ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/hopm/trunk/doc/reference.conf
Revision: 6985
Committed: Fri Dec 25 20:15:06 2015 UTC (8 years, 3 months ago) by michael
File size: 22615 byte(s)
Log Message:
- Update reference.conf: add 'connregex' for Unreal 4.0.0; update README file

File Contents

# User Rev Content
1 michael 5052 /*
2 michael 5104 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 michael 5142 *
4     * $Id$
5 michael 5104 */
6 michael 5052
7 michael 5104 /*
8     * Shell style (#), C++ style (//) and C style comments are supported.
9     *
10     * Times/durations are written as:
11     * 12 hours 30 minutes 1 second
12     *
13     * Valid units of time:
14     * year, month, week, day, hour, minute, second
15     *
16     * Valid units of size:
17     * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
18     *
19     * Sizes and times may be singular or plural.
20     */
21 michael 5052
22     options {
23     /*
24     * Full path and filename for storing the process ID of the running
25 michael 5056 * HOPM.
26 michael 5052 */
27 michael 6276 pidfile = "var/run/hopm.pid";
28 michael 5052
29     /*
30 michael 5080 * How long to store the IP address of hosts which are confirmed
31 michael 5146 * (by previous scans) to be secure. New users from these
32 michael 5052 * IP addresses will not be scanned again until this amount of time
33     * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
34     * DIRECTIVE, but it is provided due to demand.
35     *
36     * The main reason for not using this feature is that anyone capable
37     * of running a proxy can get abusers onto your network - all they
38     * need do is shut the proxy down, connect themselves, restart the
39     * proxy, and tell their friends to come flood.
40 michael 5056 *
41 michael 5052 * Keep this directive commented out to disable negative caching.
42     */
43 michael 5080 # negcache = 1 hour;
44 michael 5052
45     /*
46 michael 5332 * How long between rebuilds of the negative cache. The negcache
47     * is only rebuilt to free up memory used by entries that are too old.
48     * You probably don't need to tweak this unless you have huge amounts
49     * of people connecting (hundreds per minute). Default is 12 hours.
50     */
51     negcache_rebuild = 12 hours;
52    
53     /*
54 michael 5146 * Amount of file descriptors to allocate to asynchronous DNS. 64
55 michael 5056 * should be plenty for almost anyone.
56 michael 5052 */
57     dns_fdlimit = 64;
58    
59     /*
60 michael 6200 * Amount of time the resolver waits until a response is received
61     * from a name server.
62     */
63     dns_timeout = 5 seconds;
64    
65     /*
66 michael 5052 * Put the full path and filename of a logfile here if you wish to log
67 michael 5146 * every scan done. Normally HOPM only logs successfully detected
68 michael 5056 * proxies in the hopm.log, but you may get abuse reports to your ISP
69 michael 5146 * about portscanning. Being able to show that it was HOPM that did
70     * the scan in question can be useful. Leave commented for no
71 michael 5052 * logging.
72     */
73 michael 6276 # scanlog = "var/log/scan.log";
74 michael 5052 };
75    
76    
77 michael 5104 irc {
78 michael 5052 /*
79 michael 6170 * IP address to bind to for the IRC connection. You only need to
80     * use this if you wish HOPM to use a particular interface
81     * (virtual host, IP alias, ...) when connecting to the IRC server.
82     * There is another "vhost" setting in the scan {} block below for
83     * the actual portscans. Note that this directive expects an IP address,
84     * not a hostname. Please leave this commented out if you do not
85 michael 5052 * understand what it does, as most people don't need it.
86     */
87     # vhost = "0.0.0.0";
88    
89     /*
90 michael 5056 * Nickname for HOPM to use.
91 michael 5052 */
92 michael 5056 nick = "MyHopm";
93 michael 5052
94     /*
95 michael 5056 * Text to appear in the "realname" field of HOPM's /whois output.
96 michael 5052 */
97 michael 5056 realname = "Hybrid Open Proxy Monitor";
98 michael 5052
99     /*
100     * If you don't have an identd running, what username to use.
