1 |
michael |
5052 |
/* |
2 |
michael |
5104 |
* Hybrid Open Proxy Monitor - HOPM sample configuration |
3 |
michael |
5142 |
* |
4 |
|
|
* $Id$ |
5 |
michael |
5104 |
*/ |
6 |
michael |
5052 |
|
7 |
michael |
5104 |
/* |
8 |
|
|
* Shell style (#), C++ style (//) and C style comments are supported. |
9 |
|
|
* |
10 |
|
|
* Times/durations are written as: |
11 |
|
|
* 12 hours 30 minutes 1 second |
12 |
|
|
* |
13 |
|
|
* Valid units of time: |
14 |
|
|
* year, month, week, day, hour, minute, second |
15 |
|
|
* |
16 |
|
|
* Valid units of size: |
17 |
|
|
* megabyte/mbyte/mb, kilobyte/kbyte/kb, byte |
18 |
|
|
* |
19 |
|
|
* Sizes and times may be singular or plural. |
20 |
|
|
*/ |
21 |
michael |
5052 |
|
22 |
|
|
options { |
23 |
|
|
/* |
24 |
|
|
* Full path and filename for storing the process ID of the running |
25 |
michael |
5056 |
* HOPM. |
26 |
michael |
5052 |
*/ |
27 |
michael |
6276 |
pidfile = "var/run/hopm.pid"; |
28 |
michael |
5052 |
|
29 |
|
|
/* |
30 |
michael |
5080 |
* How long to store the IP address of hosts which are confirmed |
31 |
michael |
5146 |
* (by previous scans) to be secure. New users from these |
32 |
michael |
5052 |
* IP addresses will not be scanned again until this amount of time |
33 |
|
|
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS |
34 |
|
|
* DIRECTIVE, but it is provided due to demand. |
35 |
|
|
* |
36 |
|
|
* The main reason for not using this feature is that anyone capable |
37 |
|
|
* of running a proxy can get abusers onto your network - all they |
38 |
|
|
* need do is shut the proxy down, connect themselves, restart the |
39 |
|
|
* proxy, and tell their friends to come flood. |
40 |
michael |
5056 |
* |
41 |
michael |
5052 |
* Keep this directive commented out to disable negative caching. |
42 |
|
|
*/ |
43 |
michael |
5080 |
# negcache = 1 hour; |
44 |
michael |
5052 |
|
45 |
|
|
/* |
46 |
michael |
5332 |
* How long between rebuilds of the negative cache. The negcache |
47 |
|
|
* is only rebuilt to free up memory used by entries that are too old. |
48 |
|
|
* You probably don't need to tweak this unless you have huge amounts |
49 |
|
|
* of people connecting (hundreds per minute). Default is 12 hours. |
50 |
|
|
*/ |
51 |
|
|
negcache_rebuild = 12 hours; |
52 |
|
|
|
53 |
|
|
/* |
54 |
michael |
5146 |
* Amount of file descriptors to allocate to asynchronous DNS. 64 |
55 |
michael |
5056 |
* should be plenty for almost anyone. |
56 |
michael |
5052 |
*/ |
57 |
|
|
dns_fdlimit = 64; |
58 |
|
|
|
59 |
|
|
/* |
60 |
michael |
6200 |
* Amount of time the resolver waits until a response is received |
61 |
|
|
* from a name server. |
62 |
|
|
*/ |
63 |
|
|
dns_timeout = 5 seconds; |
64 |
|
|
|
65 |
|
|
/* |
66 |
michael |
5052 |
* Put the full path and filename of a logfile here if you wish to log |
67 |
michael |
5146 |
* every scan done. Normally HOPM only logs successfully detected |
68 |
michael |
5056 |
* proxies in the hopm.log, but you may get abuse reports to your ISP |
69 |
michael |
5146 |
* about portscanning. Being able to show that it was HOPM that did |
70 |
|
|
* the scan in question can be useful. Leave commented for no |
71 |
michael |
5052 |
* logging. |
72 |
|
|
*/ |
73 |
michael |
6276 |
# scanlog = "var/log/scan.log"; |
74 |
michael |
5052 |
}; |
75 |
|
|
|
76 |
|
|
|
77 |
michael |
5104 |
irc { |
78 |
michael |
5052 |
/* |
79 |
michael |
6170 |
* IP address to bind to for the IRC connection. You only need to |
80 |
|
|
* use this if you wish HOPM to use a particular interface |
81 |
|
|
* (virtual host, IP alias, ...) when connecting to the IRC server. |
82 |
|
|
* There is another "vhost" setting in the scan {} block below for |
83 |
|
|
* the actual portscans. Note that this directive expects an IP address, |
84 |
|
|
* not a hostname. Please leave this commented out if you do not |
85 |
michael |
5052 |
* understand what it does, as most people don't need it. |
86 |
|
|
*/ |
87 |
|
|
# vhost = "0.0.0.0"; |
88 |
|
|
|
89 |
|
|
/* |
90 |
michael |
5056 |
* Nickname for HOPM to use. |
91 |
michael |
5052 |
*/ |
92 |
michael |
5056 |
nick = "MyHopm"; |
93 |
michael |
5052 |
|
94 |
|
|
/* |
