trunk/doc/reference.conf

/*
 * Hybrid Open Proxy Monitor - HOPM sample configuration
 *
 * $Id$
 */

/*
 * Shell style (#), C++ style (//) and C style comments are supported.
 *
 * Times/durations are written as:
 *        12 hours 30 minutes 1 second
 *
 * Valid units of time:
 *        year, month, week, day, hour, minute, second
 *
 * Valid units of size:
 *        megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
 *
 * Sizes and times may be singular or plural.
 */

options {
        /*
         * Full path and filename for storing the process ID of the running
         * HOPM.
         */
        pidfile = "/some/path/var/hopm.pid";

        /*
         * How long to store the IP address of hosts which are confirmed
         * (by previous scans) to be secure. New users from these
         * IP addresses will not be scanned again until this amount of time
         * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
         * DIRECTIVE, but it is provided due to demand.
         *
         * The main reason for not using this feature is that anyone capable
         * of running a proxy can get abusers onto your network - all they
         * need do is shut the proxy down, connect themselves, restart the
         * proxy, and tell their friends to come flood.
         *
         * Keep this directive commented out to disable negative caching.
         */
#       negcache = 1 hour;

        /*
         * How long between rebuilds of the negative cache. The negcache
         * is only rebuilt to free up memory used by entries that are too old.
         * You probably don't need to tweak this unless you have huge amounts
         * of people connecting (hundreds per minute). Default is 12 hours.
         */
        negcache_rebuild = 12 hours;

        /*
         * Amount of file descriptors to allocate to asynchronous DNS. 64
         * should be plenty for almost anyone.
         */
        dns_fdlimit = 64;

        /*
         * Put the full path and filename of a logfile here if you wish to log
         * every scan done. Normally HOPM only logs successfully detected
         * proxies in the hopm.log, but you may get abuse reports to your ISP
         * about portscanning. Being able to show that it was HOPM that did
         * the scan in question can be useful. Leave commented for no
         * logging.
         */
#       scanlog = "/some/path/var/scan.log";
};


irc {
        /*
         * IP to bind to for the IRC connection. You only need to use this if
         * you wish HOPM to use a particular interface (virtual host, IP
         * alias, ...) when connecting to the IRC server. There is another
         * "vhost" setting in the scan {} block below for the actual
         * portscans. Note that this directive expects an IP address, not a
         * hostname. Please leave this commented out if you do not
         * understand what it does, as most people don't need it.
         */
#       vhost = "0.0.0.0";

        /*
         * Nickname for HOPM to use.
         */
        nick = "MyHopm";

        /*
         * Text to appear in the "realname" field of HOPM's /whois output.
         */
        realname = "Hybrid Open Proxy Monitor";

        /*
         * If you don't have an identd running, what username to use.
         */
        username = "hopm";

        /*
         * Hostname (or IP) of the IRC server which HOPM will monitor
         * connections on.
         */
        server = "irc.example.org";

        /*
         * Password used to connect to the IRC server (PASS)
         */
#       password = "secret";

        /*
         * Port of the above server to connect to. This is what HOPM uses to
         * get onto IRC itself, it is nothing to do with what ports/protocols
         * are scanned, nor do you need to list every port your ircd listens
         * on.
         */
        port = 6667;

        /*
         * Defines time in which bot will timeout if no data is received
         */
        readtimeout = 15 minutes;

        /*
         * Command to execute to identify to NickServ (if your network uses
         * it). This is the raw IRC command text, and the below example
         * corresponds to "/msg nickserv identify password" in a client. If
         * you don't understand, just edit "password" in the line below to be
         * your HOPM's nick password. Leave commented out if you don't need
         * to identify to NickServ.
         */
#       nickserv = "NS IDENTIFY password";

        /*
         * The username and password needed for HOPM to oper up.
         */
        oper = "hopm operpass";

        /*
         * Mode string that HOPM needs to set on itself as soon as it opers
         * up. This needs to include the mode for seeing connection notices,
         * otherwise HOPM won't scan anyone (that's usually umode +c).
         */
        mode = "+c";