101     */
102 michael 5056 username = "hopm";
103 michael 5052
104     /*
105 michael 6170 * Hostname (or IP address) of the IRC server which HOPM will monitor
106 michael 5682 * connections on. IPv6 is now supported.
107 michael 5052 */
108 michael 5109 server = "irc.example.org";
109 michael 5052
110     /*
111     * Password used to connect to the IRC server (PASS)
112     */
113     # password = "secret";
114    
115     /*
116 michael 5146 * Port of the above server to connect to. This is what HOPM uses to
117 michael 5052 * get onto IRC itself, it is nothing to do with what ports/protocols
118     * are scanned, nor do you need to list every port your ircd listens
119     * on.
120     */
121     port = 6667;
122    
123     /*
124 michael 5198 * Defines time in which bot will timeout if no data is received
125     */
126     readtimeout = 15 minutes;
127    
128     /*
129 michael 6078 * Interval in how often we try to reconnect to the IRC server
130     */
131     reconnectinterval = 30 seconds;
132    
133     /*
134 michael 5052 * Command to execute to identify to NickServ (if your network uses
135 michael 5146 * it). This is the raw IRC command text, and the below example
136     * corresponds to "/msg nickserv identify password" in a client. If
137 michael 5052 * you don't understand, just edit "password" in the line below to be
138 michael 5146 * your HOPM's nick password. Leave commented out if you don't need
139 michael 5052 * to identify to NickServ.
140     */
141 michael 5056 # nickserv = "NS IDENTIFY password";
142 michael 5052
143     /*
144 michael 5056 * The username and password needed for HOPM to oper up.
145 michael 5052 */
146 michael 5056 oper = "hopm operpass";
147 michael 5104
148 michael 5052 /*
149 michael 5056 * Mode string that HOPM needs to set on itself as soon as it opers
150 michael 5146 * up. This needs to include the mode for seeing connection notices,
151 michael 5056 * otherwise HOPM won't scan anyone (that's usually umode +c).
152 michael 5052 */
153 michael 5056 mode = "+c";
154 michael 5052
155     /*
156 michael 5056 * If this is set then HOPM will use it as an /away message as soon as
157 michael 5052 * it connects.
158     */
159 michael 5069 away = "I'm a bot. Your messages will be ignored.";
160 michael 5052
161     /*
162 michael 5056 * Info about channels you wish HOPM to join in order to accept
163 michael 5146 * commands. HOPM will also print messages in these channels every
164     * time it detects a proxy. Only IRC operators can command HOPM to do
165 michael 5056 * anything, but some of the things HOPM reports to these channels
166 michael 5104 * could be considered sensitive, so it's best not to put HOPM into
167 michael 5052 * public channels.
168     */
169     channel {
170 michael 5056 /*
171 michael 5146 * Channel name. Local ("&") channels are supported if your ircd
172 michael 5056 * supports them.
173     */
174     name = "#hopm";
175 michael 5052
176 michael 5056 /*
177     * If HOPM will need to use a key to enter this channel, this is
178     * where you specify it.
179     */
180     # key = "somekey";
181 michael 5052
182 michael 5056 /*
183     * If you use ChanServ then maybe you want to set the channel
184     * invite-only and have each HOPM do "/msg ChanServ invite" to get
185 michael 5146 * itself in. Leave commented if you don't, or if this makes no
186 michael 5056 * sense to you.
187     */
188     # invite = "CS INVITE #hopm";
189 michael 5052 };
190    
191     /*
192     * You can define a bunch of channels if you want:
193     *
194 michael 6170 * channel { name = "#other"; }; channel { name= "#channel"; }
195 michael 5052 */
196 michael 5056
197 michael 5052 /*
198     * connregex is a POSIX regular expression used to parse connection
199 michael 5682 * notices from the ircd. The complexity of the expression should
200 michael 5052 * be kept to a minimum.