95 |
michael |
5056 |
* Text to appear in the "realname" field of HOPM's /whois output. |
96 |
michael |
5052 |
*/ |
97 |
michael |
5056 |
realname = "Hybrid Open Proxy Monitor"; |
98 |
michael |
5052 |
|
99 |
|
|
/* |
100 |
|
|
* If you don't have an identd running, what username to use. |
101 |
|
|
*/ |
102 |
michael |
5056 |
username = "hopm"; |
103 |
michael |
5052 |
|
104 |
|
|
/* |
105 |
michael |
6170 |
* Hostname (or IP address) of the IRC server which HOPM will monitor |
106 |
michael |
5682 |
* connections on. IPv6 is now supported. |
107 |
michael |
5052 |
*/ |
108 |
michael |
5109 |
server = "irc.example.org"; |
109 |
michael |
5052 |
|
110 |
|
|
/* |
111 |
|
|
* Password used to connect to the IRC server (PASS) |
112 |
|
|
*/ |
113 |
|
|
# password = "secret"; |
114 |
|
|
|
115 |
|
|
/* |
116 |
michael |
5146 |
* Port of the above server to connect to. This is what HOPM uses to |
117 |
michael |
5052 |
* get onto IRC itself, it is nothing to do with what ports/protocols |
118 |
|
|
* are scanned, nor do you need to list every port your ircd listens |
119 |
|
|
* on. |
120 |
|
|
*/ |
121 |
|
|
port = 6667; |
122 |
|
|
|
123 |
|
|
/* |
124 |
michael |
5198 |
* Defines time in which bot will timeout if no data is received |
125 |
|
|
*/ |
126 |
|
|
readtimeout = 15 minutes; |
127 |
|
|
|
128 |
|
|
/* |
129 |
michael |
6078 |
* Interval in how often we try to reconnect to the IRC server |
130 |
|
|
*/ |
131 |
|
|
reconnectinterval = 30 seconds; |
132 |
|
|
|
133 |
|
|
/* |
134 |
michael |
5052 |
* Command to execute to identify to NickServ (if your network uses |
135 |
michael |
5146 |
* it). This is the raw IRC command text, and the below example |
136 |
|
|
* corresponds to "/msg nickserv identify password" in a client. If |
137 |
michael |
5052 |
* you don't understand, just edit "password" in the line below to be |
138 |
michael |
5146 |
* your HOPM's nick password. Leave commented out if you don't need |
139 |
michael |
5052 |
* to identify to NickServ. |
140 |
|
|
*/ |
141 |
michael |
5056 |
# nickserv = "NS IDENTIFY password"; |
142 |
michael |
5052 |
|
143 |
|
|
/* |
144 |
michael |
5056 |
* The username and password needed for HOPM to oper up. |
145 |
michael |
5052 |
*/ |
146 |
michael |
5056 |
oper = "hopm operpass"; |
147 |
michael |
5104 |
|
148 |
michael |
5052 |
/* |
149 |
michael |
5056 |
* Mode string that HOPM needs to set on itself as soon as it opers |
150 |
michael |
5146 |
* up. This needs to include the mode for seeing connection notices, |
151 |
michael |
5056 |
* otherwise HOPM won't scan anyone (that's usually umode +c). |
152 |
michael |
5052 |
*/ |
153 |
michael |
5056 |
mode = "+c"; |
154 |
michael |
5052 |
|
155 |
|
|
/* |
156 |
michael |
5056 |
* If this is set then HOPM will use it as an /away message as soon as |
157 |
michael |
5052 |
* it connects. |
158 |
|
|
*/ |
159 |
michael |
5069 |
away = "I'm a bot. Your messages will be ignored."; |
160 |
michael |
5052 |
|
161 |
|
|
/* |
162 |
michael |
5056 |
* Info about channels you wish HOPM to join in order to accept |
163 |
michael |
5146 |
* commands. HOPM will also print messages in these channels every |
164 |
|
|
* time it detects a proxy. Only IRC operators can command HOPM to do |
165 |
michael |
5056 |
* anything, but some of the things HOPM reports to these channels |
166 |
michael |
5104 |
* could be considered sensitive, so it's best not to put HOPM into |
167 |
michael |
5052 |
* public channels. |
168 |
|
|
*/ |
169 |
|
|
channel { |
170 |
michael |
5056 |
/* |
171 |
michael |
5146 |
* Channel name. Local ("&") channels are supported if your ircd |
172 |
michael |
5056 |
* supports them. |
173 |
|
|
*/ |
174 |
|
|
name = "#hopm"; |
175 |
michael |
5052 |
|
176 |
michael |
5056 |
/* |
177 |
|
|
* If HOPM will need to use a key to enter this channel, this is |
178 |
|
|
* where you specify it. |
179 |
|
|
*/ |
180 |
|
|
# key = "somekey"; |
181 |
michael |
5052 |
|
182 |
michael |
5056 |
/* |
183 |
|
|
* If you use ChanServ then maybe you want to set the channel |
184 |
|
|
* invite-only and have each HOPM do "/msg ChanServ invite" to get |
185 |
michael |
5146 |
