Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * Hybrid Open Proxy Monitor - HOPM sample configuration
- *
- * Copyright (c) 2014-2016 ircd-hybrid development team
- *
- * $Id: reference.conf 7200 2016-01-30 21:56:48Z michael $
- */
- /*
- * Shell style (#), C++ style (//) and C style comments are supported.
- *
- * Times/durations are written as:
- * 12 hours 30 minutes 1 second
- *
- * Valid units of time:
- * year, month, week, day, hour, minute, second
- *
- * Valid units of size:
- * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
- *
- * Sizes and times may be singular or plural.
- */
- options {
- /*
- * Full path and filename for storing the process ID of the running
- * HOPM.
- */
- pidfile = "var/run/hopm.pid";
- /*
- * Maximum commands to queue. Set to 0 if you don't want HOPM
- * to process commands.
- */
- command_queue_size = 64;
- /*
- * Interval to check command queue for timed out commands.
- */
- command_interval = 10 seconds;
- /*
- * Timeout of commands.
- */
- command_timeout = 180 seconds;
- /*
- * How long to store the IP address of hosts which are confirmed
- * (by previous scans) to be secure. New users from these
- * IP addresses will not be scanned again until this amount of time
- * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
- * DIRECTIVE, but it is provided due to demand.
- *
- * The main reason for not using this feature is that anyone capable
- * of running a proxy can get abusers onto your network - all they
- * need do is shut the proxy down, connect themselves, restart the
- * proxy, and tell their friends to come flood.
- *
- * Keep this directive commented out to disable negative caching.
- */
- # negcache = 1 hour;
- /*
- * How long between rebuilds of the negative cache. The negcache
- * is only rebuilt to free up memory used by entries that are too old.
- * You probably don't need to tweak this unless you have huge amounts
- * of people connecting (hundreds per minute). Default is 12 hours.
- */
- negcache_rebuild = 12 hours;
- /*
- * Amount of file descriptors to allocate to asynchronous DNS. 64
- * should be plenty for almost anyone.
- */
- dns_fdlimit = 64;
- /*
- * Amount of time the resolver waits until a response is received
- * from a name server.
- */
- dns_timeout = 5 seconds;
- /*
- * Put the full path and filename of a logfile here if you wish to log
- * every scan done. Normally HOPM only logs successfully detected
- * proxies in the hopm.log, but you may get abuse reports to your ISP
- * about portscanning. Being able to show that it was HOPM that did
- * the scan in question can be useful. Leave commented for no
- * logging.
- */
- scanlog = "var/log/scan.log";
- };
- irc {
- /*
- * IP address to bind to for the IRC connection. You only need to
- * use this if you wish HOPM to use a particular interface
- * (virtual host, IP alias, ...) when connecting to the IRC server.
- * There is another "vhost" setting in the scan {} block below for
- * the actual portscans. Note that this directive expects an IP address,
- * not a hostname. Please leave this commented out if you do not
- * understand what it does, as most people don't need it.
- */
- # vhost = "0.0.0.0";
- /*
- * Nickname for HOPM to use.
- */
- nick = "MyHopm";
- /*
- * Text to appear in the "realname" field of HOPM's /whois output.
- */
- realname = "Hybrid Open Proxy Monitor";
- /*
- * If you don't have an identd running, what username to use.
- */
- username = "Hopm";
- /*
- * Hostname (or IP address) of the IRC server which HOPM will monitor
- * connections on. IPv6 is now supported.
- */
- server = "irc.stream01.nl";
- /*
- * Password used to connect to the IRC server (PASS)
- */
- # password = "secret";
- /*
- * Port of the above server to connect to. This is what HOPM uses to
- * get onto IRC itself, it is nothing to do with what ports/protocols
- * are scanned, nor do you need to list every port your ircd listens
- * on.
- */
- port = 6667;
- /*
- * Defines time in which bot will timeout if no data is received
- */
- readtimeout = 15 minutes;
- /*
- * Interval in how often we try to reconnect to the IRC server
- */
- reconnectinterval = 30 seconds;
- /*
- * Command to execute to identify to NickServ (if your network uses
- * it). This is the raw IRC command text, and the below example
- * corresponds to "/msg nickserv identify password" in a client. If
- * you don't understand, just edit "password" in the line below to be
- * your HOPM's nick password. Leave commented out if you don't need
- * to identify to NickServ.
- */
- nickserv = "NS IDENTIFY xxxxxxxx";
- /*
- * The username and password needed for HOPM to oper up.
