ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/hopm/trunk/doc/reference.conf
Revision: 5087
Committed: Mon Dec 22 21:37:16 2014 UTC (9 years, 3 months ago) by michael
File size: 19815 byte(s)
Log Message:
- Update reference.conf

File Contents

# User Rev Content
1 michael 5052 /*
2    
3 michael 5056 HOPM sample configuration
4 michael 5052
5     */
6    
7     options {
8     /*
9     * Full path and filename for storing the process ID of the running
10 michael 5056 * HOPM.
11 michael 5052 */
12 michael 5056 pidfile = "/some/path/hopm.pid";
13 michael 5052
14     /*
15 michael 5080 * How long to store the IP address of hosts which are confirmed
16     * (by previous scans) to be secure. New users from these
17 michael 5052 * IP addresses will not be scanned again until this amount of time
18     * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
19     * DIRECTIVE, but it is provided due to demand.
20     *
21     * The main reason for not using this feature is that anyone capable
22     * of running a proxy can get abusers onto your network - all they
23     * need do is shut the proxy down, connect themselves, restart the
24     * proxy, and tell their friends to come flood.
25 michael 5056 *
26 michael 5052 * Keep this directive commented out to disable negative caching.
27     */
28 michael 5080 # negcache = 1 hour;
29 michael 5052
30     /*
31     * Amount of file descriptors to allocate to asynchronous DNS. 64
32 michael 5056 * should be plenty for almost anyone.
33 michael 5052 */
34     dns_fdlimit = 64;
35    
36     /*
37     * Put the full path and filename of a logfile here if you wish to log
38 michael 5056 * every scan done. Normally HOPM only logs successfully detected
39     * proxies in the hopm.log, but you may get abuse reports to your ISP
40     * about portscanning. Being able to show that it was HOPM that did
41 michael 5052 * the scan in question can be useful. Leave commented for no
42     * logging.
43     */
44     # scanlog = "/some/path/scan.log";
45     };
46    
47    
48     IRC {
49     /*
50     * IP to bind to for the IRC connection. You only need to use this if
51 michael 5056 * you wish HOPM to use a particular interface (virtual host, IP
52 michael 5052 * alias, ...) when connecting to the IRC server. There is another
53     * "vhost" setting in the scan {} block below for the actual
54     * portscans. Note that this directive expects an IP address, not a
55     * hostname. Please leave this commented out if you do not
56     * understand what it does, as most people don't need it.
57     */
58     # vhost = "0.0.0.0";
59    
60     /*
61 michael 5056 * Nickname for HOPM to use.
62 michael 5052 */
63 michael 5056 nick = "MyHopm";
64 michael 5052
65     /*
66 michael 5056 * Text to appear in the "realname" field of HOPM's /whois output.
67 michael 5052 */
68 michael 5056 realname = "Hybrid Open Proxy Monitor";
69 michael 5052
70     /*
71     * If you don't have an identd running, what username to use.
72     */
73 michael 5056 username = "hopm";
74 michael 5052
75     /*
76 michael 5056 * Hostname (or IP) of the IRC server which HOPM will monitor
77 michael 5052 * connections on.
78     */
79     server = "myserver.somenetwork.org";
80    
81     /*
82     * Password used to connect to the IRC server (PASS)
83     */
84     # password = "secret";
85    
86     /*
87 michael 5056 * Port of the above server to connect to. This is what HOPM uses to
88 michael 5052 * get onto IRC itself, it is nothing to do with what ports/protocols
89     * are scanned, nor do you need to list every port your ircd listens
90     * on.
91     */
92     port = 6667;
93    
94     /*
95     * Command to execute to identify to NickServ (if your network uses
96     * it). This is the raw IRC command text, and the below example
97     * corresponds to "/msg nickserv identify password" in a client. If
98     * you don't understand, just edit "password" in the line below to be
99 michael 5056 * your HOPM's nick password. Leave commented out if you don't need
100 michael 5052 * to identify to NickServ.