201 michael 5056 *
202 michael 5052 * Items in order MUST be: nick user host IP
203     *
204 michael 6170 * HOPM will not work with ircds which do not send an IP address in the
205 michael 5052 * connection notice.
206     *
207     * This is fairly complicated stuff, and the consequences of getting
208 michael 5146 * it wrong are the HOPM does not scan anyone. Unless you know
209 michael 5052 * absolutely what you are doing, please just uncomment the example
210     * below that best matches the type of ircd you use.
211     */
212 michael 5437
213 michael 6985 /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
214 michael 5052 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
215    
216 michael 6984 /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
217 michael 6985 # connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
218 michael 6984
219 michael 6985 /* UnrealIRCd 4.0.0 */
220     # connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
221    
222 michael 5439 /* InspIRCd */
223     # connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]";
224 michael 5437
225 michael 5922 /* ngIRCd */
226     # connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
227    
228 michael 5052 /*
229     * "kline" controls the command used when an open proxy is confirmed.
230     * We suggest applying a temporary (no more than a few hours) KLINE on the host.
231     *
232     * <WARNING>
233 michael 5056 * Make sure if you need to change this string you also change the
234     * kline command for every DNSBL you enable below.
235 michael 5052 *
236 michael 5056 * Also note that some servers do not allow you to include ':' characters
237     * inside the KLINE message (e.g. for a http:// address).
238 michael 5052 *
239     * Users rewriting this message into something that isn't even a valid
240     * IRC command is the single most common cause of support requests and
241     * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
242     * KLINE COMMANDS BELOW.
243     * </WARNING>
244     *
245     * That said, should you wish to customise this text, several
246     * printf-like placeholders are available:
247     *
248     * %n User's nick
249     * %u User's username
250     * %h User's irc hostname
251     * %i User's IP address
252 michael 5482 * %t Protocol type which has triggered a positive scan
253 michael 5052 */
254 michael 5107 kline = "KLINE 180 *@%h :Open proxy found on your host.";
255 michael 5052
256 michael 6178 /* A GLINE example for ircu */
257     # kline = "GLINE +*@%i 1800 :Open proxy found on your host.";
258    
259 michael 5056 /*
260     * An AKILL example for services with OperServ. Your HOPM must have permission to
261     * AKILL for this to work!
262     */
263 michael 5142 # kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";
264 michael 5052
265     /*
266 michael 5056 * Text to send on connection, these can be stacked and will be sent in this order.
267 michael 5876 *
268 michael 5443 * !!! UNREAL USERS PLEASE NOTE !!!
269     * Unreal users will need PROTOCTL HCN to force hybrid connect
270     * notices.
271     *
272     * Yes Unreal users! That means you! That means you need the line
273     * below! See that thing at the start of the line? That's what we
274     * call a comment! Remove it to UNcomment the line.
275 michael 5052 */
276 michael 5443 # perform = "PROTOCTL HCN";
277 michael 5405
278     /*
279 michael 5409 * Text to send, via NOTICE, immediately when a new client connects. These can be
280 michael 5405 * stacked and will be sent in this order.
281     */
282     # notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
283 michael 5052 };
284    
285    
286     /*
287     * OPM Block defines blacklists and information required to report new proxies
288 michael 5146 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
289 michael 5052 * file. There are several blacklist that list IP addresses known to be open
290     * proxies or other forms of IRC abuse. By checking against these blacklists,
291 michael 5056 * HOPMs are able to ban known sources of abuse without completely scanning them.
292 michael 5052 */
293 michael 5221 #opm {
294 michael 5052 /*
295 michael 5146 * Blacklist zones to check IPs against. If you would rather not
296 michael 5052 * trust a remotely managed blacklist, you could set up your own, or
297     * leave these commented out in which case every user will be
298     * scanned. The use of at least one open proxy DNSBL is recommended
299 michael 5056 * however.
300     *
301 michael 5074 * Please check the policies of each blacklist you use to check you
302 michael 5056 * are comfortable with using them to block access to your server
303     * (and that you are allowed to use them).