- */
- oper = "hopm xxxxxxxxxxxx";
- /*
- * Mode string that HOPM needs to set on itself as soon as it opers
- * up. This needs to include the mode for seeing connection notices,
- * otherwise HOPM won't scan anyone (that's usually umode +c).
- */
- mode = "+s +cF -h";
- /*
- * If this is set then HOPM will use it as an /away message as soon as
- * it connects.
- */
- away = "I'm a bot. Your messages will be ignored.";
- /*
- * Info about channels you wish HOPM to join in order to accept
- * commands. HOPM will also print messages in these channels every
- * time it detects a proxy. Only IRC operators can command HOPM to do
- * anything, but some of the things HOPM reports to these channels
- * could be considered sensitive, so it's best not to put HOPM into
- * public channels.
- */
- channel {
- /*
- * Channel name. Local ("&") channels are supported if your ircd
- * supports them.
- */
- name = "#Opers,#Services";
- /*
- * If HOPM will need to use a key to enter this channel, this is
- * where you specify it.
- */
- # key = "somekey";
- /*
- * If you use ChanServ then maybe you want to set the channel
- * invite-only and have each HOPM do "/msg ChanServ invite" to get
- * itself in. Leave commented if you don't, or if this makes no
- * sense to you.
- */
- # invite = "CS INVITE #hopm";
- };
- /*
- * You can define a bunch of channels if you want:
- *
- * channel { name = "#other"; }; channel { name= "#channel"; }
- */
- /*
- * connregex is a POSIX regular expression used to parse connection
- * notices from the ircd. The complexity of the expression should
- * be kept to a minimum.
- *
- * Items in order MUST be: nick user host IP
- *
- * HOPM will not work with ircds which do not send an IP address in the
- * connection notice.
- *
- * This is fairly complicated stuff, and the consequences of getting
- * it wrong are the HOPM does not scan anyone. Unless you know
- * absolutely what you are doing, please just uncomment the example
- * below that best matches the type of ircd you use.
- */
- /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
- # connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
- /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
- # connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
- /* UnrealIRCd 4.0.x */
- connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
- /* InspIRCd */
- # connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]";
- /* ngIRCd */
- # connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
- /*
- * "kline" controls the command used when an open proxy is confirmed.
- * We suggest applying a temporary (no more than a few hours) KLINE on the host.
- *
- * <WARNING>
- * Make sure if you need to change this string you also change the
- * kline command for every DNSBL you enable below.
- *
- * Also note that some servers do not allow you to include ':' characters
- * inside the KLINE message (e.g. for a http:// address).
- *
- * Users rewriting this message into something that isn't even a valid
- * IRC command is the single most common cause of support requests and
- * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
- * KLINE COMMANDS BELOW.
- * </WARNING>
- *
- * That said, should you wish to customise this text, several
- * printf-like placeholders are available:
- *
- * %n User's nick
- * %u User's username
- * %h User's irc hostname
- * %i User's IP address
- * %t Protocol type which has triggered a positive scan
- */
- kline = "KLINE 180 *@%h :Open proxy found on your host.";
- /* A GLINE example for ircu */
- # kline = "GLINE +*@%i 1800 :Open proxy found on your host.";
- /*
- * An AKILL example for services with OperServ. Your HOPM must have permission to
- * AKILL for this to work!
- */
- kline = "OS AKILL ADD +3h *@%h Open proxy is gevonden op Uw host.";
- /*
- * Text to send on connection, these can be stacked and will be sent in this order.
- *
- * !!! UNREAL USERS PLEASE NOTE !!!
- * Unreal users will need PROTOCTL HCN to force hybrid connect
- * notices.
- *
- * Yes Unreal users! That means you! That means you need the line
- * below! See that thing at the start of the line? That's what we
- * call a comment! Remove it to UNcomment the line.
- *
- * Note that this is no longer needed as of UnrealIRCd 4.0.0.
- */
- # perform = "PROTOCTL HCN";
- /*
- * Text to send, via NOTICE, immediately when a new client connects. These can be
- * stacked and will be sent in this order.
- */
- notice = "Uw host wordt nu gescand op open proxies. Helaas maar een noodzakelijke beveiliging. Bedankt voot Uw begrip.";
- };
- /*
- * OPM Block defines blacklists and information required to report new proxies
- * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
- * file. There are several blacklist that list IP addresses known to be open
- * proxies or other forms of IRC abuse. By checking against these blacklists,
- * HOPMs are able to ban known sources of abuse without completely scanning them.
