1 | /* |
2 | ||
3 | BOPM sample configuration | |
4 | ||
5 | */ | |
6 | ||
7 | options { | |
8 | /* | |
9 | * Full path and filename for storing the process ID of the running | |
10 | * BOPM. | |
11 | */ | |
12 | pidfile = "/var/run/bopm/bopm.pid"; | |
13 | ||
14 | /* | |
15 | * How many seconds to store the IP address of hosts which are | |
16 | * confirmed (by previous scans) to be secure. New users from these | |
17 | * IP addresses will not be scanned again until this amount of time | |
18 | * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS | |
19 | * DIRECTIVE, but it is provided due to demand. | |
20 | * | |
21 | * The main reason for not using this feature is that anyone capable | |
22 | * of running a proxy can get abusers onto your network - all they | |
23 | * need do is shut the proxy down, connect themselves, restart the | |
24 | * proxy, and tell their friends to come flood. | |
25 | * | |
26 | * Keep this directive commented out to disable negative caching. | |
27 | */ | |
28 | # negcache = 3600; | |
29 | ||
30 | /* | |
31 | * Number of file descriptors to allocate to asynchronous DNS. 64 | |
32 | * should be plenty for almost anyone - previous versions of BOPM only | |
33 | * did one at a time! | |
34 | */ | |
35 | dns_fdlimit = 64; | |
36 | ||
37 | /* | |
38 | * Put the full path and filename of a logfile here if you wish to log | |
39 | * every scan done. Normally BOPM only logs successfully detected | |
40 | * proxies in the bopm.log, but you may get abuse reports to your ISP | |
41 | * about portscanning. Being able to show that it was BOPM that did | |
42 | * the scan in question can be useful. Leave commented for no | |
43 | * logging. | |
44 | */ | |
45 | scanlog = "/var/log/bopm/scan.log"; | |
46 | }; | |
47 | ||
48 | ||
49 | IRC { | |
50 | /* | |
51 | * IP to bind to for the IRC connection. You only need to use this if | |
52 | * you wish BOPM to use a particular interface (virtual host, IP | |
53 | * alias, ...) when connecting to the IRC server. There is another | |
54 | * "vhost" setting in the scan {} block below for the actual | |
55 | * portscans. Note that this directive expects an IP address, not a | |
56 | * hostname. Please leave this commented out if you do not | |
57 | * understand what it does, as most people don't need it. | |
58 | */ | |
59 | # vhost = "0.0.0.0"; | |
60 | ||
61 | /* | |
62 | * Nickname for BOPM to use. | |
63 | */ | |
64 | nick = "MyBopm"; | |
65 | ||
66 | /* | |
67 | * Text to appear in the "realname" field of BOPM's /whois output. | |
68 | */ | |
69 | realname = "Blitzed Open Proxy Monitor"; | |
70 | ||
71 | /* | |
72 | * If you don't have an identd running, what username to use. | |
73 | */ | |
74 | username = "bopm"; | |
75 | ||
76 | /* | |
77 | * Hostname (or IP) of the IRC server which BOPM will monitor | |
78 | * connections on. | |
79 | */ | |
80 | server = "localhost"; | |
81 | ||
82 | ||
83 | /* | |
84 | * Password used to connect to the IRC server (PASS) | |
85 | */ | |
86 | ||
87 | # password = "secret"; | |
88 | ||
89 | ||
90 | /* | |
91 | * Port of the above server to connect to. This is what BOPM uses to | |
92 | * get onto IRC itself; it has nothing to do with what ports/protocols | |
93 | * are scanned, nor do you need to list every port your ircd listens | |
94 | * on. | |
95 | */ | |
96 | port = 6667; | |
97 | ||
98 | /* | |
99 | * Command to execute to identify to NickServ (if your network uses | |
100 | * it). This is the raw IRC command text, and the below example | |
101 | * corresponds to "/msg nickserv identify password" in a client. If | |
102 | * you don't understand, just edit "password" in the line below to be | |
103 | * your BOPM's nick password. Leave commented out if you don't need | |
104 | * to identify to NickServ. | |
105 | */ | |
106 | # nickserv = "privmsg nickserv :identify password"; | |
107 | ||
108 | /* | |
109 | * The username and password needed for BOPM to oper up. | |
110 | */ | |
