/[svn]/hopm/trunk/doc/reference.conf
ViewVC logotype

Contents of /hopm/trunk/doc/reference.conf

Parent Directory Parent Directory | Revision Log Revision Log


Revision 9920 - (show annotations)
Wed Feb 3 16:43:47 2021 UTC (21 months, 3 weeks ago) by michael
File size: 25330 byte(s)
- Add `irc::tls_disable_certificate_verification` configuration option as requested in github issue #43

1 /*
2 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 *
4 * Copyright (c) 2014-2021 ircd-hybrid development team
5 *
6 * $Id$
7 */
8
9 /*
10 * Shell style (#), C++ style (//) and C style comments are supported.
11 *
12 * Files may be included by either:
13 * .include "filename"
14 * .include <filename>
15 *
16 * Times/durations are written as:
17 * 12 hours 30 minutes 1 second
18 *
19 * Valid units of time:
20 * year, month, week, day, hour, minute, second
21 *
22 * Valid units of size:
23 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
24 *
25 * Sizes and times may be singular or plural.
26 */
27
28 options {
29 /*
30 * Full path and filename for storing the process ID of the running
31 * HOPM.
32 */
33 pidfile = "var/run/hopm.pid";
34
35 /*
36 * Maximum commands to queue. Set to 0 if you don't want HOPM
37 * to process commands.
38 */
39 command_queue_size = 64;
40
41 /*
42 * Interval to check command queue for timed out commands.
43 */
44 command_interval = 10 seconds;
45
46 /*
47 * Timeout of commands.
48 */
49 command_timeout = 180 seconds;
50
51 /*
52 * How long to store the IP address of hosts which are confirmed
53 * (by previous scans) to be secure. New users from these
54 * IP addresses will not be scanned again until this amount of time
55 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
56 * DIRECTIVE, but it is provided due to demand.
57 *
58 * The main reason for not using this feature is that anyone capable
59 * of running a proxy can get abusers onto your network - all they
60 * need do is shut the proxy down, connect themselves, restart the
61 * proxy, and tell their friends to come flood.
62 *
63 * Keep this directive commented out to disable negative caching.
64 */
65 # negcache = 1 hour;
66
67 /*
68 * How long between rebuilds of the negative cache. The negcache
69 * is only rebuilt to free up memory used by entries that are too old.
70 * You probably don't need to tweak this unless you have huge amounts
71 * of people connecting (hundreds per minute). Default is 12 hours.
72 */
73 negcache_rebuild = 12 hours;
74
75 /*
76 * Amount of file descriptors to allocate to asynchronous DNS. 64
77 * should be plenty for almost anyone.
78 */
79 dns_fdlimit = 64;
80
81 /*
82 * Amount of time the resolver waits until a response is received
83 * from a name server.
84 */
85 dns_timeout = 5 seconds;
86
87 /*
88 * Put the full path and filename of a logfile here if you wish to log
89 * every scan done. Normally HOPM only logs successfully detected
90 * proxies in the hopm.log, but you may get abuse reports to your ISP
91 * about portscanning. Being able to show that it was HOPM that did
92 * the scan in question can be useful. Leave commented for no
93 * logging.
94 */
95 # scanlog = "var/log/scan.log";
96 };
97
98
99 irc {
100 /*
101 * IP address to bind to for the IRC connection. You only need to
102 * use this if you wish HOPM to use a particular interface
103 * (virtual host, IP alias, ...) when connecting to the IRC server.
104 * There is another "bind" setting in the scan {} block below for
105 * the actual portscans. Note that this directive expects an IP address,
106 * not a hostname. Please leave this commented out if you do not
107 * understand what it does, as most people don't need it.
108 */
109 # bind = "0.0.0.0";
110
111 /*
112 * Nickname for HOPM to use.
113 */
114 nick = "MyHopm";
115
116 /*
117 * Text to appear in the "realname" field of HOPM's /whois output.
