ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/hopm/trunk/doc/reference.conf
Revision: 5221
Committed: Wed Dec 31 13:13:45 2014 UTC (9 years, 2 months ago) by michael
File size: 20290 byte(s)
Log Message:
- Update reference.conf

File Contents

# Content
1 /*
2 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 *
4 * $Id$
5 */
6
7 /*
8 * Shell style (#), C++ style (//) and C style comments are supported.
9 *
10 * Times/durations are written as:
11 * 12 hours 30 minutes 1 second
12 *
13 * Valid units of time:
14 * year, month, week, day, hour, minute, second
15 *
16 * Valid units of size:
17 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
18 *
19 * Sizes and times may be singular or plural.
20 */
21
22 options {
23 /*
24 * Full path and filename for storing the process ID of the running
25 * HOPM.
26 */
27 pidfile = "/some/path/var/hopm.pid";
28
29 /*
30 * How long to store the IP address of hosts which are confirmed
31 * (by previous scans) to be secure. New users from these
32 * IP addresses will not be scanned again until this amount of time
33 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
34 * DIRECTIVE, but it is provided due to demand.
35 *
36 * The main reason for not using this feature is that anyone capable
37 * of running a proxy can get abusers onto your network - all they
38 * need do is shut the proxy down, connect themselves, restart the
39 * proxy, and tell their friends to come flood.
40 *
41 * Keep this directive commented out to disable negative caching.
42 */
43 # negcache = 1 hour;
44
45 /*
46 * Amount of file descriptors to allocate to asynchronous DNS. 64
47 * should be plenty for almost anyone.
48 */
49 dns_fdlimit = 64;
50
51 /*
52 * Put the full path and filename of a logfile here if you wish to log
53 * every scan done. Normally HOPM only logs successfully detected
54 * proxies in the hopm.log, but you may get abuse reports to your ISP
55 * about portscanning. Being able to show that it was HOPM that did
56 * the scan in question can be useful. Leave commented for no
57 * logging.
58 */
59 # scanlog = "/some/path/var/scan.log";
60 };
61
62
63 irc {
64 /*
65 * IP to bind to for the IRC connection. You only need to use this if
66 * you wish HOPM to use a particular interface (virtual host, IP
67 * alias, ...) when connecting to the IRC server. There is another
68 * "vhost" setting in the scan {} block below for the actual
69 * portscans. Note that this directive expects an IP address, not a
70 * hostname. Please leave this commented out if you do not
71 * understand what it does, as most people don't need it.
72 */
73 # vhost = "0.0.0.0";
74
75 /*
76 * Nickname for HOPM to use.
77 */
78 nick = "MyHopm";
79
80 /*
81 * Text to appear in the "realname" field of HOPM's /whois output.
82 */
83 realname = "Hybrid Open Proxy Monitor";
84
85 /*
86 * If you don't have an identd running, what username to use.
87 */
88 username = "hopm";
89
90 /*
91 * Hostname (or IP) of the IRC server which HOPM will monitor
92 * connections on.
93 */
94 server = "irc.example.org";
95
96 /*
97 * Password used to connect to the IRC server (PASS)
98 */
99 # password = "secret";
100
101 /*
102 * Port of the above server to connect to. This is what HOPM uses to
103 * get onto IRC itself, it is nothing to do with what ports/protocols
104 * are scanned, nor do you need to list every port your ircd listens
105 * on.
106 */
107 port = 6667;
108
109
110 /*
111 * Defines time in which bot will timeout if no data is received
112 */
113 readtimeout = 15 minutes;
114
115 /*
116 * Command to execute to identify to NickServ (if your network uses
117 * it). This is the raw IRC command text, and the below example
118 * corresponds to "/msg nickserv identify password" in a client. If
119 * you don't understand, just edit "password" in the line below to be
120 * your HOPM's nick password. Leave commented out if you don't need
121 * to identify to NickServ.
122 */
123 # nickserv = "NS IDENTIFY password";
124
125 /*
126 * The username and password needed for HOPM to oper up.
127 */
128 oper = "hopm operpass";
129
130 /*
131 * Mode string that HOPM needs to set on itself as soon as it opers
132 * up. This needs to include the mode for seeing connection notices,
133 * otherwise HOPM won't scan anyone (that's usually umode +c).
