Diff of /hopm/branches/1.0.x/doc/reference.conf
revision 5146 by michael, Fri Dec 26 14:02:15 2014 UTC revision 5147 by michael, Fri Dec 26 14:33:45 2014 UTC
# Line 28  options { Line 28  options {
28    
29          /*          /*
30           * How long to store the IP address of hosts which are confirmed           * How long to store the IP address of hosts which are confirmed
31           * (by previous scans) to be secure.  New users from these           * (by previous scans) to be secure. New users from these
32           * IP addresses will not be scanned again until this amount of time           * IP addresses will not be scanned again until this amount of time
33           * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS           * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
34           * DIRECTIVE, but it is provided due to demand.           * DIRECTIVE, but it is provided due to demand.
# Line 43  options { Line 43  options {
43  #       negcache = 1 hour;  #       negcache = 1 hour;
44    
45          /*          /*
46           * Amount of file descriptors to allocate to asynchronous DNS.  64           * Amount of file descriptors to allocate to asynchronous DNS. 64
47           * should be plenty for almost anyone.           * should be plenty for almost anyone.
48           */           */
49          dns_fdlimit = 64;          dns_fdlimit = 64;
50    
51          /*          /*
52           * Put the full path and filename of a logfile here if you wish to log           * Put the full path and filename of a logfile here if you wish to log
53           * every scan done.  Normally HOPM only logs successfully detected           * every scan done. Normally HOPM only logs successfully detected
54           * proxies in the hopm.log, but you may get abuse reports to your ISP           * proxies in the hopm.log, but you may get abuse reports to your ISP
55           * about portscanning.  Being able to show that it was HOPM that did           * about portscanning. Being able to show that it was HOPM that did
56           * the scan in question can be useful.  Leave commented for no           * the scan in question can be useful. Leave commented for no
57           * logging.           * logging.
58           */           */
59  #       scanlog = "/some/path/var/scan.log";  #       scanlog = "/some/path/var/scan.log";
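Review bot: "Amount of file descriptors to allocate to asynchronous DNS" in the dns_fdlimit comment should read "Number of file descriptors", since descriptors are countable; since this pass is already touching the sentence spacing in that block, fix the wording at the same time.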
# Line 62  options { Line 62  options {
62    
63  irc {  irc {
64          /*          /*
65           * IP to bind to for the IRC connection.  You only need to use this if           * IP to bind to for the IRC connection. You only need to use this if
66           * you wish HOPM to use a particular interface (virtual host, IP           * you wish HOPM to use a particular interface (virtual host, IP
67           * alias, ...) when connecting to the IRC server.  There is another           * alias, ...) when connecting to the IRC server. There is another
68           * "vhost" setting in the scan {} block below for the actual           * "vhost" setting in the scan {} block below for the actual
69           * portscans.  Note that this directive expects an IP address, not a           * portscans. Note that this directive expects an IP address, not a
70           * hostname.  Please leave this commented out if you do not           * hostname. Please leave this commented out if you do not
71           * understand what it does, as most people don't need it.           * understand what it does, as most people don't need it.
72           */           */
73  #       vhost = "0.0.0.0";  #       vhost = "0.0.0.0";
# Line 99  irc { Line 99  irc {
99  #       password = "secret";  #       password = "secret";
100    
101          /*          /*
102           * Port of the above server to connect to.  This is what HOPM uses to           * Port of the above server to connect to. This is what HOPM uses to
103           * get onto IRC itself, it is nothing to do with what ports/protocols           * get onto IRC itself, it is nothing to do with what ports/protocols
104           * are scanned, nor do you need to list every port your ircd listens           * are scanned, nor do you need to list every port your ircd listens
105           * on.           * on.
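Review bot: the port comment has a comma splice, "This is what HOPM uses to get onto IRC itself, it is nothing to do with what ports/protocols are scanned"; suggest "This is what HOPM uses to get onto IRC itself; it has nothing to do with what ports/protocols are scanned".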
# Line 108  irc { Line 108  irc {
108    
109          /*          /*
110           * Command to execute to identify to NickServ (if your network uses           * Command to execute to identify to NickServ (if your network uses
111           * it).  This is the raw IRC command text, and the below example           * it). This is the raw IRC command text, and the below example
112           * corresponds to "/msg nickserv identify password" in a client.  If           * corresponds to "/msg nickserv identify password" in a client. If
113           * you don't understand, just edit "password" in the line below to be           * you don't understand, just edit "password" in the line below to be
114           * your HOPM's nick password.  Leave commented out if you don't need           * your HOPM's nick password. Leave commented out if you don't need
115           * to identify to NickServ.           * to identify to NickServ.
116           */           */
117  #       nickserv = "NS IDENTIFY password";  #       nickserv = "NS IDENTIFY password";
# Line 123  irc { Line 123  irc {
123    
124          /*          /*
125           * Mode string that HOPM needs to set on itself as soon as it opers           * Mode string that HOPM needs to set on itself as soon as it opers
126           * up.  This needs to include the mode for seeing connection notices,           * up. This needs to include the mode for seeing connection notices,
127           * otherwise HOPM won't scan anyone (that's usually umode +c).           * otherwise HOPM won't scan anyone (that's usually umode +c).
128           */           */
129          mode = "+c";          mode = "+c";
# Line 136  irc { Line 136  irc {
136    
137          /*          /*
138           * Info about channels you wish HOPM to join in order to accept           * Info about channels you wish HOPM to join in order to accept
139           * commands.  HOPM will also print messages in these channels every           * commands. HOPM will also print messages in these channels every
140           * time it detects a proxy.  Only IRC operators can command HOPM to do           * time it detects a proxy. Only IRC operators can command HOPM to do
141           * anything, but some of the things HOPM reports to these channels           * anything, but some of the things HOPM reports to these channels
142           * could be considered sensitive, so it's best not to put HOPM into           * could be considered sensitive, so it's best not to put HOPM into
143           * public channels.           * public channels.
144           */           */
145          channel {          channel {
146                  /*                  /*
147                   * Channel name.  Local ("&") channels are supported if your ircd                   * Channel name. Local ("&") channels are supported if your ircd
148                   * supports them.                   * supports them.
149                   */                   */
150                  name = "#hopm";                  name = "#hopm";
# Line 158  irc { Line 158  irc {
158                  /*                  /*
159                   * If you use ChanServ then maybe you want to set the channel                   * If you use ChanServ then maybe you want to set the channel
160                   * invite-only and have each HOPM do "/msg ChanServ invite" to get                   * invite-only and have each HOPM do "/msg ChanServ invite" to get
161                   * itself in.  Leave commented if you don't, or if this makes no                   * itself in. Leave commented if you don't, or if this makes no
162                   * sense to you.                   * sense to you.
163                   */                   */
164  #               invite = "CS INVITE #hopm";  #               invite = "CS INVITE #hopm";
# Line 181  irc { Line 181  irc {
181           * connection notice.           * connection notice.
182           *           *
183           * This is fairly complicated stuff, and the consequences of getting           * This is fairly complicated stuff, and the consequences of getting
184           * it wrong are the HOPM does not scan anyone.  Unless you know           * it wrong are the HOPM does not scan anyone. Unless you know
185           * absolutely what you are doing, please just uncomment the example           * absolutely what you are doing, please just uncomment the example
186           * below that best matches the type of ircd you use.           * below that best matches the type of ircd you use.
187           */           */
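Review bot: "the consequences of getting it wrong are the HOPM does not scan anyone" is a typo that survived the spacing cleanup; it should read "the consequences of getting it wrong are that HOPM does not scan anyone".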
# Line 230  irc { Line 230  irc {
230    
231  /*  /*
232   * OPM Block defines blacklists and information required to report new proxies   * OPM Block defines blacklists and information required to report new proxies
233   * to a dns blacklist.  DNS-based blacklists store IP addresses in a DNS zone   * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
234   * file. There are several blacklist that list IP addresses known to be open   * file. There are several blacklist that list IP addresses known to be open
235   * proxies or other forms of IRC abuse. By checking against these blacklists,   * proxies or other forms of IRC abuse. By checking against these blacklists,
236   * HOPMs are able to ban known sources of abuse without completely scanning them.   * HOPMs are able to ban known sources of abuse without completely scanning them.
237   */   */
238  opm {  opm {
239          /*          /*
240           * Blacklist zones to check IPs against.  If you would rather not           * Blacklist zones to check IPs against. If you would rather not
241           * trust a remotely managed blacklist, you could set up your own, or           * trust a remotely managed blacklist, you could set up your own, or
242           * leave these commented out in which case every user will be           * leave these commented out in which case every user will be
243           * scanned. The use of at least one open proxy DNSBL is recommended           * scanned. The use of at least one open proxy DNSBL is recommended
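Review bot: "There are several blacklist that list IP addresses" in the OPM block comment needs the plural "blacklists"; also consider "DNS blacklist" rather than "dns blacklist" for consistency with "DNS-based blacklists" in the next sentence.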
# Line 350  opm { Line 350  opm {
350          /*          /*
351           * You can report the insecure proxies you find to a DNSBL also!           * You can report the insecure proxies you find to a DNSBL also!
352           * The remaining directives in this section are only needed if you           * The remaining directives in this section are only needed if you
353           * intend to do this.  Reports are sent by email, one email per IP           * intend to do this. Reports are sent by email, one email per IP
354           * address.  The format does support multiple addresses in one email,           * address. The format does support multiple addresses in one email,
355           * but we don't know of any servers that are detecting enough insecure           * but we don't know of any servers that are detecting enough insecure
356           * proxies for this to be really necessary.           * proxies for this to be really necessary.
357           */           */
358    
359          /*          /*
360           * Email address to send reports FROM.  If you intend to send reports,           * Email address to send reports FROM. If you intend to send reports,
361           * please pick an email address that we can actually send mail to           * please pick an email address that we can actually send mail to
362           * should we ever need to contact you.           * should we ever need to contact you.
363           */           */
# Line 370  opm { Line 370  opm {
370  #       dnsbl_to = "bopm-report@dronebl.org";  #       dnsbl_to = "bopm-report@dronebl.org";
371    
372          /*          /*
373           * Full path to your sendmail binary.  Even if your system does not           * Full path to your sendmail binary. Even if your system does not
374           * use sendmail, it probably does have a binary called "sendmail"           * use sendmail, it probably does have a binary called "sendmail"
375           * present in /usr/sbin or /usr/lib.  If you don't set this, no           * present in /usr/sbin or /usr/lib. If you don't set this, no
376           * proxies will be reported.           * proxies will be reported.
377           */           */
378  #       sendmail = "/usr/sbin/sendmail";  #       sendmail = "/usr/sbin/sendmail";
# Line 382  opm { Line 382  opm {
382  /*  /*
383   * The short explanation:   * The short explanation:
384   *   *
385   * This is where you define what ports/protocols to check for.  You can have   * This is where you define what ports/protocols to check for. You can have
386   * multiple scanner blocks and then choose which users will get scanned by   * multiple scanner blocks and then choose which users will get scanned by
387   * which scanners further down.   * which scanners further down.
388   *   *
389   * The long explanation:   * The long explanation:
390   *   *
391   * Scanner defines a virtual scanner.  For each user being scanned, a scanner   * Scanner defines a virtual scanner. For each user being scanned, a scanner
392   * will use a file descriptor (and subsequent connection) for each protocol.   * will use a file descriptor (and subsequent connection) for each protocol.
393   * Once connecting it will negotiate the proxy to connect to   * Once connecting it will negotiate the proxy to connect to
394   * target_ip:target_port (target_ip MUST be an IP).   * target_ip:target_port (target_ip MUST be an IP).
395   *   *
396   * Once connected, any data passed through the proxy will be checked to see if   * Once connected, any data passed through the proxy will be checked to see if
397   * target_string is contained within that data.  If it is the proxy is   * target_string is contained within that data. If it is the proxy is
398   * considered open. If the connection is closed at any point before   * considered open. If the connection is closed at any point before
399   * target_string is matched, or if at least max_read bytes are read from the   * target_string is matched, or if at least max_read bytes are read from the
400   * connection, the negotiation is considered failed.   * connection, the negotiation is considered failed.
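Review bot: "If it is the proxy is considered open" is missing a comma and reads ambiguously; suggest "If it is, the proxy is considered open." so the sentence that defines the open-proxy verdict is unambiguous.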
# Line 402  opm { Line 402  opm {
402  scanner {  scanner {
403    
404          /*          /*
405           * Unique name of this scanner.  This is used further down in the           * Unique name of this scanner. This is used further down in the
406           * user {} blocks to decide which users get affected by which           * user {} blocks to decide which users get affected by which
407           * scanners.           * scanners.
408           */           */
# Line 410  scanner { Line 410  scanner {
410    
411          /*          /*
412           * HTTP CONNECT - very common proxy protocol supported by widely known           * HTTP CONNECT - very common proxy protocol supported by widely known
413           * software such as Squid and Apache.  The most common sort of           * software such as Squid and Apache. The most common sort of
414           * insecure proxy and found on a multitude of weird ports too.  Offers           * insecure proxy and found on a multitude of weird ports too. Offers
415           * transparent two way TCP connections.           * transparent two way TCP connections.
416           */           */
417          protocol = HTTP:80;          protocol = HTTP:80;
# Line 422  scanner { Line 422  scanner {
422          /*          /*
423           * SOCKS4/5 - well known proxy protocols, probably the second most           * SOCKS4/5 - well known proxy protocols, probably the second most
424           * common for insecure proxies, also offers transparent two way TCP           * common for insecure proxies, also offers transparent two way TCP
425           * connections.  Fortunately largely confined to port 1080.           * connections. Fortunately largely confined to port 1080.
426           */           */
427          protocol = SOCKS4:1080;          protocol = SOCKS4:1080;
428          protocol = SOCKS5:1080;          protocol = SOCKS5:1080;
# Line 430  scanner { Line 430  scanner {
430          /*          /*
431           * Cisco routers with a default password (yes, it really does happen).           * Cisco routers with a default password (yes, it really does happen).
432           * Also pretty much anything else that will let you telnet to anywhere           * Also pretty much anything else that will let you telnet to anywhere
433           * else on the internet.  Fortunately these are always on port 23.           * else on the internet. Fortunately these are always on port 23.
434           */           */
435          protocol = ROUTER:23;          protocol = ROUTER:23;
436    
# Line 449  scanner { Line 449  scanner {
449           * Found on the same ports that HTTP CONNECT proxies inhabit.           * Found on the same ports that HTTP CONNECT proxies inhabit.
450           *           *
451           * Note that if your ircd has "ping cookies" then clients from HTTP           * Note that if your ircd has "ping cookies" then clients from HTTP
452           * POST proxies cannot actually ever get onto your network anyway.  If           * POST proxies cannot actually ever get onto your network anyway. If
453           * you leave the checks in then you'll still find some (because some           * you leave the checks in then you'll still find some (because some
454           * people IRC from boxes that run them), but if you use HOPM purely as           * people IRC from boxes that run them), but if you use HOPM purely as
455           * a protective measure and you have ping cookies, you need not scan           * a protective measure and you have ping cookies, you need not scan
# Line 458  scanner { Line 458  scanner {
458          protocol = HTTPPOST:80;          protocol = HTTPPOST:80;
459    
460          /*          /*
461           * IP this scanner will bind to.  Use this if you need your scans to           * IP this scanner will bind to. Use this if you need your scans to
462           * come FROM a particular interface on the machine you run HOPM from.           * come FROM a particular interface on the machine you run HOPM from.
463           * If you don't understand what this means, please leave this           * If you don't understand what this means, please leave this
464           * commented out, as this is a major source of support queries!           * commented out, as this is a major source of support queries!
465           */           */
466  #       vhost = "127.0.0.1";  #       vhost = "127.0.0.1";
467    
468          /* Maximum file descriptors this scanner can use.  Remember that there          /* Maximum file descriptors this scanner can use. Remember that there
469           * will be one FD for each protocol listed above.  As this example           * will be one FD for each protocol listed above. As this example
470           * scanner has 8 protocols, it requires 8 FDs per user.  With a 512 FD           * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
471           * limit, this scanner can be used on 64 users _at the same time_.           * limit, this scanner can be used on 64 users _at the same time_.
472           * That should be adequate for most servers.           * That should be adequate for most servers.
473           */           */
474          fd = 512;          fd = 512;
475    
476          /*          /*
477           * Maximum data read from a proxy before considering it closed.  Don't           * Maximum data read from a proxy before considering it closed. Don't
478           * set this too high, some people have fun setting up lots of ports           * set this too high, some people have fun setting up lots of ports
479           * that send endless data to tie up your scanner.  4KB is plenty for           * that send endless data to tie up your scanner. 4KB is plenty for
480           * any known proxy.           * any known proxy.
481           */           */
482          max_read = 4kb;          max_read = 4kb;
# Line 499  scanner { Line 499  scanner {
499           *           *
500           * Please use an IP that is publically reachable from anywhere on the           * Please use an IP that is publically reachable from anywhere on the
501           * Internet, because you have no way of knowing where the insecure           * Internet, because you have no way of knowing where the insecure
502           * proxies will be located.  Just because you and your HOPM can           * proxies will be located. Just because you and your HOPM can
503           * connect to your ircd on some private IP like 192.168.0.1, does not           * connect to your ircd on some private IP like 192.168.0.1, does not
504           * mean that the insecure proxies out there on the Internet will be           * mean that the insecure proxies out there on the Internet will be
505           * able to.  And if they never connect, you will never detect them.           * able to. And if they never connect, you will never detect them.
506           *           *
507           * Remember to change this setting for every scanner you configure.           * Remember to change this setting for every scanner you configure.
508           */           */
509          target_ip = "127.0.0.1";          target_ip = "127.0.0.1";
510    
511          /*          /*
512           * Target port to tell the proxy to connect to.  This is usually           * Target port to tell the proxy to connect to. This is usually
513           * something like 6667.  Basically any client-usable port.           * something like 6667. Basically any client-usable port.
514           */           */
515          target_port = 6667;          target_port = 6667;
516    
517          /*          /*
518           * Target string we check for in the data read back by the scanner.           * Target string we check for in the data read back by the scanner.
519           * This should be some string out of the data that your ircd usually           * This should be some string out of the data that your ircd usually
520           * sends on connect.  The example below will work on most           * sends on connect. The example below will work on most
521           * hybrid/bahamut ircds.  Multiple target strings are allowed.           * hybrid/bahamut ircds. Multiple target strings are allowed.
522           *           *
523           * NOTE: Try to keep the number of target strings to a minimum. Two           * NOTE: Try to keep the number of target strings to a minimum. Two
524           *       should be fine. One for normal connections and one for throttled           *       should be fine. One for normal connections and one for throttled
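Review bot: "publically reachable" in the target_ip comment should be "publicly reachable"; worth fixing while this block is being touched, as this is the sentence operators rely on to understand why a private target_ip silently produces no detections.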
# Line 534  scanner { Line 534  scanner {
534    
535          /*          /*
536           * If you try to connect too fast, you'll be throttled by your own           * If you try to connect too fast, you'll be throttled by your own
537           * ircd.  Here's what a hybrid throttle message looks like:           * ircd. Here's what a hybrid throttle message looks like:
538           */           */
539          target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";          target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
540  };  };
# Line 644  user { Line 644  user {
644   * HOPM will check each string against both the hostname and the IP address of   * HOPM will check each string against both the hostname and the IP address of
645   * the user.   * the user.
646   *   *
647   * There are very few valid reasons to actually use "exempt".  HOPM should   * There are very few valid reasons to actually use "exempt". HOPM should
648   * never get false positives, and we would like to know very much if it does.   * never get false positives, and we would like to know very much if it does.
649   * One possible scenario is that the machine HOPM runs from is specifically   * One possible scenario is that the machine HOPM runs from is specifically
650   * authorized to use certain hosts as proxies, and users from those hosts use   * authorized to use certain hosts as proxies, and users from those hosts use
651   * your network.  In this case, without exempt, HOPM will scan these hosts,   * your network. In this case, without exempt, HOPM will scan these hosts,
652   * find itself able to use them as proxies, and ban them.   * find itself able to use them as proxies, and ban them.
653   */   */
654  exempt {  exempt {