118 */
119 realname = "Hybrid Open Proxy Monitor";
120
121 /*
122 * If you don't have an identd running, what username to use.
123 */
124 username = "hopm";
125
126 /*
127 * Hostname (or IP address) of the IRC server which HOPM will monitor
128 * connections on. IPv6 is now supported.
129 */
130 server = "irc.example.org";
131
132 /*
133 * Password used to connect to the IRC server (PASS)
134 */
135 # password = "secret";
136
137 /*
138 * Port of the above server to connect to. This is what HOPM uses to
139 * get onto IRC itself, it is nothing to do with what ports/protocols
140 * are scanned, nor do you need to list every port your ircd listens
141 * on.
142 */
143 port = 6667;
144
145 /*
146 * Whether to use TLS when connecting to the above server.
147 */
148 tls = no;
149
150 /*
151 * rsa_private_key_file: the path to the file containing the RSA key.
152 *
153 * Once the RSA key is generated, it is highly recommended to lock down
154 * its file permissions:
155 *
156 * chown <ircd-user>.<ircd.group> rsa.key
157 * chmod 0600 rsa.key
158 */
159 # rsa_private_key_file = "etc/rsa.key";
160
161 /*
162 * tls_certificate_file: the path to the file containing our
163 * TLS certificate for encrypted client connection.
164 */
165 # tls_certificate_file = "etc/cert.pem";
166
167 /*
168 * Checks if the host name defined above matches the identity in the
169 * certificate.
170 */
171 tls_hostname_verification = yes;
172
173 /*
174 * tls_disable_certificate_verification: setting this to 'yes' turns off
175 * verification of the remote peer's certificate. Turning off certificate
176 * verification is generally discouraged and should be done only for
177 * experimental purposes.
178 */
179 tls_disable_certificate_verification = no;
180
181 /*
182 * Defines time in which bot will timeout if no data is received
183 */
184 readtimeout = 15 minutes;
185
186 /*
187 * Interval in how often we try to reconnect to the IRC server
188 */
189 reconnectinterval = 30 seconds;
190
191 /*
192 * Command to execute to identify to NickServ (if your network uses
193 * it). This is the raw IRC command text, and the below example
194 * corresponds to "/msg nickserv identify password" in a client. If
195 * you don't understand, just edit "password" in the line below to be
196 * your HOPM's nick password. Leave commented out if you don't need
197 * to identify to NickServ.
198 */
199 # nickserv = "NS IDENTIFY password";
200
201 /*
202 * The username and password needed for HOPM to oper up.
203 */
204 oper = "hopm operpass";
205
206 /*
207 * Mode string that HOPM needs to set on itself as soon as it opers
208 * up. This needs to include the mode for seeing connection notices,
209 * otherwise HOPM won't scan anyone (that's usually umode +c).
210 */
211 mode = "+c";
212
213 /*
214 * If this is set then HOPM will use it as an /away message as soon as
215 * it connects.
216 */
217 away = "I'm a bot. Your messages will be ignored.";
218
219 /*
220 * Info about channels you wish HOPM to join in order to accept
221 * commands. HOPM will also print messages in these channels every
222 * time it detects a proxy. Only IRC operators can command HOPM to do
223 * anything, but some of the things HOPM reports to these channels
224 * could be considered sensitive, so it's best not to put HOPM into
225 * public channels.
226 */
227 channel {
228 /*
229 * Channel name. Local ("&") channels are supported if your ircd
230 * supports them.
231 */
232 name = "#hopm";
233
234 /*
235 * If HOPM will need to use a key to enter this channel, this is
236 * where you specify it.
237 */
238 # key = "somekey";
239
240 /*
241 * If you use ChanServ then maybe you want to set the channel
242 * invite-only and have each HOPM do "/msg ChanServ invite" to get
243 * itself in. Leave commented if you don't, or if this makes no
244 * sense to you.
