Revision 5052 - (show annotations)
Mon Dec 22 11:56:03 2014 UTC (7 years, 11 months ago) by michael
Original Path: hopm/trunk/bopm.conf.sample
File size: 23034 byte(s)
- Initial import of bopm 3.1.3
1 /*
2
3 BOPM sample configuration
4
5 */
6
options {
    /*
     * Full path and filename for storing the process ID of the running
     * BOPM.  The directory must be writable by the user BOPM runs as;
     * prefer a directory owned by that user over a world-writable one
     * such as /tmp, so that another local user cannot pre-create or
     * replace the file.
     */
    pidfile = "/some/path/bopm.pid";

    /*
     * How many seconds to remember the IP address of hosts which were
     * confirmed (by a previous scan) to be clean.  New users from those
     * addresses are not scanned again until this much time has passed.
     * IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS DIRECTIVE; it
     * is provided only because people asked for it.
     *
     * The reason: negative caching lets anyone who controls a proxy host
     * bypass scanning entirely.  They shut the proxy down, connect once
     * (the host is scanned, found clean and cached), restart the proxy,
     * and for the rest of the cache lifetime every abuser routed through
     * that host is let onto your network unscanned.
     *
     * Keep this directive commented out to disable negative caching.
     */
    # negcache = 3600;

    /*
     * Number of file descriptors to allocate to asynchronous DNS.  64
     * should be plenty for almost anyone -- previous versions of BOPM
     * resolved only one name at a time.  These descriptors come out of
     * the same per-process limit as the "fd" settings in the scanner {}
     * blocks below, so size your ulimit accordingly.
     */
    dns_fdlimit = 64;

    /*
     * Put the full path and filename of a logfile here if you wish to
     * log every scan done.  Normally BOPM only logs successfully
     * detected proxies in bopm.log, but you may receive abuse reports
     * to your ISP about portscanning; being able to show that it was
     * BOPM that performed the scan in question can be useful.  Note
     * that this file will record the IP address of every user that is
     * scanned, so protect it and rotate it like any other log holding
     * personal data.  Leave commented out for no logging.
     */
    # scanlog = "/some/path/scan.log";
};
47
48
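IRC {
    /*
     * IP to bind to for the IRC connection.  You only need this if you
     * wish BOPM to use a particular interface (virtual host, IP alias,
     * ...) when connecting to the IRC server.  There is a separate
     * "vhost" setting in the scanner {} blocks below for the actual
     * portscans.  This directive expects an IP address, not a hostname.
     * Leave it commented out if you do not understand what it does, as
     * most people don't need it.
     */
    # vhost = "0.0.0.0";

    /*
     * Nickname for BOPM to use.
     */
    nick = "MyBopm";

    /*
     * Text to appear in the "realname" field of BOPM's /whois output.
     */
    realname = "Blitzed Open Proxy Monitor";

    /*
     * If you don't have an identd running, what username to use.
     */
    username = "bopm";

    /*
     * Hostname (or IP) of the IRC server whose connections BOPM will
     * monitor.
     */
    server = "myserver.somenetwork.org";

    /*
     * Password used to connect to the IRC server (PASS).
     *
     * This directive, "nickserv" and "oper" below, and any channel "key"
     * are stored in clear text.  Make this file readable only by the
     * user BOPM runs as (e.g. mode 0600) and do not publish or commit a
     * filled-in copy.
     */
    # password = "secret";

    /*
     * Port of the above server to connect to.  This is what BOPM uses to
     * get onto IRC itself; it has nothing to do with which ports or
     * protocols are scanned, and you do not need to list every port your
     * ircd listens on.
     */
    port = 6667;

    /*
     * Command to execute to identify to NickServ (if your network uses
     * it).  This is the raw IRC command text, and the example below
     * corresponds to "/msg nickserv identify password" in a client.  If
     * you don't understand it, just edit "password" in the line below to
     * be your BOPM's nick password.  Leave commented out if you don't
     * need to identify to NickServ.
     */
    # nickserv = "privmsg nickserv :identify password";

    /*
     * The username and password needed for BOPM to oper up.  Give this
     * oper block only what BOPM needs -- the ban command configured in
     * "kline" below and the user mode that shows connection notices --
     * rather than a full administrator oper; BOPM acts on every
     * connecting client automatically, so a compromised BOPM should not
     * be able to do more than that.
     */
    oper = "bopm operpass";

    /*
     * Mode string that BOPM needs to set on itself as soon as it opers
     * up.  This must include the mode for seeing connection notices,
     * otherwise BOPM won't scan anyone (usually umode +c).  It is also
     * a good idea to remove any helper modes so that users don't try to
     * talk to the BOPM.
     *
     * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
     * +c !!
     */
    mode = "+c-h";

    /* Example for Bahamut; +F gives BOPM relaxed flood limits */
    # mode = "+Fc-h";

    /*
     * If this is set then BOPM will use it as an /away message as soon
     * as it connects.
     */
    away = "I'm a bot. Your messages will be ignored.";

    /*
     * Channels you wish BOPM to join in order to accept commands.  BOPM
     * will also print a message in these channels every time it detects
     * a proxy.  Only IRC operators can command BOPM to do anything, but
     * some of what BOPM reports to these channels (user hostnames, IP
     * addresses, DNSBL listings) could be considered sensitive, so do
     * not put BOPM into public channels.
     */
    channel {
        /*
         * Channel name.  Local ("&") channels are supported if your ircd
         * supports them.
         */
        name = "#bopm";

        /*
         * If BOPM needs a key to enter this channel, specify it here.
         */
        # key = "somekey";

        /*
         * If you use ChanServ then you may want to set the channel
         * invite-only and have each BOPM "/msg ChanServ invite" itself
         * in.  Leave commented out if you don't, or if this makes no
         * sense to you.
         */
        # invite = "privmsg chanserv :invite #bopm";
    };

    /*
     * You can define as many channels as you want:
     *
     * channel { name = "#other"; }; channel { name = "#channel"; };
     */

    /*
     * connregex is a POSIX regular expression used to parse connection
     * (+c) notices from the ircd.  Keep the expression as simple as
     * possible.
     *
     * Captured items, in order, MUST be: nick user host IP
     *
     * BOPM will not work with ircds which do not send an IP in the
     * connection notice.
     *
     * This is fairly complicated stuff, and the consequence of getting
     * it wrong is that BOPM does not scan anyone.  Unless you know
     * exactly what you are doing, just uncomment the example below that
     * best matches the type of ircd you use.
     *
     * Note that the IP capture in every example below, [0-9\\.]+,
     * matches IPv4 addresses only.  A connection notice carrying an
     * IPv6 address will not match and that client will not be scanned;
     * extend the expression if your ircd accepts IPv6 clients.
     *
     * !!! NOTE !!! If a connregex for your ircd does not appear here and
     * the hybrid connregex does not appear to work, check the BOPM FAQ
     * at http://wiki.blitzed.org/BOPM before contacting our lists for
     * help.
     */

    /* Hybrid / Bahamut / Unreal (in HCN mode) */
    connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * Ultimate ircd - note the control-B characters around Connect/Exit
     * (they may not be visible in your editor or in a web view of this
     * file); they are there because that text appears in bold in the
     * actual connect notice.  Be very careful when editing this, and do
     * it as you would put bold characters into IRC MOTDs.
     */
    # connregex = "\\*\\*\\* Connect/Exit -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * SorIRCd 1.3.4+ / StarIRCd 5.26+.
     */
    # connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * "kline" is the raw IRC command sent when an open proxy is
     * confirmed.  We suggest applying a temporary (no more than a few
     * hours) KLINE on the host.
     *
     * <WARNING>
     * If you change this string, remember to also change the kline
     * command of every DNSBL you enable below.
     *
     * Some servers do not allow ':' characters inside the KLINE message
     * (e.g. for a http:// address).
     *
     * Users rewriting this message into something that isn't even a
     * valid IRC command is the single most common cause of support
     * requests and therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE
     * OF THE EXAMPLE KLINE COMMANDS BELOW.
     * </WARNING>
     *
     * That said, should you wish to customise this text, several
     * printf-like placeholders are available:
     *
     *  %n  User's nick
     *  %u  User's username
     *  %h  User's irc hostname
     *  %i  User's IP address
     *
     * Keep in mind that %n, %u and %h are taken from the connection
     * notice and originate from the connecting client or its reverse
     * DNS; the ircd normally restricts which characters they may
     * contain, but %i (the address the ircd actually saw) is the safest
     * value to embed in a raw command.  Banning *@%i rather than *@%h,
     * as the IRCu example below does, also still applies where the
     * displayed hostname is spoofed or cloaked.
     */
    kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /* A GLINE example for IRCu: */
    # kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /*
     * An AKILL example for services with OperServ.  Your BOPM must have
     * permission to AKILL for this to work!  (The service nick is
     * "OperServ"; earlier copies of this example misspelled it as
     * "OpenServ", which services would silently ignore.)
     */
    # kline = "PRIVMSG OperServ :AKILL +3h *@%h Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /*
     * Text to send on connection.  Several "perform" lines may be
     * given; they are sent in this order.
     *
     * !!! UNREAL USERS PLEASE NOTE !!!
     * Unreal users will need PROTOCTL HCN to force hybrid-style connect
     * notices.
     *
     * Yes Unreal users!  That means you!  That means you need the line
     * below!  See that thing at the start of the line?  That's what we
     * call a comment.  Remove it to UNcomment the line.
     */
    # perform = "PROTOCTL HCN";
};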
258
259
260 /*
261 * OPM Block defines blacklists and information required to report new proxies
262 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
263 file. There are several blacklists that list IP addresses known to be open
264 * proxies or other forms of IRC abuse. By checking against these blacklists,
265 * BOPMs are able to ban known sources of abuse without completely scanning them.
266 */
267
OPM {
    /*
     * Blacklist zones to check IPs against.  If you would rather not
     * trust a remotely managed blacklist, you could set up your own, or
     * leave these commented out, in which case every user will be
     * scanned.  The use of at least one open proxy DNSBL is recommended
     * however.
     *
     * Two things to keep in mind when enabling a zone:
     *
     *  - Every connecting user's IP address is sent as a DNS query to
     *    the operator of each zone you enable.
     *  - You are trusting that operator's answers.  A zone that is
     *    retired, or whose DNS breaks, may start answering positively
     *    for every query; with ban_unknown = yes that would K-line every
     *    user who connects.  Monitor the zones you use and remove ones
     *    that are no longer maintained.
     *
     * Blitzed is not associated with any of these DNSBLs; please check
     * the policies of each blacklist you use to confirm you are
     * comfortable with using it to block access to your server (and
     * that you are allowed to use it).
     */

    /* DroneBL - http://dronebl.org */
    # blacklist {
    #     /* The DNS name of the blacklist */
    #     name = "dnsbl.dronebl.org";
    #
    #     /*
    #      * There are only two valid values for this:
    #      * "A record bitmask" and "A record reply".
    #      * These affect how the values in the reply {} list below are
    #      * interpreted.  With a bitmask the reply values are 2^n and
    #      * more than one may be added together; with a reply the last
    #      * octet of the returned IP is simply that number.  If you are
    #      * not sure, the values set for dnsbl.dronebl.org will work
    #      * without any changes.
    #      */
    #     type = "A record reply";
    #
    #     /*
    #      * Whether to kline on reply codes not listed in the reply {}
    #      * list below.
    #      *
    #      * For DNSBLs that are not IRC specific, or that also list
    #      * categories you do not want to ban on, set this to "no" so
    #      * that only the explicitly listed codes result in a kline.
    #      */
    #     ban_unknown = yes;
    #
    #     /*
    #      * The actual values returned by the dnsbl.dronebl.org blacklist,
    #      * as documented at http://www.dronebl.org/howtouse.do
    #      */
    #     reply {
    #         2 = "Sample";
    #         3 = "IRC Drone";
    #         4 = "Tor";
    #         5 = "Bottler";
    #         6 = "Unknown spambot or drone";
    #         7 = "DDOS Drone";
    #         8 = "SOCKS Proxy";
    #         9 = "HTTP Proxy";
    #         10 = "ProxyChain";
    #         255 = "Unknown";
    #     };
    #
    #     /*
    #      * The kline message sent for this specific blacklist; remember
    #      * to include the removal method in it.
    #      */
    #     kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=Network";
    # };

    # /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
    #  * http://oldwww.temp.ahbl.org/docs/ircbl.php */
    # blacklist {
    #     name = "ircbl.ahbl.org";
    #     type = "A record reply";
    #     ban_unknown = no;
    #     reply {
    #         2 = "Open proxy";
    #     };
    #     kline = "KLINE *@%h :Listed in ircbl.ahbl.org. See http://ahbl.org/removals";
    # };

    /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
    # blacklist {
    #     name = "tor.dnsbl.sectoor.de";
    #     type = "A record reply";
    #     reply {
    #         1 = "Tor exit server";
    #     };
    #     ban_unknown = no;
    #     kline = "KLINE *@%h :Tor exit server detected. See www.sectoor.de/tor.php?ip=%i";
    # };

    /* rbl.efnet.org - http://rbl.efnet.org/ */
    # blacklist {
    #     name = "rbl.efnet.org";
    #     type = "A record reply";
    #     reply {
    #         1 = "Open proxy";
    #         2 = "Trojan spreader";
    #         3 = "Trojan infected client";
    #         4 = "TOR exit server";
    #         5 = "Drones / Flooding";
    #     };
    #     ban_unknown = yes;
    #     kline = "KLINE *@%h :Listed in rbl.efnet.org. See rbl.efnet.org/?i=%i";
    # };


    /* example: NJABL - please read http://www.njabl.org/use.html before
     * uncommenting */
    # blacklist {
    #     name = "dnsbl.njabl.org";
    #     type = "A record reply";
    #     reply {
    #         9 = "Open proxy";
    #     };
    #     ban_unknown = no;
    #     kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
    # };

    /*
     * You can also report the insecure proxies you find to a DNSBL.
     * The remaining directives in this section are only needed if you
     * intend to do this.  Reports are sent by email, one email per IP
     * address.  The format does support multiple addresses in one
     * email, but we don't know of any servers that detect enough
     * insecure proxies for this to be necessary.
     */

    /*
     * Email address to send reports FROM.  If you intend to send
     * reports, please pick an address that can actually receive mail,
     * so the DNSBL operator can contact you if they ever need to.
     */
    # dnsbl_from = "mybopm@myserver.org";

    /*
     * Email address to send reports TO.
     * For example, DroneBL:
     */
    # dnsbl_to = "bopm-report@dronebl.org";

    /*
     * Full path to your sendmail binary.  Even if your system does not
     * use sendmail, it probably has a binary called "sendmail" in
     * /usr/sbin or /usr/lib.  Use an absolute path, and leave this
     * unset if you do not report: if it is not set, no proxies will be
     * reported.
     */
    # sendmail = "/usr/sbin/sendmail";
};
408
409
410 /*
411 * The short explanation:
412 *
413 * This is where you define what ports/protocols to check for. You can have
414 * multiple scanner blocks and then choose which users will get scanned by
415 * which scanners further down.
416 *
417 * The long explanation:
418 *
419 * Scanner defines a virtual scanner. For each user being scanned, a scanner
420 * will use a file descriptor (and subsequent connection) for each protocol.
421 * Once connecting it will negotiate the proxy to connect to
422 * target_ip:target_port (target_ip MUST be an IP).
423 *
424 * Once connected, any data passed through the proxy will be checked to see if
425 * target_string is contained within that data. If it is the proxy is
426 * considered open. If the connection is closed at any point before
427 * target_string is matched, or if at least max_read bytes are read from the
428 * connection, the negotiation is considered failed.
429 */
430
scanner {

    /*
     * Unique name of this scanner.  This is referenced further down in
     * the user {} blocks to decide which users get scanned by which
     * scanners.
     */
    name="default";

    /*
     * HTTP CONNECT - very common proxy protocol supported by widely
     * known software such as Squid and Apache.  The most common sort of
     * insecure proxy, found on a multitude of odd ports too.  Offers
     * transparent two-way TCP connections.
     */
    protocol = HTTP:80;
    protocol = HTTP:8080;
    protocol = HTTP:3128;
    protocol = HTTP:6588;

    /*
     * SOCKS4/5 - well known proxy protocols, probably the second most
     * common for insecure proxies; also offer transparent two-way TCP
     * connections.  Fortunately largely confined to port 1080.
     */
    protocol = SOCKS4:1080;
    protocol = SOCKS5:1080;

    /*
     * Cisco routers with a default password (yes, it really does
     * happen), and pretty much anything else that will let you telnet
     * onwards to anywhere on the Internet.  Fortunately these are
     * always on port 23.
     */
    protocol = ROUTER:23;

    /*
     * WinGate is commercial Windows proxy software which is now not so
     * common, but still to be found, and helpfully presents an
     * interface that can be used to telnet out, on port 23.
     */
    protocol = WINGATE:23;

    /*
     * The HTTP POST protocol, often overlooked when writing the access
     * controls for proxies, but sadly it can still be abused.  It only
     * allows a single block of data to be sent, but enough of them at
     * once can still make for a devastating flood.  Found on the same
     * ports that HTTP CONNECT proxies inhabit.
     *
     * Note that if your ircd has "ping cookies" then clients coming
     * through HTTP POST proxies can never actually get onto your
     * network anyway.  If you leave the check in you'll still find some
     * (because some people IRC from boxes that run them), but if you
     * use BOPM purely as a protective measure and you have ping
     * cookies, you need not scan for HTTP POST.
     */
    protocol = HTTPPOST:80;

    /*
     * IP this scanner will bind to.  Use this if you need your scans to
     * come FROM a particular interface on the machine you run BOPM on.
     * The value below is only a placeholder: binding outgoing scans to
     * 127.0.0.1 would keep them from reaching any remote host, so if
     * you do use this, give one of the machine's routable addresses.
     * If you don't understand what this means, please leave it
     * commented out, as it is a major source of support queries!
     */
    # vhost = "127.0.0.1";

    /*
     * Maximum file descriptors this scanner may use.  Remember that
     * there will be one FD for each protocol listed above.  This
     * example scanner lists 9 protocols, so it needs 9 FDs per user;
     * with a 512 FD limit it can scan about 56 users _at the same
     * time_.  That should be adequate for most servers.  The limit must
     * fit within the process's descriptor limit (ulimit -n) together
     * with dns_fdlimit and any other scanners.
     */
    fd = 512;

    /*
     * Maximum data read from a proxy before considering it closed.
     * Don't set this too high: some people have fun setting up lots of
     * ports that send endless data to tie up your scanner, and this cap
     * is what bounds the memory and time spent on such a host.  4KB is
     * plenty for any known proxy.
     */
    max_read = 4096;

    /*
     * Time (in seconds) before a test is considered timed out.  All but
     * the slowest proxies will be detected within 30 seconds, and a
     * short timeout keeps resource usage low and limits how long a
     * deliberately slow host can hold one of the FDs above.
     */
    timeout = 30;

    /*
     * Target IP to tell the proxy to connect to.
     *
     * !!! THIS MUST BE CHANGED !!!
     *
     * You cannot instruct the proxy to connect to itself!  The easiest
     * thing to do is to set this to the IP of your ircd and then keep
     * the default target_strings.
     *
     * Please use an IP that is publicly reachable from anywhere on the
     * Internet, because you have no way of knowing where the insecure
     * proxies will be located.  Just because you and your BOPM can
     * connect to your ircd on some private IP like 192.168.0.1 does not
     * mean that the insecure proxies out on the Internet will be able
     * to.  And if they never connect, you will never detect them.
     *
     * Remember to change this setting for every scanner you configure.
     */
    target_ip = "127.0.0.1";

    /*
     * Target port to tell the proxy to connect to.  This is usually
     * something like 6667 -- basically any client-usable port.
     */
    target_port = 6667;

    /*
     * Target string(s) we look for in the data read back by the
     * scanner.  This should be some string out of the data that your
     * ircd usually sends on connect.  The example below will work on
     * most hybrid/bahamut ircds.  Multiple target strings are allowed;
     * a proxy is considered open as soon as any one of them is seen.
     *
     * NOTE: Try to keep the number of target strings to a minimum.  Two
     * should be fine: one for normal connections and one for throttled
     * connections.  Comment out any others for efficiency.
     */

    /*
     * Usually the first line sent to a client on connection to the ircd.
     * It is generic -- many ircds send exactly this text -- so if your
     * ircd supports a more specific line (see below), using it will
     * reduce false positives.
     */
    target_string = "*** Looking up your hostname...";

    /*
     * Some ircds give a source for the NOTICE AUTH (bahamut for
     * example).  It is recommended you use the following instead of the
     * generic "*** Looking up your hostname..." if your ircd supports
     * it, as it reduces the chance of false positives.
     */
    # target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname...";

    /*
     * If you try to connect too fast, you'll be throttled by your own
     * ircd.  Here's what a hybrid throttle message looks like:
     */
    target_string = "ERROR :Trying to reconnect too fast.";

    /* And the same for bahamut (comment this out if you're not using bahamut): */
    target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};
579
scanner {
    /*
     * A second, heavier scanner covering less common proxy ports.  It
     * is only applied to the hostmasks that select it in the user {}
     * blocks below, not to every connection.
     */
    name = "extended";

    protocol = HTTP:81;
    protocol = HTTP:8000;
    protocol = HTTP:8001;
    protocol = HTTP:8081;

    protocol = HTTPPOST:81;
    protocol = HTTPPOST:6588;
    # protocol = HTTPPOST:4480;
    protocol = HTTPPOST:8000;
    protocol = HTTPPOST:8001;
    protocol = HTTPPOST:8080;
    protocol = HTTPPOST:8081;

    /*
     * IRCnet have seen many SOCKS proxies on these ports, more than on
     * the standard ports even.
     */
    protocol = SOCKS4:4914;
    protocol = SOCKS4:6826;
    protocol = SOCKS4:7198;
    protocol = SOCKS4:7366;
    protocol = SOCKS4:9036;

    protocol = SOCKS5:4438;
    protocol = SOCKS5:5104;
    protocol = SOCKS5:5113;
    protocol = SOCKS5:5262;
    protocol = SOCKS5:5634;
    protocol = SOCKS5:6552;
    protocol = SOCKS5:6561;
    protocol = SOCKS5:7464;
    protocol = SOCKS5:7810;
    protocol = SOCKS5:8130;
    protocol = SOCKS5:8148;
    protocol = SOCKS5:8520;
    protocol = SOCKS5:8814;
    protocol = SOCKS5:9100;
    protocol = SOCKS5:9186;
    protocol = SOCKS5:9447;
    protocol = SOCKS5:9578;

    /*
     * These came courtesy of Keith Dunnett from a bunch of public open
     * proxy lists.
     */
    protocol = SOCKS4:29992;
    protocol = SOCKS4:38884;
    protocol = SOCKS4:18844;
    protocol = SOCKS4:17771;
    protocol = SOCKS4:31121;

    /*
     * This scanner lists 37 active protocols, so each user scanned by
     * it needs 37 FDs; with fd = 400 that is roughly 10 users at the
     * same time.  Raise it (within your process descriptor limit) if
     * the masks selecting this scanner match a lot of your traffic.
     */
    fd = 400;

    /*
     * If required you can add settings such as target_ip here; they
     * will override the defaults set in the first scanner for this and
     * subsequent scanners defined in the config file.  This affects the
     * following options: fd, vhost, target_ip, target_port,
     * target_string, timeout and max_read.  In particular, the
     * target_ip you set in the "default" scanner is inherited here, so
     * it only needs changing once unless you want a different target.
     */
};
644
645
646
647 /*
648 * User blocks define what scanners will be used to scan which hostmasks. When
649 * a user connects they will be scanned on every scanner {} (above) that
650 * matches their host.
651 */
652
user {
    /*
     * Users matching this host mask will be scanned with all the
     * protocols in the scanner named.  The catch-all mask here means
     * every connecting client gets the "default" scanner; do not narrow
     * it unless you intend to leave some clients unscanned.
     */
    mask = "*!*@*";
    scanner = "default";
};
661
user {
    /*
     * Hostmasks that look like they may be proxies (usernames and
     * hostnames typical of caching/proxy software) get the heavier
     * "extended" scanner on top of the default one.
     *
     * A "~" username means the client returned no identd response.
     * Very few proxies run identd, so "*!~*@*" is a good indicator, but
     * it also matches a vast number of ordinary connections and would
     * send all of them through the extended scanner; enable it only if
     * you have the file descriptors to spare.
     */
    # mask = "*!~*@*";
    mask = "*!squid@*";
    mask = "*!nobody@*";
    mask = "*!www-data@*";
    mask = "*!cache@*";
    mask = "*!CacheFlowS@*";
    mask = "*!*@*www*";
    mask = "*!*@*proxy*";
    mask = "*!*@*cache*";

    scanner = "extended";
};
677
678
679 /*
680 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
681 * BOPM will check each string against both the hostname and the IP address of
682 * the user.
683 *
684 * There are very few valid reasons to actually use "exempt". BOPM should
685 * never get false positives, and we would like to know very much if it does.
686 * One possible scenario is that the machine BOPM runs from is specifically
687 * authorized to use certain hosts as proxies, and users from those hosts use
688 * your network. In this case, without exempt, BOPM will scan these hosts,
689 * find itself able to use them as proxies, and ban them.
690 */
exempt {
    /*
     * Matched against both the hostname and the IP of each connecting
     * user; a match skips scanning AND DNSBL lookups entirely, so keep
     * this list as short as possible and never use broad masks here.
     * The loopback entry presumably covers clients on the ircd's own
     * host (services, the BOPM itself) -- confirm it fits your setup.
     */
    mask = "*!*@127.0.0.1";
};