101     */
102 michael 5056 # nickserv = "NS IDENTIFY password";
103 michael 5052
104     /*
105 michael 5056 * The username and password needed for HOPM to oper up.
106 michael 5052 */
107 michael 5056 oper = "hopm operpass";
108 michael 5052
109     /*
110 michael 5056 * Mode string that HOPM needs to set on itself as soon as it opers
111 michael 5052 * up. This needs to include the mode for seeing connection notices,
112 michael 5056 * otherwise HOPM won't scan anyone (that's usually umode +c).
113 michael 5052 */
114 michael 5056 mode = "+c";
115 michael 5052
116     /*
117 michael 5056 * If this is set then HOPM will use it as an /away message as soon as
118 michael 5052 * it connects.
119     */
120 michael 5069 away = "I'm a bot. Your messages will be ignored.";
121 michael 5052
122     /*
123 michael 5056 * Info about channels you wish HOPM to join in order to accept
124     * commands. HOPM will also print messages in these channels every
125     * time it detects a proxy. Only IRC operators can command HOPM to do
126     * anything, but some of the things HOPM reports to these channels
127     * could be soncidered sensitive, so it's best not to put HOPM into
128 michael 5052 * public channels.
129     */
130     channel {
131 michael 5056 /*
132     * Channel name. Local ("&") channels are supported if your ircd
133     * supports them.
134     */
135     name = "#hopm";
136 michael 5052
137 michael 5056 /*
138     * If HOPM will need to use a key to enter this channel, this is
139     * where you specify it.
140     */
141     # key = "somekey";
142 michael 5052
143 michael 5056 /*
144     * If you use ChanServ then maybe you want to set the channel
145     * invite-only and have each HOPM do "/msg ChanServ invite" to get
146     * itself in. Leave commented if you don't, or if this makes no
147     * sense to you.
148     */
149     # invite = "CS INVITE #hopm";
150 michael 5052 };
151    
152     /*
153     * You can define a bunch of channels if you want:
154     *
155     * channel { name = "#other"; }; channel { name="#channel"; }
156     */
157 michael 5056
158 michael 5052 /*
159     * connregex is a POSIX regular expression used to parse connection
160     * (+c) notices from the ircd. The complexity of the expression should
161     * be kept to a minimum.
162 michael 5056 *
163 michael 5052 * Items in order MUST be: nick user host IP
164     *
165 michael 5056 * HOPM will not work with ircds which do not send an IP in the
166 michael 5052 * connection notice.
167     *
168     * This is fairly complicated stuff, and the consequences of getting
169 michael 5056 * it wrong are the HOPM does not scan anyone. Unless you know
170 michael 5052 * absolutely what you are doing, please just uncomment the example
171     * below that best matches the type of ircd you use.
172     */
173     connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
174    
175     /*
176     * "kline" controls the command used when an open proxy is confirmed.
177     * We suggest applying a temporary (no more than a few hours) KLINE on the host.
178     *
179     * <WARNING>
180 michael 5056 * Make sure if you need to change this string you also change the
181     * kline command for every DNSBL you enable below.
182 michael 5052 *
183 michael 5056 * Also note that some servers do not allow you to include ':' characters
184     * inside the KLINE message (e.g. for a http:// address).
185 michael 5052 *
186     * Users rewriting this message into something that isn't even a valid
187     * IRC command is the single most common cause of support requests and
188     * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
189     * KLINE COMMANDS BELOW.
190     * </WARNING>
191     *
192     * That said, should you wish to customise this text, several
193     * printf-like placeholders are available:
194     *
195     * %n User's nick
196     * %u User's username
197     * %h User's irc hostname
198     * %i User's IP address
199     *
200     */
201 michael 5056 kline = "KLINE *@%h :Open Proxy found on your host.";
202 michael 5052
203 michael 5056 /*
204     * An AKILL example for services with OperServ. Your HOPM must have permission to
205     * AKILL for this to work!