245 */
246 # invite = "CS INVITE #hopm";
247 };
248
249 /*
250 * You can define a bunch of channels if you want:
251 *
252 * channel { name = "#other"; }; channel { name= "#channel"; }
253 */
254
255 /*
256 * connregex is a POSIX regular expression used to parse connection
257 * notices from the ircd. The complexity of the expression should
258 * be kept to a minimum.
259 *
260 * Items in order MUST be: nick user host IP
261 *
262 * HOPM will not work with ircds which do not send an IP address in the
263 * connection notice.
264 *
265 * This is fairly complicated stuff, and the consequences of getting
266 * it wrong are the HOPM does not scan anyone. Unless you know
267 * absolutely what you are doing, please just uncomment the example
268 * below that best matches the type of ircd you use.
269 */
270
271 /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
272 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
273
274 /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
275 # connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
276
277 /* UnrealIRCd 4.0.x */
278 # connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
279
280 /* InspIRCd */
281 # connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-f\\.:]+)\\) \\[.*\\]";
282
283 /* ngIRCd */
284 # connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
285
286 /*
287 * "kline" controls the command used when an open proxy is confirmed.
288 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
289 *
290 * <WARNING>
291 * Make sure if you need to change this string you also change the
292 * kline command for every DNSBL you enable below.
293 *
294 * Also note that some servers do not allow you to include ':' characters
295 * inside the KLINE message (e.g. for a http:// address).
296 *
297 * Users rewriting this message into something that isn't even a valid
298 * IRC command is the single most common cause of support requests and
299 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
300 * KLINE COMMANDS BELOW.
301 * </WARNING>
302 *
303 * That said, should you wish to customise this text, several
304 * printf-like placeholders are available:
305 *
306 * %n User's nick
307 * %u User's username
308 * %h User's irc hostname
309 * %i User's IP address
310 * %t Protocol type which has triggered a positive scan
311 */
312
313 /* A KLINE example for bahamut / charybdis / ircd-hybrid / ircd-ratbox */
314 kline = "KLINE 180 *@%i :Open proxy found on your host.";
315
316 /* A KLINE example for InspIRCd */
317 # kline = "KLINE *@%i 3h :Open proxy found on your host.";
318
319 /* A KLINE example for ngIRCd */
320 # kline = "KLINE *@%i 10800 :Open proxy found on your host.";
321
322 /* A GLINE example for ircu */
323 # kline = "GLINE +*@%i 10800 :Open proxy found on your host.";
324
325 /* A ZLINE example for UnrealIRCd */
326 # kline = "ZLINE *@%i 3h :Open proxy found on your host.";
327
328 /*
329 * An AKILL example for services with OperServ. Your HOPM must have permission to
330 * AKILL for this to work!
331 */
332 # kline = "OS AKILL ADD +3h *@%i Open proxy found on your host.";
333
334 /*
335 * Text to send on connection, these can be stacked and will be sent in this order.
336 *
337 * !!! UNREAL USERS PLEASE NOTE !!!
338 * Unreal users will need PROTOCTL HCN to force hybrid connect
339 * notices.
340 *
341 * Yes Unreal users! That means you! That means you need the line
342 * below! See that thing at the start of the line? That's what we
343 * call a comment! Remove it to UNcomment the line.
344 *
345 * Note that this is no longer needed as of UnrealIRCd 4.0.0.
346 */
347 # perform = "PROTOCTL HCN";
348
349 /*
350 * Text to send, via NOTICE, immediately when a new client connects. These can be
351 * stacked and will be sent in this order.
352 */
353 # notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
354 };
355
356
357 /*
358 * OPM Block defines blacklists and information required to report new proxies
359 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
360 * file. There are several blacklist that list IP addresses known to be open
361 * proxies or other forms of IRC abuse. By checking against these blacklists,
362 * HOPMs are able to ban known sources of abuse without completely scanning them.
363 */
364 #opm {
365 /*
366 * Blacklist zones to check IPs against. If you would rather not
367 * trust a remotely managed blacklist, you could set up your own, or
368 * leave these commented out in which case every user will be
369 * scanned. The use of at least one open proxy DNSBL is recommended
370 * however.