* itself in. Leave commented if you don't, or if this makes no |
186 |
michael |
5056 |
* sense to you. |
187 |
|
|
*/ |
188 |
|
|
# invite = "CS INVITE #hopm"; |
189 |
michael |
5052 |
}; |
190 |
|
|
|
191 |
|
|
/* |
192 |
|
|
* You can define a bunch of channels if you want: |
193 |
|
|
* |
194 |
michael |
6170 |
* channel { name = "#other"; }; channel { name= "#channel"; } |
195 |
michael |
5052 |
*/ |
196 |
michael |
5056 |
|
197 |
michael |
5052 |
/* |
198 |
|
|
* connregex is a POSIX regular expression used to parse connection |
199 |
michael |
5682 |
* notices from the ircd. The complexity of the expression should |
200 |
michael |
5052 |
* be kept to a minimum. |
201 |
michael |
5056 |
* |
202 |
michael |
5052 |
* Items in order MUST be: nick user host IP |
203 |
|
|
* |
204 |
michael |
6170 |
* HOPM will not work with ircds which do not send an IP address in the |
205 |
michael |
5052 |
* connection notice. |
206 |
|
|
* |
207 |
|
|
* This is fairly complicated stuff, and the consequences of getting |
208 |
michael |
5146 |
* it wrong are the HOPM does not scan anyone. Unless you know |
209 |
michael |
5052 |
* absolutely what you are doing, please just uncomment the example |
210 |
|
|
* below that best matches the type of ircd you use. |
211 |
|
|
*/ |
212 |
michael |
5437 |
|
213 |
michael |
6985 |
/* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */ |
214 |
michael |
5052 |
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; |
215 |
|
|
|
216 |
michael |
6984 |
/* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */ |
217 |
michael |
6985 |
# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; |
218 |
michael |
6984 |
|
219 |
michael |
6985 |
/* UnrealIRCd 4.0.0 */ |
220 |
|
|
# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; |
221 |
|
|
|
222 |
michael |
5439 |
/* InspIRCd */ |
223 |
|
|
# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]"; |
224 |
michael |
5437 |
|
225 |
michael |
5922 |
/* ngIRCd */ |
226 |
|
|
# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; |
227 |
|
|
|
228 |
michael |
5052 |
/* |
229 |
|
|
* "kline" controls the command used when an open proxy is confirmed. |
230 |
|
|
* We suggest applying a temporary (no more than a few hours) KLINE on the host. |
231 |
|
|
* |
232 |
|
|
* <WARNING> |
233 |
michael |
5056 |
* Make sure if you need to change this string you also change the |
234 |
|
|
* kline command for every DNSBL you enable below. |
235 |
michael |
5052 |
* |
236 |
michael |
5056 |
* Also note that some servers do not allow you to include ':' characters |
237 |
|
|
* inside the KLINE message (e.g. for a http:// address). |
238 |
michael |
5052 |
* |
239 |
|
|
* Users rewriting this message into something that isn't even a valid |
240 |
|
|
* IRC command is the single most common cause of support requests and |
241 |
|
|
* therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE |
242 |
|
|
* KLINE COMMANDS BELOW. |
243 |
|
|
* </WARNING> |
244 |
|
|
* |
245 |
|
|
* That said, should you wish to customise this text, several |
246 |
|
|
* printf-like placeholders are available: |
247 |
|
|
* |
248 |
|
|
* %n User's nick |
249 |
|
|
* %u User's username |
250 |
|
|
* %h User's irc hostname |
251 |
|
|
* %i User's IP address |
252 |
michael |
5482 |
* %t Protocol type which has triggered a positive scan |
253 |
michael |
5052 |
*/ |
254 |
michael |
5107 |
kline = "KLINE 180 *@%h :Open proxy found on your host."; |
255 |
michael |
5052 |
|
256 |
michael |
6178 |
/* A GLINE example for ircu */ |
257 |
|
|
# kline = "GLINE +*@%i 1800 :Open proxy found on your host."; |
258 |
|
|
|
259 |
michael |
5056 |
/* |
260 |
|
|
* An AKILL example for services with OperServ. Your HOPM must have permission to |
261 |
|
|
* AKILL for this to work! |
262 |
|
|
*/ |
263 |
michael |
5142 |
# kline = "OS AKILL ADD +3h *@%h Open proxy found on your host."; |
264 |
michael |
5052 |
|
265 |
|
|
/* |
266 |
michael |
5056 |
* Text to send on connection, these can be stacked and will be sent in this order. |
267 |
michael |
5876 |
* |
268 |
michael |
5443 |
* !!! UNREAL USERS PLEASE NOTE !!! |
269 |
|
|