111 | oper = "bopm operpass"; | |
112 | ||
113 | /* | |
114 | * Mode string that BOPM needs to set on itself as soon as it opers | |
115 | * up. This needs to include the mode for seeing connection notices, | |
116 | * otherwise BOPM won't scan anyone (that's usually umode +c). It's | |
117 | * often also a good idea to remove any helper modes so that users | |
118 | * don't try to talk to the BOPM. | |
119 | * | |
120 | * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE | |
121 | * +c !! | |
122 | */ | |
123 | mode = "+c-h"; | |
124 | ||
125 | /* Example for Bahamut; +F gives BOPM relaxed flood limits */ | |
126 | # mode = "+Fc-h"; | |
127 | ||
128 | /* | |
129 | * If this is set then BOPM will use it as an /away message as soon as | |
130 | * it connects. | |
131 | */ | |
132 | away = "I'm a bot. Your messages will be ignored."; | |
133 | ||
134 | /* | |
135 | * Info about channels you wish BOPM to join in order to accept | |
136 | * commands. BOPM will also print messages in these channels every | |
137 | * time it detects a proxy. Only IRC operators can command BOPM to do | |
138 | * anything, but some of the things BOPM reports to these channels | |
139 | * could be considered sensitive, so it's best not to put BOPM into | |
140 | * public channels. | |
141 | */ | |
142 | channel { | |
143 | /* | |
144 | * Channel name. Local ("&") channels are supported if your ircd | |
145 | * supports them. | |
146 | */ | |
147 | name = "#bopm"; | |
148 | ||
149 | /* | |
150 | * If BOPM will need to use a key to enter this channel, this is | |
151 | * where you specify it. | |
152 | */ | |
153 | # key = "somekey"; | |
154 | ||
155 | /* | |
156 | * If you use ChanServ then maybe you want to set the channel | |
157 | * invite-only and have each BOPM do "/msg ChanServ invite" to get | |
158 | * itself in. Leave commented if you don't, or if this makes no | |
159 | * sense to you. | |
160 | */ | |
161 | # invite = "privmsg chanserv :invite #bopm"; | |
162 | }; | |
163 | ||
164 | /* | |
165 | * You can define a bunch of channels if you want: | |
166 | * | |
167 | * channel { name = "#other"; }; channel { name = "#channel"; }; | |
168 | */ | |
169 | ||
170 | /* | |
171 | * connregex is a POSIX regular expression used to parse connection | |
172 | * (+c) notices from the ircd. The complexity of the expression should | |
173 | * be kept to a minimum. | |
174 | * | |
175 | * Items in order MUST be: nick user host IP | |
176 | * | |
177 | * BOPM will not work with ircds which do not send an IP in the | |
178 | * connection notice. | |
179 | * | |
180 | * This is fairly complicated stuff, and the consequences of getting | |
181 | * it wrong are that BOPM does not scan anyone. Unless you know | |
182 | * absolutely what you are doing, please just uncomment the example | |
183 | * below that best matches the type of ircd you use. | |
184 | * | |
185 | * !!! NOTE !!! If a connregex for your ircd does not appear here and the | |
186 | * hybrid connregex does not appear to work, check the BOPM FAQ at | |
187 | * http://blitzed.org/bopm/faq.phtml before contacting our lists for help. | |
188 | * | |
189 | */ | |
190 | ||
191 | /* Hybrid / Bahamut / Unreal (in HCN mode) */ | |
192 | connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; | |
193 | ||
194 | /* | |
195 | * Ultimate ircd - note the control-B characters around Connect/Exit, | |
196 | * that is because that text appears in bold in the actual connect | |
197 | * notice. Be very careful when editing this, do it as you would put | |
198 | * bold characters into IRC MOTDs. | |
199 | */ | |
200 | # connregex = "\\*\\*\\* \ 2Connect/Exit\ 2 -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; | |
201 | ||
202 | /* | |
203 | * SorIRCd 1.3.4+ / StarIRCd 5.26+. | |
204 | */ | |
205 | # connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; | |
206 | ||
207 | ||
208 | /* | |
209 | * "kline" controls the command used when an open proxy is confirmed. | |