206     */
207     # kline = "OS AKILL +3h *@%h Open proxy found on your host.";
208 michael 5052
209     /*
210 michael 5056 * Text to send on connection, these can be stacked and will be sent in this order.
211 michael 5052 */
212 michael 5056 # perform = "TIME";
213 michael 5052 };
214    
215    
216     /*
217     * OPM Block defines blacklists and information required to report new proxies
218     * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
219     * file. There are several blacklist that list IP addresses known to be open
220     * proxies or other forms of IRC abuse. By checking against these blacklists,
221 michael 5056 * HOPMs are able to ban known sources of abuse without completely scanning them.
222 michael 5052 */
223    
224     OPM {
225     /*
226     * Blacklist zones to check IPs against. If you would rather not
227     * trust a remotely managed blacklist, you could set up your own, or
228     * leave these commented out in which case every user will be
229     * scanned. The use of at least one open proxy DNSBL is recommended
230 michael 5056 * however.
231     *
232 michael 5074 * Please check the policies of each blacklist you use to check you
233 michael 5056 * are comfortable with using them to block access to your server
234     * (and that you are allowed to use them).
235 michael 5052 */
236    
237 michael 5074
238     /* dnsbl.dronebl.org - http://dronebl.org */
239 michael 5052 # blacklist {
240 michael 5074 /* The DNS name of the blacklist */
241     # name = "dnsbl.dronebl.org";
242 michael 5052
243 michael 5074 /*
244     * There are only two values that are valid for this
245     * "A record bitmask" and "A record reply"
246     * These options affect how the values specified to reply
247     * below will be interpreted, a bitmask is where the reply
248     * values are 2^n and more than one is added up, a reply is
249     * simply where the last octet of the IP is that number.
250     * If you are not sure then the values set for dnsbl.dronebl.org
251     * will work without any changes.
252     */
253     # type = "A record reply";
254 michael 5052
255 michael 5074 /*
256     * Kline types not listed in the reply list below.
257     *
258     * For DNSBLs that are not IRC specific and you just wish to kline
259     * certain types this can be enabled/disabled.
260     */
261     # ban_unknown = no;
262 michael 5052
263 michael 5074 /*
264     * The actual values returned by the dnsbl.dronebl.org blacklist as
265     * documented at http://dronebl.org/docs/howtouse
266     */
267     # reply {
268     # 2 = "Sample";
269     # 3 = "IRC Drone";
270     # 5 = "Bottler";
271     # 6 = "Unknown spambot or drone";
272     # 7 = "DDOS Drone";
273     # 8 = "SOCKS Proxy";
274     # 9 = "HTTP Proxy";
275     # 10 = "ProxyChain";
276     # 13 = "Brute force attackers";
277     # 14 = "Open Wingate Proxy";
278     # 15 = "Compromised router / gateway";
279     # 17 = "Automatically determined botnet IPs (experimental)";
280     # 255 = "Unknown";
281     # };
282 michael 5052
283 michael 5074 /*
284     * The kline message sent for this specific blacklist, remember to put
285     * the removal method in this.
286     */
287     # kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
288     # }
289 michael 5052
290 michael 5074
291     /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
292     # blacklist {
293     # name = "tor.dnsbl.sectoor.de";
294     # type = "A record reply";
295     # ban_unknown = no;
296    
297     # reply {
298     # 1 = "Tor exit server";
299     # };
300    
301     # kline = "KLINE *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
302 michael 5052 # };
303    
304 michael 5074 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
305     # blacklist {
306     # name = "rbl.efnetrbl.org";
307     # type = "A record reply";
308     # ban_unknown = no;
309    
310     # reply {
311     # 1 = "Open proxy";
312     # 2 = "spamtrap666";
313     # 3 = "spamtrap50";
314     # 4 = "TOR";
315     # 5 = "Drones / Flooding";
316     # };
317    
318     # kline = "KLINE *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
319     # };
320    
321    
322 michael 5075
323     /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
324     # blacklist {
325     # name = "tor.efnetrbl.org";
326     # type = "A record reply";
327     # ban_unknown = no;
328    
329     # reply {
330     # 1 = "TOR";
331     # };
332    
333     # kline = "KLINE *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
334     # };
335    
336 michael 5052 /*
337     * You can report the insecure proxies you find to a DNSBL also!