* Unreal users will need PROTOCTL HCN to force hybrid connect |
270 |
|
|
* notices. |
271 |
|
|
* |
272 |
|
|
* Yes Unreal users! That means you! That means you need the line |
273 |
|
|
* below! See that thing at the start of the line? That's what we |
274 |
|
|
* call a comment! Remove it to UNcomment the line. |
275 |
michael |
5052 |
*/ |
276 |
michael |
5443 |
# perform = "PROTOCTL HCN"; |
277 |
michael |
5405 |
|
278 |
|
|
/* |
279 |
michael |
5409 |
* Text to send, via NOTICE, immediately when a new client connects. These can be |
280 |
michael |
5405 |
* stacked and will be sent in this order. |
281 |
|
|
*/ |
282 |
|
|
# notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear."; |
283 |
michael |
5052 |
}; |
284 |
|
|
|
285 |
|
|
|
286 |
|
|
/* |
287 |
|
|
* OPM Block defines blacklists and information required to report new proxies |
288 |
michael |
5146 |
* to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone |
289 |
michael |
5052 |
* file. There are several blacklist that list IP addresses known to be open |
290 |
|
|
* proxies or other forms of IRC abuse. By checking against these blacklists, |
291 |
michael |
5056 |
* HOPMs are able to ban known sources of abuse without completely scanning them. |
292 |
michael |
5052 |
*/ |
293 |
michael |
5221 |
#opm { |
294 |
michael |
5052 |
/* |
295 |
michael |
5146 |
* Blacklist zones to check IPs against. If you would rather not |
296 |
michael |
5052 |
* trust a remotely managed blacklist, you could set up your own, or |
297 |
|
|
* leave these commented out in which case every user will be |
298 |
|
|
* scanned. The use of at least one open proxy DNSBL is recommended |
299 |
michael |
5056 |
* however. |
300 |
|
|
* |
301 |
michael |
5074 |
* Please check the policies of each blacklist you use to check you |
302 |
michael |
5056 |
* are comfortable with using them to block access to your server |
303 |
|
|
* (and that you are allowed to use them). |
304 |
michael |
5052 |
*/ |
305 |
|
|
|
306 |
michael |
5074 |
|
307 |
|
|
/* dnsbl.dronebl.org - http://dronebl.org */ |
308 |
michael |
5052 |
# blacklist { |
309 |
michael |
5074 |
/* The DNS name of the blacklist */ |
310 |
|
|
# name = "dnsbl.dronebl.org"; |
311 |
michael |
5052 |
|
312 |
michael |
5074 |
/* |
313 |
|
|
* There are only two values that are valid for this |
314 |
|
|
* "A record bitmask" and "A record reply" |
315 |
|
|
* These options affect how the values specified to reply |
316 |
|
|
* below will be interpreted, a bitmask is where the reply |
317 |
|
|
* values are 2^n and more than one is added up, a reply is |
318 |
michael |
6170 |
* simply where the last octet of the IP address is that number. |
319 |
michael |
5074 |
* If you are not sure then the values set for dnsbl.dronebl.org |
320 |
|
|
* will work without any changes. |
321 |
|
|
*/ |
322 |
|
|
# type = "A record reply"; |
323 |
michael |
5052 |
|
324 |
michael |
5074 |
/* |
325 |
|
|
* Kline types not listed in the reply list below. |
326 |
|
|
* |
327 |
|
|
* For DNSBLs that are not IRC specific and you just wish to kline |
328 |
|
|
* certain types this can be enabled/disabled. |
329 |
|
|
*/ |
330 |
|
|
# ban_unknown = no; |
331 |
michael |
5052 |
|
332 |
michael |
5074 |
/* |
333 |
|
|
* The actual values returned by the dnsbl.dronebl.org blacklist as |
334 |
|
|
* documented at http://dronebl.org/docs/howtouse |
335 |
|
|
*/ |
336 |
|
|
# reply { |
337 |
|
|
# 2 = "Sample"; |
338 |
|
|
# 3 = "IRC Drone"; |
339 |
|
|
# 5 = "Bottler"; |
340 |
|
|
# 6 = "Unknown spambot or drone"; |
341 |
|
|
# 7 = "DDOS Drone"; |
342 |
|
|
# 8 = "SOCKS Proxy"; |
343 |
|
|
# 9 = "HTTP Proxy"; |
344 |
|
|
# 10 = "ProxyChain"; |
345 |
|
|
# 13 = "Brute force attackers"; |
346 |
|
|
# 14 = "Open Wingate Proxy"; |
347 |
|
|
# 15 = "Compromised router / gateway"; |
348 |
|
|
# 17 = "Automatically determined botnet IPs (experimental)"; |
349 |
|
|
# 255 = "Unknown"; |
350 |
|
|
# }; |
351 |
michael |
5052 |
|
352 |
michael |
5074 |
/* |
353 |
|
|
* The kline message sent for this specific blacklist, remember to put |
354 |
|
|
* the removal method in this. |
355 |
|
|
*/ |
356 |
michael |
5107 |
# kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network"; |
357 |
michael |
5246 |
# }; |
358 |
michael |
5052 |
|
359 |
michael |
5074 |
|
360 |
|
|
/* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */ |
361 |
|
|
# blacklist { |
362 |
|
|
# name = "tor.dnsbl.sectoor.de"; |
363 |
|
|
# type = "A record reply"; |
364 |
|
|
# ban_unknown = no; |
365 |
|
|
|
366 |
|
|
# reply { |
367 |
|
|
# 1 = "Tor exit server"; |
368 |
|
|
# }; |
369 |
|
|
|
370 |
michael |
5107 |
# kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i"; |
371 |
michael |
5052 |
# }; |
372 |
|
|
|
373 |
michael |
5074 |
/* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */ |
374 |
|
|
# blacklist { |
375 |
|
|
# name = "rbl.efnetrbl.org"; |
376 |
|
|
# type = "A record reply"; |
377 |
|
|
# ban_unknown = no; |
378 |
|
|
|
379 |
|
|
# reply { |
380 |
|
|
# 1 = "Open proxy"; |
381 |
|
|
# 2 = "spamtrap666"; |
382 |
|
|
# 3 = "spamtrap50"; |
383 |
|
|
# 4 = "TOR"; |
384 |
|
|
# 5 = "Drones / Flooding"; |
385 |
|
|
# }; |
386 |
|
|
|
387 |
michael |
5107 |
# kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; |
388 |
michael |
5074 |
# }; |
389 |
|
|
|
390 |
|
|
|
391 |
michael |
5075 |
|
392 |
|
|
/* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */ |
393 |
|
|
# blacklist { |
394 |
|
|
# name = "tor.efnetrbl.org"; |
395 |
|
|
# type = "A record reply"; |
396 |
|
|
# ban_unknown = no; |
397 |
|
|
|
398 |
|
|
# reply { |
399 |
|
|
# 1 = "TOR"; |
400 |
|
|
# }; |
401 |
|
|
|
402 |
michael |
5107 |
# kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; |
403 |
michael |
5075 |
# }; |
404 |
|
|
|
405 |
michael |
5052 |
/* |
406 |
|
|
* You can report the insecure proxies you find to a DNSBL also! |
407 |
|
|
* The remaining directives in this section are only needed if you |
408 |
michael |
5146 |
* intend to do this. Reports are sent by email, one email per IP |
409 |
|
|
* address. The format does support multiple addresses in one email, |
410 |
michael |
5052 |
* but we don't know of any servers that are detecting enough insecure |
411 |
|
|
* proxies for this to be really necessary. |
412 |
|
|
*/ |
413 |
|
|
|
414 |
|
|
/* |
415 |
michael |
5146 |
* Email address to send reports FROM. If you intend to send reports, |
416 |
michael |
5052 |
* please pick an email address that we can actually send mail to |
417 |
|
|
* should we ever need to contact you. |
418 |
|
|
*/ |
419 |
|
|
# dnsbl_from = "mybopm@myserver.org"; |
420 |
|
|
|
421 |
|
|
/* |
422 |
|
|
* Email address to send reports TO. |
423 |
michael |
5056 |
* For example DroneBL: |
424 |
michael |
5052 |
*/ |
425 |
|
|
# dnsbl_to = "bopm-report@dronebl.org"; |
426 |
|
|
|
427 |
|
|
/* |
428 |
michael |
5146 |
* Full path to your sendmail binary. Even if your system does not |
429 |
michael |
5052 |
* use sendmail, it probably does have a binary called "sendmail" |
430 |
michael |
5146 |
* present in /usr/sbin or /usr/lib. If you don't set this, no |
431 |
michael |
5052 |
* proxies will be reported. |
432 |
|
|
*/ |
433 |
|
|
# sendmail = "/usr/sbin/sendmail"; |
434 |
michael |
5221 |
#}; |
435 |
michael |
5052 |
|
436 |
|
|
|
437 |
|
|
/* |
438 |
|
|
* The short explanation: |
439 |
|
|
* |
440 |
michael |
5146 |
* This is where you define what ports/protocols to check for. You can have |
441 |
michael |
5052 |
* multiple scanner blocks and then choose which users will get scanned by |
442 |
|
|
* which scanners further down. |
443 |
|
|
* |
444 |
|
|
* The long explanation: |
445 |
|
|
* |
446 |
michael |
5146 |
* Scanner defines a virtual scanner. For each user being scanned, a scanner |
447 |
michael |
5052 |
* will use a file descriptor (and subsequent connection) for each protocol. |
448 |
|
|
* Once connecting it will negotiate the proxy to connect to |
449 |
michael |
6170 |
* target_ip:target_port (target_ip MUST be an IP address). |
450 |
michael |
5052 |
* |
451 |
|
|
* Once connected, any data passed through the proxy will be checked to see if |
452 |
michael |
5146 |
* target_string is contained within that data. If it is the proxy is |
453 |
michael |
5052 |
* considered open. If the connection is closed at any point before |
