/[svn]/hopm/trunk/doc/reference.conf
ViewVC logotype

Contents of /hopm/trunk/doc/reference.conf

Parent Directory Parent Directory | Revision Log Revision Log


Revision 5056 - (show annotations)
Mon Dec 22 13:29:14 2014 UTC (7 years, 11 months ago) by michael
File size: 20536 byte(s)
- Update reference.conf

1 /*
2
3 HOPM sample configuration
4
5 */
6
7 options {
8 /*
9 * Full path and filename for storing the process ID of the running
10 * HOPM.
11 */
12 pidfile = "/some/path/hopm.pid";
13
14 /*
15 * How many seconds to store the IP address of hosts which are
16 * confirmed (by previous scans) to be secure. New users from these
17 * IP addresses will not be scanned again until this amount of time
18 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
19 * DIRECTIVE, but it is provided due to demand.
20 *
21 * The main reason for not using this feature is that anyone capable
22 * of running a proxy can get abusers onto your network - all they
23 * need do is shut the proxy down, connect themselves, restart the
24 * proxy, and tell their friends to come flood.
25 *
26 * Keep this directive commented out to disable negative caching.
27 */
28 # negcache = 3600;
29
30 /*
31 * Amount of file descriptors to allocate to asynchronous DNS. 64
32 * should be plenty for almost anyone.
33 */
34 dns_fdlimit = 64;
35
36 /*
37 * Put the full path and filename of a logfile here if you wish to log
38 * every scan done. Normally HOPM only logs successfully detected
39 * proxies in the hopm.log, but you may get abuse reports to your ISP
40 * about portscanning. Being able to show that it was HOPM that did
41 * the scan in question can be useful. Leave commented for no
42 * logging.
43 */
44 # scanlog = "/some/path/scan.log";
45 };
46
47
48 IRC {
49 /*
50 * IP to bind to for the IRC connection. You only need to use this if
51 * you wish HOPM to use a particular interface (virtual host, IP
52 * alias, ...) when connecting to the IRC server. There is another
53 * "vhost" setting in the scan {} block below for the actual
54 * portscans. Note that this directive expects an IP address, not a
55 * hostname. Please leave this commented out if you do not
56 * understand what it does, as most people don't need it.
57 */
58 # vhost = "0.0.0.0";
59
60 /*
61 * Nickname for HOPM to use.
62 */
63 nick = "MyHopm";
64
65 /*
66 * Text to appear in the "realname" field of HOPM's /whois output.
67 */
68 realname = "Hybrid Open Proxy Monitor";
69
70 /*
71 * If you don't have an identd running, what username to use.
72 */
73 username = "hopm";
74
75 /*
76 * Hostname (or IP) of the IRC server which HOPM will monitor
77 * connections on.
78 */
79 server = "myserver.somenetwork.org";
80
81 /*
82 * Password used to connect to the IRC server (PASS)
83 */
84 # password = "secret";
85
86 /*
87 * Port of the above server to connect to. This is what HOPM uses to
88 * get onto IRC itself, it is nothing to do with what ports/protocols
89 * are scanned, nor do you need to list every port your ircd listens
90 * on.
91 */
92 port = 6667;
93
94 /*
95 * Command to execute to identify to NickServ (if your network uses
96 * it). This is the raw IRC command text, and the below example
97 * corresponds to "/msg nickserv identify password" in a client. If
98 * you don't understand, just edit "password" in the line below to be
99 * your HOPM's nick password. Leave commented out if you don't need
100 * to identify to NickServ.
101 */
102 # nickserv = "NS IDENTIFY password";
103
104 /*
105 * The username and password needed for HOPM to oper up.
106 */
107 oper = "hopm operpass";
108
109 /*
110 * Mode string that HOPM needs to set on itself as soon as it opers
111 * up. This needs to include the mode for seeing connection notices,
112 * otherwise HOPM won't scan anyone (that's usually umode +c).
113 */
114 mode = "+c";
115
116 /*
117 * If this is set then HOPM will use it as an /away message as soon as
118 * it connects.
119 */
120 away = "I'm a bot. Your messages will be ignored.";
121
122 /*
123 * Info about channels you wish HOPM to join in order to accept
124 * commands. HOPM will also print messages in these channels every
125 * time it detects a proxy. Only IRC operators can command HOPM to do
126 * anything, but some of the things HOPM reports to these channels
127 * could be soncidered sensitive, so it's best not to put HOPM into
128 * public channels.
