ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/hopm/trunk/doc/reference.conf
Revision: 6565
Committed: Sat Oct 10 18:48:37 2015 UTC (8 years, 5 months ago) by michael
File size: 22256 byte(s)
Log Message:
- Update reference.conf

File Contents

# Content
1 /*
2 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 *
4 * $Id$
5 */
6
7 /*
8 * Shell style (#), C++ style (//) and C style comments are supported.
9 *
10 * Times/durations are written as:
11 * 12 hours 30 minutes 1 second
12 *
13 * Valid units of time:
14 * year, month, week, day, hour, minute, second
15 *
16 * Valid units of size:
17 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
18 *
19 * Sizes and times may be singular or plural.
20 */
21
22 options {
23 /*
24 * Full path and filename for storing the process ID of the running
25 * HOPM.
26 */
27 pidfile = "var/run/hopm.pid";
28
29 /*
30 * How long to store the IP address of hosts which are confirmed
31 * (by previous scans) to be secure. New users from these
32 * IP addresses will not be scanned again until this amount of time
33 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
34 * DIRECTIVE, but it is provided due to demand.
35 *
36 * The main reason for not using this feature is that anyone capable
37 * of running a proxy can get abusers onto your network - all they
38 * need do is shut the proxy down, connect themselves, restart the
39 * proxy, and tell their friends to come flood.
40 *
41 * Keep this directive commented out to disable negative caching.
42 */
43 # negcache = 1 hour;
44
45 /*
46 * How long between rebuilds of the negative cache. The negcache
47 * is only rebuilt to free up memory used by entries that are too old.
48 * You probably don't need to tweak this unless you have huge amounts
49 * of people connecting (hundreds per minute). Default is 12 hours.
50 */
51 negcache_rebuild = 12 hours;
52
53 /*
54 * Amount of file descriptors to allocate to asynchronous DNS. 64
55 * should be plenty for almost anyone.
56 */
57 dns_fdlimit = 64;
58
59 /*
60 * Amount of time the resolver waits until a response is received
61 * from a name server.
62 */
63 dns_timeout = 5 seconds;
64
65 /*
66 * Put the full path and filename of a logfile here if you wish to log
67 * every scan done. Normally HOPM only logs successfully detected
68 * proxies in the hopm.log, but you may get abuse reports to your ISP
69 * about portscanning. Being able to show that it was HOPM that did
70 * the scan in question can be useful. Leave commented for no
71 * logging.
72 */
73 # scanlog = "var/log/scan.log";
74 };
75
76
77 irc {
78 /*
79 * IP address to bind to for the IRC connection. You only need to
80 * use this if you wish HOPM to use a particular interface
81 * (virtual host, IP alias, ...) when connecting to the IRC server.
82 * There is another "vhost" setting in the scan {} block below for
83 * the actual portscans. Note that this directive expects an IP address,
84 * not a hostname. Please leave this commented out if you do not
85 * understand what it does, as most people don't need it.
86 */
87 # vhost = "0.0.0.0";
88
89 /*
90 * Nickname for HOPM to use.
91 */
92 nick = "MyHopm";
93
94 /*
95 * Text to appear in the "realname" field of HOPM's /whois output.
96 */
97 realname = "Hybrid Open Proxy Monitor";
98
99 /*
100 * If you don't have an identd running, what username to use.
101 */
102 username = "hopm";
103
104 /*
105 * Hostname (or IP address) of the IRC server which HOPM will monitor
106 * connections on. IPv6 is now supported.
107 */
108 server = "irc.example.org";
109
110 /*
111 * Password used to connect to the IRC server (PASS)
112 */
113 # password = "secret";
114
115 /*
116 * Port of the above server to connect to. This is what HOPM uses to
117 * get onto IRC itself, it is nothing to do with what ports/protocols
118 * are scanned, nor do you need to list every port your ircd listens
119 * on.