210 | * We suggest applying a temporary (no more than a few hours) KLINE on the host. | |
211 | * | |
212 | * <WARNING> | |
213 | * Please note that if you are matching against our DNSBL | |
214 | * opm.blitzed.org (see further below), then you will need some way to | |
215 | * let users know how they can be removed from this DNSBL. That is | |
216 | * the purpose of the blitzed.org URL in the example message, so | |
217 | * please do not remove it unless you also disable DNSBL lookups (or | |
218 | * if you use a different DNSBL). | |
219 | * | |
220 | * Also note that you cannot include ':' characters actually inside | |
221 | * the KLINE message (e.g. for a http:// address). | |
222 | * | |
223 | * Users rewriting this message into something that isn't even a valid | |
224 | * IRC command is the single most common cause of support requests and | |
225 | * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE | |
226 | * KLINE COMMANDS BELOW. | |
227 | * </WARNING> | |
228 | * | |
229 | * That said, should you wish to customise this text, several | |
230 | * printf-like placeholders are available: | |
231 | * | |
232 | * %n User's nick | |
233 | * %u User's username | |
234 | * %h User's irc hostname | |
235 | * %i User's IP address | |
236 | * | |
237 | */ | |
238 | kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."; | |
239 | ||
240 | /* | |
241 | * If you would prefer very plain pages then try this one. There's | |
242 | * also an index3.phtml which is even more plain, useful for parsing | |
243 | * via your own pages if you are trying to make your own interface to | |
244 | * it. If you know XML though, talk to webmaster@blitzed.org about | |
245 | * use of the XML interface to it. | |
246 | */ | |
247 | # kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information."; | |
248 | ||
249 | /* A GLINE example for IRCu: */ | |
250 | # kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."; | |
251 | ||
252 | /* | |
253 | * Text to send on connection; multiple lines can be stacked and will be sent in this order | |
254 | * | |
255 | * !!! UNREAL USERS PLEASE NOTE !!! | |
256 | * Unreal users will need PROTOCTL HCN to force hybrid connect | |
257 | * notices. | |
258 | * | |
259 | * Yes Unreal users! That means you! That means you need the line | |
260 | * below! See that thing at the start of the line? That's what we | |
261 | * call a comment! Remove it to UNcomment the line. | |
262 | */ | |
263 | # perform = "PROTOCTL HCN"; | |
264 | ||
265 | }; | |
266 | ||
267 | ||
268 | /* | |
269 | * OPM Block defines blacklists and information required to report new proxies | |
270 | * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone | |
271 | * file. In the case of opm.blitzed.org, we store the IP addresses of known | |
272 | * insecure proxy servers. By checking against this blacklist, BOPMs are able | |
273 | * to ban known proxies without having to scan them all. | |
274 | * | |
275 | * If you still don't understand what a DNSBL is, have a look at | |
276 | * http://www.blitzed.org/opm. | |
277 | */ | |
278 | ||
279 | OPM { | |
280 | /* | |
281 | * Blacklist zones to check IPs against. If you would rather not | |
282 | * trust a remotely managed blacklist, you could set up your own, or | |
283 | * you could comment this out in which case every user will be | |
284 | * scanned. | |
285 | * | |
286 | * If you DO intend to send reports, please contact us first at | |
287 | * opm-bopm@blitzed.org and let us know what you have set for | |
288 | * "dnsbl_from" and your server name (or network name if you're | |
289 | * reporting for a whole network). Until you do, all reports will be | |
290 | * bounced. | |
291 | * | |
292 | * Those who report should subscribe to the opm-announce mailing list. | |
293 | * This is an extremely low volume read-only mailing list that we use | |
294 | * to inform our reporters about important details relating to our | |
295 | * DNSBL. You can subscribe from: | |
296 | * | |