338     * The remaining directives in this section are only needed if you
339     * intend to do this. Reports are sent by email, one email per IP
340     * address. The format does support multiple addresses in one email,
341     * but we don't know of any servers that are detecting enough insecure
342     * proxies for this to be really necessary.
343     */
344    
345     /*
346     * Email address to send reports FROM. If you intend to send reports,
347     * please pick an email address that we can actually send mail to
348     * should we ever need to contact you.
349     */
350     # dnsbl_from = "mybopm@myserver.org";
351    
352     /*
353     * Email address to send reports TO.
354 michael 5056 * For example DroneBL:
355 michael 5052 */
356     # dnsbl_to = "bopm-report@dronebl.org";
357    
358     /*
359     * Full path to your sendmail binary. Even if your system does not
360     * use sendmail, it probably does have a binary called "sendmail"
361     * present in /usr/sbin or /usr/lib. If you don't set this, no
362     * proxies will be reported.
363     */
364     # sendmail = "/usr/sbin/sendmail";
365     };
366    
367    
368     /*
369     * The short explanation:
370     *
371     * This is where you define what ports/protocols to check for. You can have
372     * multiple scanner blocks and then choose which users will get scanned by
373     * which scanners further down.
374     *
375     * The long explanation:
376     *
377     * Scanner defines a virtual scanner. For each user being scanned, a scanner
378     * will use a file descriptor (and subsequent connection) for each protocol.
379     * Once connecting it will negotiate the proxy to connect to
380     * target_ip:target_port (target_ip MUST be an IP).
381     *
382     * Once connected, any data passed through the proxy will be checked to see if
383     * target_string is contained within that data. If it is the proxy is
384     * considered open. If the connection is closed at any point before
385     * target_string is matched, or if at least max_read bytes are read from the
386     * connection, the negotiation is considered failed.
387     */
388    
389     scanner {
390    
391     /*
392     * Unique name of this scanner. This is used further down in the
393     * user {} blocks to decide which users get affected by which
394     * scanners.
395     */
396     name="default";
397    
398     /*
399     * HTTP CONNECT - very common proxy protocol supported by widely known
400     * software such as Squid and Apache. The most common sort of
401     * insecure proxy and found on a multitude of weird ports too. Offers
402     * transparent two way TCP connections.
403     */
404     protocol = HTTP:80;
405     protocol = HTTP:8080;
406     protocol = HTTP:3128;
407     protocol = HTTP:6588;
408    
409     /*
410     * SOCKS4/5 - well known proxy protocols, probably the second most
411     * common for insecure proxies, also offers transparent two way TCP
412     * connections. Fortunately largely confined to port 1080.
413     */
414     protocol = SOCKS4:1080;
415     protocol = SOCKS5:1080;
416    
417     /*
418     * Cisco routers with a default password (yes, it really does happen).
419     * Also pretty much anything else that will let you telnet to anywhere
420     * else on the internet. Fortunately these are always on port 23.
421     */
422     protocol = ROUTER:23;
423    
424     /*
425     * WinGate is commercial windows proxy software which is now not so
426     * common, but still to be found, and helpfully presents an interface
427     * that can be used to telnet out, on port 23.
428     */
429     protocol = WINGATE:23;
430    
431     /*
432     * The HTTP POST protocol, often dismissed when writing the access
433     * controls for proxies, but sadly can still be used to abused.