371 *
372 * Please check the policies of each blacklist you use to check you
373 * are comfortable with using them to block access to your server
374 * (and that you are allowed to use them).
375 */
376
377
378 /* dnsbl.dronebl.org - https://dronebl.org */
379 # blacklist {
380 /* The DNS name of the blacklist */
381 # name = "dnsbl.dronebl.org";
382
383 /*
384 * Address families that are supported by the blacklist. Default is 'ipv4'.
385 */
386 # address_family = ipv4, ipv6;
387
388 /*
389 * There are only two values that are valid for this
390 * "A record bitmask" and "A record reply"
391 * These options affect how the values specified to reply
392 * below will be interpreted, a bitmask is where the reply
393 * values are 2^n and more than one is added up, a reply is
394 * simply where the last octet of the IP address is that number.
395 * If you are not sure then the values set for dnsbl.dronebl.org
396 * will work without any changes.
397 */
398 # type = "A record reply";
399
400 /*
401 * Kline types not listed in the reply list below.
402 *
403 * For DNSBLs that are not IRC specific and you just wish to kline
404 * certain types this can be enabled/disabled.
405 */
406 # ban_unknown = no;
407
408 /*
409 * The actual values returned by the dnsbl.dronebl.org blacklist as
410 * documented at https://dronebl.org/docs/howtouse
411 */
412 # reply {
413 # 2 = "Sample data used for heuristical analysis";
414 # 3 = "IRC spam drone (litmus/sdbot/fyle)";
415 # 5 = "Bottler (experimental)";
416 # 6 = "Unknown worm or spambot";
417 # 7 = "DDoS drone";
418 # 8 = "Open SOCKS proxy";
419 # 9 = "Open HTTP proxy";
420 # 10 = "ProxyChain";
421 # 11 = "Web Page Proxy";
422 # 12 = "Open DNS Resolver";
423 # 13 = "Automated dictionary attacks";
424 # 14 = "Open WINGATE proxy";
425 # 15 = "Compromised router / gateway";
426 # 16 = "Autorooting worms";
427 # 17 = "Automatically determined botnet IPs (experimental)";
428 # 18 = "Possibly compromised DNS/MX type hostname detected on IRC";
429 # 19 = "Abused VPN Service";
430 # 255 = "Uncategorized threat class";
431 # };
432
433 /*
434 * The kline message sent for this specific blacklist, remember to put
435 * the removal method in this.
436 */
437 # kline = "KLINE 180 *@%i :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%i&network=Network";
438 # };
439
440
441 /* rbl.efnetrbl.org - https://rbl.efnetrbl.org/ */
442 # blacklist {
443 # name = "rbl.efnetrbl.org";
444 # type = "A record reply";
445 # ban_unknown = no;
446
447 # reply {
448 # 1 = "Open proxy";
449 # 2 = "spamtrap666";
450 # 3 = "spamtrap50";
451 # 4 = "TOR";
452 # 5 = "Drones / Flooding";
453 # };
454
455 # kline = "KLINE 180 *@%i :Blacklisted proxy found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
456 # };
457
458
459
460 /* tor.efnetrbl.org - https://rbl.efnetrbl.org/ */
461 # blacklist {
462 # name = "tor.efnetrbl.org";
463 # type = "A record reply";
464 # ban_unknown = no;
465
466 # reply {
467 # 1 = "TOR";
468 # };
469
470 # kline = "KLINE 180 *@%i :TOR exit node found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
471 # };
472
473 /*
474 * You can report the insecure proxies you find to a DNSBL also!
475 * The remaining directives in this section are only needed if you
476 * intend to do this. Reports are sent by email, one email per IP
477 * address. The format does support multiple addresses in one email,
478 * but we don't know of any servers that are detecting enough insecure
479 * proxies for this to be really necessary.
480 */
481
482 /*
483 * Email address to send reports FROM. If you intend to send reports,
484 * please pick an email address that we can actually send mail to
485 * should we ever need to contact you.
486 */
487 # dnsbl_from = "mybopm@myserver.org";
488
489 /*
490 * Email address to send reports TO.
491 * For example DroneBL:
492 */
493 # dnsbl_to = "bopm-report@dronebl.org";
494
495 /*
496 * Full path to your sendmail binary. Even if your system does not
497 * use sendmail, it probably does have a binary called "sendmail"
498 * present in /usr/sbin or /usr/lib. If you don't set this, no
499 * proxies will be reported.
500 */
501 # sendmail = "/usr/sbin/sendmail";
502 #};
503
504
505 /*
506 * The short explanation:
507 *
508 * This is where you define what ports/protocols to check for. You can have
509 * multiple scanner blocks and then choose which users will get scanned by
510 * which scanners further down.
511 *
512 * The long explanation:
513 *
514 * Scanner defines a virtual scanner. For each user being scanned, a scanner
515 * will use a file descriptor (and subsequent connection) for each protocol.
516 * Once connecting it will negotiate the proxy to connect to
517 * target_ip:target_port (target_ip MUST be an IP address).
518 *
519 * Once connected, any data passed through the proxy will be checked to see if
520 * target_string is contained within that data. If it is the proxy is
521 * considered open. If the connection is closed at any point before
522 * target_string is matched, or if at least max_read bytes are read from the
523 * connection, the negotiation is considered failed.
524 */
525 scanner {
526 /*
527 * Unique name of this scanner. This is used further down in the
528 * user {} blocks to decide which users get affected by which
529 * scanners.
530 */
531 name = "default";
532
533 /*
534 * HTTP CONNECT - very common proxy protocol supported by widely known
535 * software such as Squid and Apache. The most common sort of
536 * insecure proxy and found on a multitude of weird ports too. Offers
537 * transparent two way TCP connections.
538 */
539 protocol = HTTP:80;
540 protocol = HTTP:8080;
541 protocol = HTTP:3128;
542 protocol = HTTP:6588;
543
544 /*
545 * The SSL/TLS variant of HTTP
546 */
547 # protocol = HTTPS:443;
548 # protocol = HTTPS:8443;
549
550 /*
551 * SOCKS4/5 - well known proxy protocols, probably the second most
552 * common for insecure proxies, also offers transparent two way TCP
553 * connections. Fortunately largely confined to port 1080.
554 */
555 protocol = SOCKS4:1080;
556 protocol = SOCKS5:1080;
557
558 /*
559 * Cisco routers with a default password (yes, it really does happen).
560 * Also pretty much anything else that will let you telnet to anywhere
561 * else on the Internet. Fortunately these are always on port 23.
562 */
563 protocol = ROUTER:23;
564
565 /*
566 * WinGate is commercial windows proxy software which is now not so
567 * common, but still to be found, and helpfully presents an interface
568 * that can be used to telnet out, on port 23.
569 */
570 protocol = WINGATE:23;
571
572 /*
573 * Dreambox DVB receivers with a default password allowing
574 * full root access to telnet or install bouncers.
575 */
576 protocol = DREAMBOX:23;
577
578 /*
579 * The HTTP POST protocol, often dismissed when writing the access
580 * controls for proxies, but sadly can still be used to abused.
581 * Offers only the opportunity to send a single block of data, but
582 * enough of them at once can still make for a devastating flood.
583 * Found on the same ports that HTTP CONNECT proxies inhabit.
584 *
585 * Note that if your ircd has "ping cookies" then clients from HTTP
586 * POST proxies cannot actually ever get onto your network anyway. If
587 * you leave the checks in then you'll still find some (because some
588 * people IRC from boxes that run them), but if you use HOPM purely as
589 * a protective measure and you have ping cookies, you need not scan
590 * for HTTP POST.