297 | * http://lists.blitzed.org/listinfo/opm-announce | |
298 | * | |
299 | * You may also be interested in opm-talk. That list is for user | |
300 | * discussion of our DNSBL service, feature requests etc. Weekly | |
301 | * stats about our DNSBL such as how many addresses are in it, who | |
302 | * reports the most, etc. are also posted there. You can subscribe | |
303 | * from: | |
304 | * | |
305 | * http://lists.blitzed.org/listinfo/opm-talk | |
306 | */ | |
307 | ||
308 | blacklist { | |
309 | /* The DNS name of the blacklist */ | |
310 | name = "opm.blitzed.org"; | |
311 | ||
312 | /* | |
313 | * There are only two values that are valid for this: | |
314 | * "A record bitmask" and "A record reply" | |
315 | * These options affect how the values specified to reply | |
316 | * below will be interpreted, a bitmask is where the reply | |
317 | * values are 2^n and more than one is added up, a reply is | |
318 | * simply where the last octet of the IP is that number. | |
319 | * If you are not sure then the values set for opm.blitzed.org | |
320 | * will work without any changes. | |
321 | */ | |
322 | type = "A record bitmask"; | |
323 | ||
324 | /* Kline types that are not listed in the proxy types below. We might add | |
325 | * other proxy types in the future, so unless you want to exclude | |
326 | * specific types of proxies it is recommended you leave this set. | |
327 | * For DNSBLs that do not contain just open proxies this must be | |
328 | * disabled (opm.blitzed.org is just an open proxy blacklist). | |
329 | */ | |
330 | ban_unknown = yes; | |
331 | ||
332 | /* The actual values returned by the opm.blitzed.org blacklist | |
333 | * As documented at http://opm.blitzed.org/info | |
334 | */ | |
335 | reply { | |
336 | 1 = "WinGate"; | |
337 | 2 = "Socks"; | |
338 | 4 = "HTTP"; | |
339 | 8 = "Router"; | |
340 | 16 = "HTTP POST"; | |
341 | }; | |
342 | ||
343 | /* The kline message sent for this specific blacklist, remember to put | |
344 | * the removal method in this. | |
345 | * By default this is commented out and the KLINE command in the IRC | |
346 | * block is used. | |
347 | */ | |
348 | # kline = "KLINE *@%h :Open proxy found on your host, please visit www.blitzed.org/proxy?ip=%i"; | |
349 | }; | |
350 | ||
351 | /* | |
352 | * You can specify multiple DNSBLs. Some people see "opm.blitzed.org" | |
353 | * and mindlessly change the "blitzed.org" part to be their own | |
354 | * domain. Please don't do this unless you really do run your own | |
355 | * DNSBL, all you will accomplish is filling your channels with DNS | |
356 | * error messages. opm.blitzed.org should be adequate for most | |
357 | * people. | |
358 | */ | |
359 | ||
360 | /* example: NJABL - please read http://www.njabl.org/use.html before | |
361 | * uncommenting */ | |
362 | # blacklist { | |
363 | # name = "dnsbl.njabl.org"; | |
364 | # type = "A record reply"; | |
365 | # reply { | |
366 | # 9 = "Open proxy"; | |
367 | # }; | |
368 | # ban_unknown = no; | |
369 | # kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i"; | |
370 | # }; | |
371 | ||
372 | blacklist { |
373 | name = "dynablock.easynet.nl"; | |
374 | whitelist = yes; | |
375 | alert = no; | |
376 | ban_unknown = yes; | |
377 | type = "A record reply"; | |
378 | reply { | |
379 | 2 = "Dynamic address"; | |
380 | }; | |
381 | }; | |
382 | ||
383 | /* |
384 | * You can report the insecure proxies you find to our DNSBL also! | |
385 | * The remaining directives in this section are only needed if you | |
386 | * intend to do this. Reports are sent by email, one email per IP | |
387 | * address. The format does support multiple addresses in one email, | |
388 | * but we don't know of any servers that are detecting enough insecure | |
389 | * proxies for this to be really necessary. | |
390 | */ | |
391 | ||
392 | /* | |
393 | * Email address to send reports FROM. If you intend to send reports, | |
394 | * please pick an email address that we can actually send mail to | |