304 michael 5052 */
305    
306 michael 5074
307     /* dnsbl.dronebl.org - http://dronebl.org */
308 michael 5052 # blacklist {
309 michael 5074 /* The DNS name of the blacklist */
310     # name = "dnsbl.dronebl.org";
311 michael 5052
312 michael 5074 /*
313     * There are only two values that are valid for this
314     * "A record bitmask" and "A record reply"
315     * These options affect how the values specified to reply
316     * below will be interpreted, a bitmask is where the reply
317     * values are 2^n and more than one is added up, a reply is
318 michael 6170 * simply where the last octet of the IP address is that number.
319 michael 5074 * If you are not sure then the values set for dnsbl.dronebl.org
320     * will work without any changes.
321     */
322     # type = "A record reply";
323 michael 5052
324 michael 5074 /*
325     * Kline types not listed in the reply list below.
326     *
327     * For DNSBLs that are not IRC specific and you just wish to kline
328     * certain types this can be enabled/disabled.
329     */
330     # ban_unknown = no;
331 michael 5052
332 michael 5074 /*
333     * The actual values returned by the dnsbl.dronebl.org blacklist as
334     * documented at http://dronebl.org/docs/howtouse
335     */
336     # reply {
337     # 2 = "Sample";
338     # 3 = "IRC Drone";
339     # 5 = "Bottler";
340     # 6 = "Unknown spambot or drone";
341     # 7 = "DDOS Drone";
342     # 8 = "SOCKS Proxy";
343     # 9 = "HTTP Proxy";
344     # 10 = "ProxyChain";
345     # 13 = "Brute force attackers";
346     # 14 = "Open Wingate Proxy";
347     # 15 = "Compromised router / gateway";
348     # 17 = "Automatically determined botnet IPs (experimental)";
349     # 255 = "Unknown";
350     # };
351 michael 5052
352 michael 5074 /*
353     * The kline message sent for this specific blacklist, remember to put
354     * the removal method in this.
355     */
356 michael 5107 # kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
357 michael 5246 # };
358 michael 5052
359 michael 5074
360     /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
361     # blacklist {
362     # name = "tor.dnsbl.sectoor.de";
363     # type = "A record reply";
364     # ban_unknown = no;
365    
366     # reply {
367     # 1 = "Tor exit server";
368     # };
369    
370 michael 5107 # kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
371 michael 5052 # };
372    
373 michael 5074 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
374     # blacklist {
375     # name = "rbl.efnetrbl.org";
376     # type = "A record reply";
377     # ban_unknown = no;
378    
379     # reply {
380     # 1 = "Open proxy";
381     # 2 = "spamtrap666";
382     # 3 = "spamtrap50";
383     # 4 = "TOR";
384     # 5 = "Drones / Flooding";
385     # };
386    
387 michael 5107 # kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
388 michael 5074 # };
389    
390    
391 michael 5075
392     /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
393     # blacklist {
394     # name = "tor.efnetrbl.org";
395     # type = "A record reply";
396     # ban_unknown = no;
397    
398     # reply {
399     # 1 = "TOR";
400     # };
401    
402 michael 5107 # kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
403 michael 5075 # };
404    
405 michael 5052 /*
406     * You can report the insecure proxies you find to a DNSBL also!
407     * The remaining directives in this section are only needed if you
408 michael 5146 * intend to do this. Reports are sent by email, one email per IP
409     * address. The format does support multiple addresses in one email,
410 michael 5052 * but we don't know of any servers that are detecting enough insecure
411     * proxies for this to be really necessary.
412     */
413    
414     /*
415 michael 5146 * Email address to send reports FROM. If you intend to send reports,
416 michael 5052 * please pick an email address that we can actually send mail to
417     * should we ever need to contact you.
418     */
419     # dnsbl_from = "mybopm@myserver.org";
420    
421     /*
422     * Email address to send reports TO.