454 |
|
|
* target_string is matched, or if at least max_read bytes are read from the |
455 |
|
|
* connection, the negotiation is considered failed. |
456 |
|
|
*/ |
457 |
|
|
scanner { |
458 |
|
|
/* |
459 |
michael |
5146 |
* Unique name of this scanner. This is used further down in the |
460 |
michael |
5052 |
* user {} blocks to decide which users get affected by which |
461 |
|
|
* scanners. |
462 |
|
|
*/ |
463 |
michael |
5104 |
name = "default"; |
464 |
michael |
5052 |
|
465 |
|
|
/* |
466 |
|
|
* HTTP CONNECT - very common proxy protocol supported by widely known |
467 |
michael |
5146 |
* software such as Squid and Apache. The most common sort of |
468 |
|
|
* insecure proxy and found on a multitude of weird ports too. Offers |
469 |
michael |
5052 |
* transparent two way TCP connections. |
470 |
|
|
*/ |
471 |
|
|
protocol = HTTP:80; |
472 |
|
|
protocol = HTTP:8080; |
473 |
|
|
protocol = HTTP:3128; |
474 |
|
|
protocol = HTTP:6588; |
475 |
|
|
|
476 |
michael |
6235 |
/* |
477 |
|
|
* The SSL/TLS variant of HTTP |
478 |
|
|
*/ |
479 |
michael |
6297 |
# protocol = HTTPS:443; |
480 |
|
|
# protocol = HTTPS:8443; |
481 |
michael |
6222 |
|
482 |
michael |
5052 |
/* |
483 |
|
|
* SOCKS4/5 - well known proxy protocols, probably the second most |
484 |
|
|
* common for insecure proxies, also offers transparent two way TCP |
485 |
michael |
5146 |
* connections. Fortunately largely confined to port 1080. |
486 |
michael |
5052 |
*/ |
487 |
|
|
protocol = SOCKS4:1080; |
488 |
|
|
protocol = SOCKS5:1080; |
489 |
|
|
|
490 |
|
|
/* |
491 |
|
|
* Cisco routers with a default password (yes, it really does happen). |
492 |
|
|
* Also pretty much anything else that will let you telnet to anywhere |
493 |
michael |
6565 |
* else on the Internet. Fortunately these are always on port 23. |
494 |
michael |
5052 |
*/ |
495 |
|
|
protocol = ROUTER:23; |
496 |
|
|
|
497 |
|
|
/* |
498 |
|
|
* WinGate is commercial windows proxy software which is now not so |
499 |
|
|
* common, but still to be found, and helpfully presents an interface |
500 |
|
|
* that can be used to telnet out, on port 23. |
501 |
|
|
*/ |
502 |
|
|
protocol = WINGATE:23; |
503 |
|
|
|
504 |
michael |
6001 |
/* |
505 |
|
|
* Dreambox DVB receivers with a default password allowing |
506 |
|
|
* full root access to telnet or install bouncers. |
507 |
|
|
*/ |
508 |
michael |
5998 |
protocol = DREAMBOX:23; |
509 |
|
|
|
510 |
michael |
5052 |
/* |
511 |
|
|
* The HTTP POST protocol, often dismissed when writing the access |
512 |
|
|
* controls for proxies, but sadly can still be used to abused. |
513 |
|
|
* Offers only the opportunity to send a single block of data, but |
514 |
|
|
* enough of them at once can still make for a devastating flood. |
515 |
|
|
* Found on the same ports that HTTP CONNECT proxies inhabit. |
516 |
|
|
* |
517 |
|
|
* Note that if your ircd has "ping cookies" then clients from HTTP |
518 |
michael |
5146 |
* POST proxies cannot actually ever get onto your network anyway. If |
519 |
michael |
5052 |
* you leave the checks in then you'll still find some (because some |
520 |
michael |
5056 |
* people IRC from boxes that run them), but if you use HOPM purely as |
521 |
michael |
5052 |
* a protective measure and you have ping cookies, you need not scan |
522 |
|
|
* for HTTP POST. |
523 |
|
|
*/ |
524 |
|
|
protocol = HTTPPOST:80; |
525 |
|
|
|
526 |
michael |
6235 |
/* |
527 |
|
|
* The SSL/TLS variant of HTTPPOST |
528 |
|
|
*/ |
529 |
michael |
6297 |
# protocol = HTTPSPOST:443; |
530 |
|
|
# protocol = HTTPSPOST:8443; |
531 |
michael |
6222 |
|
532 |
michael |
5052 |
/* |
533 |
michael |
6170 |
* IP address this scanner will bind to. Use this if you need your scans to |
534 |
michael |
5056 |
* come FROM a particular interface on the machine you run HOPM from. |
535 |
michael |
5052 |
* If you don't understand what this means, please leave this |
536 |
|
|
* commented out, as this is a major source of support queries! |
537 |
|
|
*/ |
538 |
|
|
# vhost = "127.0.0.1"; |
539 |
|
|
|
540 |
michael |
5298 |
/* |
541 |
|
|
* Maximum file descriptors this scanner can use. Remember that there |