134 */
135 mode = "+c";
136
137 /*
138 * If this is set then HOPM will use it as an /away message as soon as
139 * it connects.
140 */
141 away = "I'm a bot. Your messages will be ignored.";
142
143 /*
144 * Info about channels you wish HOPM to join in order to accept
145 * commands. HOPM will also print messages in these channels every
146 * time it detects a proxy. Only IRC operators can command HOPM to do
147 * anything, but some of the things HOPM reports to these channels
148 * could be considered sensitive, so it's best not to put HOPM into
149 * public channels.
150 */
151 channel {
152 /*
153 * Channel name. Local ("&") channels are supported if your ircd
154 * supports them.
155 */
156 name = "#hopm";
157
158 /*
159 * If HOPM will need to use a key to enter this channel, this is
160 * where you specify it.
161 */
162 # key = "somekey";
163
164 /*
165 * If you use ChanServ then maybe you want to set the channel
166 * invite-only and have each HOPM do "/msg ChanServ invite" to get
167 * itself in. Leave commented if you don't, or if this makes no
168 * sense to you.
169 */
170 # invite = "CS INVITE #hopm";
171 };
172
173 /*
174 * You can define a bunch of channels if you want:
175 *
176 * channel { name = "#other"; }; channel { name="#channel"; }
177 */
178
179 /*
180 * connregex is a POSIX regular expression used to parse connection
181 * (+c) notices from the ircd. The complexity of the expression should
182 * be kept to a minimum.
183 *
184 * Items in order MUST be: nick user host IP
185 *
186 * HOPM will not work with ircds which do not send an IP in the
187 * connection notice.
188 *
189 * This is fairly complicated stuff, and the consequences of getting
190 * it wrong are the HOPM does not scan anyone. Unless you know
191 * absolutely what you are doing, please just uncomment the example
192 * below that best matches the type of ircd you use.
193 */
194 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
195
196 /*
197 * "kline" controls the command used when an open proxy is confirmed.
198 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
199 *
200 * <WARNING>
201 * Make sure if you need to change this string you also change the
202 * kline command for every DNSBL you enable below.
203 *
204 * Also note that some servers do not allow you to include ':' characters
205 * inside the KLINE message (e.g. for a http:// address).
206 *
207 * Users rewriting this message into something that isn't even a valid
208 * IRC command is the single most common cause of support requests and
209 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
210 * KLINE COMMANDS BELOW.
211 * </WARNING>
212 *
213 * That said, should you wish to customise this text, several
214 * printf-like placeholders are available:
215 *
216 * %n User's nick
217 * %u User's username
218 * %h User's irc hostname
219 * %i User's IP address
220 *
221 */
222 kline = "KLINE 180 *@%h :Open proxy found on your host.";
223
224 /*
225 * An AKILL example for services with OperServ. Your HOPM must have permission to
226 * AKILL for this to work!
227 */
228 # kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";
229
230 /*
231 * Text to send on connection, these can be stacked and will be sent in this order.
232 */
233 # perform = "TIME";
234 };
235
236
237 /*
238 * OPM Block defines blacklists and information required to report new proxies
239 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
240 * file. There are several blacklist that list IP addresses known to be open
241 * proxies or other forms of IRC abuse. By checking against these blacklists,
242 * HOPMs are able to ban known sources of abuse without completely scanning them.
243 */
244 #opm {
245 /*
246 * Blacklist zones to check IPs against. If you would rather not
247 * trust a remotely managed blacklist, you could set up your own, or
248 * leave these commented out in which case every user will be
249 * scanned. The use of at least one open proxy DNSBL is recommended
250 * however.
251 *
252 * Please check the policies of each blacklist you use to check you
253 * are comfortable with using them to block access to your server
254 * (and that you are allowed to use them).
255 */
256
257
258 /* dnsbl.dronebl.org - http://dronebl.org */
259 # blacklist {
260 /* The DNS name of the blacklist */
261 # name = "dnsbl.dronebl.org";
262
263 /*
264 * There are only two values that are valid for this
265 * "A record bitmask" and "A record reply"
266 * These options affect how the values specified to reply
267 * below will be interpreted, a bitmask is where the reply
268 * values are 2^n and more than one is added up, a reply is
269 * simply where the last octet of the IP is that number.