423 michael 5056 * For example DroneBL:
424 michael 5052 */
425     # dnsbl_to = "bopm-report@dronebl.org";
426    
427     /*
428 michael 5146 * Full path to your sendmail binary. Even if your system does not
429 michael 5052 * use sendmail, it probably does have a binary called "sendmail"
430 michael 5146 * present in /usr/sbin or /usr/lib. If you don't set this, no
431 michael 5052 * proxies will be reported.
432     */
433     # sendmail = "/usr/sbin/sendmail";
434 michael 5221 #};
435 michael 5052
436    
437     /*
438     * The short explanation:
439     *
440 michael 5146 * This is where you define what ports/protocols to check for. You can have
441 michael 5052 * multiple scanner blocks and then choose which users will get scanned by
442     * which scanners further down.
443     *
444     * The long explanation:
445     *
446 michael 5146 * Scanner defines a virtual scanner. For each user being scanned, a scanner
447 michael 5052 * will use a file descriptor (and subsequent connection) for each protocol.
448     * Once connecting it will negotiate the proxy to connect to
449 michael 6170 * target_ip:target_port (target_ip MUST be an IP address).
450 michael 5052 *
451     * Once connected, any data passed through the proxy will be checked to see if
452 michael 5146 * target_string is contained within that data. If it is the proxy is
453 michael 5052 * considered open. If the connection is closed at any point before
454     * target_string is matched, or if at least max_read bytes are read from the
455     * connection, the negotiation is considered failed.
456     */
457     scanner {
458     /*
459 michael 5146 * Unique name of this scanner. This is used further down in the
460 michael 5052 * user {} blocks to decide which users get affected by which
461     * scanners.
462     */
463 michael 5104 name = "default";
464 michael 5052
465     /*
466     * HTTP CONNECT - very common proxy protocol supported by widely known
467 michael 5146 * software such as Squid and Apache. The most common sort of
468     * insecure proxy and found on a multitude of weird ports too. Offers
469 michael 5052 * transparent two way TCP connections.
470     */
471     protocol = HTTP:80;
472     protocol = HTTP:8080;
473     protocol = HTTP:3128;
474     protocol = HTTP:6588;
475    
476 michael 6235 /*
477     * The SSL/TLS variant of HTTP
478     */
479 michael 6297 # protocol = HTTPS:443;
480     # protocol = HTTPS:8443;
481 michael 6222
482 michael 5052 /*
483     * SOCKS4/5 - well known proxy protocols, probably the second most
484     * common for insecure proxies, also offers transparent two way TCP
485 michael 5146 * connections. Fortunately largely confined to port 1080.
486 michael 5052 */
487     protocol = SOCKS4:1080;
488     protocol = SOCKS5:1080;
489    
490     /*
491     * Cisco routers with a default password (yes, it really does happen).
492     * Also pretty much anything else that will let you telnet to anywhere
493 michael 6565 * else on the Internet. Fortunately these are always on port 23.
494 michael 5052 */
495     protocol = ROUTER:23;
496    
497     /*
498     * WinGate is commercial windows proxy software which is now not so
499     * common, but still to be found, and helpfully presents an interface
500     * that can be used to telnet out, on port 23.
501     */
502     protocol = WINGATE:23;
503    
504 michael 6001 /*
505     * Dreambox DVB receivers with a default password allowing
506     * full root access to telnet or install bouncers.
507     */
508 michael 5998 protocol = DREAMBOX:23;
509    
510 michael 5052 /*
511     * The HTTP POST protocol, often dismissed when writing the access
512     * controls for proxies, but sadly can still be used to abused.
513     * Offers only the opportunity to send a single block of data, but
514     * enough of them at once can still make for a devastating flood.
515     * Found on the same ports that HTTP CONNECT proxies inhabit.
516     *
517     * Note that if your ircd has "ping cookies" then clients from HTTP
518 michael 5146 * POST proxies cannot actually ever get onto your network anyway. If
519 michael 5052 * you leave the checks in then you'll still find some (because some
520 michael 5056 * people IRC from boxes that run them), but if you use HOPM purely as
521 michael 5052 * a protective measure and you have ping cookies, you need not scan
522     * for HTTP POST.