        /*
         * If this is set then HOPM will use it as an /away message as soon as
         * it connects.
         */
        away = "I'm a bot. Your messages will be ignored.";

        /*
         * Info about channels you wish HOPM to join in order to accept
         * commands. HOPM will also print messages in these channels every
         * time it detects a proxy. Only IRC operators can command HOPM to do
         * anything, but some of the things HOPM reports to these channels
         * could be considered sensitive, so it's best not to put HOPM into
         * public channels.
         */
        channel {
                /*
                 * Channel name. Local ("&") channels are supported if your ircd
                 * supports them.
                 */
                name = "#hopm";

                /*
                 * If HOPM will need to use a key to enter this channel, this is
                 * where you specify it.
                 */
#               key = "somekey";

                /*
                 * If you use ChanServ then maybe you want to set the channel
                 * invite-only and have each HOPM do "/msg ChanServ invite" to get
                 * itself in. Leave commented if you don't, or if this makes no
                 * sense to you.
                 */
#               invite = "CS INVITE #hopm";
        };

        /*
         * You can define a bunch of channels if you want:
         *
         * channel { name = "#other"; }; channel { name="#channel"; }
         */

        /*
         * connregex is a POSIX regular expression used to parse connection
         * (+c) notices from the ircd. The complexity of the expression should
         * be kept to a minimum.
         *
         * Items in order MUST be: nick user host IP
         *
         * HOPM will not work with ircds which do not send an IP in the
         * connection notice.
         *
         * This is fairly complicated stuff, and the consequences of getting
         * it wrong are the HOPM does not scan anyone. Unless you know
         * absolutely what you are doing, please just uncomment the example
         * below that best matches the type of ircd you use.
         */

  /* ircd-hybrid */
        connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

  /* InspIRCd */
# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]";

        /*
         * "kline" controls the command used when an open proxy is confirmed.
         * We suggest applying a temporary (no more than a few hours) KLINE on the host.
         *
         * <WARNING>
         * Make sure if you need to change this string you also change the
         * kline command for every DNSBL you enable below.
         *
         * Also note that some servers do not allow you to include ':' characters
         * inside the KLINE message (e.g. for a http:// address).
         *
         * Users rewriting this message into something that isn't even a valid
         * IRC command is the single most common cause of support requests and
         * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
         * KLINE COMMANDS BELOW.
         * </WARNING>
         *
         * That said, should you wish to customise this text, several
         * printf-like placeholders are available:
         *
         *  %n     User's nick
         *  %u     User's username
         *  %h     User's irc hostname
         *  %i     User's IP address
         *
         */
        kline = "KLINE 180 *@%h :Open proxy found on your host.";

        /*
         * An AKILL example for services with OperServ. Your HOPM must have permission to
         * AKILL for this to work!
         */
#       kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";

        /*
         * Text to send on connection, these can be stacked and will be sent in this order.
         */
#       perform = "TIME";

        /*
         * Text to send, via NOTICE, immediately when a new client connects. These can be
         * stacked and will be sent in this order.
         */
#       notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
};


/*
 * OPM Block defines blacklists and information required to report new proxies
 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
 * file. There are several blacklist that list IP addresses known to be open
 * proxies or other forms of IRC abuse. By checking against these blacklists,
 * HOPMs are able to ban known sources of abuse without completely scanning them.
 */
#opm {
        /*
         * Blacklist zones to check IPs against. If you would rather not
         * trust a remotely managed blacklist, you could set up your own, or
         * leave these commented out in which case every user will be
         * scanned. The use of at least one open proxy DNSBL is recommended
         * however.
         *
         * Please check the policies of each blacklist you use to check you
         * are comfortable with using them to block access to your server
         * (and that you are allowed to use them).
         */


        /* dnsbl.dronebl.org - http://dronebl.org */
#       blacklist {
                /* The DNS name of the blacklist */
#               name = "dnsbl.dronebl.org";

                /*
                 * There are only two values that are valid for this
                 * "A record bitmask" and "A record reply"
                 * These options affect how the values specified to reply
                 * below will be interpreted, a bitmask is where the reply
                 * values are 2^n and more than one is added up, a reply is
                 * simply where the last octet of the IP is that number.
                 * If you are not sure then the values set for dnsbl.dronebl.org
                 * will work without any changes.
                 */
#               type = "A record reply";

                /*
                 * Kline types not listed in the reply list below.
                 *
                 * For DNSBLs that are not IRC specific and you just wish to kline
                 * certain types this can be enabled/disabled.
                 */
#               ban_unknown = no;

                /*
                 * The actual values returned by the dnsbl.dronebl.org blacklist as
                 * documented at http://dronebl.org/docs/howtouse
                 */
#               reply {
#                       2 = "Sample";
#                       3 = "IRC Drone";
#                       5 = "Bottler";
#                       6 = "Unknown spambot or drone";
#                       7 = "DDOS Drone";
#                       8 = "SOCKS Proxy";
#                       9 = "HTTP Proxy";
#                       10 = "ProxyChain";
#                       13 = "Brute force attackers";
#                       14 = "Open Wingate Proxy";
#                       15 = "Compromised router / gateway";
#                       17 = "Automatically determined botnet IPs (experimental)";
#                       255 = "Unknown";
#               };

                /*
                 * The kline message sent for this specific blacklist, remember to put
                 * the removal method in this.
                 */
#               kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
#       };


        /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
#       blacklist {
#               name = "tor.dnsbl.sectoor.de";
#               type = "A record reply";
#               ban_unknown = no;

#               reply {
#                       1 = "Tor exit server";
#               };

#               kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
#       };

        /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
#       blacklist {
#               name = "rbl.efnetrbl.org";
#               type = "A record reply";
#               ban_unknown = no;

#               reply {
#                       1 = "Open proxy";
#                       2 = "spamtrap666";
#                       3 = "spamtrap50";
#                       4 = "TOR";
#                       5 = "Drones / Flooding";
#               };

#               kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
#       };


        /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
#       blacklist {
#               name = "tor.efnetrbl.org";
#               type = "A record reply";
#               ban_unknown = no;

#               reply {
#                       1 = "TOR";
#               };

#               kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
#       };

        /*
         * You can report the insecure proxies you find to a DNSBL also!
         * The remaining directives in this section are only needed if you
         * intend to do this. Reports are sent by email, one email per IP
         * address. The format does support multiple addresses in one email,
         * but we don't know of any servers that are detecting enough insecure
         * proxies for this to be really necessary.
         */

        /*
         * Email address to send reports FROM. If you intend to send reports,
         * please pick an email address that we can actually send mail to
         * should we ever need to contact you.
         */
#       dnsbl_from = "mybopm@myserver.org";

        /*
         * Email address to send reports TO.
         * For example DroneBL:
         */
#       dnsbl_to = "bopm-report@dronebl.org";

        /*
         * Full path to your sendmail binary. Even if your system does not
         * use sendmail, it probably does have a binary called "sendmail"
         * present in /usr/sbin or /usr/lib. If you don't set this, no
         * proxies will be reported.
         */
#       sendmail = "/usr/sbin/sendmail";
#};


/*
 * The short explanation:
 *
 * This is where you define what ports/protocols to check for. You can have
 * multiple scanner blocks and then choose which users will get scanned by
 * which scanners further down.
 *
 * The long explanation:
 *
 * Scanner defines a virtual scanner. For each user being scanned, a scanner
 * will use a file descriptor (and subsequent connection) for each protocol.
 * Once connecting it will negotiate the proxy to connect to
 * target_ip:target_port (target_ip MUST be an IP).
 *
 * Once connected, any data passed through the proxy will be checked to see if
 * target_string is contained within that data. If it is the proxy is
 * considered open. If the connection is closed at any point before
 * target_string is matched, or if at least max_read bytes are read from the
 * connection, the negotiation is considered failed.
 */
scanner {

        /*
         * Unique name of this scanner. This is used further down in the
         * user {} blocks to decide which users get affected by which
         * scanners.
         */
        name = "default";

        /*
         * HTTP CONNECT - very common proxy protocol supported by widely known
         * software such as Squid and Apache. The most common sort of
         * insecure proxy and found on a multitude of weird ports too. Offers
         * transparent two way TCP connections.
         */
        protocol = HTTP:80;
        protocol = HTTP:8080;
        protocol = HTTP:3128;
        protocol = HTTP:6588;

        /*
         * SOCKS4/5 - well known proxy protocols, probably the second most
         * common for insecure proxies, also offers transparent two way TCP
         * connections. Fortunately largely confined to port 1080.
         */
        protocol = SOCKS4:1080;
        protocol = SOCKS5:1080;

        /*
         * Cisco routers with a default password (yes, it really does happen).
         * Also pretty much anything else that will let you telnet to anywhere
         * else on the internet. Fortunately these are always on port 23.
         */
        protocol = ROUTER:23;

        /*
         * WinGate is commercial windows proxy software which is now not so
         * common, but still to be found, and helpfully presents an interface
         * that can be used to telnet out, on port 23.
         */
        protocol = WINGATE:23;

        /*
         * The HTTP POST protocol, often dismissed when writing the access
         * controls for proxies, but sadly can still be used to abused.
         * Offers only the opportunity to send a single block of data, but
         * enough of them at once can still make for a devastating flood.
         * Found on the same ports that HTTP CONNECT proxies inhabit.
         *
         * Note that if your ircd has "ping cookies" then clients from HTTP
         * POST proxies cannot actually ever get onto your network anyway. If
         * you leave the checks in then you'll still find some (because some
         * people IRC from boxes that run them), but if you use HOPM purely as
         * a protective measure and you have ping cookies, you need not scan
         * for HTTP POST.
         */
        protocol = HTTPPOST:80;

        /*
         * IP this scanner will bind to. Use this if you need your scans to
         * come FROM a particular interface on the machine you run HOPM from.
         * If you don't understand what this means, please leave this
         * commented out, as this is a major source of support queries!
         */
#       vhost = "127.0.0.1";

        /*
         * Maximum file descriptors this scanner can use. Remember that there
         * will be one FD for each protocol listed above. As this example
         * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
         * limit, this scanner can be used on 64 users _at the same time_.
         * That should be adequate for most servers.
         */
        fd = 512;

        /*
         * Maximum data read from a proxy before considering it closed. Don't
         * set this too high, some people have fun setting up lots of ports
         * that send endless data to tie up your scanner. 4KB is plenty for
         * any known proxy.
         */
        max_read = 4kb;

        /*
         * Amount of time before a test is considered timed out.
         * Again, all but the poorest slowest proxies will be detected within
         * 30 seconds, and this helps keep resource usage low.
         */
        timeout = 30 seconds;

        /*
         * Target IP to tell the proxy to connect to
         *
         * !!! THIS MUST BE CHANGED !!!
         *
         * You cannot instruct the proxy to connect to itself! The easiest
         * thing to do would be to set this to the IP of your ircd and then
         * keep the default target_strings.
         *
         * Please use an IP that is publically reachable from anywhere on the
         * Internet, because you have no way of knowing where the insecure
         * proxies will be located. Just because you and your HOPM can
         * connect to your ircd on some private IP like 192.168.0.1, does not
         * mean that the insecure proxies out there on the Internet will be
         * able to. And if they never connect, you will never detect them.
         *
         * Remember to change this setting for every scanner you configure.
         */
        target_ip = "127.0.0.1";

        /*
         * Target port to tell the proxy to connect to. This is usually
         * something like 6667. Basically any client-usable port.
         */
        target_port = 6667;

        /*
         * Target string we check for in the data read back by the scanner.
         * This should be some string out of the data that your ircd usually
         * sends on connect. The example below will work on most
         * hybrid/bahamut ircds. Multiple target strings are allowed.
         *
         * NOTE: Try to keep the number of target strings to a minimum. Two
         *       should be fine. One for normal connections and one for throttled
         *       connections. Comment out any others for efficiency.
         */