395 | * should we ever need to contact you. | |
396 | */ | |
397 | # dnsbl_from = "mybopm@myserver.org"; | |
398 | ||
399 | /* | |
400 | * Email address to send reports TO. | |
401 | */ | |
402 | # dnsbl_to = "bopm@reports.blitzed.org"; | |
403 | ||
404 | /* | |
405 | * Full path to your sendmail binary. Even if your system does not | |
406 | * use sendmail, it probably does have a binary called "sendmail" | |
407 | * present in /usr/sbin or /usr/lib. If you don't set this, no | |
408 | * proxies will be reported. | |
409 | */ | |
410 | # sendmail = "/usr/sbin/sendmail"; | |
411 | }; | |
412 | ||
413 | ||
414 | /* | |
415 | * The short explanation: | |
416 | * | |
417 | * This is where you define what ports/protocols to check for. You can have | |
418 | * multiple scanner blocks and then choose which users will get scanned by | |
419 | * which scanners further down. | |
420 | * | |
421 | * The long explanation: | |
422 | * | |
423 | * Scanner defines a virtual scanner. For each user being scanned, a scanner | |
424 | * will use a file descriptor (and subsequent connection) for each protocol. | |
425 | * After connecting, it will negotiate with the proxy to connect to | |
426 | * target_ip:target_port (target_ip MUST be an IP). | |
427 | * | |
428 | * Once connected, any data passed through the proxy will be checked to see if | |
429 | * target_string is contained within that data. If it is, the proxy is | |
430 | * considered open. If the connection is closed at any point before | |
431 | * target_string is matched, or if at least max_read bytes are read from the | |
432 | * connection, the negotiation is considered failed. | |
433 | */ | |
434 | ||
435 | scanner { | |
436 | ||
437 | /* | |
438 | * Unique name of this scanner. This is used further down in the | |
439 | * user {} blocks to decide which users get affected by which | |
440 | * scanners. | |
441 | */ | |
442 | name="default"; | |
443 | ||
444 | /* | |
445 | * HTTP CONNECT - very common proxy protocol supported by widely known | |
446 | * software such as Squid and Apache. The most common sort of | |
447 | * insecure proxy and found on a multitude of weird ports too. Offers | |
448 | * transparent two way TCP connections. | |
449 | */ | |
450 | protocol = HTTP:80; | |
451 | protocol = HTTP:8080; | |
452 | protocol = HTTP:3128; | |
453 | protocol = HTTP:6588; | |
454 | ||
455 | /* | |
456 | * SOCKS4/5 - well known proxy protocols, probably the second most | |
457 | * common for insecure proxies, also offers transparent two way TCP | |
458 | * connections. Fortunately largely confined to port 1080. | |
459 | */ | |
460 | protocol = SOCKS4:1080; | |
461 | protocol = SOCKS5:1080; | |
462 | ||
463 | /* | |
464 | * Cisco routers with a default password (yes, it really does happen). | |
465 | * Also pretty much anything else that will let you telnet to anywhere | |
466 | * else on the internet. Fortunately these are always on port 23. | |
467 | */ | |
468 | protocol = ROUTER:23; | |
469 | ||
470 | /* | |
471 | * WinGate is commercial windows proxy software which is now not so | |
472 | * common, but still to be found, and helpfully presents an interface | |
473 | * that can be used to telnet out, on port 23. | |
474 | */ | |
475 | protocol = WINGATE:23; | |
476 | ||
477 | /* | |
478 | * The HTTP POST protocol, often dismissed when writing the access | |
479 | * controls for proxies, but sadly can still be used for abuse. | |
480 | * Offers only the opportunity to send a single block of data, but | |
481 | * enough of them at once can still make for a devastating flood. | |
482 | * Found on the same ports that HTTP CONNECT proxies inhabit. | |
483 | * | |
484 | * Note that if your ircd has "ping cookies" then clients from HTTP | |
485 | * POST proxies cannot actually ever get onto your network anyway. If | |
486 | * you leave the checks in then you'll still find some (because some | |
487 | * people IRC from boxes that run them), but if you use BOPM purely as | |