- */
- opm {
- /*
- * Blacklist zones to check IPs against. If you would rather not
- * trust a remotely managed blacklist, you could set up your own, or
- * leave these commented out in which case every user will be
- * scanned. The use of at least one open proxy DNSBL is recommended
- * however.
- *
- * Please check the policies of each blacklist you use to check you
- * are comfortable with using them to block access to your server
- * (and that you are allowed to use them).
- */
- /* dnsbl.dronebl.org - http://dronebl.org */
- blacklist {
- /* The DNS name of the blacklist */
- name = "dnsbl.dronebl.org";
- /*
- * There are only two values that are valid for this
- * "A record bitmask" and "A record reply"
- * These options affect how the values specified to reply
- * below will be interpreted, a bitmask is where the reply
- * values are 2^n and more than one is added up, a reply is
- * simply where the last octet of the IP address is that number.
- * If you are not sure then the values set for dnsbl.dronebl.org
- * will work without any changes.
- */
- type = "A record reply";
- /*
- * Kline types not listed in the reply list below.
- *
- * For DNSBLs that are not IRC specific and you just wish to kline
- * certain types this can be enabled/disabled.
- */
- ban_unknown = yes;
- /*
- * The actual values returned by the dnsbl.dronebl.org blacklist as
- * documented at http://dronebl.org/docs/howtouse
- */
- reply {
- 2 = "Sample";
- 3 = "IRC Drone";
- 5 = "Bottler";
- 6 = "Unknown spambot or drone";
- 7 = "DDOS Drone";
- 8 = "SOCKS Proxy";
- 9 = "HTTP Proxy";
- 10 = "ProxyChain";
- 13 = "Brute force attackers";
- 14 = "Open Wingate Proxy";
- 15 = "Compromised router / gateway";
- 17 = "Automatically determined botnet IPs (experimental)";
- 255 = "Unknown";
- };
- /*
- * The kline message sent for this specific blacklist, remember to put
- * the removal method in this.
- */
- kline = "KLINE 180 *@%h :U heeft een host die geregistreerd staat in de DroneBL. Voor meer informatie, bezoek http://dronebl.org/lookup_branded?ip=%i&network=Network";
- };
- /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
- blacklist {
- name = "tor.dnsbl.sectoor.de";
- type = "A record reply";
- ban_unknown = no;
- reply {
- 1 = "Tor exit server";
- };
- kline = "KLINE 180 *@%h :Tor exit server gedetecteerd. Voor meer informatie, bezoek http://www.sectoor.de/tor.php?ip=%i";
- };
- /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
- blacklist {
- name = "rbl.efnetrbl.org";
- type = "A record reply";
- ban_unknown = no;
- reply {
- 1 = "Open proxy";
- 2 = "spamtrap666";
- 3 = "spamtrap50";
- 4 = "TOR";
- 5 = "Drones / Flooding";
- };
- kline = "KLINE 180 *@%h :Ge-blackliste proxy werd gevonden. Voor meer informatie, bezoek http://rbl.efnetrbl.org/?i=%i";
- };
- /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
- blacklist {
- name = "tor.efnetrbl.org";
- type = "A record reply";
- ban_unknown = no;
- reply {
- 1 = "TOR";
- };
- kline = "KLINE 180 *@%h :TOR exit node werd gevonden. Voor meer informatie, bezoek http://rbl.efnetrbl.org/?i=%i";
- };
- /*
- * You can report the insecure proxies you find to a DNSBL also!
- * The remaining directives in this section are only needed if you
- * intend to do this. Reports are sent by email, one email per IP
- * address. The format does support multiple addresses in one email,
- * but we don't know of any servers that are detecting enough insecure
- * proxies for this to be really necessary.
- */
- /*
- * Email address to send reports FROM. If you intend to send reports,
- * please pick an email address that we can actually send mail to
- * should we ever need to contact you.
- */
- # dnsbl_from = "mybopm@myserver.org";
- /*
- * Email address to send reports TO.
- * For example DroneBL:
- */
- # dnsbl_to = "bopm-report@dronebl.org";
- /*
- * Full path to your sendmail binary. Even if your system does not
- * use sendmail, it probably does have a binary called "sendmail"
- * present in /usr/sbin or /usr/lib. If you don't set this, no
- * proxies will be reported.
- */
- # sendmail = "/usr/sbin/sendmail";
- #};
- /*
- * The short explanation:
- *
- * This is where you define what ports/protocols to check for. You can have
- * multiple scanner blocks and then choose which users will get scanned by
- * which scanners further down.