542 |
michael |
5146 |
* will be one FD for each protocol listed above. As this example |
543 |
|
|
* scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD |
544 |
michael |
5052 |
* limit, this scanner can be used on 64 users _at the same time_. |
545 |
|
|
* That should be adequate for most servers. |
546 |
|
|
*/ |
547 |
|
|
fd = 512; |
548 |
|
|
|
549 |
|
|
/* |
550 |
michael |
5146 |
* Maximum data read from a proxy before considering it closed. Don't |
551 |
michael |
5052 |
* set this too high, some people have fun setting up lots of ports |
552 |
michael |
5146 |
* that send endless data to tie up your scanner. 4KB is plenty for |
553 |
michael |
5052 |
* any known proxy. |
554 |
|
|
*/ |
555 |
michael |
6170 |
max_read = 4 kbytes; |
556 |
michael |
5052 |
|
557 |
|
|
/* |
558 |
michael |
5080 |
* Amount of time before a test is considered timed out. |
559 |
michael |
5052 |
* Again, all but the poorest slowest proxies will be detected within |
560 |
|
|
* 30 seconds, and this helps keep resource usage low. |
561 |
|
|
*/ |
562 |
michael |
5080 |
timeout = 30 seconds; |
563 |
michael |
5052 |
|
564 |
michael |
5104 |
/* |
565 |
michael |
5052 |
* Target IP to tell the proxy to connect to |
566 |
michael |
5104 |
* |
567 |
michael |
5052 |
* !!! THIS MUST BE CHANGED !!! |
568 |
|
|
* |
569 |
|
|
* You cannot instruct the proxy to connect to itself! The easiest |
570 |
michael |
6170 |
* thing to do would be to set this to the IP address of your ircd |
571 |
|
|
* and then keep the default target_strings. |
572 |
michael |
5052 |
* |
573 |
michael |
6170 |
* Please use an IP address that is publically reachable from anywhere |
574 |
|
|
* on the Internet, because you have no way of knowing where the insecure |
575 |
michael |
5146 |
* proxies will be located. Just because you and your HOPM can |
576 |
michael |
6170 |
* connect to your ircd on some private IP address like 192.168.0.1, |
577 |
|
|
* does not mean that the insecure proxies out there on the Internet will be |
578 |
michael |
5146 |
* able to. And if they never connect, you will never detect them. |
579 |
michael |
5052 |
* |
580 |
|
|
* Remember to change this setting for every scanner you configure. |
581 |
|
|
*/ |
582 |
michael |
5056 |
target_ip = "127.0.0.1"; |
583 |
michael |
5052 |
|
584 |
|
|
/* |
585 |
michael |
5146 |
* Target port to tell the proxy to connect to. This is usually |
586 |
|
|
* something like 6667. Basically any client-usable port. |
587 |
michael |
5052 |
*/ |
588 |
michael |
5056 |
target_port = 6667; |
589 |
michael |
5052 |
|
590 |
michael |
5104 |
/* |
591 |
michael |
5052 |
* Target string we check for in the data read back by the scanner. |
592 |
|
|
* This should be some string out of the data that your ircd usually |
593 |
michael |
5686 |
* sends on connect. Multiple target strings are allowed. |
594 |
michael |
5052 |
* |
595 |
|
|
* NOTE: Try to keep the number of target strings to a minimum. Two |
596 |
|
|
* should be fine. One for normal connections and one for throttled |
597 |
|
|
* connections. Comment out any others for efficiency. |
598 |
|
|
*/ |
599 |
|
|
|
600 |
michael |
5056 |
/* |
601 |
michael |
5104 |
* Usually first line sent to client on connection to ircd. |
602 |
michael |
5052 |
* If your ircd supports a more specific line (see below), |
603 |
|
|
* using it will reduce false positives. |
604 |
|
|
*/ |
605 |
michael |
5109 |
target_string = ":irc.example.org NOTICE * :*** Looking up your hostname"; |
606 |
michael |
5052 |
|
607 |
michael |
5056 |
/* |
608 |
|
|
* If you try to connect too fast, you'll be throttled by your own |
609 |
michael |
5146 |
* ircd. Here's what a hybrid throttle message looks like: |
610 |
michael |
5052 |
*/ |
611 |
|
|
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled."; |
612 |
|
|
}; |
613 |
|
|
|
614 |
michael |
5056 |
|
615 |
michael |
5052 |
scanner { |
616 |
|
|
name = "extended"; |
617 |
|
|
|
618 |
|
|
protocol = HTTP:81; |
619 |
|
|
protocol = HTTP:8000; |
620 |
|
|
protocol = HTTP:8001; |
621 |
|
|
protocol = HTTP:8081; |
622 |
|
|
|
623 |
|
|
protocol = HTTPPOST:81; |
624 |
|
|
protocol = HTTPPOST:6588; |
625 |
michael |
6235 |
protocol = HTTPPOST:4480; |
626 |
michael |
5052 |
protocol = HTTPPOST:8000; |
627 |
|
|
protocol = HTTPPOST:8001; |
628 |
|
|
protocol = HTTPPOST:8080; |
629 |
|
|
protocol = HTTPPOST:8081; |
630 |
|
|
|
631 |
|
|
/* |
632 |
|
|
* IRCnet have seen many socks5 on these ports, more than on the |
633 |
|
|
* standard ports even. |
634 |
|
|
*/ |
635 |
|
|
protocol = SOCKS4:4914; |
636 |
|
|
protocol = SOCKS4:6826; |
637 |
|
|
protocol = SOCKS4:7198; |
638 |
|
|
protocol = SOCKS4:7366; |
639 |
|
|
protocol = SOCKS4:9036; |
640 |
|
|
|
641 |
|
|
protocol = SOCKS5:4438; |
642 |
|
|
protocol = SOCKS5:5104; |
643 |
|
|
protocol = SOCKS5:5113; |
644 |
|
|
protocol = SOCKS5:5262; |
645 |
|
|
protocol = SOCKS5:5634; |
646 |
|
|
protocol = SOCKS5:6552; |
647 |
|
|
protocol = SOCKS5:6561; |
648 |
|
|
protocol = SOCKS5:7464; |
649 |
|
|
protocol = SOCKS5:7810; |
650 |
|
|
protocol = SOCKS5:8130; |
651 |
|
|
protocol = SOCKS5:8148; |
652 |
|
|
protocol = SOCKS5:8520; |
653 |
|
|
protocol = SOCKS5:8814; |
654 |
|
|
protocol = SOCKS5:9100; |
655 |
|
|
protocol = SOCKS5:9186; |
656 |
|
|
protocol = SOCKS5:9447; |
657 |
|
|
protocol = SOCKS5:9578; |
658 |
michael |
6967 |
protocol = SOCKS5:64101; |
659 |
michael |
5052 |
|
660 |
|
|
/* |
661 |
|
|
* These came courtsey of Keith Dunnett from a bunch of public open |
662 |
|
|
* proxy lists. |
663 |
|
|
*/ |
664 |
|
|
protocol = SOCKS4:29992; |
665 |
|
|
protocol = SOCKS4:38884; |
666 |
|
|
protocol = SOCKS4:18844; |
667 |
|
|
protocol = SOCKS4:17771; |
668 |
|
|
protocol = SOCKS4:31121; |
669 |
|
|
|
670 |
|
|
fd = 400; |
671 |
|
|
|
672 |
michael |
5298 |
/* |
673 |
|
|
* If required you can add settings such as target_ip here |
674 |
michael |
5052 |
* they will override the defaults set in the first scanner |
675 |
|
|
* for this and subsequent scanners defined in the config file |
676 |
|
|
* This affects the following options: |
677 |
|
|
* fd, vhost, target_ip, target_port, target_string, timeout and |
678 |
|
|
* max_read. |
679 |
|
|
*/ |
680 |
|
|
}; |
681 |
|
|
|
682 |
|
|
|
683 |
|
|
/* |
684 |
michael |
5298 |
* User blocks define what scanners will be used to scan which hostmasks. |
685 |
|
|
* When a user connects they will be scanned on every scanner {} (above) |
686 |
|
|
* that matches their host. |
687 |
michael |
5052 |
*/ |
688 |
|
|
user { |
689 |
|
|
/* |
690 |
|
|
* Users matching this host mask will be scanned with all the |
691 |
|
|
* protocols in the scanner named. |
692 |
|
|
*/ |
693 |
|
|
mask = "*!*@*"; |
694 |
|
|
scanner = "default"; |
695 |
|
|
}; |
696 |
|
|
|
697 |
|
|
user { |
698 |
michael |
5056 |
/* |
699 |
|
|
* Connections without ident will match on a vast number of connections |
700 |
|
|
* very few proxies run ident though |
701 |
|
|
*/ |
702 |
michael |
5052 |
# mask = "*!~*@*"; |
703 |
|
|
mask = "*!squid@*"; |
704 |
|
|
mask = "*!nobody@*"; |
705 |
|
|
mask = "*!www-data@*"; |
706 |
|
|
mask = "*!cache@*"; |
707 |
|
|
mask = "*!CacheFlowS@*"; |
708 |
|
|
mask = "*!*@*www*"; |
709 |
|
|
mask = "*!*@*proxy*"; |
710 |
|
|
mask = "*!*@*cache*"; |
711 |
|
|
|
712 |
|
|
scanner = "extended"; |
713 |
|
|
}; |
714 |
|
|
|
715 |
|
|
|
716 |
|
|
/* |
717 |
|
|
* Exempt hosts matching certain strings from any form of scanning or dnsbl. |
718 |
michael |
5056 |
* HOPM will check each string against both the hostname and the IP address of |
719 |
michael |
5052 |
* the user. |
720 |
|
|
* |
721 |
michael |
5146 |
* There are very few valid reasons to actually use "exempt". HOPM should |
722 |
michael |
5052 |
* never get false positives, and we would like to know very much if it does. |
723 |
michael |
5056 |
* One possible scenario is that the machine HOPM runs from is specifically |
724 |
michael |
5052 |
* authorized to use certain hosts as proxies, and users from those hosts use |
725 |
michael |
5146 |
* your network. In this case, without exempt, HOPM will scan these hosts, |
726 |
michael |
5052 |
* find itself able to use them as proxies, and ban them. |
727 |
|
|
*/ |
728 |
|
|
exempt { |
729 |
|
|
mask = "*!*@127.0.0.1"; |
730 |
|
|
}; |