523     */
524     protocol = HTTPPOST:80;
525    
526 michael 6235 /*
527     * The SSL/TLS variant of HTTPPOST
528     */
529 michael 6297 # protocol = HTTPSPOST:443;
530     # protocol = HTTPSPOST:8443;
531 michael 6222
532 michael 5052 /*
533 michael 6170 * IP address this scanner will bind to. Use this if you need your scans to
534 michael 5056 * come FROM a particular interface on the machine you run HOPM from.
535 michael 5052 * If you don't understand what this means, please leave this
536     * commented out, as this is a major source of support queries!
537     */
538     # vhost = "127.0.0.1";
539    
540 michael 5298 /*
541     * Maximum file descriptors this scanner can use. Remember that there
542 michael 5146 * will be one FD for each protocol listed above. As this example
543     * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
544 michael 5052 * limit, this scanner can be used on 64 users _at the same time_.
545     * That should be adequate for most servers.
546     */
547     fd = 512;
548    
549     /*
550 michael 5146 * Maximum data read from a proxy before considering it closed. Don't
551 michael 5052 * set this too high, some people have fun setting up lots of ports
552 michael 5146 * that send endless data to tie up your scanner. 4KB is plenty for
553 michael 5052 * any known proxy.
554     */
555 michael 6170 max_read = 4 kbytes;
556 michael 5052
557     /*
558 michael 5080 * Amount of time before a test is considered timed out.
559 michael 5052 * Again, all but the poorest slowest proxies will be detected within
560     * 30 seconds, and this helps keep resource usage low.
561     */
562 michael 5080 timeout = 30 seconds;
563 michael 5052
564 michael 5104 /*
565 michael 5052 * Target IP to tell the proxy to connect to
566 michael 5104 *
567 michael 5052 * !!! THIS MUST BE CHANGED !!!
568     *
569     * You cannot instruct the proxy to connect to itself! The easiest
570 michael 6170 * thing to do would be to set this to the IP address of your ircd
571     * and then keep the default target_strings.
572 michael 5052 *
573 michael 6170 * Please use an IP address that is publically reachable from anywhere
574     * on the Internet, because you have no way of knowing where the insecure
575 michael 5146 * proxies will be located. Just because you and your HOPM can
576 michael 6170 * connect to your ircd on some private IP address like 192.168.0.1,
577     * does not mean that the insecure proxies out there on the Internet will be
578 michael 5146 * able to. And if they never connect, you will never detect them.
579 michael 5052 *
580     * Remember to change this setting for every scanner you configure.
581     */
582 michael 5056 target_ip = "127.0.0.1";
583 michael 5052
584     /*
585 michael 5146 * Target port to tell the proxy to connect to. This is usually
586     * something like 6667. Basically any client-usable port.
587 michael 5052 */
588 michael 5056 target_port = 6667;
589 michael 5052
590 michael 5104 /*
591 michael 5052 * Target string we check for in the data read back by the scanner.
592     * This should be some string out of the data that your ircd usually
593 michael 5686 * sends on connect. Multiple target strings are allowed.
594 michael 5052 *
595     * NOTE: Try to keep the number of target strings to a minimum. Two
596     * should be fine. One for normal connections and one for throttled
597     * connections. Comment out any others for efficiency.
598     */
599    
600 michael 5056 /*
601 michael 5104 * Usually first line sent to client on connection to ircd.
602 michael 5052 * If your ircd supports a more specific line (see below),
603     * using it will reduce false positives.
604     */
605 michael 5109 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
606 michael 5052
607 michael 5056 /*
608     * If you try to connect too fast, you'll be throttled by your own
609 michael 5146 * ircd. Here's what a hybrid throttle message looks like:
610 michael 5052 */
611     target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
612     };
613    
614 michael 5056
615 michael 5052 scanner {
616     name = "extended";
617    
618     protocol = HTTP:81;
619     protocol = HTTP:8000;
620     protocol = HTTP:8001;
621     protocol = HTTP:8081;
622    
623     protocol = HTTPPOST:81;
624     protocol = HTTPPOST:6588;
625 michael 6235 protocol = HTTPPOST:4480;
626 michael 5052 protocol = HTTPPOST:8000;
627     protocol = HTTPPOST:8001;
628     protocol = HTTPPOST:8080;
629     protocol = HTTPPOST:8081;
630    
631     /*
632     * IRCnet have seen many socks5 on these ports, more than on the
633     * standard ports even.
634     */
635     protocol = SOCKS4:4914;
636     protocol = SOCKS4:6826;
637     protocol = SOCKS4:7198;
638     protocol = SOCKS4:7366;
639     protocol = SOCKS4:9036;
640    
641     protocol = SOCKS5:4438;
642     protocol = SOCKS5:5104;
643     protocol = SOCKS5:5113;
644     protocol = SOCKS5:5262;
645     protocol = SOCKS5:5634;
646     protocol = SOCKS5:6552;
647     protocol = SOCKS5:6561;
648     protocol = SOCKS5:7464;
649     protocol = SOCKS5:7810;
650     protocol = SOCKS5:8130;
651     protocol = SOCKS5:8148;
652     protocol = SOCKS5:8520;
653     protocol = SOCKS5:8814;
654     protocol = SOCKS5:9100;
655     protocol = SOCKS5:9186;
656     protocol = SOCKS5:9447;
657     protocol = SOCKS5:9578;
658 michael 6967 protocol = SOCKS5:64101;
659 michael 5052
660     /*
661     * These came courtsey of Keith Dunnett from a bunch of public open
662     * proxy lists.
663     */
664     protocol = SOCKS4:29992;
665     protocol = SOCKS4:38884;
666     protocol = SOCKS4:18844;
667     protocol = SOCKS4:17771;
668     protocol = SOCKS4:31121;
669    
670     fd = 400;
671    
672 michael 5298 /*
673     * If required you can add settings such as target_ip here
674 michael 5052 * they will override the defaults set in the first scanner
675     * for this and subsequent scanners defined in the config file
676     * This affects the following options:
677     * fd, vhost, target_ip, target_port, target_string, timeout and
678     * max_read.
679     */
680     };
681    
682    
683     /*
684 michael 5298 * User blocks define what scanners will be used to scan which hostmasks.
685     * When a user connects they will be scanned on every scanner {} (above)
686     * that matches their host.
687 michael 5052 */
688     user {
689     /*
690     * Users matching this host mask will be scanned with all the
691     * protocols in the scanner named.
692     */
693     mask = "*!*@*";
694     scanner = "default";
695     };
696    
697     user {
698 michael 5056 /*
699     * Connections without ident will match on a vast number of connections
700     * very few proxies run ident though
701     */
702 michael 5052 # mask = "*!~*@*";
703     mask = "*!squid@*";
704     mask = "*!nobody@*";
705     mask = "*!www-data@*";
706     mask = "*!cache@*";
707     mask = "*!CacheFlowS@*";
708     mask = "*!*@*www*";
709     mask = "*!*@*proxy*";
710     mask = "*!*@*cache*";
711    
712     scanner = "extended";
713     };
714    
715    
716     /*
717     * Exempt hosts matching certain strings from any form of scanning or dnsbl.
718 michael 5056 * HOPM will check each string against both the hostname and the IP address of
719 michael 5052 * the user.
720     *
721 michael 5146 * There are very few valid reasons to actually use "exempt". HOPM should
722 michael 5052 * never get false positives, and we would like to know very much if it does.
723 michael 5056 * One possible scenario is that the machine HOPM runs from is specifically
724 michael 5052 * authorized to use certain hosts as proxies, and users from those hosts use
725 michael 5146 * your network. In this case, without exempt, HOPM will scan these hosts,
726 michael 5052 * find itself able to use them as proxies, and ban them.
727     */
728     exempt {
729     mask = "*!*@127.0.0.1";
730     };

Properties

Name Value
svn:eol-style native
svn:keywords Id