BOPM sample configuration
* Full path and filename for storing the process ID of the running
pidfile = "/var/run/bopm/bopm.pid";
* How many seconds to store the IP address of hosts which are
* confirmed (by previous scans) to be secure. New users from these
* IP addresses will not be scanned again until this amount of time
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
* DIRECTIVE, but it is provided due to demand.
* The main reason for not using this feature is that anyone capable
* of running a proxy can get abusers onto your network - all they
* need do is shut the proxy down, connect themselves, restart the
* proxy, and tell their friends to come flood.
* Keep this directive commented out to disable negative caching.
* Amount of file descriptors to allocate to asynchronous DNS. 64
* should be plenty for almost anyone - previous versions of BOPM only
* Put the full path and filename of a logfile here if you wish to log
* every scan done. Normally BOPM only logs successfully detected
* proxies in the bopm.log, but you may get abuse reports to your ISP
* about portscanning. Being able to show that it was BOPM that did
* the scan in question can be useful. Leave commented for no
scanlog = "/var/log/bopm/scan.log";
* IP to bind to for the IRC connection. You only need to use this if
* you wish BOPM to use a particular interface (virtual host, IP
* alias, ...) when connecting to the IRC server. There is another
* "vhost" setting in the scan {} block below for the actual
* portscans. Note that this directive expects an IP address, not a
* hostname. Please leave this commented out if you do not
* understand what it does, as most people don't need it.
* Nickname for BOPM to use.
* Text to appear in the "realname" field of BOPM's /whois output.
realname = "Blitzed Open Proxy Monitor";
* If you don't have an identd running, what username to use.
* Hostname (or IP) of the IRC server which BOPM will monitor
* Password used to connect to the IRC server (PASS)
# password = "secret";
* Port of the above server to connect to. This is what BOPM uses to
* get onto IRC itself; it has nothing to do with what ports/protocols
* are scanned, nor do you need to list every port your ircd listens
* Command to execute to identify to NickServ (if your network uses
* it). This is the raw IRC command text, and the below example
* corresponds to "/msg nickserv identify password" in a client. If
* you don't understand, just edit "password" in the line below to be
* your BOPM's nick password. Leave commented out if you don't need
* to identify to NickServ.
# nickserv = "privmsg nickserv :identify password";
* The username and password needed for BOPM to oper up.
oper = "bopm operpass";
* Mode string that BOPM needs to set on itself as soon as it opers
* up. This needs to include the mode for seeing connection notices,
* otherwise BOPM won't scan anyone (that's usually umode +c). It's
* often also a good idea to remove any helper modes so that users
* don't try to talk to the BOPM.
* REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
/* Example for Bahamut; +F gives BOPM relaxed flood limits */
* If this is set then BOPM will use it as an /away message as soon as
away = "I'm a bot. Your messages will be ignored.";
* Info about channels you wish BOPM to join in order to accept
* commands. BOPM will also print messages in these channels every
* time it detects a proxy. Only IRC operators can command BOPM to do
* anything, but some of the things BOPM reports to these channels
* could be considered sensitive, so it's best not to put BOPM into
* Channel name. Local ("&") channels are supported if your ircd
* If BOPM will need to use a key to enter this channel, this is
* where you specify it.
* If you use ChanServ then maybe you want to set the channel
* invite-only and have each BOPM do "/msg ChanServ invite" to get
* itself in. Leave commented if you don't, or if this makes no
# invite = "privmsg chanserv :invite #bopm";
* You can define a bunch of channels if you want:
* channel { name = "#other"; }; channel { name="#channel"; }
* connregex is a POSIX regular expression used to parse connection
* (+c) notices from the ircd. The complexity of the expression should
* be kept to a minimum.
* Items in order MUST be: nick user host IP
* BOPM will not work with ircds which do not send an IP in the
* This is fairly complicated stuff, and the consequences of getting
* it wrong are that BOPM does not scan anyone. Unless you know
* absolutely what you are doing, please just uncomment the example
* below that best matches the type of ircd you use.
* !!! NOTE !!! If a connregex for your ircd does not appear here and the
* hybrid connregex does not appear to work, check the BOPM FAQ at
* http://blitzed.org/bopm/faq.phtml before contacting our lists for help.
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
* Ultimate ircd - note the control-B characters around Connect/Exit
* (shown as ^B below; the real file contains the raw 0x02 bytes),
* that is because that text appears in bold in the actual connect
* notice. Be very careful when editing this, do it as you would put
* bold characters into IRC MOTDs.
# connregex = "\\*\\*\\*^BConnect/Exit^B -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
* SorIRCd 1.3.4+ / StarIRCd 5.26+.
# connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
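To see what the connregex settings above actually extract, here is an added example (written for this page, not part of BOPM or its sample config) that applies the hybrid and SorIRCd patterns to constructed +c notices. The config file doubles each backslash for its own quoting; in a Python raw string a single backslash suffices. The notice texts, nicks and addresses are made up for the example, and the helper names are mine, not BOPM's.

```python
import re

# The two uncommented/commentable patterns from the sample config, as Python
# raw strings (one backslash where the config has two). The Ultimate ircd
# variant is omitted because it depends on raw 0x02 bytes.
CONNREGEX = {
    "hybrid": r"\*\*\* Notice -- Client connecting: ([^ ]+) \(([^@]+)@([^\)]+)\) \[([0-9\.]+)\].*",
    "sorircd": r"\*\*\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \(([^@]+)@([^\)]+)\) \[([0-9\.]+)\].*",
}


def parse_connect_notice(notice, pattern=CONNREGEX["hybrid"]):
    """Return {'nick', 'user', 'host', 'ip'} from a +c notice, or None if the
    pattern does not match. Group order must be nick, user, host, IP; a
    notice without the IP does not match and BOPM could not scan it."""
    m = re.match(pattern, notice)
    if m is None:
        return None
    nick, user, host, ip = m.groups()
    return {"nick": nick, "user": user, "host": host, "ip": ip}


def detect_pattern(notice):
    """Name of the first configured pattern that parses the notice, or None.
    Handy when checking which example connregex fits an unfamiliar ircd."""
    for name, pattern in CONNREGEX.items():
        if parse_connect_notice(notice, pattern) is not None:
            return name
    return None


# Constructed sample notices (not captured from a real server).
HYBRID_NOTICE = "*** Notice -- Client connecting: alice (~alice@host.example.net) [203.0.113.5] {users}"
SORIRCD_NOTICE = "*** Notice -- Client connecting on port 6667: bob (bob@example.org) [198.51.100.7]"
NO_IP_NOTICE = "*** Notice -- Client connecting: carol (carol@example.com)"

if __name__ == "__main__":
    print(parse_connect_notice(HYBRID_NOTICE))
    print(detect_pattern(SORIRCD_NOTICE))
    print(parse_connect_notice(NO_IP_NOTICE))  # None: no IP in the notice
```

The third sample shows the failure mode the comments warn about: a notice without the bracketed IP never matches, so nothing gets scanned and no error is raised.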
* "kline" controls the command used when an open proxy is confirmed.
* We suggest applying a temporary (no more than a few hours) KLINE on the host.
* Please note that if you are matching against our DNSBL
* opm.blitzed.org (see further below), then you will need some way to
* let users know how they can be removed from this DNSBL. That is
* the purpose of the blitzed.org URL in the example message, so
* please do not remove it unless you also disable DNSBL lookups (or
* if you use a different DNSBL).
* Also note that you cannot include ':' characters actually inside
* the KLINE message (e.g. for a http:// address).
* Users rewriting this message into something that isn't even a valid
* IRC command is the single most common cause of support requests and
* therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
* KLINE COMMANDS BELOW.
* That said, should you wish to customise this text, several
* printf-like placeholders are available:
* %h User's irc hostname
* %i User's IP address
kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
* If you would prefer very plain pages then try this one. There's
* also an index3.phtml which is even more plain, useful for parsing
* via your own pages if you are trying to make your own interface to
* it. If you know XML though, talk to webmaster@blitzed.org about
* use of the XML interface to it.
# kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information.";
/* A GLINE example for IRCu: */
# kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
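Because a rewritten kline that is no longer a valid IRC command is, as the comments say, the most common support request, here is an added example (mine, not BOPM's code) that expands the %h / %i placeholders and checks a template against the rules the comments give: a KLINE or GLINE verb, at least one placeholder, a single " :" introducing the message, and no ':' inside the message. The host and IP values are constructed; the templates are the ones from the config.

```python
import re


def expand_kline(template, host, ip):
    """Substitute %h (hostname) and %i (IP). A single re.sub pass means a
    hostname that happens to contain '%i' is never expanded a second time."""
    values = {"%h": host, "%i": ip}
    return re.sub(r"%[hi]", lambda m: values[m.group(0)], template)


def validate_kline(template):
    """Return a list of problems with a kline template (empty list = OK),
    following the constraints stated in the config comments."""
    problems = []
    verb = template.split(" ", 1)[0].upper()
    if verb not in ("KLINE", "GLINE"):
        problems.append("command must be KLINE or GLINE, got %r" % verb)
    if "%h" not in template and "%i" not in template:
        problems.append("no %h or %i placeholder: the ban would not target the user")
    if " :" not in template:
        problems.append("missing ' :' before the ban message")
    else:
        message = template.split(" :", 1)[1]
        if ":" in message:
            problems.append("':' inside the ban message (e.g. http://) is not allowed")
    return problems


# Templates from the sample config, plus one deliberately broken variant
# (constructed) that smuggles an 'http://' into the message.
SAMPLE_KLINE = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."
SAMPLE_GLINE = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."
BAD_KLINE = "KLINE *@%h :Please visit http://www.blitzed.org/proxy?ip=%i"

if __name__ == "__main__":
    print(expand_kline(SAMPLE_KLINE, "host.example.net", "203.0.113.5"))
    print(validate_kline(SAMPLE_KLINE))  # []
    print(validate_kline(BAD_KLINE))     # the ':' problem
```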
* Text to send on connection, these can be stacked and will be sent in this order
* !!! UNREAL USERS PLEASE NOTE !!!
* Unreal users will need PROTOCTL HCN to force hybrid connect
* Yes Unreal users! That means you! That means you need the line
* below! See that thing at the start of the line? That's what we
* call a comment! Remove it to UNcomment the line.
# perform = "PROTOCTL HCN";
* OPM Block defines blacklists and information required to report new proxies
* to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
* file. In the case of opm.blitzed.org, we store the IP addresses of known
* insecure proxy servers. By checking against this blacklist, BOPMs are able
* to ban known proxies without having to scan them all.
* If you still don't understand what a DNSBL is, have a look at
* http://www.blitzed.org/opm.
* Blacklist zones to check IPs against. If you would rather not
* trust a remotely managed blacklist, you could set up your own, or
* you could comment this out in which case every user will be
* If you DO intend to send reports, please contact us first at
* opm-bopm@blitzed.org and let us know what you have set for
* "dnsbl_from" and your server name (or network name if you're
* reporting for a whole network). Until you do, all reports will be
* Those who report should subscribe to the opm-announce mailing list.
* This is an extremely low volume read-only mailing list that we use
* to inform our reporters about important details relating to our
* DNSBL. You can subscribe from:
* http://lists.blitzed.org/listinfo/opm-announce
* You may also be interested in opm-talk. That list is for user
* discussion of our DNSBL service, feature requests etc. Weekly
* stats about our DNSBL such as how many addresses are in it, who
* reports the most, etc. are also posted there. You can subscribe
* http://lists.blitzed.org/listinfo/opm-talk
/* The DNS name of the blacklist */
name = "opm.blitzed.org";
* There are only two values that are valid for this:
* "A record bitmask" and "A record reply".
* These options affect how the values specified to reply
* below will be interpreted: a bitmask is where the reply
* values are 2^n and more than one is added up, a reply is
* simply where the last octet of the IP is that number.
* If you are not sure then the values set for opm.blitzed.org
* will work without any changes.
type = "A record bitmask";
/* Kline types not set in the proxy types below, we might add
* other proxy types in the future, unless you want to exclude
* specific types of proxies it is recommended you leave this set.
* For DNSBLs that do not contain just open proxies this must be
* disabled (opm.blitzed.org is just an open proxy blacklist).
/* The actual values returned by the opm.blitzed.org blacklist
* As documented at http://opm.blitzed.org/info
/* The kline message sent for this specific blacklist, remember to put
* the removal method in this.
* By default this is commented out the KLINE command in the IRC
# kline = "KLINE *@%h :Open proxy found on your host, please visit www.blitzed.org/proxy?ip=%i";
* You can specify multiple DNSBLs. Some people see "opm.blitzed.org"
* and mindlessly change the "blitzed.org" part to be their own
* domain. Please don't do this unless you really do run your own
* DNSBL, all you will accomplish is filling your channels with DNS
* error messages. opm.blitzed.org should be adequate for most
/* example: NJABL - please read http://www.njabl.org/use.html before
# name = "dnsbl.njabl.org";
# type = "A record reply";
# kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
name = "dynablock.easynet.nl";
type = "A record reply";
2 = "Dynamic address";
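The difference between "A record bitmask" and "A record reply" is easiest to see on actual answer values, so here is an added example (mine, not BOPM's code) that builds a DNSBL query name and decodes a constructed A-record answer under both type settings. Forming the query by reversing the IP's octets under the zone is the standard DNSBL convention (RFC 5782); that BOPM builds its lookups exactly this way is an assumption. The dynablock reply table is the one from the config; the opm.blitzed.org reply values are not reproduced on this page, so the bitmask table uses clearly labelled placeholder descriptions.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """203.0.113.5 against opm.blitzed.org -> '5.113.0.203.opm.blitzed.org'.
    ipaddress rejects anything that is not a well-formed IPv4 address, so a
    garbled IP from a bad connregex cannot turn into a stray DNS query."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def decode_reply(answer, reply_table, reply_type):
    """Interpret the A record 'answer' (e.g. '127.0.0.3') using a
    blacklist {} style reply table {code: description}. Returns the
    matching descriptions; an empty list means the IP is not listed."""
    last_octet = int(answer.split(".")[-1])
    if reply_type == "A record reply":
        # the last octet itself is the code
        return [reply_table[last_octet]] if last_octet in reply_table else []
    if reply_type == "A record bitmask":
        # codes are powers of two; several may be added into one octet
        return [desc for code, desc in sorted(reply_table.items()) if last_octet & code]
    raise ValueError("unknown blacklist type %r" % reply_type)


# Reply tables. dynablock.easynet.nl is taken from the config above; the
# bitmask table is a constructed placeholder, NOT the real opm.blitzed.org
# values (see http://opm.blitzed.org/info for those).
DYNABLOCK = {"type": "A record reply", "reply": {2: "Dynamic address"}}
BITMASK_EXAMPLE = {
    "type": "A record bitmask",
    "reply": {1: "placeholder type 1", 2: "placeholder type 2", 4: "placeholder type 4"},
}

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.5", "opm.blitzed.org"))
    print(decode_reply("127.0.0.2", DYNABLOCK["reply"], DYNABLOCK["type"]))
    print(decode_reply("127.0.0.6", BITMASK_EXAMPLE["reply"], BITMASK_EXAMPLE["type"]))
```

Note how the same answer 127.0.0.6 would mean "code 6" under "A record reply" (unlisted, if no such code exists) but "codes 2 and 4" under "A record bitmask"; getting the type wrong silently changes what a listing means.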
* You can report the insecure proxies you find to our DNSBL also!
* The remaining directives in this section are only needed if you
* intend to do this. Reports are sent by email, one email per IP
* address. The format does support multiple addresses in one email,
* but we don't know of any servers that are detecting enough insecure
* proxies for this to be really necessary.
* Email address to send reports FROM. If you intend to send reports,
* please pick an email address that we can actually send mail to
* should we ever need to contact you.
# dnsbl_from = "mybopm@myserver.org";
* Email address to send reports TO.
# dnsbl_to = "bopm@reports.blitzed.org";
* Full path to your sendmail binary. Even if your system does not
* use sendmail, it probably does have a binary called "sendmail"
* present in /usr/sbin or /usr/lib. If you don't set this, no
* proxies will be reported.
# sendmail = "/usr/sbin/sendmail";
* The short explanation:
* This is where you define what ports/protocols to check for. You can have
* multiple scanner blocks and then choose which users will get scanned by
* which scanners further down.
* The long explanation:
* Scanner defines a virtual scanner. For each user being scanned, a scanner
* will use a file descriptor (and subsequent connection) for each protocol.
* Once connected it will negotiate with the proxy to connect to
* target_ip:target_port (target_ip MUST be an IP).
* Once connected, any data passed through the proxy will be checked to see if
* target_string is contained within that data. If it is the proxy is
* considered open. If the connection is closed at any point before
* target_string is matched, or if at least max_read bytes are read from the
* connection, the negotiation is considered failed.
* Unique name of this scanner. This is used further down in the
* user {} blocks to decide which users get affected by which
* HTTP CONNECT - very common proxy protocol supported by widely known
* software such as Squid and Apache. The most common sort of
* insecure proxy and found on a multitude of weird ports too. Offers
* transparent two way TCP connections.
protocol = HTTP:8080;
protocol = HTTP:3128;
protocol = HTTP:6588;
* SOCKS4/5 - well known proxy protocols, probably the second most
* common for insecure proxies, also offers transparent two way TCP
* connections. Fortunately largely confined to port 1080.
protocol = SOCKS4:1080;
protocol = SOCKS5:1080;
* Cisco routers with a default password (yes, it really does happen).
* Also pretty much anything else that will let you telnet to anywhere
* else on the internet. Fortunately these are always on port 23.
protocol = ROUTER:23;
* WinGate is commercial windows proxy software which is now not so
* common, but still to be found, and helpfully presents an interface
* that can be used to telnet out, on port 23.
protocol = WINGATE:23;
* The HTTP POST protocol, often dismissed when writing the access
* controls for proxies, but sadly can still be used to abuse.
* Offers only the opportunity to send a single block of data, but
* enough of them at once can still make for a devastating flood.
* Found on the same ports that HTTP CONNECT proxies inhabit.
* Note that if your ircd has "ping cookies" then clients from HTTP
* POST proxies cannot actually ever get onto your network anyway. If
* you leave the checks in then you'll still find some (because some
* people IRC from boxes that run them), but if you use BOPM purely as
* a protective measure and you have ping cookies, you need not scan
protocol = HTTPPOST:80;
* IP this scanner will bind to. Use this if you need your scans to
* come FROM a particular interface on the machine you run BOPM from.
* If you don't understand what this means, please leave this
* commented out, as this is a major source of support queries!
# vhost = "127.0.0.1";
/* Maximum file descriptors this scanner can use. Remember that there
* will be one FD for each protocol listed above. As this example
* scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
* limit, this scanner can be used on 64 users _at the same time_.
* That should be adequate for most servers.
* Maximum data read from a proxy before considering it closed. Don't
* set this too high, some people have fun setting up lots of ports
* that send endless data to tie up your scanner. 4KB is plenty for
* Amount of time (in seconds) before a test is considered timed out.
* Again, all but the poorest slowest proxies will be detected within
* 30 seconds, and this helps keep resource usage low.
* Target IP to tell the proxy to connect to
* !!! THIS MUST BE CHANGED !!!
* You cannot instruct the proxy to connect to itself! The easiest
* thing to do would be to set this to the IP of your ircd and then
* keep the default target_strings.
* Please use an IP that is publicly reachable from anywhere on the
* Internet, because you have no way of knowing where the insecure
* proxies will be located. Just because you and your BOPM can
* connect to your ircd on some private IP like 192.168.0.1, does not
* mean that the insecure proxies out there on the Internet will be
* able to. And if they never connect, you will never detect them.
* Remember to change this setting for every scanner you configure.
target_ip = "127.0.0.1";
* Target port to tell the proxy to connect to. This is usually
* something like 6667. Basically any client-usable port.
* Target string we check for in the data read back by the scanner.
* This should be some string out of the data that your ircd usually
* sends on connect. The example below will work on most
* hybrid/bahamut ircds. Multiple target strings are allowed.
* NOTE: Try to keep the number of target strings to a minimum. Two
* should be fine. One for normal connections and one for throttled
* connections. Comment out any others for efficiency.
/* Usually first line sent to client on connection to ircd.
* If your ircd supports a more specific line (see below),
* using it will reduce false positives.
target_string = "*** Looking up your hostname...";
/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
* It is recommended you use the following instead of the generic
* "*** Looking up your hostname..." if your ircd supports it.
* This will reduce the chances of false positives.
# target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname...";
/* If you try to connect too fast, you'll be throttled by your own
* ircd. Here's what a hybrid throttle message looks like:
target_string = "ERROR :Trying to reconnect too fast.";
/* And the same for bahamut (comment this out if you're not using bahamut): */
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
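The "long explanation" of the scanner {} block and the target_string comments above together define one decision rule: open if a target string turns up in the data read back, failed if the connection closes or max_read bytes arrive first. This added example (mine, not BOPM's code, and with no networking in it) applies that rule to constructed byte streams fed in chunks, which also shows why the check must run on accumulated data rather than on each read alone: an ircd banner that arrives split across two reads would otherwise be missed. Timeouts are left to the caller, as the function only sees data.

```python
# Target strings from the sample config (hybrid banner plus the hybrid and
# bahamut throttle messages). A throttled reply still proves the proxy
# relayed the connection, which is why it counts as a match.
TARGET_STRINGS = [
    "*** Looking up your hostname...",
    "ERROR :Trying to reconnect too fast.",
    "ERROR :Your host is trying to (re)connect too fast -- throttled.",
]


def negotiation_result(chunks, target_strings=TARGET_STRINGS, max_read=4096, closed=True):
    """Classify data read back through a proxy.

    chunks  - successive byte strings as read from the proxy
    closed  - whether the peer closed the connection after the last chunk
    Returns 'open' once a target string appears in the accumulated data,
    'failed' when max_read bytes were read or the connection closed without
    a match, or 'pending' if the stream is still open and undecided."""
    targets = [t.encode() for t in target_strings]
    buf = b""
    for chunk in chunks:
        buf += chunk
        if any(t in buf for t in targets):
            return "open"          # proxy relayed us to the ircd: open
        if len(buf) >= max_read:
            return "failed"        # endless-data trap, stop reading
    return "failed" if closed else "pending"


# Constructed sample streams (not captured traffic).
SPLIT_BANNER = [b":irc.example.net NOTICE AUTH :*** Looking up ", b"your hostname...\r\n"]
THROTTLED = [b"ERROR :Trying to reconnect too fast.\r\n"]
JUNK_FLOOD = [b"A" * 1024] * 5           # 5 KB of filler, no banner
PROXY_REFUSED = [b"HTTP/1.0 403 Forbidden\r\n"]
STILL_WAITING = [b"HTTP/1.0 200 Connection established\r\n\r\n"]

if __name__ == "__main__":
    print(negotiation_result(SPLIT_BANNER))              # open
    print(negotiation_result(THROTTLED))                 # open
    print(negotiation_result(JUNK_FLOOD))                # failed (max_read)
    print(negotiation_result(PROXY_REFUSED))             # failed (closed)
    print(negotiation_result(STILL_WAITING, closed=False))  # pending
```

A lower max_read shortens how long a deliberately chatty port can hold a scanner FD, at the cost of missing a target string that arrives after a lot of preamble; the 4 KB default in the config is the trade-off the authors chose.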
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
# protocol = HTTPPOST:4480;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8080;
protocol = HTTPPOST:8081;
* IRCnet have seen many socks5 on these ports, more than on the
* standard ports even.
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
/* If required you can add settings such as target_ip here;
* they will override the defaults set in the first scanner
* for this and subsequent scanners defined in the config file.
* This affects the following options:
* fd, vhost, target_ip, target_port, target_string, timeout and
* User blocks define what scanners will be used to scan which hostmasks. When
* a user connects they will be scanned on every scanner {} (above) that
* matches their host.
* Users matching this host mask will be scanned with all the
* protocols in the scanner named.
/* Connections without ident will match on a vast number of connections;
* very few proxies run ident, though */
mask = "*!www-data@*";
mask = "*!CacheFlowS@*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
scanner = "extended";
* Exempt hosts matching certain strings from any form of scanning or dnsbl.
* BOPM will check each string against both the hostname and the IP address of
* There are very few valid reasons to actually use "exempt". BOPM should
* never get false positives, and we would like to know very much if it does.
* One possible scenario is that the machine BOPM runs from is specifically
* authorized to use certain hosts as proxies, and users from those hosts use
* your network. In this case, without exempt, BOPM will scan these hosts,
* find itself able to use them as proxies, and ban them.
mask = "*!*@127.0.0.1";
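To tie the user {} and exempt {} sections together, here is an added example (mine, not BOPM's code) that decides which scanners apply to a connecting client: the exempt list is checked first, against both the hostname and the IP as the comments describe, and then each user block's nick!user@host masks are matched as shell-style globs. The masks for the "extended" block are the ones listed above; the catch-all "*!*@*" block and the scanner name "default" are constructed for the example, since that part of the config is not shown on this page, and matching user-block masks against the hostname only is my simplification.

```python
from fnmatch import fnmatchcase


# Constructed user blocks: the catch-all/"default" pair is assumed; the
# "extended" masks are those listed in the config.
USER_BLOCKS = [
    {"masks": ["*!*@*"], "scanner": "default"},
    {"masks": ["*!www-data@*", "*!CacheFlowS@*", "*!*@*proxy*", "*!*@*cache*"],
     "scanner": "extended"},
]
# The exempt mask from the config.
EXEMPT = ["*!*@127.0.0.1"]


def is_exempt(nick, user, host, ip, exempt=EXEMPT):
    """Exempt strings are tried against the hostname and the IP, so either
    form of the address in the mask keeps the client out of scanning."""
    return any(fnmatchcase("%s!%s@%s" % (nick, user, h), mask)
               for mask in exempt for h in (host, ip))


def scanners_for(nick, user, host, ip, blocks=USER_BLOCKS, exempt=EXEMPT):
    """Names of the scanners the client would be run through, in config
    order; an empty list means no scanning or DNSBL lookup at all."""
    if is_exempt(nick, user, host, ip, exempt):
        return []
    client = "%s!%s@%s" % (nick, user, host)
    chosen = []
    for block in blocks:
        if any(fnmatchcase(client, m) for m in block["masks"]) and block["scanner"] not in chosen:
            chosen.append(block["scanner"])
    return chosen


if __name__ == "__main__":
    # Constructed clients, not real users.
    print(scanners_for("alice", "~alice", "host.example.net", "203.0.113.5"))  # ['default']
    print(scanners_for("bob", "www-data", "web.example.org", "198.51.100.7"))  # both
    print(scanners_for("carol", "carol", "gw.proxy.example", "192.0.2.9"))     # both
    print(scanners_for("dave", "dave", "localhost", "127.0.0.1"))             # [] exempt
```

The exempt check deliberately runs before any mask lookup; a client that is exempt gets neither the scanner protocols nor the DNSBL lookup, which is exactly why the config warns there are very few good reasons to use it.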