591 */
592 protocol = HTTPPOST:80;
593
594 /*
595 * The SSL/TLS variant of HTTPPOST
596 */
597 # protocol = HTTPSPOST:443;
598 # protocol = HTTPSPOST:8443;
599
600 /*
601 * IP address this scanner will bind to. Use this if you need your scans to
602 * come FROM a particular interface on the machine you run HOPM from.
603 * If you don't understand what this means, please leave this
604 * commented out, as this is a major source of support queries!
605 */
606 # bind = "127.0.0.1";
607
608 /*
609 * Maximum file descriptors this scanner can use. Remember that there
610 * will be one FD for each protocol listed above. As this example
611 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
612 * limit, this scanner can be used on 64 users _at the same time_.
613 * That should be adequate for most servers.
614 */
615 fd = 512;
616
617 /*
618 * Maximum data read from a proxy before considering it closed. Don't
619 * set this too high, some people have fun setting up lots of ports
620 * that send endless data to tie up your scanner. 4KB is plenty for
621 * any known proxy.
622 */
623 max_read = 4 kbytes;
624
625 /*
626 * Amount of time before a test is considered timed out.
627 * Again, all but the poorest slowest proxies will be detected within
628 * 30 seconds, and this helps keep resource usage low.
629 */
630 timeout = 30 seconds;
631
632 /*
633 * Target IP to tell the proxy to connect to
634 *
635 * !!! THIS MUST BE CHANGED !!!
636 *
637 * You cannot instruct the proxy to connect to itself! The easiest
638 * thing to do would be to set this to the IP address of your ircd
639 * and then keep the default target_strings.
640 *
641 * Please use an IP address that is publically reachable from anywhere
642 * on the Internet, because you have no way of knowing where the insecure
643 * proxies will be located. Just because you and your HOPM can
644 * connect to your ircd on some private IP address like 192.168.0.1,
645 * does not mean that the insecure proxies out there on the Internet will be
646 * able to. And if they never connect, you will never detect them.
647 *
648 * Remember to change this setting for every scanner you configure.
649 */
650 target_ip = "127.0.0.1";
651
652 /*
653 * Target port to tell the proxy to connect to. This is usually
654 * something like 6667. Basically any client-usable port.
655 */
656 target_port = 6667;
657
658 /*
659 * Target string we check for in the data read back by the scanner.
660 * This should be some string out of the data that your ircd usually
661 * sends on connect. Multiple target strings are allowed.
662 *
663 * NOTE: Try to keep the number of target strings to a minimum. Two
664 * should be fine. One for normal connections and one for throttled
665 * connections. Comment out any others for efficiency.
666 */
667
668 /*
669 * Usually first line sent to client on connection to ircd.
670 * If your ircd supports a more specific line (see below),
671 * using it will reduce false positives.
672 */
673 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
674
675 /*
676 * If you try to connect too fast, you'll be throttled by your own
677 * ircd. Here's what a hybrid throttle message looks like:
678 */
679 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
680 };
681
682
683 scanner {
684 name = "extended";
685
686 protocol = HTTP:81;
687 protocol = HTTP:8000;
688 protocol = HTTP:8001;
689 protocol = HTTP:8081;
690
691 protocol = HTTPPOST:81;
692 protocol = HTTPPOST:6588;
693 protocol = HTTPPOST:4480;
694 protocol = HTTPPOST:8000;
695 protocol = HTTPPOST:8001;
696 protocol = HTTPPOST:8080;
697 protocol = HTTPPOST:8081;
698
699 /*
700 * IRCnet have seen many socks5 on these ports, more than on the
701 * standard ports even.