120 */
121 port = 6667;
122
123 /*
124 * Defines time in which bot will timeout if no data is received
125 */
126 readtimeout = 15 minutes;
127
128 /*
129 * Interval in how often we try to reconnect to the IRC server
130 */
131 reconnectinterval = 30 seconds;
132
133 /*
134 * Command to execute to identify to NickServ (if your network uses
135 * it). This is the raw IRC command text, and the below example
136 * corresponds to "/msg nickserv identify password" in a client. If
137 * you don't understand, just edit "password" in the line below to be
138 * your HOPM's nick password. Leave commented out if you don't need
139 * to identify to NickServ.
140 */
141 # nickserv = "NS IDENTIFY password";
142
143 /*
144 * The username and password needed for HOPM to oper up.
145 */
146 oper = "hopm operpass";
147
148 /*
149 * Mode string that HOPM needs to set on itself as soon as it opers
150 * up. This needs to include the mode for seeing connection notices,
151 * otherwise HOPM won't scan anyone (that's usually umode +c).
152 */
153 mode = "+c";
154
155 /*
156 * If this is set then HOPM will use it as an /away message as soon as
157 * it connects.
158 */
159 away = "I'm a bot. Your messages will be ignored.";
160
161 /*
162 * Info about channels you wish HOPM to join in order to accept
163 * commands. HOPM will also print messages in these channels every
164 * time it detects a proxy. Only IRC operators can command HOPM to do
165 * anything, but some of the things HOPM reports to these channels
166 * could be considered sensitive, so it's best not to put HOPM into
167 * public channels.
168 */
169 channel {
170 /*
171 * Channel name. Local ("&") channels are supported if your ircd
172 * supports them.
173 */
174 name = "#hopm";
175
176 /*
177 * If HOPM will need to use a key to enter this channel, this is
178 * where you specify it.
179 */
180 # key = "somekey";
181
182 /*
183 * If you use ChanServ then maybe you want to set the channel
184 * invite-only and have each HOPM do "/msg ChanServ invite" to get
185 * itself in. Leave commented if you don't, or if this makes no
186 * sense to you.
187 */
188 # invite = "CS INVITE #hopm";
189 };
190
191 /*
192 * You can define a bunch of channels if you want:
193 *
194 * channel { name = "#other"; }; channel { name= "#channel"; }
195 */
196
197 /*
198 * connregex is a POSIX regular expression used to parse connection
199 * notices from the ircd. The complexity of the expression should
200 * be kept to a minimum.
201 *
202 * Items in order MUST be: nick user host IP
203 *
204 * HOPM will not work with ircds which do not send an IP address in the
205 * connection notice.
206 *
207 * This is fairly complicated stuff, and the consequences of getting
208 * it wrong are the HOPM does not scan anyone. Unless you know
209 * absolutely what you are doing, please just uncomment the example
210 * below that best matches the type of ircd you use.
211 */
212
213 /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd (in HCN mode) */
214 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
215
216 /* InspIRCd */
217 # connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]";
218
219 /* ngIRCd */
220 # connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
221
222 /*
223 * "kline" controls the command used when an open proxy is confirmed.
224 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
225 *
226 * <WARNING>
227 * Make sure if you need to change this string you also change the
228 * kline command for every DNSBL you enable below.
229 *
230 * Also note that some servers do not allow you to include ':' characters
231 * inside the KLINE message (e.g. for a http:// address).
232 *
233 * Users rewriting this message into something that isn't even a valid
234 * IRC command is the single most common cause of support requests and
235 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
236 * KLINE COMMANDS BELOW.
237 * </WARNING>
238 *
239 * That said, should you wish to customise this text, several
240 * printf-like placeholders are available:
241 *
242 * %n User's nick
243 * %u User's username
244 * %h User's irc hostname
245 * %i User's IP address
246 * %t Protocol type which has triggered a positive scan
247 */
248 kline = "KLINE 180 *@%h :Open proxy found on your host.";
249
250 /* A GLINE example for ircu */
251 # kline = "GLINE +*@%i 1800 :Open proxy found on your host.";
252
253 /*
254 * An AKILL example for services with OperServ. Your HOPM must have permission to
255 * AKILL for this to work!
256 */
257 # kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";
258
259 /*
260 * Text to send on connection, these can be stacked and will be sent in this order.
261 *
262 * !!! UNREAL USERS PLEASE NOTE !!!
263 * Unreal users will need PROTOCTL HCN to force hybrid connect
264 * notices.
265 *
266 * Yes Unreal users! That means you! That means you need the line
267 * below! See that thing at the start of the line? That's what we
268 * call a comment! Remove it to UNcomment the line.
269 */
270 # perform = "PROTOCTL HCN";
271
272 /*
273 * Text to send, via NOTICE, immediately when a new client connects. These can be
274 * stacked and will be sent in this order.
275 */
276 # notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
277 };
278
279
280 /*
281 * OPM Block defines blacklists and information required to report new proxies
282 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
283 * file. There are several blacklist that list IP addresses known to be open
284 * proxies or other forms of IRC abuse. By checking against these blacklists,
285 * HOPMs are able to ban known sources of abuse without completely scanning them.
286 */
287 #opm {
288 /*
289 * Blacklist zones to check IPs against. If you would rather not
290 * trust a remotely managed blacklist, you could set up your own, or
291 * leave these commented out in which case every user will be
292 * scanned. The use of at least one open proxy DNSBL is recommended
293 * however.
294 *
295 * Please check the policies of each blacklist you use to check you
296 * are comfortable with using them to block access to your server
297 * (and that you are allowed to use them).
298 */
299
300
301 /* dnsbl.dronebl.org - http://dronebl.org */
302 # blacklist {
303 /* The DNS name of the blacklist */
304 # name = "dnsbl.dronebl.org";
305
306 /*
307 * There are only two values that are valid for this
308 * "A record bitmask" and "A record reply"
309 * These options affect how the values specified to reply
310 * below will be interpreted, a bitmask is where the reply
311 * values are 2^n and more than one is added up, a reply is
312 * simply where the last octet of the IP address is that number.
313 * If you are not sure then the values set for dnsbl.dronebl.org
314 * will work without any changes.
315 */
316 # type = "A record reply";
317
318 /*
319 * Kline types not listed in the reply list below.
320 *
321 * For DNSBLs that are not IRC specific and you just wish to kline
322 * certain types this can be enabled/disabled.
323 */
324 # ban_unknown = no;
325
326 /*
327 * The actual values returned by the dnsbl.dronebl.org blacklist as
328 * documented at http://dronebl.org/docs/howtouse
329 */
330 # reply {
331 # 2 = "Sample";
332 # 3 = "IRC Drone";
333 # 5 = "Bottler";
334 # 6 = "Unknown spambot or drone";
335 # 7 = "DDOS Drone";
336 # 8 = "SOCKS Proxy";
337 # 9 = "HTTP Proxy";
338 # 10 = "ProxyChain";
339 # 13 = "Brute force attackers";
340 # 14 = "Open Wingate Proxy";
341 # 15 = "Compromised router / gateway";
342 # 17 = "Automatically determined botnet IPs (experimental)";
343 # 255 = "Unknown";
344 # };
345
346 /*
347 * The kline message sent for this specific blacklist, remember to put
348 * the removal method in this.
349 */
350 # kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
351 # };
352
353
354 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
355 # blacklist {
356 # name = "tor.dnsbl.sectoor.de";
357 # type = "A record reply";
358 # ban_unknown = no;
359
360 # reply {
361 # 1 = "Tor exit server";
362 # };
363
364 # kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
365 # };
366
367 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
368 # blacklist {
369 # name = "rbl.efnetrbl.org";
370 # type = "A record reply";
371 # ban_unknown = no;
372
373 # reply {
374 # 1 = "Open proxy";
375 # 2 = "spamtrap666";
376 # 3 = "spamtrap50";
377 # 4 = "TOR";
378 # 5 = "Drones / Flooding";
379 # };
380
381 # kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
382 # };
383
384
385
386 /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
387 # blacklist {
388 # name = "tor.efnetrbl.org";
389 # type = "A record reply";
390 # ban_unknown = no;
391
392 # reply {
393 # 1 = "TOR";
394 # };
395
396 # kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
397 # };
398
399 /*
400 * You can report the insecure proxies you find to a DNSBL also!
401 * The remaining directives in this section are only needed if you
402 * intend to do this. Reports are sent by email, one email per IP
403 * address. The format does support multiple addresses in one email,
404 * but we don't know of any servers that are detecting enough insecure
405 * proxies for this to be really necessary.
406 */
407
408 /*
409 * Email address to send reports FROM. If you intend to send reports,
410 * please pick an email address that we can actually send mail to
411 * should we ever need to contact you.
412 */
413 # dnsbl_from = "mybopm@myserver.org";
414
415 /*
416 * Email address to send reports TO.
417 * For example DroneBL:
418 */
419 # dnsbl_to = "bopm-report@dronebl.org";
420
421 /*
422 * Full path to your sendmail binary. Even if your system does not
423 * use sendmail, it probably does have a binary called "sendmail"
424 * present in /usr/sbin or /usr/lib. If you don't set this, no
425 * proxies will be reported.
426 */
427 # sendmail = "/usr/sbin/sendmail";
428 #};
429
430
431 /*
432 * The short explanation:
433 *
434 * This is where you define what ports/protocols to check for. You can have
435 * multiple scanner blocks and then choose which users will get scanned by
436 * which scanners further down.
437 *
438 * The long explanation:
439 *
440 * Scanner defines a virtual scanner. For each user being scanned, a scanner
441 * will use a file descriptor (and subsequent connection) for each protocol.
442 * Once connecting it will negotiate the proxy to connect to
443 * target_ip:target_port (target_ip MUST be an IP address).
444 *
445 * Once connected, any data passed through the proxy will be checked to see if
446 * target_string is contained within that data. If it is the proxy is
447 * considered open. If the connection is closed at any point before
448 * target_string is matched, or if at least max_read bytes are read from the
449 * connection, the negotiation is considered failed.
450 */
451 scanner {
452 /*
453 * Unique name of this scanner. This is used further down in the
454 * user {} blocks to decide which users get affected by which
455 * scanners.
456 */
457 name = "default";
458
459 /*
460 * HTTP CONNECT - very common proxy protocol supported by widely known
461 * software such as Squid and Apache. The most common sort of
462 * insecure proxy and found on a multitude of weird ports too. Offers
463 * transparent two way TCP connections.
464 */
465 protocol = HTTP:80;
466 protocol = HTTP:8080;
467 protocol = HTTP:3128;
468 protocol = HTTP:6588;
469
470 /*
471 * The SSL/TLS variant of HTTP
472 */
473 # protocol = HTTPS:443;
474 # protocol = HTTPS:8443;
475
476 /*
477 * SOCKS4/5 - well known proxy protocols, probably the second most
478 * common for insecure proxies, also offers transparent two way TCP
479 * connections. Fortunately largely confined to port 1080.
480 */
481 protocol = SOCKS4:1080;
482 protocol = SOCKS5:1080;
483
484 /*
485 * Cisco routers with a default password (yes, it really does happen).
486 * Also pretty much anything else that will let you telnet to anywhere
487 * else on the Internet. Fortunately these are always on port 23.
488 */
489 protocol = ROUTER:23;
490
491 /*
492 * WinGate is commercial windows proxy software which is now not so
493 * common, but still to be found, and helpfully presents an interface
494 * that can be used to telnet out, on port 23.
495 */
496 protocol = WINGATE:23;
497
498 /*
499 * Dreambox DVB receivers with a default password allowing
500 * full root access to telnet or install bouncers.
501 */
502 protocol = DREAMBOX:23;
503
504 /*
505 * The HTTP POST protocol, often dismissed when writing the access
506 * controls for proxies, but sadly can still be used to abused.
507 * Offers only the opportunity to send a single block of data, but
508 * enough of them at once can still make for a devastating flood.
509 * Found on the same ports that HTTP CONNECT proxies inhabit.
510 *
511 * Note that if your ircd has "ping cookies" then clients from HTTP
512 * POST proxies cannot actually ever get onto your network anyway. If
513 * you leave the checks in then you'll still find some (because some
514 * people IRC from boxes that run them), but if you use HOPM purely as
515 * a protective measure and you have ping cookies, you need not scan
516 * for HTTP POST.
517 */
518 protocol = HTTPPOST:80;
519
520 /*
521 * The SSL/TLS variant of HTTPPOST
522 */
523 # protocol = HTTPSPOST:443;
524 # protocol = HTTPSPOST:8443;
525
526 /*
527 * IP address this scanner will bind to. Use this if you need your scans to
528 * come FROM a particular interface on the machine you run HOPM from.
529 * If you don't understand what this means, please leave this
530 * commented out, as this is a major source of support queries!
531 */
532 # vhost = "127.0.0.1";
533
534 /*
535 * Maximum file descriptors this scanner can use. Remember that there
536 * will be one FD for each protocol listed above. As this example
537 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
538 * limit, this scanner can be used on 64 users _at the same time_.
539 * That should be adequate for most servers.
540 */
541 fd = 512;
542
543 /*
544 * Maximum data read from a proxy before considering it closed. Don't
545 * set this too high, some people have fun setting up lots of ports
546 * that send endless data to tie up your scanner. 4KB is plenty for
547 * any known proxy.
548 */
549 max_read = 4 kbytes;
550
551 /*
552 * Amount of time before a test is considered timed out.
553 * Again, all but the poorest slowest proxies will be detected within
554 * 30 seconds, and this helps keep resource usage low.
555 */
556 timeout = 30 seconds;
557
558 /*
559 * Target IP to tell the proxy to connect to
560 *
561 * !!! THIS MUST BE CHANGED !!!
562 *
563 * You cannot instruct the proxy to connect to itself! The easiest
564 * thing to do would be to set this to the IP address of your ircd
565 * and then keep the default target_strings.
566 *
567 * Please use an IP address that is publically reachable from anywhere
568 * on the Internet, because you have no way of knowing where the insecure
569 * proxies will be located. Just because you and your HOPM can
570 * connect to your ircd on some private IP address like 192.168.0.1,
571 * does not mean that the insecure proxies out there on the Internet will be
572 * able to. And if they never connect, you will never detect them.
573 *
574 * Remember to change this setting for every scanner you configure.
575 */
576 target_ip = "127.0.0.1";
577
578 /*
579 * Target port to tell the proxy to connect to. This is usually
580 * something like 6667. Basically any client-usable port.
581 */
582 target_port = 6667;
583
584 /*
585 * Target string we check for in the data read back by the scanner.
586 * This should be some string out of the data that your ircd usually
587 * sends on connect. Multiple target strings are allowed.
588 *
589 * NOTE: Try to keep the number of target strings to a minimum. Two
590 * should be fine. One for normal connections and one for throttled
591 * connections. Comment out any others for efficiency.
592 */
593
594 /*
595 * Usually first line sent to client on connection to ircd.
596 * If your ircd supports a more specific line (see below),
597 * using it will reduce false positives.
598 */
599 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
600
601 /*
602 * If you try to connect too fast, you'll be throttled by your own
603 * ircd. Here's what a hybrid throttle message looks like:
604 */
605 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
606 };
607
608
609 scanner {
610 name = "extended";
611
612 protocol = HTTP:81;
613 protocol = HTTP:8000;
614 protocol = HTTP:8001;
615 protocol = HTTP:8081;
616
617 protocol = HTTPPOST:81;
618 protocol = HTTPPOST:6588;
619 protocol = HTTPPOST:4480;
620 protocol = HTTPPOST:8000;
621 protocol = HTTPPOST:8001;
622 protocol = HTTPPOST:8080;
623 protocol = HTTPPOST:8081;
624
625 /*
626 * IRCnet have seen many socks5 on these ports, more than on the
627 * standard ports even.
628 */
629 protocol = SOCKS4:4914;
630 protocol = SOCKS4:6826;
631 protocol = SOCKS4:7198;
632 protocol = SOCKS4:7366;
633 protocol = SOCKS4:9036;
634
635 protocol = SOCKS5:4438;
636 protocol = SOCKS5:5104;
637 protocol = SOCKS5:5113;
638 protocol = SOCKS5:5262;
639 protocol = SOCKS5:5634;
640 protocol = SOCKS5:6552;
641 protocol = SOCKS5:6561;
642 protocol = SOCKS5:7464;
643 protocol = SOCKS5:7810;
644 protocol = SOCKS5:8130;
645 protocol = SOCKS5:8148;
646 protocol = SOCKS5:8520;
647 protocol = SOCKS5:8814;
648 protocol = SOCKS5:9100;
649 protocol = SOCKS5:9186;
650 protocol = SOCKS5:9447;
651 protocol = SOCKS5:9578;
652
653 /*
654 * These came courtsey of Keith Dunnett from a bunch of public open
655 * proxy lists.
656 */
657 protocol = SOCKS4:29992;
658 protocol = SOCKS4:38884;
659 protocol = SOCKS4:18844;
660 protocol = SOCKS4:17771;
661 protocol = SOCKS4:31121;
662
663 fd = 400;
664
665 /*
666 * If required you can add settings such as target_ip here
667 * they will override the defaults set in the first scanner
668 * for this and subsequent scanners defined in the config file
669 * This affects the following options:
670 * fd, vhost, target_ip, target_port, target_string, timeout and
671 * max_read.
672 */
673 };
674
675
676 /*
677 * User blocks define what scanners will be used to scan which hostmasks.
678 * When a user connects they will be scanned on every scanner {} (above)
679 * that matches their host.
680 */
681 user {
682 /*
683 * Users matching this host mask will be scanned with all the
684 * protocols in the scanner named.
685 */
686 mask = "*!*@*";
687 scanner = "default";
688 };
689
690 user {
691 /*
692 * Connections without ident will match on a vast number of connections
693 * very few proxies run ident though
694 */
695 # mask = "*!~*@*";
696 mask = "*!squid@*";
697 mask = "*!nobody@*";
698 mask = "*!www-data@*";
699 mask = "*!cache@*";
700 mask = "*!CacheFlowS@*";
701 mask = "*!*@*www*";
702 mask = "*!*@*proxy*";
703 mask = "*!*@*cache*";
704
705 scanner = "extended";
706 };
707
708
709 /*
710 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
711 * HOPM will check each string against both the hostname and the IP address of
712 * the user.
713 *
714 * There are very few valid reasons to actually use "exempt". HOPM should
715 * never get false positives, and we would like to know very much if it does.
716 * One possible scenario is that the machine HOPM runs from is specifically
717 * authorized to use certain hosts as proxies, and users from those hosts use
718 * your network. In this case, without exempt, HOPM will scan these hosts,
719 * find itself able to use them as proxies, and ban them.
720 */
721 exempt {
722 mask = "*!*@127.0.0.1";
723 };

Properties

Name Value
svn:eol-style native
svn:keywords Id