434     * Offers only the opportunity to send a single block of data, but
435     * enough of them at once can still make for a devastating flood.
436     * Found on the same ports that HTTP CONNECT proxies inhabit.
437     *
438     * Note that if your ircd has "ping cookies" then clients from HTTP
439     * POST proxies cannot actually ever get onto your network anyway. If
440     * you leave the checks in then you'll still find some (because some
441 michael 5056 * people IRC from boxes that run them), but if you use HOPM purely as
442 michael 5052 * a protective measure and you have ping cookies, you need not scan
443     * for HTTP POST.
444     */
445     protocol = HTTPPOST:80;
446    
447     /*
448     * IP this scanner will bind to. Use this if you need your scans to
449 michael 5056 * come FROM a particular interface on the machine you run HOPM from.
450 michael 5052 * If you don't understand what this means, please leave this
451     * commented out, as this is a major source of support queries!
452     */
453     # vhost = "127.0.0.1";
454    
455     /* Maximum file descriptors this scanner can use. Remember that there
456     * will be one FD for each protocol listed above. As this example
457     * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
458     * limit, this scanner can be used on 64 users _at the same time_.
459     * That should be adequate for most servers.
460     */
461     fd = 512;
462    
463     /*
464     * Maximum data read from a proxy before considering it closed. Don't
465     * set this too high, some people have fun setting up lots of ports
466     * that send endless data to tie up your scanner. 4KB is plenty for
467     * any known proxy.
468     */
469 michael 5080 max_read = 4kb;
470 michael 5052
471     /*
472 michael 5080 * Amount of time before a test is considered timed out.
473 michael 5052 * Again, all but the poorest slowest proxies will be detected within
474     * 30 seconds, and this helps keep resource usage low.
475     */
476 michael 5080 timeout = 30 seconds;
477 michael 5052
478     /*
479     * Target IP to tell the proxy to connect to
480     *
481     * !!! THIS MUST BE CHANGED !!!
482     *
483     * You cannot instruct the proxy to connect to itself! The easiest
484     * thing to do would be to set this to the IP of your ircd and then
485     * keep the default target_strings.
486     *
487     * Please use an IP that is publically reachable from anywhere on the
488     * Internet, because you have no way of knowing where the insecure
489 michael 5056 * proxies will be located. Just because you and your HOPM can
490 michael 5052 * connect to your ircd on some private IP like 192.168.0.1, does not
491     * mean that the insecure proxies out there on the Internet will be
492     * able to. And if they never connect, you will never detect them.
493     *
494     * Remember to change this setting for every scanner you configure.
495     */
496 michael 5056 target_ip = "127.0.0.1";
497 michael 5052
498     /*
499     * Target port to tell the proxy to connect to. This is usually
500     * something like 6667. Basically any client-usable port.
501     */
502 michael 5056 target_port = 6667;
503 michael 5052
504     /*
505     * Target string we check for in the data read back by the scanner.
506     * This should be some string out of the data that your ircd usually
507     * sends on connect. The example below will work on most
508     * hybrid/bahamut ircds. Multiple target strings are allowed.
509     *
510     * NOTE: Try to keep the number of target strings to a minimum. Two
511     * should be fine. One for normal connections and one for throttled
512     * connections. Comment out any others for efficiency.
513     */
514    
515 michael 5056 /*
516     * Usually first line sent to client on connection to ircd.
517 michael 5052 * If your ircd supports a more specific line (see below),
518     * using it will reduce false positives.
