ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/hopm/trunk/doc/reference.conf
Revision: 5104
Committed: Wed Dec 24 12:25:37 2014 UTC (9 years, 3 months ago) by michael
File size: 20207 byte(s)
Log Message:
- Update documents

File Contents

# Content
1 /*
2 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 */
4
5 /*
6 * Shell style (#), C++ style (//) and C style comments are supported.
7 *
8 * Times/durations are written as:
9 * 12 hours 30 minutes 1 second
10 *
11 * Valid units of time:
12 * year, month, week, day, hour, minute, second
13 *
14 * Valid units of size:
15 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
16 *
17 * Sizes and times may be singular or plural.
18 */
19
20 options {
21 /*
22 * Full path and filename for storing the process ID of the running
23 * HOPM.
24 */
25 pidfile = "/some/path/hopm.pid";
26
27 /*
28 * How long to store the IP address of hosts which are confirmed
29 * (by previous scans) to be secure. New users from these
30 * IP addresses will not be scanned again until this amount of time
31 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
32 * DIRECTIVE, but it is provided due to demand.
33 *
34 * The main reason for not using this feature is that anyone capable
35 * of running a proxy can get abusers onto your network - all they
36 * need do is shut the proxy down, connect themselves, restart the
37 * proxy, and tell their friends to come flood.
38 *
39 * Keep this directive commented out to disable negative caching.
40 */
41 # negcache = 1 hour;
42
43 /*
44 * Amount of file descriptors to allocate to asynchronous DNS. 64
45 * should be plenty for almost anyone.
46 */
47 dns_fdlimit = 64;
48
49 /*
50 * Put the full path and filename of a logfile here if you wish to log
51 * every scan done. Normally HOPM only logs successfully detected
52 * proxies in the hopm.log, but you may get abuse reports to your ISP
53 * about portscanning. Being able to show that it was HOPM that did
54 * the scan in question can be useful. Leave commented for no
55 * logging.
56 */
57 # scanlog = "/some/path/scan.log";
58 };
59
60
61 irc {
62 /*
63 * IP to bind to for the IRC connection. You only need to use this if
64 * you wish HOPM to use a particular interface (virtual host, IP
65 * alias, ...) when connecting to the IRC server. There is another
66 * "vhost" setting in the scan {} block below for the actual
67 * portscans. Note that this directive expects an IP address, not a
68 * hostname. Please leave this commented out if you do not
69 * understand what it does, as most people don't need it.
70 */
71 # vhost = "0.0.0.0";
72
73 /*
74 * Nickname for HOPM to use.
75 */
76 nick = "MyHopm";
77
78 /*
79 * Text to appear in the "realname" field of HOPM's /whois output.
80 */
81 realname = "Hybrid Open Proxy Monitor";
82
83 /*
84 * If you don't have an identd running, what username to use.
85 */
86 username = "hopm";
87
88 /*
89 * Hostname (or IP) of the IRC server which HOPM will monitor
90 * connections on.
91 */
92 server = "myserver.somenetwork.org";
93
94 /*
95 * Password used to connect to the IRC server (PASS)
96 */
97 # password = "secret";
98
99 /*
100 * Port of the above server to connect to. This is what HOPM uses to
101 * get onto IRC itself, it is nothing to do with what ports/protocols
102 * are scanned, nor do you need to list every port your ircd listens
103 * on.
104 */
105 port = 6667;
106
107 /*
108 * Command to execute to identify to NickServ (if your network uses
109 * it). This is the raw IRC command text, and the below example
110 * corresponds to "/msg nickserv identify password" in a client. If
111 * you don't understand, just edit "password" in the line below to be
112 * your HOPM's nick password. Leave commented out if you don't need
113 * to identify to NickServ.
114 */
115 # nickserv = "NS IDENTIFY password";
116
117 /*
118 * The username and password needed for HOPM to oper up.
119 */
120 oper = "hopm operpass";
121
122 /*
123 * Mode string that HOPM needs to set on itself as soon as it opers
124 * up. This needs to include the mode for seeing connection notices,
125 * otherwise HOPM won't scan anyone (that's usually umode +c).
126 */
127 mode = "+c";
128
129 /*
130 * If this is set then HOPM will use it as an /away message as soon as
131 * it connects.
132 */
133 away = "I'm a bot. Your messages will be ignored.";
134
135 /*
136 * Info about channels you wish HOPM to join in order to accept
137 * commands. HOPM will also print messages in these channels every
138 * time it detects a proxy. Only IRC operators can command HOPM to do
139 * anything, but some of the things HOPM reports to these channels
140 * could be considered sensitive, so it's best not to put HOPM into
141 * public channels.
142 */
143 channel {
144 /*
145 * Channel name. Local ("&") channels are supported if your ircd
146 * supports them.
147 */
148 name = "#hopm";
149
150 /*
151 * If HOPM will need to use a key to enter this channel, this is
152 * where you specify it.
153 */
154 # key = "somekey";
155
156 /*
157 * If you use ChanServ then maybe you want to set the channel
158 * invite-only and have each HOPM do "/msg ChanServ invite" to get
159 * itself in. Leave commented if you don't, or if this makes no
160 * sense to you.
161 */
162 # invite = "CS INVITE #hopm";
163 };
164
165 /*
166 * You can define a bunch of channels if you want:
167 *
168 * channel { name = "#other"; }; channel { name="#channel"; }
169 */
170
171 /*
172 * connregex is a POSIX regular expression used to parse connection
173 * (+c) notices from the ircd. The complexity of the expression should
174 * be kept to a minimum.
175 *
176 * Items in order MUST be: nick user host IP
177 *
178 * HOPM will not work with ircds which do not send an IP in the
179 * connection notice.
180 *
181 * This is fairly complicated stuff, and the consequences of getting
182 * it wrong are the HOPM does not scan anyone. Unless you know
183 * absolutely what you are doing, please just uncomment the example
184 * below that best matches the type of ircd you use.
185 */
186 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
187
188 /*
189 * "kline" controls the command used when an open proxy is confirmed.
190 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
191 *
192 * <WARNING>
193 * Make sure if you need to change this string you also change the
194 * kline command for every DNSBL you enable below.
195 *
196 * Also note that some servers do not allow you to include ':' characters
197 * inside the KLINE message (e.g. for a http:// address).
198 *
199 * Users rewriting this message into something that isn't even a valid
200 * IRC command is the single most common cause of support requests and
201 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
202 * KLINE COMMANDS BELOW.
203 * </WARNING>
204 *
205 * That said, should you wish to customise this text, several
206 * printf-like placeholders are available:
207 *
208 * %n User's nick
209 * %u User's username
210 * %h User's irc hostname
211 * %i User's IP address
212 *
213 */
214 kline = "KLINE *@%h :Open Proxy found on your host.";
215
216 /*
217 * An AKILL example for services with OperServ. Your HOPM must have permission to
218 * AKILL for this to work!
219 */
220 # kline = "OS AKILL +3h *@%h Open proxy found on your host.";
221
222 /*
223 * Text to send on connection, these can be stacked and will be sent in this order.
224 */
225 # perform = "TIME";
226 };
227
228
229 /*
230 * OPM Block defines blacklists and information required to report new proxies
231 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
232 * file. There are several blacklist that list IP addresses known to be open
233 * proxies or other forms of IRC abuse. By checking against these blacklists,
234 * HOPMs are able to ban known sources of abuse without completely scanning them.
235 */
236 opm {
237 /*
238 * Blacklist zones to check IPs against. If you would rather not
239 * trust a remotely managed blacklist, you could set up your own, or
240 * leave these commented out in which case every user will be
241 * scanned. The use of at least one open proxy DNSBL is recommended
242 * however.
243 *
244 * Please check the policies of each blacklist you use to check you
245 * are comfortable with using them to block access to your server
246 * (and that you are allowed to use them).
247 */
248
249
250 /* dnsbl.dronebl.org - http://dronebl.org */
251 # blacklist {
252 /* The DNS name of the blacklist */
253 # name = "dnsbl.dronebl.org";
254
255 /*
256 * There are only two values that are valid for this
257 * "A record bitmask" and "A record reply"
258 * These options affect how the values specified to reply
259 * below will be interpreted, a bitmask is where the reply
260 * values are 2^n and more than one is added up, a reply is
261 * simply where the last octet of the IP is that number.
262 * If you are not sure then the values set for dnsbl.dronebl.org
263 * will work without any changes.
264 */
265 # type = "A record reply";
266
267 /*
268 * Kline types not listed in the reply list below.
269 *
270 * For DNSBLs that are not IRC specific and you just wish to kline
271 * certain types this can be enabled/disabled.
272 */
273 # ban_unknown = no;
274
275 /*
276 * The actual values returned by the dnsbl.dronebl.org blacklist as
277 * documented at http://dronebl.org/docs/howtouse
278 */
279 # reply {
280 # 2 = "Sample";
281 # 3 = "IRC Drone";
282 # 5 = "Bottler";
283 # 6 = "Unknown spambot or drone";
284 # 7 = "DDOS Drone";
285 # 8 = "SOCKS Proxy";
286 # 9 = "HTTP Proxy";
287 # 10 = "ProxyChain";
288 # 13 = "Brute force attackers";
289 # 14 = "Open Wingate Proxy";
290 # 15 = "Compromised router / gateway";
291 # 17 = "Automatically determined botnet IPs (experimental)";
292 # 255 = "Unknown";
293 # };
294
295 /*
296 * The kline message sent for this specific blacklist, remember to put
297 * the removal method in this.
298 */
299 # kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
300 # }
301
302
303 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
304 # blacklist {
305 # name = "tor.dnsbl.sectoor.de";
306 # type = "A record reply";
307 # ban_unknown = no;
308
309 # reply {
310 # 1 = "Tor exit server";
311 # };
312
313 # kline = "KLINE *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
314 # };
315
316 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
317 # blacklist {
318 # name = "rbl.efnetrbl.org";
319 # type = "A record reply";
320 # ban_unknown = no;
321
322 # reply {
323 # 1 = "Open proxy";
324 # 2 = "spamtrap666";
325 # 3 = "spamtrap50";
326 # 4 = "TOR";
327 # 5 = "Drones / Flooding";
328 # };
329
330 # kline = "KLINE *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
331 # };
332
333
334
335 /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
336 # blacklist {
337 # name = "tor.efnetrbl.org";
338 # type = "A record reply";
339 # ban_unknown = no;
340
341 # reply {
342 # 1 = "TOR";
343 # };
344
345 # kline = "KLINE *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
346 # };
347
348 /*
349 * You can report the insecure proxies you find to a DNSBL also!
350 * The remaining directives in this section are only needed if you
351 * intend to do this. Reports are sent by email, one email per IP
352 * address. The format does support multiple addresses in one email,
353 * but we don't know of any servers that are detecting enough insecure
354 * proxies for this to be really necessary.
355 */
356
357 /*
358 * Email address to send reports FROM. If you intend to send reports,
359 * please pick an email address that we can actually send mail to
360 * should we ever need to contact you.
361 */
362 # dnsbl_from = "mybopm@myserver.org";
363
364 /*
365 * Email address to send reports TO.
366 * For example DroneBL:
367 */
368 # dnsbl_to = "bopm-report@dronebl.org";
369
370 /*
371 * Full path to your sendmail binary. Even if your system does not
372 * use sendmail, it probably does have a binary called "sendmail"
373 * present in /usr/sbin or /usr/lib. If you don't set this, no
374 * proxies will be reported.
375 */
376 # sendmail = "/usr/sbin/sendmail";
377 };
378
379
380 /*
381 * The short explanation:
382 *
383 * This is where you define what ports/protocols to check for. You can have
384 * multiple scanner blocks and then choose which users will get scanned by
385 * which scanners further down.
386 *
387 * The long explanation:
388 *
389 * Scanner defines a virtual scanner. For each user being scanned, a scanner
390 * will use a file descriptor (and subsequent connection) for each protocol.
391 * Once connecting it will negotiate the proxy to connect to
392 * target_ip:target_port (target_ip MUST be an IP).
393 *
394 * Once connected, any data passed through the proxy will be checked to see if
395 * target_string is contained within that data. If it is the proxy is
396 * considered open. If the connection is closed at any point before
397 * target_string is matched, or if at least max_read bytes are read from the
398 * connection, the negotiation is considered failed.
399 */
400 scanner {
401
402 /*
403 * Unique name of this scanner. This is used further down in the
404 * user {} blocks to decide which users get affected by which
405 * scanners.