129 */
130 channel {
131 /*
132 * Channel name. Local ("&") channels are supported if your ircd
133 * supports them.
134 */
135 name = "#hopm";
136
137 /*
138 * If HOPM will need to use a key to enter this channel, this is
139 * where you specify it.
140 */
141 # key = "somekey";
142
143 /*
144 * If you use ChanServ then maybe you want to set the channel
145 * invite-only and have each HOPM do "/msg ChanServ invite" to get
146 * itself in. Leave commented if you don't, or if this makes no
147 * sense to you.
148 */
149 # invite = "CS INVITE #hopm";
150 };
151
152 /*
153 * You can define a bunch of channels if you want:
154 *
155 * channel { name = "#other"; }; channel { name="#channel"; }
156 */
157
158 /*
159 * connregex is a POSIX regular expression used to parse connection
160 * (+c) notices from the ircd. The complexity of the expression should
161 * be kept to a minimum.
162 *
163 * Items in order MUST be: nick user host IP
164 *
165 * HOPM will not work with ircds which do not send an IP in the
166 * connection notice.
167 *
168 * This is fairly complicated stuff, and the consequences of getting
169 * it wrong are the HOPM does not scan anyone. Unless you know
170 * absolutely what you are doing, please just uncomment the example
171 * below that best matches the type of ircd you use.
172 */
173 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
174
175 /*
176 * "kline" controls the command used when an open proxy is confirmed.
177 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
178 *
179 * <WARNING>
180 * Make sure if you need to change this string you also change the
181 * kline command for every DNSBL you enable below.
182 *
183 * Also note that some servers do not allow you to include ':' characters
184 * inside the KLINE message (e.g. for a http:// address).
185 *
186 * Users rewriting this message into something that isn't even a valid
187 * IRC command is the single most common cause of support requests and
188 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
189 * KLINE COMMANDS BELOW.
190 * </WARNING>
191 *
192 * That said, should you wish to customise this text, several
193 * printf-like placeholders are available:
194 *
195 * %n User's nick
196 * %u User's username
197 * %h User's irc hostname
198 * %i User's IP address
199 *
200 */
201 kline = "KLINE *@%h :Open Proxy found on your host.";
202
203 /*
204 * An AKILL example for services with OperServ. Your HOPM must have permission to
205 * AKILL for this to work!
206 */
207 # kline = "OS AKILL +3h *@%h Open proxy found on your host.";
208
209 /*
210 * Text to send on connection, these can be stacked and will be sent in this order.
211 */
212 # perform = "TIME";
213 };
214
215
216 /*
217 * OPM Block defines blacklists and information required to report new proxies
218 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
219 * file. There are several blacklist that list IP addresses known to be open
220 * proxies or other forms of IRC abuse. By checking against these blacklists,
221 * HOPMs are able to ban known sources of abuse without completely scanning them.
222 */
223
224 OPM {
225 /*
226 * Blacklist zones to check IPs against. If you would rather not
227 * trust a remotely managed blacklist, you could set up your own, or
228 * leave these commented out in which case every user will be
229 * scanned. The use of at least one open proxy DNSBL is recommended
230 * however.
231 *
232 * Please check the policies of each blacklist you use to check you
233 * are comfortable with using them to block access to your server
234 * (and that you are allowed to use them).
235 */
236
237 /* DroneBL - http://dronebl.org */
238 # blacklist {
239 # /* The DNS name of the blacklist */
240 # name = "dnsbl.dronebl.org";
241 #
242 # /*
243 # * There are only two values that are valid for this
244 # * "A record bitmask" and "A record reply"
245 # * These options affect how the values specified to reply
246 # * below will be interpreted, a bitmask is where the reply
247 # * values are 2^n and more than one is added up, a reply is
248 # * simply where the last octet of the IP is that number.
249 # * If you are not sure then the values set for dnsbl.dronebl.org
250 # * will work without any changes.
251 # */
252 # type = "A record reply";
253 #
254 # /* Kline types not listed in the reply list below.
255 # *
256 # * For DNSBLs that are not IRC specific and you just wish to kline
257 # * certain types this can be disabled.
258 # */
259 # ban_unknown = yes;
260 #
261 # /* The actual values returned by the dnsbl.dronebl.org blacklist
262 # * As documented at http://www.dronebl.org/howtouse.do */
263 # reply {
264 # 2 = "Sample";
265 # 3 = "IRC Drone";
266 # 4 = "Tor";
267 # 5 = "Bottler";
268 # 6 = "Unknown spambot or drone";
269 # 7 = "DDOS Drone";
270 # 8 = "SOCKS Proxy";
271 # 9 = "HTTP Proxy";
272 # 10 = "ProxyChain";
273 # 255 = "Unknown";
274 # };
275 #
276 # /* The kline message sent for this specific blacklist, remember to put
277 # * the removal method in this.
278 # */
279 # kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=Network";
280 # };
281
282 # /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
283 # * http://oldwww.temp.ahbl.org/docs/ircbl.php */
284 # blacklist {
285 # name = "ircbl.ahbl.org";
286 # type = "A record reply";
287 # ban_unknown = no;
288 # reply {
289 # 2 = "Open proxy";
290 # };
291 # kline = "KLINE *@%h :Listed in ircbl.ahbl.org. See http://ahbl.org/removals";
292 # };
293
294 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
295 # blacklist {
296 # name = "tor.dnsbl.sectoor.de";
297 # type = "A record reply";
298 # reply {
299 # 1 = "Tor exit server";
300 # };
301 # ban_unknown = no;
302 # kline = "KLINE *@%h :Tor exit server detected. See www.sectoor.de/tor.php?ip=%i";
303 # };
304
305 /* rbl.efnet.org - http://rbl.efnet.org/ */
306 # blacklist {
307 # name = "rbl.efnet.org";
308 # type = "A record reply";
309 # reply {
310 # 1 = "Open proxy";
311 # 2 = "Trojan spreader";
312 # 3 = "Trojan infected client";
313 # 4 = "TOR exit server";
314 # 5 = "Drones / Flooding";
315 # };
316 # ban_unknown = yes;
317 # kline = "KLINE *@%h :Listed in rbl.efnet.org. See rbl.efnet.org/?i=%i";
318 # };
319
320
321 /* example: NJABL - please read http://www.njabl.org/use.html before
322 * uncommenting */
323 # blacklist {
324 # name = "dnsbl.njabl.org";
325 # type = "A record reply";
326 # reply {
327 # 9 = "Open proxy";
328 # };
329 # ban_unknown = no;
330 # kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
331 # };
332
333 /*
334 * You can report the insecure proxies you find to a DNSBL also!
335 * The remaining directives in this section are only needed if you
336 * intend to do this. Reports are sent by email, one email per IP
337 * address. The format does support multiple addresses in one email,
338 * but we don't know of any servers that are detecting enough insecure
339 * proxies for this to be really necessary.
340 */
341
342 /*
343 * Email address to send reports FROM. If you intend to send reports,
344 * please pick an email address that we can actually send mail to
345 * should we ever need to contact you.
346 */
347 # dnsbl_from = "mybopm@myserver.org";
348
349 /*
350 * Email address to send reports TO.
351 * For example DroneBL:
352 */
353 # dnsbl_to = "bopm-report@dronebl.org";
354
355 /*
356 * Full path to your sendmail binary. Even if your system does not
357 * use sendmail, it probably does have a binary called "sendmail"
358 * present in /usr/sbin or /usr/lib. If you don't set this, no
359 * proxies will be reported.
360 */
361 # sendmail = "/usr/sbin/sendmail";
362 };
363
364
365 /*
366 * The short explanation:
367 *
368 * This is where you define what ports/protocols to check for. You can have
369 * multiple scanner blocks and then choose which users will get scanned by
370 * which scanners further down.
371 *
372 * The long explanation:
373 *
374 * Scanner defines a virtual scanner. For each user being scanned, a scanner
375 * will use a file descriptor (and subsequent connection) for each protocol.
376 * Once connecting it will negotiate the proxy to connect to
377 * target_ip:target_port (target_ip MUST be an IP).
378 *
379 * Once connected, any data passed through the proxy will be checked to see if
380 * target_string is contained within that data. If it is the proxy is
381 * considered open. If the connection is closed at any point before
382 * target_string is matched, or if at least max_read bytes are read from the
383 * connection, the negotiation is considered failed.
384 */
385
386 scanner {
387
388 /*
389 * Unique name of this scanner. This is used further down in the
390 * user {} blocks to decide which users get affected by which
391 * scanners.
392 */
393 name="default";
394
395 /*
396 * HTTP CONNECT - very common proxy protocol supported by widely known
397 * software such as Squid and Apache. The most common sort of
398 * insecure proxy and found on a multitude of weird ports too. Offers
399 * transparent two way TCP connections.
400 */
401 protocol = HTTP:80;
402 protocol = HTTP:8080;
403 protocol = HTTP:3128;
404 protocol = HTTP:6588;
405
406 /*
407 * SOCKS4/5 - well known proxy protocols, probably the second most
408 * common for insecure proxies, also offers transparent two way TCP
409 * connections. Fortunately largely confined to port 1080.
410 */
411 protocol = SOCKS4:1080;
412 protocol = SOCKS5:1080;
413
414 /*
415 * Cisco routers with a default password (yes, it really does happen).
416 * Also pretty much anything else that will let you telnet to anywhere
417 * else on the internet. Fortunately these are always on port 23.
418 */
419 protocol = ROUTER:23;
420
421 /*
422 * WinGate is commercial windows proxy software which is now not so
423 * common, but still to be found, and helpfully presents an interface
424 * that can be used to telnet out, on port 23.
425 */
426 protocol = WINGATE:23;
427
428 /*
429 * The HTTP POST protocol, often dismissed when writing the access
430 * controls for proxies, but sadly can still be used to abused.
431 * Offers only the opportunity to send a single block of data, but
432 * enough of them at once can still make for a devastating flood.
433 * Found on the same ports that HTTP CONNECT proxies inhabit.
434 *
435 * Note that if your ircd has "ping cookies" then clients from HTTP
436 * POST proxies cannot actually ever get onto your network anyway. If
437 * you leave the checks in then you'll still find some (because some
438 * people IRC from boxes that run them), but if you use HOPM purely as
439 * a protective measure and you have ping cookies, you need not scan
440 * for HTTP POST.
441 */
442 protocol = HTTPPOST:80;
443
444 /*
445 * IP this scanner will bind to. Use this if you need your scans to
446 * come FROM a particular interface on the machine you run HOPM from.
447 * If you don't understand what this means, please leave this
448 * commented out, as this is a major source of support queries!
449 */
450 # vhost = "127.0.0.1";
451
452 /* Maximum file descriptors this scanner can use. Remember that there
453 * will be one FD for each protocol listed above. As this example
454 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
455 * limit, this scanner can be used on 64 users _at the same time_.
456 * That should be adequate for most servers.
457 */
458 fd = 512;
459
460 /*
461 * Maximum data read from a proxy before considering it closed. Don't
462 * set this too high, some people have fun setting up lots of ports
463 * that send endless data to tie up your scanner. 4KB is plenty for
464 * any known proxy.
465 */
466 max_read = 4096;
467
468 /*
469 * Amount of time (in seconds) before a test is considered timed out.
470 * Again, all but the poorest slowest proxies will be detected within
471 * 30 seconds, and this helps keep resource usage low.
472 */
473 timeout = 30;
474
475 /*
476 * Target IP to tell the proxy to connect to
477 *
478 * !!! THIS MUST BE CHANGED !!!
479 *
480 * You cannot instruct the proxy to connect to itself! The easiest
481 * thing to do would be to set this to the IP of your ircd and then
482 * keep the default target_strings.
483 *
484 * Please use an IP that is publically reachable from anywhere on the
485 * Internet, because you have no way of knowing where the insecure
486 * proxies will be located. Just because you and your HOPM can
487 * connect to your ircd on some private IP like 192.168.0.1, does not
488 * mean that the insecure proxies out there on the Internet will be
489 * able to. And if they never connect, you will never detect them.
490 *
491 * Remember to change this setting for every scanner you configure.
492 */
493 target_ip = "127.0.0.1";
494
495 /*
496 * Target port to tell the proxy to connect to. This is usually
497 * something like 6667. Basically any client-usable port.
498 */
499 target_port = 6667;
500
501 /*
502 * Target string we check for in the data read back by the scanner.
503 * This should be some string out of the data that your ircd usually
504 * sends on connect. The example below will work on most
505 * hybrid/bahamut ircds. Multiple target strings are allowed.
506 *
507 * NOTE: Try to keep the number of target strings to a minimum. Two
508 * should be fine. One for normal connections and one for throttled
509 * connections. Comment out any others for efficiency.
510 */
511
512 /*
513 * Usually first line sent to client on connection to ircd.
514 * If your ircd supports a more specific line (see below),
515 * using it will reduce false positives.
516 */
517 target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname";
518
519 /*
520 * If you try to connect too fast, you'll be throttled by your own
521 * ircd. Here's what a hybrid throttle message looks like:
522 */
523 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
524 };
525
526
527 scanner {
528 name = "extended";
529
530 protocol = HTTP:81;
531 protocol = HTTP:8000;
532 protocol = HTTP:8001;
533 protocol = HTTP:8081;
534
535 protocol = HTTPPOST:81;
536 protocol = HTTPPOST:6588;
537 # protocol = HTTPPOST:4480;
538 protocol = HTTPPOST:8000;
539 protocol = HTTPPOST:8001;
540 protocol = HTTPPOST:8080;
541 protocol = HTTPPOST:8081;
542
543 /*
544 * IRCnet have seen many socks5 on these ports, more than on the
545 * standard ports even.
546 */
547 protocol = SOCKS4:4914;
548 protocol = SOCKS4:6826;
549 protocol = SOCKS4:7198;
550 protocol = SOCKS4:7366;
551 protocol = SOCKS4:9036;
552
553 protocol = SOCKS5:4438;
554 protocol = SOCKS5:5104;
555 protocol = SOCKS5:5113;
556 protocol = SOCKS5:5262;
557 protocol = SOCKS5:5634;
558 protocol = SOCKS5:6552;
559 protocol = SOCKS5:6561;
560 protocol = SOCKS5:7464;
561 protocol = SOCKS5:7810;
562 protocol = SOCKS5:8130;
563 protocol = SOCKS5:8148;
564 protocol = SOCKS5:8520;
565 protocol = SOCKS5:8814;
566 protocol = SOCKS5:9100;
567 protocol = SOCKS5:9186;
568 protocol = SOCKS5:9447;
569 protocol = SOCKS5:9578;
570
571 /*
572 * These came courtsey of Keith Dunnett from a bunch of public open
573 * proxy lists.
574 */
575 protocol = SOCKS4:29992;
576 protocol = SOCKS4:38884;
577 protocol = SOCKS4:18844;
578 protocol = SOCKS4:17771;
579 protocol = SOCKS4:31121;
580
581 fd = 400;
582
583 /* If required you can add settings such as target_ip here
584 * they will override the defaults set in the first scanner
585 * for this and subsequent scanners defined in the config file
586 * This affects the following options:
587 * fd, vhost, target_ip, target_port, target_string, timeout and
588 * max_read.
589 */
590 };
591
592
593 /*
594 * User blocks define what scanners will be used to scan which hostmasks. When
595 * a user connects they will be scanned on every scanner {} (above) that
596 * matches their host.
597 */
598 user {
599 /*
600 * Users matching this host mask will be scanned with all the
601 * protocols in the scanner named.
602 */
603 mask = "*!*@*";
604 scanner = "default";
605 };
606
607 user {
608 /*
609 * Connections without ident will match on a vast number of connections
610 * very few proxies run ident though
611 */
612 # mask = "*!~*@*";
613 mask = "*!squid@*";
614 mask = "*!nobody@*";
615 mask = "*!www-data@*";
616 mask = "*!cache@*";
617 mask = "*!CacheFlowS@*";
618 mask = "*!*@*www*";
619 mask = "*!*@*proxy*";
620 mask = "*!*@*cache*";
621
622 scanner = "extended";
623 };
624
625
626 /*
627 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
628 * HOPM will check each string against both the hostname and the IP address of
629 * the user.
630 *
631 * There are very few valid reasons to actually use "exempt". HOPM should
632 * never get false positives, and we would like to know very much if it does.
633 * One possible scenario is that the machine HOPM runs from is specifically
634 * authorized to use certain hosts as proxies, and users from those hosts use
635 * your network. In this case, without exempt, HOPM will scan these hosts,
636 * find itself able to use them as proxies, and ban them.
637 */
638 exempt {
639 mask = "*!*@127.0.0.1";
640 };

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28