270 * If you are not sure then the values set for dnsbl.dronebl.org
271 * will work without any changes.
272 */
273 # type = "A record reply";
274
275 /*
276 * Kline types not listed in the reply list below.
277 *
278 * For DNSBLs that are not IRC specific and you just wish to kline
279 * certain types this can be enabled/disabled.
280 */
281 # ban_unknown = no;
282
283 /*
284 * The actual values returned by the dnsbl.dronebl.org blacklist as
285 * documented at http://dronebl.org/docs/howtouse
286 */
287 # reply {
288 # 2 = "Sample";
289 # 3 = "IRC Drone";
290 # 5 = "Bottler";
291 # 6 = "Unknown spambot or drone";
292 # 7 = "DDOS Drone";
293 # 8 = "SOCKS Proxy";
294 # 9 = "HTTP Proxy";
295 # 10 = "ProxyChain";
296 # 13 = "Brute force attackers";
297 # 14 = "Open Wingate Proxy";
298 # 15 = "Compromised router / gateway";
299 # 17 = "Automatically determined botnet IPs (experimental)";
300 # 255 = "Unknown";
301 # };
302
303 /*
304 * The kline message sent for this specific blacklist, remember to put
305 * the removal method in this.
306 */
307 # kline = "KLINE 180 *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
308 # }
309
310
311 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
312 # blacklist {
313 # name = "tor.dnsbl.sectoor.de";
314 # type = "A record reply";
315 # ban_unknown = no;
316
317 # reply {
318 # 1 = "Tor exit server";
319 # };
320
321 # kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
322 # };
323
324 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
325 # blacklist {
326 # name = "rbl.efnetrbl.org";
327 # type = "A record reply";
328 # ban_unknown = no;
329
330 # reply {
331 # 1 = "Open proxy";
332 # 2 = "spamtrap666";
333 # 3 = "spamtrap50";
334 # 4 = "TOR";
335 # 5 = "Drones / Flooding";
336 # };
337
338 # kline = "KLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
339 # };
340
341
342
343 /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
344 # blacklist {
345 # name = "tor.efnetrbl.org";
346 # type = "A record reply";
347 # ban_unknown = no;
348
349 # reply {
350 # 1 = "TOR";
351 # };
352
353 # kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
354 # };
355
356 /*
357 * You can report the insecure proxies you find to a DNSBL also!
358 * The remaining directives in this section are only needed if you
359 * intend to do this. Reports are sent by email, one email per IP
360 * address. The format does support multiple addresses in one email,
361 * but we don't know of any servers that are detecting enough insecure
362 * proxies for this to be really necessary.
363 */
364
365 /*
366 * Email address to send reports FROM. If you intend to send reports,
367 * please pick an email address that we can actually send mail to
368 * should we ever need to contact you.
369 */
370 # dnsbl_from = "mybopm@myserver.org";
371
372 /*
373 * Email address to send reports TO.
374 * For example DroneBL:
375 */
376 # dnsbl_to = "bopm-report@dronebl.org";
377
378 /*
379 * Full path to your sendmail binary. Even if your system does not
380 * use sendmail, it probably does have a binary called "sendmail"
381 * present in /usr/sbin or /usr/lib. If you don't set this, no
382 * proxies will be reported.
383 */
384 # sendmail = "/usr/sbin/sendmail";
385 #};
386
387
388 /*
389 * The short explanation:
390 *
391 * This is where you define what ports/protocols to check for. You can have
392 * multiple scanner blocks and then choose which users will get scanned by
393 * which scanners further down.
394 *
395 * The long explanation:
396 *
397 * Scanner defines a virtual scanner. For each user being scanned, a scanner
398 * will use a file descriptor (and subsequent connection) for each protocol.
399 * Once connecting it will negotiate the proxy to connect to
400 * target_ip:target_port (target_ip MUST be an IP).
401 *
402 * Once connected, any data passed through the proxy will be checked to see if
403 * target_string is contained within that data. If it is the proxy is
404 * considered open. If the connection is closed at any point before
405 * target_string is matched, or if at least max_read bytes are read from the
406 * connection, the negotiation is considered failed.
407 */
408 scanner {
409
410 /*
411 * Unique name of this scanner. This is used further down in the
412 * user {} blocks to decide which users get affected by which
413 * scanners.