406 */
407 name = "default";
408
409 /*
410 * HTTP CONNECT - very common proxy protocol supported by widely known
411 * software such as Squid and Apache. The most common sort of
412 * insecure proxy and found on a multitude of weird ports too. Offers
413 * transparent two way TCP connections.
414 */
415 protocol = HTTP:80;
416 protocol = HTTP:8080;
417 protocol = HTTP:3128;
418 protocol = HTTP:6588;
419
420 /*
421 * SOCKS4/5 - well known proxy protocols, probably the second most
422 * common for insecure proxies, also offers transparent two way TCP
423 * connections. Fortunately largely confined to port 1080.
424 */
425 protocol = SOCKS4:1080;
426 protocol = SOCKS5:1080;
427
428 /*
429 * Cisco routers with a default password (yes, it really does happen).
430 * Also pretty much anything else that will let you telnet to anywhere
431 * else on the internet. Fortunately these are always on port 23.
432 */
433 protocol = ROUTER:23;
434
435 /*
436 * WinGate is commercial windows proxy software which is now not so
437 * common, but still to be found, and helpfully presents an interface
438 * that can be used to telnet out, on port 23.
439 */
440 protocol = WINGATE:23;
441
442 /*
443 * The HTTP POST protocol, often dismissed when writing the access
444 * controls for proxies, but sadly can still be used to abused.
445 * Offers only the opportunity to send a single block of data, but
446 * enough of them at once can still make for a devastating flood.
447 * Found on the same ports that HTTP CONNECT proxies inhabit.
448 *
449 * Note that if your ircd has "ping cookies" then clients from HTTP
450 * POST proxies cannot actually ever get onto your network anyway. If
451 * you leave the checks in then you'll still find some (because some
452 * people IRC from boxes that run them), but if you use HOPM purely as
453 * a protective measure and you have ping cookies, you need not scan
454 * for HTTP POST.
455 */
456 protocol = HTTPPOST:80;
457
458 /*
459 * IP this scanner will bind to. Use this if you need your scans to
460 * come FROM a particular interface on the machine you run HOPM from.
461 * If you don't understand what this means, please leave this
462 * commented out, as this is a major source of support queries!
463 */
464 # vhost = "127.0.0.1";
465
466 /* Maximum file descriptors this scanner can use. Remember that there
467 * will be one FD for each protocol listed above. As this example
468 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
469 * limit, this scanner can be used on 64 users _at the same time_.
470 * That should be adequate for most servers.
471 */
472 fd = 512;
473
474 /*
475 * Maximum data read from a proxy before considering it closed. Don't
476 * set this too high, some people have fun setting up lots of ports
477 * that send endless data to tie up your scanner. 4KB is plenty for
478 * any known proxy.
479 */
480 max_read = 4kb;
481
482 /*
483 * Amount of time before a test is considered timed out.
484 * Again, all but the poorest slowest proxies will be detected within
485 * 30 seconds, and this helps keep resource usage low.
486 */
487 timeout = 30 seconds;
488
489 /*
490 * Target IP to tell the proxy to connect to
491 *
492 * !!! THIS MUST BE CHANGED !!!
493 *
494 * You cannot instruct the proxy to connect to itself! The easiest
495 * thing to do would be to set this to the IP of your ircd and then
496 * keep the default target_strings.
497 *
498 * Please use an IP that is publically reachable from anywhere on the
499 * Internet, because you have no way of knowing where the insecure
500 * proxies will be located. Just because you and your HOPM can
501 * connect to your ircd on some private IP like 192.168.0.1, does not
502 * mean that the insecure proxies out there on the Internet will be
503 * able to. And if they never connect, you will never detect them.
504 *
505 * Remember to change this setting for every scanner you configure.
506 */
507 target_ip = "127.0.0.1";
508
509 /*
510 * Target port to tell the proxy to connect to. This is usually
511 * something like 6667. Basically any client-usable port.
512 */
513 target_port = 6667;
514
515 /*
516 * Target string we check for in the data read back by the scanner.
517 * This should be some string out of the data that your ircd usually
518 * sends on connect. The example below will work on most
519 * hybrid/bahamut ircds. Multiple target strings are allowed.
520 *
521 * NOTE: Try to keep the number of target strings to a minimum. Two
522 * should be fine. One for normal connections and one for throttled
523 * connections. Comment out any others for efficiency.
524 */
525
526 /*
527 * Usually first line sent to client on connection to ircd.
528 * If your ircd supports a more specific line (see below),
529 * using it will reduce false positives.
530 */
531 target_string = ":server.yournetwork.org NOTICE * :*** Looking up your hostname";
532
533 /*
534 * If you try to connect too fast, you'll be throttled by your own
535 * ircd. Here's what a hybrid throttle message looks like:
536 */
537 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
538 };
539
540
541 scanner {
542 name = "extended";
543
544 protocol = HTTP:81;
545 protocol = HTTP:8000;
546 protocol = HTTP:8001;
547 protocol = HTTP:8081;
548
549 protocol = HTTPPOST:81;
550 protocol = HTTPPOST:6588;
551 # protocol = HTTPPOST:4480;
552 protocol = HTTPPOST:8000;
553 protocol = HTTPPOST:8001;
554 protocol = HTTPPOST:8080;
555 protocol = HTTPPOST:8081;
556
557 /*
558 * IRCnet have seen many socks5 on these ports, more than on the
559 * standard ports even.
560 */
561 protocol = SOCKS4:4914;
562 protocol = SOCKS4:6826;
563 protocol = SOCKS4:7198;
564 protocol = SOCKS4:7366;
565 protocol = SOCKS4:9036;
566
567 protocol = SOCKS5:4438;
568 protocol = SOCKS5:5104;
569 protocol = SOCKS5:5113;
570 protocol = SOCKS5:5262;
571 protocol = SOCKS5:5634;
572 protocol = SOCKS5:6552;
573 protocol = SOCKS5:6561;
574 protocol = SOCKS5:7464;
575 protocol = SOCKS5:7810;
576 protocol = SOCKS5:8130;
577 protocol = SOCKS5:8148;
578 protocol = SOCKS5:8520;
579 protocol = SOCKS5:8814;
580 protocol = SOCKS5:9100;
581 protocol = SOCKS5:9186;
582 protocol = SOCKS5:9447;
583 protocol = SOCKS5:9578;
584
585 /*
586 * These came courtsey of Keith Dunnett from a bunch of public open
587 * proxy lists.
588 */
589 protocol = SOCKS4:29992;
590 protocol = SOCKS4:38884;
591 protocol = SOCKS4:18844;
592 protocol = SOCKS4:17771;
593 protocol = SOCKS4:31121;
594
595 fd = 400;
596
597 /* If required you can add settings such as target_ip here
598 * they will override the defaults set in the first scanner
599 * for this and subsequent scanners defined in the config file
600 * This affects the following options:
601 * fd, vhost, target_ip, target_port, target_string, timeout and
602 * max_read.
603 */
604 };
605
606
607 /*
608 * User blocks define what scanners will be used to scan which hostmasks. When
609 * a user connects they will be scanned on every scanner {} (above) that
610 * matches their host.
611 */
612 user {
613 /*
614 * Users matching this host mask will be scanned with all the
615 * protocols in the scanner named.
616 */
617 mask = "*!*@*";
618 scanner = "default";
619 };
620
621 user {
622 /*
623 * Connections without ident will match on a vast number of connections
624 * very few proxies run ident though
625 */
626 # mask = "*!~*@*";
627 mask = "*!squid@*";
628 mask = "*!nobody@*";
629 mask = "*!www-data@*";
630 mask = "*!cache@*";
631 mask = "*!CacheFlowS@*";
632 mask = "*!*@*www*";
633 mask = "*!*@*proxy*";
634 mask = "*!*@*cache*";
635
636 scanner = "extended";
637 };
638
639
640 /*
641 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
642 * HOPM will check each string against both the hostname and the IP address of
643 * the user.
644 *
645 * There are very few valid reasons to actually use "exempt". HOPM should
646 * never get false positives, and we would like to know very much if it does.
647 * One possible scenario is that the machine HOPM runs from is specifically
648 * authorized to use certain hosts as proxies, and users from those hosts use
649 * your network. In this case, without exempt, HOPM will scan these hosts,
650 * find itself able to use them as proxies, and ban them.
651 */
652 exempt {
653 mask = "*!*@127.0.0.1";
654 };