488 | * a protective measure and you have ping cookies, you need not scan | |
489 | * for HTTP POST. | |
490 | */ | |
491 | protocol = HTTPPOST:80; | |
492 | ||
493 | /* | |
494 | * IP this scanner will bind to. Use this if you need your scans to | |
495 | * come FROM a particular interface on the machine you run BOPM from. | |
496 | * If you don't understand what this means, please leave this | |
497 | * commented out, as this is a major source of support queries! | |
498 | */ | |
499 | # vhost = "127.0.0.1"; | |
500 | ||
501 | /* Maximum file descriptors this scanner can use. Remember that there | |
502 | * will be one FD for each protocol listed above. As this example | |
503 | * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD | |
504 | * limit, this scanner can be used on 64 users _at the same time_. | |
505 | * That should be adequate for most servers. | |
506 | */ | |
507 | fd = 512; | |
508 | ||
509 | /* | |
510 | * Maximum data read from a proxy before considering it closed. Don't | |
511 | * set this too high, some people have fun setting up lots of ports | |
512 | * that send endless data to tie up your scanner. 4KB is plenty for | |
513 | * any known proxy. | |
514 | */ | |
515 | max_read = 4096; | |
516 | ||
517 | /* | |
518 | * Amount of time (in seconds) before a test is considered timed out. | |
519 | * Again, all but the poorest slowest proxies will be detected within | |
520 | * 30 seconds, and this helps keep resource usage low. | |
521 | */ | |
522 | timeout = 30; | |
523 | ||
524 | /* | |
525 | * Target IP to tell the proxy to connect to | |
526 | * | |
527 | * !!! THIS MUST BE CHANGED !!! | |
528 | * | |
529 | * You cannot instruct the proxy to connect to itself! The easiest | |
530 | * thing to do would be to set this to the IP of your ircd and then | |
531 | * keep the default target_strings. | |
532 | * | |
533 | * Please use an IP that is publicly reachable from anywhere on the | |
534 | * Internet, because you have no way of knowing where the insecure | |
535 | * proxies will be located. Just because you and your BOPM can | |
536 | * connect to your ircd on some private IP like 192.168.0.1, does not | |
537 | * mean that the insecure proxies out there on the Internet will be | |
538 | * able to. And if they never connect, you will never detect them. | |
539 | * | |
540 | * Remember to change this setting for every scanner you configure. | |
541 | * | |
542 | */ | |
543 | target_ip = "127.0.0.1"; | |
544 | ||
545 | /* | |
546 | * Target port to tell the proxy to connect to. This is usually | |
547 | * something like 6667. Basically any client-usable port. | |
548 | */ | |
549 | target_port = 6667; | |
550 | ||
551 | /* | |
552 | * Target string we check for in the data read back by the scanner. | |
553 | * This should be some string out of the data that your ircd usually | |
554 | * sends on connect. The example below will work on most | |
555 | * hybrid/bahamut ircds. Multiple target strings are allowed. | |
556 | * | |
557 | * NOTE: Try to keep the number of target strings to a minimum. Two | |
558 | * should be fine. One for normal connections and one for throttled | |
559 | * connections. Comment out any others for efficiency. | |
560 | */ | |
561 | ||
562 | /* Usually first line sent to client on connection to ircd. | |
563 | * If your ircd supports a more specific line (see below), | |
564 | * using it will reduce false positives. | |
565 | */ | |
566 | target_string = "*** Looking up your hostname..."; | |
567 | ||
568 | /* Some ircds give a source for the NOTICE AUTH (bahamut for example). | |
569 | * It is recommended you use the following instead of the generic | |
570 | * "*** Looking up your hostname..." if your ircd supports it. | |
571 | * This will reduce the chances of false positives. | |
572 | */ | |
573 | # target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname..."; | |
574 | ||
575 | /* If you try to connect too fast, you'll be throttled by your own | |
576 | * ircd. Here's what a hybrid throttle message looks like: | |
577 | */ | |
578 | target_string = "ERROR :Trying to reconnect too fast."; | |
579 | ||
580 | /* And the same for bahamut (comment this out if you're not using bahamut): */ | |
581 | target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled."; | |
582 | }; | |
583 | ||
584 | scanner { | |
585 | name = "extended"; | |
586 | ||
587 | protocol = HTTP:81; | |
588 | protocol = HTTP:8000; | |
589 | protocol = HTTP:8001; | |
590 | protocol = HTTP:8081; | |
591 | ||
592 | protocol = HTTPPOST:81; | |
593 | protocol = HTTPPOST:6588; | |
594 | # protocol = HTTPPOST:4480; | |
595 | protocol = HTTPPOST:8000; | |
596 | protocol = HTTPPOST:8001; | |
597 | protocol = HTTPPOST:8080; | |
598 | protocol = HTTPPOST:8081; | |
599 | ||
600 | /* | |
601 | * IRCnet have seen many socks5 on these ports, more than on the | |
602 | * standard ports even. | |
603 | */ | |
604 | protocol = SOCKS4:4914; | |
605 | protocol = SOCKS4:6826; | |
606 | protocol = SOCKS4:7198; | |
607 | protocol = SOCKS4:7366; | |
608 | protocol = SOCKS4:9036; | |
609 | ||
610 | protocol = SOCKS5:4438; | |
611 | protocol = SOCKS5:5104; | |
612 | protocol = SOCKS5:5113; | |
613 | protocol = SOCKS5:5262; | |
614 | protocol = SOCKS5:5634; | |
615 | protocol = SOCKS5:6552; | |
616 | protocol = SOCKS5:6561; | |
617 | protocol = SOCKS5:7464; | |
618 | protocol = SOCKS5:7810; | |
619 | protocol = SOCKS5:8130; | |
620 | protocol = SOCKS5:8148; | |
621 | protocol = SOCKS5:8520; | |
622 | protocol = SOCKS5:8814; | |
623 | protocol = SOCKS5:9100; | |
624 | protocol = SOCKS5:9186; | |
625 | protocol = SOCKS5:9447; | |
626 | protocol = SOCKS5:9578; | |
627 | ||
628 | fd = 400; | |
629 | ||
630 | /* If required you can add settings such as target_ip here; | |
631 | * they will override the defaults set in the first scanner | |
632 | * for this and subsequent scanners defined in the config file. | |
633 | * This affects the following options: | |
634 | * fd, vhost, target_ip, target_port, target_string, timeout and | |
635 | * max_read. | |
636 | */ | |
637 | }; | |
638 | ||
639 | ||
640 | ||
641 | /* | |
642 | * User blocks define what scanners will be used to scan which hostmasks. When | |
643 | * a user connects they will be scanned on every scanner {} (above) that | |
644 | * matches their host. | |
645 | */ | |
646 | ||
647 | user { | |
648 | /* | |
649 | * Users matching this host mask will be scanned with all the | |
650 | * protocols in the scanner named. | |
651 | */ | |
652 | mask = "*!*@*"; | |
653 | scanner = "default"; | |
654 | }; | |
655 | ||
656 | user { | |
657 | /* Connections without ident will match a vast number of connections; | |
658 | * very few proxies run ident though. */ | |
659 | # mask = "*!~*@*"; | |
660 | mask = "*!squid@*"; | |
661 | mask = "*!nobody@*"; | |
662 | mask = "*!www-data@*"; | |
663 | mask = "*!cache@*"; | |
664 | mask = "*!CacheFlowS@*"; | |
665 | mask = "*!*@*www*"; | |
666 | mask = "*!*@*proxy*"; | |
667 | mask = "*!*@*cache*"; | |
668 | ||
669 | scanner = "extended"; | |
670 | }; | |
671 | ||
672 | ||
673 | /* | |
674 | * Exempt hosts matching certain strings from any form of scanning or dnsbl. | |
675 | * BOPM will check each string against both the hostname and the IP address of | |
676 | * the user. | |
677 | * | |
678 | * There are very few valid reasons to actually use "exempt". BOPM should | |
679 | * never get false positives, and we would like to know very much if it does. | |
680 | * One possible scenario is that the machine BOPM runs from is specifically | |
681 | * authorized to use certain hosts as proxies, and users from those hosts use | |
682 | * your network. In this case, without exempt, BOPM will scan these hosts, | |
683 | * find itself able to use them as proxies, and ban them. | |
684 | */ | |
685 | exempt { | |
686 | mask = "*!*@127.0.0.1"; | |
687 | }; | |
688 | ||
689 | /* | |
690 | * vim:syn=c | |
691 | */ |