        /*
         * Usually first line sent to client on connection to ircd.
         * If your ircd supports a more specific line (see below),
         * using it will reduce false positives.
         */
        target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";

        /*
         * If you try to connect too fast, you'll be throttled by your own
         * ircd. Here's what a hybrid throttle message looks like:
         */
        target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};


scanner {
        name = "extended";

        protocol = HTTP:81;
        protocol = HTTP:8000;
        protocol = HTTP:8001;
        protocol = HTTP:8081;

        protocol = HTTPPOST:81;
        protocol = HTTPPOST:6588;
#       protocol = HTTPPOST:4480;
        protocol = HTTPPOST:8000;
        protocol = HTTPPOST:8001;
        protocol = HTTPPOST:8080;
        protocol = HTTPPOST:8081;

        /*
         * IRCnet have seen many socks5 on these ports, more than on the
         * standard ports even.
         */
        protocol = SOCKS4:4914;
        protocol = SOCKS4:6826;
        protocol = SOCKS4:7198;
        protocol = SOCKS4:7366;
        protocol = SOCKS4:9036;

        protocol = SOCKS5:4438;
        protocol = SOCKS5:5104;
        protocol = SOCKS5:5113;
        protocol = SOCKS5:5262;
        protocol = SOCKS5:5634;
        protocol = SOCKS5:6552;
        protocol = SOCKS5:6561;
        protocol = SOCKS5:7464;
        protocol = SOCKS5:7810;
        protocol = SOCKS5:8130;
        protocol = SOCKS5:8148;
        protocol = SOCKS5:8520;
        protocol = SOCKS5:8814;
        protocol = SOCKS5:9100;
        protocol = SOCKS5:9186;
        protocol = SOCKS5:9447;
        protocol = SOCKS5:9578;

        /*
         * These came courtsey of Keith Dunnett from a bunch of public open
         * proxy lists.
         */
        protocol = SOCKS4:29992;
        protocol = SOCKS4:38884;
        protocol = SOCKS4:18844;
        protocol = SOCKS4:17771;
        protocol = SOCKS4:31121;

        fd = 400;

        /*
         * If required you can add settings such as target_ip here
         * they will override the defaults set in the first scanner
         * for this and subsequent scanners defined in the config file
         * This affects the following options:
         * fd, vhost, target_ip, target_port, target_string, timeout and
         * max_read.
         */
};


/*
 * User blocks define what scanners will be used to scan which hostmasks.
 * When a user connects they will be scanned on every scanner {} (above)
 * that matches their host.
 */
user {
        /*
         * Users matching this host mask will be scanned with all the
         * protocols in the scanner named.
         */
        mask = "*!*@*";
        scanner = "default";
};

user {
        /*
         * Connections without ident will match on a vast number of connections
         * very few proxies run ident though
         */
#       mask = "*!~*@*";
        mask = "*!squid@*";
        mask = "*!nobody@*";
        mask = "*!www-data@*";
        mask = "*!cache@*";
        mask = "*!CacheFlowS@*";
        mask = "*!*@*www*";
        mask = "*!*@*proxy*";
        mask = "*!*@*cache*";

        scanner = "extended";
};


/*
 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
 * HOPM will check each string against both the hostname and the IP address of
 * the user.
 *
 * There are very few valid reasons to actually use "exempt". HOPM should
 * never get false positives, and we would like to know very much if it does.
 * One possible scenario is that the machine HOPM runs from is specifically
 * authorized to use certain hosts as proxies, and users from those hosts use
 * your network. In this case, without exempt, HOPM will scan these hosts,
 * find itself able to use them as proxies, and ban them.
 */
exempt {
        mask = "*!*@127.0.0.1";
};
Revision:	5437
Committed:	Wed Jan 28 18:50:03 2015 UTC (9 years, 2 months ago) by michael
File size:	21017 byte(s)
Log Message:	- reference.conf: added connregex for InspIRCd provided by Attila