519     */
520 michael 5087 target_string = ":server.yournetwork.org NOTICE * :*** Looking up your hostname";
521 michael 5052
522 michael 5056 /*
523     * If you try to connect too fast, you'll be throttled by your own
524 michael 5052 * ircd. Here's what a hybrid throttle message looks like:
525     */
526     target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
527     };
528    
529 michael 5056
530 michael 5052 scanner {
531     name = "extended";
532    
533     protocol = HTTP:81;
534     protocol = HTTP:8000;
535     protocol = HTTP:8001;
536     protocol = HTTP:8081;
537    
538     protocol = HTTPPOST:81;
539     protocol = HTTPPOST:6588;
540     # protocol = HTTPPOST:4480;
541     protocol = HTTPPOST:8000;
542     protocol = HTTPPOST:8001;
543     protocol = HTTPPOST:8080;
544     protocol = HTTPPOST:8081;
545    
546     /*
547     * IRCnet have seen many socks5 on these ports, more than on the
548     * standard ports even.
549     */
550     protocol = SOCKS4:4914;
551     protocol = SOCKS4:6826;
552     protocol = SOCKS4:7198;
553     protocol = SOCKS4:7366;
554     protocol = SOCKS4:9036;
555    
556     protocol = SOCKS5:4438;
557     protocol = SOCKS5:5104;
558     protocol = SOCKS5:5113;
559     protocol = SOCKS5:5262;
560     protocol = SOCKS5:5634;
561     protocol = SOCKS5:6552;
562     protocol = SOCKS5:6561;
563     protocol = SOCKS5:7464;
564     protocol = SOCKS5:7810;
565     protocol = SOCKS5:8130;
566     protocol = SOCKS5:8148;
567     protocol = SOCKS5:8520;
568     protocol = SOCKS5:8814;
569     protocol = SOCKS5:9100;
570     protocol = SOCKS5:9186;
571     protocol = SOCKS5:9447;
572     protocol = SOCKS5:9578;
573    
574     /*
575     * These came courtsey of Keith Dunnett from a bunch of public open
576     * proxy lists.
577     */
578     protocol = SOCKS4:29992;
579     protocol = SOCKS4:38884;
580     protocol = SOCKS4:18844;
581     protocol = SOCKS4:17771;
582     protocol = SOCKS4:31121;
583    
584     fd = 400;
585    
586     /* If required you can add settings such as target_ip here
587     * they will override the defaults set in the first scanner
588     * for this and subsequent scanners defined in the config file
589     * This affects the following options:
590     * fd, vhost, target_ip, target_port, target_string, timeout and
591     * max_read.
592     */
593     };
594    
595    
596     /*
597     * User blocks define what scanners will be used to scan which hostmasks. When
598     * a user connects they will be scanned on every scanner {} (above) that
599     * matches their host.
600     */
601     user {
602     /*
603     * Users matching this host mask will be scanned with all the
604     * protocols in the scanner named.
605     */
606     mask = "*!*@*";
607     scanner = "default";
608     };
609    
610     user {
611 michael 5056 /*
612     * Connections without ident will match on a vast number of connections
613     * very few proxies run ident though
614     */
615 michael 5052 # mask = "*!~*@*";
616     mask = "*!squid@*";
617     mask = "*!nobody@*";
618     mask = "*!www-data@*";
619     mask = "*!cache@*";
620     mask = "*!CacheFlowS@*";
621     mask = "*!*@*www*";
622     mask = "*!*@*proxy*";
623     mask = "*!*@*cache*";
624    
625     scanner = "extended";
626     };
627    
628    
629     /*
630     * Exempt hosts matching certain strings from any form of scanning or dnsbl.
631 michael 5056 * HOPM will check each string against both the hostname and the IP address of
632 michael 5052 * the user.
633     *
634 michael 5056 * There are very few valid reasons to actually use "exempt". HOPM should
635 michael 5052 * never get false positives, and we would like to know very much if it does.
636 michael 5056 * One possible scenario is that the machine HOPM runs from is specifically
637 michael 5052 * authorized to use certain hosts as proxies, and users from those hosts use
638 michael 5056 * your network. In this case, without exempt, HOPM will scan these hosts,
639 michael 5052 * find itself able to use them as proxies, and ban them.
640     */
641     exempt {
642     mask = "*!*@127.0.0.1";
643     };