- *
- * The long explanation:
- *
- * Scanner defines a virtual scanner. For each user being scanned, a scanner
- * will use a file descriptor (and subsequent connection) for each protocol.
- * Once connecting it will negotiate the proxy to connect to
- * target_ip:target_port (target_ip MUST be an IP address).
- *
- * Once connected, any data passed through the proxy will be checked to see if
- * target_string is contained within that data. If it is the proxy is
- * considered open. If the connection is closed at any point before
- * target_string is matched, or if at least max_read bytes are read from the
- * connection, the negotiation is considered failed.
- */
- scanner {
- /*
- * Unique name of this scanner. This is used further down in the
- * user {} blocks to decide which users get affected by which
- * scanners.
- */
- name = "default";
- /*
- * HTTP CONNECT - very common proxy protocol supported by widely known
- * software such as Squid and Apache. The most common sort of
- * insecure proxy and found on a multitude of weird ports too. Offers
- * transparent two way TCP connections.
- */
- protocol = HTTP:80;
- protocol = HTTP:8080;
- protocol = HTTP:3128;
- protocol = HTTP:6588;
- /*
- * The SSL/TLS variant of HTTP
- */
- # protocol = HTTPS:443;
- # protocol = HTTPS:8443;
- /*
- * SOCKS4/5 - well known proxy protocols, probably the second most
- * common for insecure proxies, also offers transparent two way TCP
- * connections. Fortunately largely confined to port 1080.
- */
- protocol = SOCKS4:1080;
- protocol = SOCKS5:1080;
- /*
- * Cisco routers with a default password (yes, it really does happen).
- * Also pretty much anything else that will let you telnet to anywhere
- * else on the Internet. Fortunately these are always on port 23.
- */
- protocol = ROUTER:23;
- /*
- * WinGate is commercial windows proxy software which is now not so
- * common, but still to be found, and helpfully presents an interface
- * that can be used to telnet out, on port 23.
- */
- protocol = WINGATE:23;
- /*
- * Dreambox DVB receivers with a default password allowing
- * full root access to telnet or install bouncers.
- */
- protocol = DREAMBOX:23;
- /*
- * The HTTP POST protocol, often dismissed when writing the access
- * controls for proxies, but sadly can still be used to abused.
- * Offers only the opportunity to send a single block of data, but
- * enough of them at once can still make for a devastating flood.
- * Found on the same ports that HTTP CONNECT proxies inhabit.
- *
- * Note that if your ircd has "ping cookies" then clients from HTTP
- * POST proxies cannot actually ever get onto your network anyway. If
- * you leave the checks in then you'll still find some (because some
- * people IRC from boxes that run them), but if you use HOPM purely as
- * a protective measure and you have ping cookies, you need not scan
- * for HTTP POST.
- */
- protocol = HTTPPOST:80;
- /*
- * The SSL/TLS variant of HTTPPOST
- */
- # protocol = HTTPSPOST:443;
- # protocol = HTTPSPOST:8443;
- /*
- * IP address this scanner will bind to. Use this if you need your scans to
- * come FROM a particular interface on the machine you run HOPM from.
- * If you don't understand what this means, please leave this
- * commented out, as this is a major source of support queries!
- */
- # vhost = "127.0.0.1";
- /*
- * Maximum file descriptors this scanner can use. Remember that there
- * will be one FD for each protocol listed above. As this example
- * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
- * limit, this scanner can be used on 64 users _at the same time_.
- * That should be adequate for most servers.
- */
- fd = 512;
- /*
- * Maximum data read from a proxy before considering it closed. Don't
- * set this too high, some people have fun setting up lots of ports
- * that send endless data to tie up your scanner. 4KB is plenty for
- * any known proxy.
- */
- max_read = 4 kbytes;
- /*
- * Amount of time before a test is considered timed out.
- * Again, all but the poorest slowest proxies will be detected within
- * 30 seconds, and this helps keep resource usage low.
- */
- timeout = 30 seconds;
- /*
- * Target IP to tell the proxy to connect to
- *
- * !!! THIS MUST BE CHANGED !!!
- *
- * You cannot instruct the proxy to connect to itself! The easiest
- * thing to do would be to set this to the IP address of your ircd
- * and then keep the default target_strings.
- *
- * Please use an IP address that is publically reachable from anywhere
- * on the Internet, because you have no way of knowing where the insecure
- * proxies will be located. Just because you and your HOPM can
- * connect to your ircd on some private IP address like 192.168.0.1,
- * does not mean that the insecure proxies out there on the Internet will be
- * able to. And if they never connect, you will never detect them.