414 */
415 name = "default";
416
417 /*
418 * HTTP CONNECT - very common proxy protocol supported by widely known
419 * software such as Squid and Apache. The most common sort of
420 * insecure proxy and found on a multitude of weird ports too. Offers
421 * transparent two way TCP connections.
422 */
423 protocol = HTTP:80;
424 protocol = HTTP:8080;
425 protocol = HTTP:3128;
426 protocol = HTTP:6588;
427
428 /*
429 * SOCKS4/5 - well known proxy protocols, probably the second most
430 * common for insecure proxies, also offers transparent two way TCP
431 * connections. Fortunately largely confined to port 1080.
432 */
433 protocol = SOCKS4:1080;
434 protocol = SOCKS5:1080;
435
436 /*
437 * Cisco routers with a default password (yes, it really does happen).
438 * Also pretty much anything else that will let you telnet to anywhere
439 * else on the internet. Fortunately these are always on port 23.
440 */
441 protocol = ROUTER:23;
442
443 /*
444 * WinGate is commercial windows proxy software which is now not so
445 * common, but still to be found, and helpfully presents an interface
446 * that can be used to telnet out, on port 23.
447 */
448 protocol = WINGATE:23;
449
450 /*
451 * The HTTP POST protocol, often dismissed when writing the access
452 * controls for proxies, but sadly can still be used to abused.
453 * Offers only the opportunity to send a single block of data, but
454 * enough of them at once can still make for a devastating flood.
455 * Found on the same ports that HTTP CONNECT proxies inhabit.
456 *
457 * Note that if your ircd has "ping cookies" then clients from HTTP
458 * POST proxies cannot actually ever get onto your network anyway. If
459 * you leave the checks in then you'll still find some (because some
460 * people IRC from boxes that run them), but if you use HOPM purely as
461 * a protective measure and you have ping cookies, you need not scan
462 * for HTTP POST.
463 */
464 protocol = HTTPPOST:80;
465
466 /*
467 * IP this scanner will bind to. Use this if you need your scans to
468 * come FROM a particular interface on the machine you run HOPM from.
469 * If you don't understand what this means, please leave this
470 * commented out, as this is a major source of support queries!
471 */
472 # vhost = "127.0.0.1";
473
474 /* Maximum file descriptors this scanner can use. Remember that there
475 * will be one FD for each protocol listed above. As this example
476 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
477 * limit, this scanner can be used on 64 users _at the same time_.
478 * That should be adequate for most servers.
479 */
480 fd = 512;
481
482 /*
483 * Maximum data read from a proxy before considering it closed. Don't
484 * set this too high, some people have fun setting up lots of ports
485 * that send endless data to tie up your scanner. 4KB is plenty for
486 * any known proxy.
487 */
488 max_read = 4kb;
489
490 /*
491 * Amount of time before a test is considered timed out.
492 * Again, all but the poorest slowest proxies will be detected within
493 * 30 seconds, and this helps keep resource usage low.
494 */
495 timeout = 30 seconds;
496
497 /*
498 * Target IP to tell the proxy to connect to
499 *
500 * !!! THIS MUST BE CHANGED !!!
501 *
502 * You cannot instruct the proxy to connect to itself! The easiest
503 * thing to do would be to set this to the IP of your ircd and then
504 * keep the default target_strings.
505 *
506 * Please use an IP that is publically reachable from anywhere on the
507 * Internet, because you have no way of knowing where the insecure
508 * proxies will be located. Just because you and your HOPM can
509 * connect to your ircd on some private IP like 192.168.0.1, does not
510 * mean that the insecure proxies out there on the Internet will be
511 * able to. And if they never connect, you will never detect them.
512 *
513 * Remember to change this setting for every scanner you configure.
514 */
515 target_ip = "127.0.0.1";
516
517 /*
518 * Target port to tell the proxy to connect to. This is usually
519 * something like 6667. Basically any client-usable port.
520 */
521 target_port = 6667;
522
523 /*
524 * Target string we check for in the data read back by the scanner.
525 * This should be some string out of the data that your ircd usually
526 * sends on connect. The example below will work on most
527 * hybrid/bahamut ircds. Multiple target strings are allowed.
528 *
529 * NOTE: Try to keep the number of target strings to a minimum. Two
530 * should be fine. One for normal connections and one for throttled
531 * connections. Comment out any others for efficiency.
532 */
533
534 /*
535 * Usually first line sent to client on connection to ircd.
536 * If your ircd supports a more specific line (see below),
537 * using it will reduce false positives.
538 */
539 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
540
541 /*
542 * If you try to connect too fast, you'll be throttled by your own
543 * ircd. Here's what a hybrid throttle message looks like:
544 */
545 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
546 };
547
548
549 scanner {
550 name = "extended";
551
552 protocol = HTTP:81;
553 protocol = HTTP:8000;
554 protocol = HTTP:8001;
555 protocol = HTTP:8081;
556
557 protocol = HTTPPOST:81;
558 protocol = HTTPPOST:6588;
559 # protocol = HTTPPOST:4480;
560 protocol = HTTPPOST:8000;
561 protocol = HTTPPOST:8001;
562 protocol = HTTPPOST:8080;
563 protocol = HTTPPOST:8081;
564
565 /*
566 * IRCnet have seen many socks5 on these ports, more than on the
567 * standard ports even.
568 */
569 protocol = SOCKS4:4914;
570 protocol = SOCKS4:6826;
571 protocol = SOCKS4:7198;
572 protocol = SOCKS4:7366;
573 protocol = SOCKS4:9036;
574
575 protocol = SOCKS5:4438;
576 protocol = SOCKS5:5104;
577 protocol = SOCKS5:5113;
578 protocol = SOCKS5:5262;
579 protocol = SOCKS5:5634;
580 protocol = SOCKS5:6552;
581 protocol = SOCKS5:6561;
582 protocol = SOCKS5:7464;
583 protocol = SOCKS5:7810;
584 protocol = SOCKS5:8130;
585 protocol = SOCKS5:8148;
586 protocol = SOCKS5:8520;
587 protocol = SOCKS5:8814;
588 protocol = SOCKS5:9100;
589 protocol = SOCKS5:9186;
590 protocol = SOCKS5:9447;
591 protocol = SOCKS5:9578;
592
593 /*
594 * These came courtsey of Keith Dunnett from a bunch of public open
595 * proxy lists.
596 */
597 protocol = SOCKS4:29992;
598 protocol = SOCKS4:38884;
599 protocol = SOCKS4:18844;
600 protocol = SOCKS4:17771;
601 protocol = SOCKS4:31121;
602
603 fd = 400;
604
605 /* If required you can add settings such as target_ip here
606 * they will override the defaults set in the first scanner
607 * for this and subsequent scanners defined in the config file
608 * This affects the following options:
609 * fd, vhost, target_ip, target_port, target_string, timeout and
610 * max_read.
611 */
612 };
613
614
615 /*
616 * User blocks define what scanners will be used to scan which hostmasks. When
617 * a user connects they will be scanned on every scanner {} (above) that
618 * matches their host.
619 */
620 user {
621 /*
622 * Users matching this host mask will be scanned with all the
623 * protocols in the scanner named.
624 */
625 mask = "*!*@*";
626 scanner = "default";
627 };
628
629 user {
630 /*
631 * Connections without ident will match on a vast number of connections
632 * very few proxies run ident though
633 */
634 # mask = "*!~*@*";
635 mask = "*!squid@*";
636 mask = "*!nobody@*";
637 mask = "*!www-data@*";
638 mask = "*!cache@*";
639 mask = "*!CacheFlowS@*";
640 mask = "*!*@*www*";
641 mask = "*!*@*proxy*";
642 mask = "*!*@*cache*";
643
644 scanner = "extended";
645 };
646
647
648 /*
649 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
650 * HOPM will check each string against both the hostname and the IP address of
651 * the user.
652 *
653 * There are very few valid reasons to actually use "exempt". HOPM should
654 * never get false positives, and we would like to know very much if it does.
655 * One possible scenario is that the machine HOPM runs from is specifically
656 * authorized to use certain hosts as proxies, and users from those hosts use
657 * your network. In this case, without exempt, HOPM will scan these hosts,
658 * find itself able to use them as proxies, and ban them.
659 */
660 exempt {
661 mask = "*!*@127.0.0.1";
662 };

Properties

Name Value
svn:eol-style native
svn:keywords Id