702 */
703 protocol = SOCKS4:4914;
704 protocol = SOCKS4:6826;
705 protocol = SOCKS4:7198;
706 protocol = SOCKS4:7366;
707 protocol = SOCKS4:9036;
708
709 protocol = SOCKS5:4438;
710 protocol = SOCKS5:5104;
711 protocol = SOCKS5:5113;
712 protocol = SOCKS5:5262;
713 protocol = SOCKS5:5634;
714 protocol = SOCKS5:6552;
715 protocol = SOCKS5:6561;
716 protocol = SOCKS5:7464;
717 protocol = SOCKS5:7810;
718 protocol = SOCKS5:8130;
719 protocol = SOCKS5:8148;
720 protocol = SOCKS5:8520;
721 protocol = SOCKS5:8814;
722 protocol = SOCKS5:9100;
723 protocol = SOCKS5:9186;
724 protocol = SOCKS5:9447;
725 protocol = SOCKS5:9578;
726 protocol = SOCKS5:10000;
727 protocol = SOCKS5:64101;
728
729 /*
730 * These came courtsey of Keith Dunnett from a bunch of public open
731 * proxy lists.
732 */
733 protocol = SOCKS4:29992;
734 protocol = SOCKS4:38884;
735 protocol = SOCKS4:18844;
736 protocol = SOCKS4:17771;
737 protocol = SOCKS4:31121;
738
739 fd = 400;
740
741 /*
742 * If required you can add settings such as target_ip here
743 * they will override the defaults set in the first scanner
744 * for this and subsequent scanners defined in the config file
745 * This affects the following options:
746 * fd, bind, target_ip, target_port, target_string, timeout and
747 * max_read.
748 */
749 };
750
751 /*
752 * Scanner to detect vulnerable SSH versions that normally exist on hacked
753 * routers and IoT devices. Don't forget to add this scanner to a user block.
754 */
755 scanner {
756 name = "ssh";
757
758 protocol = SSH:22;
759
760 target_string = "SSH-1.99-OpenSSH_5.1";
761 target_string = "SSH-2.0-dropbear_0.51";
762 target_string = "SSH-2.0-dropbear_0.52";
763 target_string = "SSH-2.0-dropbear_0.53.1";
764 target_string = "SSH-2.0-dropbear_2012.55";
765 target_string = "SSH-2.0-dropbear_2013.62";
766 target_string = "SSH-2.0-dropbear_2014.63";
767 target_string = "SSH-2.0-OpenSSH_4.3";
768 target_string = "SSH-2.0-OpenSSH_5.1";
769 target_string = "SSH-2.0-OpenSSH_5.5p1";
770 target_string = "SSH-2.0-ROSSSH";
771 target_string = "SSH-2.0-SSH_Server";
772 };
773
774
775 /*
776 * User blocks define what scanners will be used to scan which hostmasks.
777 * When a user connects they will be scanned on every scanner {} (above)
778 * that matches their host.
779 */
780 user {
781 /*
782 * Users matching this host mask will be scanned with all the
783 * protocols in the scanner named.
784 */
785 mask = "*!*@*";
786 scanner = "default";
787 };
788
789 user {
790 /*
791 * Connections without ident will match on a vast number of connections
792 * very few proxies run ident though
793 */
794 # mask = "*!~*@*";
795 mask = "*!squid@*";
796 mask = "*!nobody@*";
797 mask = "*!www-data@*";
798 mask = "*!cache@*";
799 mask = "*!CacheFlowS@*";
800 mask = "*!*@*www*";
801 mask = "*!*@*proxy*";
802 mask = "*!*@*cache*";
803
804 scanner = "extended";
805 };
806
807
808 /*
809 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
810 * HOPM will check each string against both the hostname and the IP address of
811 * the user.
812 *
813 * There are very few valid reasons to actually use "exempt". HOPM should
814 * never get false positives, and we would like to know very much if it does.
815 * One possible scenario is that the machine HOPM runs from is specifically
816 * authorized to use certain hosts as proxies, and users from those hosts use
817 * your network. In this case, without exempt, HOPM will scan these hosts,
818 * find itself able to use them as proxies, and ban them.
819 */
820 exempt {
821 mask = "*!*@127.0.0.1";
822 };

Properties

Name Value
svn:eol-style native
svn:keywords Id

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28