- *
- * Remember to change this setting for every scanner you configure.
- */
- target_ip = "5.189.173.78";
- /*
- * Target port to tell the proxy to connect to. This is usually
- * something like 6667. Basically any client-usable port.
- */
- target_port = 6667;
- /*
- * Target string we check for in the data read back by the scanner.
- * This should be some string out of the data that your ircd usually
- * sends on connect. Multiple target strings are allowed.
- *
- * NOTE: Try to keep the number of target strings to a minimum. Two
- * should be fine. One for normal connections and one for throttled
- * connections. Comment out any others for efficiency.
- */
- /*
- * Usually first line sent to client on connection to ircd.
- * If your ircd supports a more specific line (see below),
- * using it will reduce false positives.
- */
- target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
- /*
- * If you try to connect too fast, you'll be throttled by your own
- * ircd. Here's what a hybrid throttle message looks like:
- */
- target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
- };
- scanner {
- name = "extended";
- protocol = HTTP:81;
- protocol = HTTP:8000;
- protocol = HTTP:8001;
- protocol = HTTP:8081;
- protocol = HTTPPOST:81;
- protocol = HTTPPOST:6588;
- protocol = HTTPPOST:4480;
- protocol = HTTPPOST:8000;
- protocol = HTTPPOST:8001;
- protocol = HTTPPOST:8080;
- protocol = HTTPPOST:8081;
- /*
- * IRCnet have seen many socks5 on these ports, more than on the
- * standard ports even.
- */
- protocol = SOCKS4:4914;
- protocol = SOCKS4:6826;
- protocol = SOCKS4:7198;
- protocol = SOCKS4:7366;
- protocol = SOCKS4:9036;
- protocol = SOCKS5:4438;
- protocol = SOCKS5:5104;
- protocol = SOCKS5:5113;
- protocol = SOCKS5:5262;
- protocol = SOCKS5:5634;
- protocol = SOCKS5:6552;
- protocol = SOCKS5:6561;
- protocol = SOCKS5:7464;
- protocol = SOCKS5:7810;
- protocol = SOCKS5:8130;
- protocol = SOCKS5:8148;
- protocol = SOCKS5:8520;
- protocol = SOCKS5:8814;
- protocol = SOCKS5:9100;
- protocol = SOCKS5:9186;
- protocol = SOCKS5:9447;
- protocol = SOCKS5:9578;
- protocol = SOCKS5:10000;
- protocol = SOCKS5:64101;
- /*
- * These came courtsey of Keith Dunnett from a bunch of public open
- * proxy lists.
- */
- protocol = SOCKS4:29992;
- protocol = SOCKS4:38884;
- protocol = SOCKS4:18844;
- protocol = SOCKS4:17771;
- protocol = SOCKS4:31121;
- fd = 400;
- /*
- * If required you can add settings such as target_ip here
- * they will override the defaults set in the first scanner
- * for this and subsequent scanners defined in the config file
- * This affects the following options:
- * fd, vhost, target_ip, target_port, target_string, timeout and
- * max_read.
- */
- };
- /*
- * User blocks define what scanners will be used to scan which hostmasks.
- * When a user connects they will be scanned on every scanner {} (above)
- * that matches their host.
- */
- user {
- /*
- * Users matching this host mask will be scanned with all the
- * protocols in the scanner named.
- */
- mask = "*!*@*";
- scanner = "default";
- };
- user {
- /*
- * Connections without ident will match on a vast number of connections
- * very few proxies run ident though
- */
- # mask = "*!~*@*";
- mask = "*!squid@*";
- mask = "*!nobody@*";
- mask = "*!www-data@*";
- mask = "*!cache@*";
- mask = "*!CacheFlowS@*";
- mask = "*!*@*www*";
- mask = "*!*@*proxy*";
- mask = "*!*@*cache*";
- scanner = "extended";
- };
- /*
- * Exempt hosts matching certain strings from any form of scanning or dnsbl.
- * HOPM will check each string against both the hostname and the IP address of
- * the user.
- *
- * There are very few valid reasons to actually use "exempt". HOPM should
- * never get false positives, and we would like to know very much if it does.
- * One possible scenario is that the machine HOPM runs from is specifically
- * authorized to use certain hosts as proxies, and users from those hosts use
- * your network. In this case, without exempt, HOPM will scan these hosts,
- * find itself able to use them as proxies, and ban them.
- */
- exempt {
- mask = "*!*@127.0.0.1";
- };
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement