org";
340     # type = "A record reply";
341     # ban_unknown = no;
342    
343     # reply {
344     # 1 = "TOR";
345     # };
346    
347 michael 5107 # kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
348 michael 5075 # };
349    
350 michael 5052 /*
351     * You can report the insecure proxies you find to a DNSBL also!
352     * The remaining directives in this section are only needed if you
353 michael 5147 * intend to do this. Reports are sent by email, one email per IP
354     * address. The format does support multiple addresses in one email,
355 michael 5052 * but we don't know of any servers that are detecting enough insecure
356     * proxies for this to be really necessary.
357     */
358    
359     /*
360 michael 5147 * Email address to send reports FROM. If you intend to send reports,
361 michael 5052 * please pick an email address that we can actually send mail to
362     * should we ever need to contact you.
363     */
364     # dnsbl_from = "mybopm@myserver.org";
365    
366     /*
367     * Email address to send reports TO.
368 michael 5056 * For example DroneBL:
369 michael 5052 */
370     # dnsbl_to = "bopm-report@dronebl.org";
371    
372     /*
373 michael 5147 * Full path to your sendmail binary. Even if your system does not
374 michael 5052 * use sendmail, it probably does have a binary called "sendmail"
375 michael 5147 * present in /usr/sbin or /usr/lib. If you don't set this, no
376 michael 5052 * proxies will be reported.
377     */
378     # sendmail = "/usr/sbin/sendmail";
379     };
380    
381    
382     /*
383     * The short explanation:
384     *
385 michael 5147 * This is where you define what ports/protocols to check for. You can have
386 michael 5052 * multiple scanner blocks and then choose which users will get scanned by
387     * which scanners further down.
388     *
389     * The long explanation:
390     *
391 michael 5147 * Scanner defines a virtual scanner. For each user being scanned, a scanner
392 michael 5052 * will use a file descriptor (and subsequent connection) for each protocol.
393     * Once connected, it will negotiate with the proxy to connect to
394     * target_ip:target_port (target_ip MUST be an IP).
395     *
396     * Once connected, any data passed through the proxy will be checked to see if
397 michael 5147 * target_string is contained within that data. If it is, the proxy is
398 michael 5052 * considered open. If the connection is closed at any point before
399     * target_string is matched, or if at least max_read bytes are read from the
400     * connection, the negotiation is considered failed.
401     */
402     scanner {
403    
404     /*
405 michael 5147 * Unique name of this scanner. This is used further down in the
406 michael 5052 * user {} blocks to decide which users get affected by which
407     * scanners.
408     */
409 michael 5104 name = "default";
410 michael 5052
411     /*
412     * HTTP CONNECT - very common proxy protocol supported by widely known
413 michael 5147 * software such as Squid and Apache. The most common sort of
414     * insecure proxy and found on a multitude of weird ports too. Offers
415 michael 5052 * transparent two way TCP connections.
416     */
417     protocol = HTTP:80;
418     protocol = HTTP:8080;
419     protocol = HTTP:3128;
420     protocol = HTTP:6588;
421    
422     /*
423     * SOCKS4/5 - well known proxy protocols, probably the second most
424     * common for insecure proxies, also offers transparent two way TCP
425 michael 5147 * connections. Fortunately largely confined to port 1080.
426 michael 5052 */
427     protocol = SOCKS4:1080;
428     protocol = SOCKS5:1080;
429    
430     /*
431     * Cisco routers with a default password (yes, it really does happen).
432     * Also pretty much anything else that will let you telnet to anywhere
433 michael 5147 * else on the internet. Fortunately these are always on port 23.
434 michael 5052 */
435     protocol = ROUTER:23;
436    
437     /*
438     * WinGate is commercial windows proxy software which is now not so
439     * common, but still to be found, and helpfully presents an interface
440     * that can be used to telnet out, on port 23.
441     */
442     protocol = WINGATE:23;
443    
444     /*
445     * The HTTP POST protocol, often dismissed when writing the access
446     * controls for proxies, but sadly can still be abused.
447     * Offers only the opportunity to send a single block of data, but
448     * enough of them at once can still make for a devastating flood.
449     * Found on the same ports that HTTP CONNECT proxies inhabit.
450     *
451     * Note that if your ircd has "ping cookies" then clients from HTTP
452 michael 5147 * POST proxies cannot actually ever get onto your network anyway. If
453 michael 5052 * you leave the checks in then you'll still find some (because some
454 michael 5056 * people IRC from boxes that run them), but if you use HOPM purely as
455 michael 5052 * a protective measure and you have ping cookies, you need not scan
456     * for HTTP POST.
457     */
458     protocol = HTTPPOST:80;
459    
460     /*
461 michael 5147 * IP this scanner will bind to. Use this if you need your scans to
462 michael 5056 * come FROM a particular interface on the machine you run HOPM from.
463 michael 5052 * If you don't understand what this means, please leave this
464     * commented out, as this is a major source of support queries!
465     */
466     # vhost = "127.0.0.1";
467    
468 michael 5147 /* Maximum file descriptors this scanner can use. Remember that there
469     * will be one FD for each protocol listed above. As this example
470     * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
471 michael 5052 * limit, this scanner can be used on 64 users _at the same time_.
472     * That should be adequate for most servers.
473     */
474     fd = 512;
475    
476     /*
477 michael 5147 * Maximum data read from a proxy before considering it closed. Don't
478 michael 5052 * set this too high, some people have fun setting up lots of ports
479 michael 5147 * that send endless data to tie up your scanner. 4KB is plenty for
480 michael 5052 * any known proxy.
481     */
482 michael 5080 max_read = 4kb;
483 michael 5052
484     /*
485 michael 5080 * Amount of time before a test is considered timed out.
486 michael 5052 * Again, all but the poorest slowest proxies will be detected within
487     * 30 seconds, and this helps keep resource usage low.
488     */
489 michael 5080 timeout = 30 seconds;
490 michael 5052
491 michael 5104 /*
492 michael 5052 * Target IP to tell the proxy to connect to
493 michael 5104 *
494 michael 5052 * !!! THIS MUST BE CHANGED !!!
495     *
496     * You cannot instruct the proxy to connect to itself! The easiest
497     * thing to do would be to set this to the IP of your ircd and then
498     * keep the default target_strings.
499     *
500     * Please use an IP that is publicly reachable from anywhere on the
501     * Internet, because you have no way of knowing where the insecure
502 michael 5147 * proxies will be located. Just because you and your HOPM can
503 michael 5052 * connect to your ircd on some private IP like 192.168.0.1, does not
504     * mean that the insecure proxies out there on the Internet will be
505 michael 5147 * able to. And if they never connect, you will never detect them.
506 michael 5052 *
507     * Remember to change this setting for every scanner you configure.
508     */
509 michael 5056 target_ip = "127.0.0.1";
510 michael 5052
511     /*
512 michael 5147 * Target port to tell the proxy to connect to. This is usually
513     * something like 6667. Basically any client-usable port.
514 michael 5052 */
515 michael 5056 target_port = 6667;
516 michael 5052
517 michael 5104 /*
518 michael 5052 * Target string we check for in the data read back by the scanner.
519     * This should be some string out of the data that your ircd usually
520 michael 5147 * sends on connect. The example below will work on most
521     * hybrid/bahamut ircds. Multiple target strings are allowed.
522 michael 5052 *
523     * NOTE: Try to keep the number of target strings to a minimum. Two
524     * should be fine. One for normal connections and one for throttled
525     * connections. Comment out any others for efficiency.
526     */
527    
528 michael 5056 /*
529 michael 5104 * Usually first line sent to client on connection to ircd.
530 michael 5052 * If your ircd supports a more specific line (see below),
531     * using it will reduce false positives.
532     */
533 michael 5109 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
534 michael 5052
535 michael 5056 /*
536     * If you try to connect too fast, you'll be throttled by your own
537 michael 5147 * ircd. Here's what a hybrid throttle message looks like:
538 michael 5052 */
539     target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
540     };
541    
542 michael 5056
543 michael 5052 scanner {
544     name = "extended";
545    
546     protocol = HTTP:81;
547     protocol = HTTP:8000;
548     protocol = HTTP:8001;
549     protocol = HTTP:8081;
550    
551     protocol = HTTPPOST:81;
552     protocol = HTTPPOST:6588;
553     # protocol = HTTPPOST:4480;
554     protocol = HTTPPOST:8000;
555     protocol = HTTPPOST:8001;
556     protocol = HTTPPOST:8080;
557     protocol = HTTPPOST:8081;
558    
559     /*
560     * IRCnet have seen many socks5 on these ports, more than on the
561     * standard ports even.
562     */
563     protocol = SOCKS4:4914;
564     protocol = SOCKS4:6826;
565     protocol = SOCKS4:7198;
566     protocol = SOCKS4:7366;
567     protocol = SOCKS4:9036;
568    
569     protocol = SOCKS5:4438;
570     protocol = SOCKS5:5104;
571     protocol = SOCKS5:5113;
572     protocol = SOCKS5:5262;
573     protocol = SOCKS5:5634;
574     protocol = SOCKS5:6552;
575     protocol = SOCKS5:6561;
576     protocol = SOCKS5:7464;
577     protocol = SOCKS5:7810;
578     protocol = SOCKS5:8130;
579     protocol = SOCKS5:8148;
580     protocol = SOCKS5:8520;
581     protocol = SOCKS5:8814;
582     protocol = SOCKS5:9100;
583     protocol = SOCKS5:9186;
584     protocol = SOCKS5:9447;
585     protocol = SOCKS5:9578;
586    
587     /*
588     * These came courtesy of Keith Dunnett from a bunch of public open
589     * proxy lists.
590     */
591     protocol = SOCKS4:29992;
592     protocol = SOCKS4:38884;
593     protocol = SOCKS4:18844;
594     protocol = SOCKS4:17771;
595     protocol = SOCKS4:31121;
596    
597     fd = 400;
598    
599     /* If required, you can add settings such as target_ip here;
600     * they will override the defaults set in the first scanner
601     * for this and subsequent scanners defined in the config file.
602     * This affects the following options:
603     * fd, vhost, target_ip, target_port, target_string, timeout and
604     * max_read.
605     */
606     };
607    
608    
609     /*
610     * User blocks define what scanners will be used to scan which hostmasks. When
611     * a user connects they will be scanned on every scanner {} (above) that
612     * matches their host.
613     */
614     user {
615     /*
616     * Users matching this host mask will be scanned with all the
617     * protocols in the scanner named.
618     */
619     mask = "*!*@*";
620     scanner = "default";
621     };
622    
623     user {
624 michael 5056 /*
625     * A mask for connections without ident will match a vast number of
626     * connections; very few proxies run ident, though.
627     */
628 michael 5052 # mask = "*!~*@*";
629     mask = "*!squid@*";
630     mask = "*!nobody@*";
631     mask = "*!www-data@*";
632     mask = "*!cache@*";
633     mask = "*!CacheFlowS@*";
634     mask = "*!*@*www*";
635     mask = "*!*@*proxy*";
636     mask = "*!*@*cache*";
637    
638     scanner = "extended";
639     };
640    
641    
642     /*
643     * Exempt hosts matching certain strings from any form of scanning or dnsbl.
644 michael 5056 * HOPM will check each string against both the hostname and the IP address of
645 michael 5052 * the user.
646     *
647 michael 5147 * There are very few valid reasons to actually use "exempt". HOPM should
648 michael 5052 * never get false positives, and we would like to know very much if it does.
649 michael 5056 * One possible scenario is that the machine HOPM runs from is specifically
650 michael 5052 * authorized to use certain hosts as proxies, and users from those hosts use
651 michael 5147 * your network. In this case, without exempt, HOPM will scan these hosts,
652 michael 5052 * find itself able to use them as proxies, and ban them.
653     */
654     exempt {
    /*
     * NOTE(review): this mask matches the loopback address only. Exempted
     * hosts skip both the proxy scan and the DNSBL check, so keep any mask
     * added here as narrow as possible; a broad wildcard would let every
     * matching host bypass detection.
     */
655     mask = "*!*@127.0.0.1";
656     };

Properties

Name Value
svn:eol-style native
svn:keywords Id
