diff options
Diffstat (limited to 'doc/reference.conf')
| -rw-r--r-- | doc/reference.conf | 785 |
1 files changed, 785 insertions, 0 deletions
diff --git a/doc/reference.conf b/doc/reference.conf new file mode 100644 index 0000000..444c049 --- /dev/null +++ b/doc/reference.conf @@ -0,0 +1,785 @@ +/* + * Hybrid Open Proxy Monitor - HOPM sample configuration + * + * Copyright (c) 2014-2018 ircd-hybrid development team + * + * $Id$ + */ + +/* + * Shell style (#), C++ style (//) and C style comments are supported. + * + * Files may be included by either: + * .include "filename" + * .include <filename> + * + * Times/durations are written as: + * 12 hours 30 minutes 1 second + * + * Valid units of time: + * year, month, week, day, hour, minute, second + * + * Valid units of size: + * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte + * + * Sizes and times may be singular or plural. + */ + +options { + /* + * Full path and filename for storing the process ID of the running + * HOPM. + */ + pidfile = "var/run/hopm.pid"; + + /* + * Maximum commands to queue. Set to 0 if you don't want HOPM + * to process commands. + */ + command_queue_size = 64; + + /* + * Interval to check command queue for timed out commands. + */ + command_interval = 10 seconds; + + /* + * Timeout of commands. + */ + command_timeout = 180 seconds; + + /* + * How long to store the IP address of hosts which are confirmed + * (by previous scans) to be secure. New users from these + * IP addresses will not be scanned again until this amount of time + * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS + * DIRECTIVE, but it is provided due to demand. + * + * The main reason for not using this feature is that anyone capable + * of running a proxy can get abusers onto your network - all they + * need do is shut the proxy down, connect themselves, restart the + * proxy, and tell their friends to come flood. + * + * Keep this directive commented out to disable negative caching. + */ +# negcache = 1 hour; + + /* + * How long between rebuilds of the negative cache. The negcache + * is only rebuilt to free up memory used by entries that are too old. + * You probably don't need to tweak this unless you have huge amounts + * of people connecting (hundreds per minute). Default is 12 hours. + */ + negcache_rebuild = 12 hours; + + /* + * Amount of file descriptors to allocate to asynchronous DNS. 64 + * should be plenty for almost anyone. + */ + dns_fdlimit = 64; + + /* + * Amount of time the resolver waits until a response is received + * from a name server. + */ + dns_timeout = 5 seconds; + + /* + * Put the full path and filename of a logfile here if you wish to log + * every scan done. Normally HOPM only logs successfully detected + * proxies in the hopm.log, but you may get abuse reports to your ISP + * about portscanning. Being able to show that it was HOPM that did + * the scan in question can be useful. Leave commented for no + * logging. + */ +# scanlog = "var/log/scan.log"; +}; + + +irc { + /* + * IP address to bind to for the IRC connection. You only need to + * use this if you wish HOPM to use a particular interface + * (virtual host, IP alias, ...) when connecting to the IRC server. + * There is another "vhost" setting in the scan {} block below for + * the actual portscans. Note that this directive expects an IP address, + * not a hostname. Please leave this commented out if you do not + * understand what it does, as most people don't need it. + */ +# vhost = "0.0.0.0"; + + /* + * Nickname for HOPM to use. + */ + nick = "MyHopm"; + + /* + * Text to appear in the "realname" field of HOPM's /whois output. + */ + realname = "Hybrid Open Proxy Monitor"; + + /* + * If you don't have an identd running, what username to use. + */ + username = "hopm"; + + /* + * Hostname (or IP address) of the IRC server which HOPM will monitor + * connections on. IPv6 is now supported. + */ + server = "irc.example.org"; + + /* + * Password used to connect to the IRC server (PASS) + */ +# password = "secret"; + + /* + * Port of the above server to connect to. This is what HOPM uses to + * get onto IRC itself, it is nothing to do with what ports/protocols + * are scanned, nor do you need to list every port your ircd listens + * on. + */ + port = 6667; + + /* + * Defines time in which bot will timeout if no data is received + */ + readtimeout = 15 minutes; + + /* + * Interval in how often we try to reconnect to the IRC server + */ + reconnectinterval = 30 seconds; + + /* + * Command to execute to identify to NickServ (if your network uses + * it). This is the raw IRC command text, and the below example + * corresponds to "/msg nickserv identify password" in a client. If + * you don't understand, just edit "password" in the line below to be + * your HOPM's nick password. Leave commented out if you don't need + * to identify to NickServ. + */ +# nickserv = "NS IDENTIFY password"; + + /* + * The username and password needed for HOPM to oper up. + */ + oper = "hopm operpass"; + + /* + * Mode string that HOPM needs to set on itself as soon as it opers + * up. This needs to include the mode for seeing connection notices, + * otherwise HOPM won't scan anyone (that's usually umode +c). + */ + mode = "+c"; + + /* + * If this is set then HOPM will use it as an /away message as soon as + * it connects. + */ + away = "I'm a bot. Your messages will be ignored."; + + /* + * Info about channels you wish HOPM to join in order to accept + * commands. HOPM will also print messages in these channels every + * time it detects a proxy. Only IRC operators can command HOPM to do + * anything, but some of the things HOPM reports to these channels + * could be considered sensitive, so it's best not to put HOPM into + * public channels. + */ + channel { + /* + * Channel name. Local ("&") channels are supported if your ircd + * supports them. + */ + name = "#hopm"; + + /* + * If HOPM will need to use a key to enter this channel, this is + * where you specify it. + */ +# key = "somekey"; + + /* + * If you use ChanServ then maybe you want to set the channel + * invite-only and have each HOPM do "/msg ChanServ invite" to get + * itself in. Leave commented if you don't, or if this makes no + * sense to you. + */ +# invite = "CS INVITE #hopm"; + }; + + /* + * You can define a bunch of channels if you want: + * + * channel { name = "#other"; }; channel { name= "#channel"; } + */ + + /* + * connregex is a POSIX regular expression used to parse connection + * notices from the ircd. The complexity of the expression should + * be kept to a minimum. + * + * Items in order MUST be: nick user host IP + * + * HOPM will not work with ircds which do not send an IP address in the + * connection notice. + * + * This is fairly complicated stuff, and the consequences of getting + * it wrong are the HOPM does not scan anyone. Unless you know + * absolutely what you are doing, please just uncomment the example + * below that best matches the type of ircd you use. + */ + + /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */ + connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */ +# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* UnrealIRCd 4.0.x */ +# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* InspIRCd */ +# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-f\\.:]+)\\) \\[.*\\]"; + + /* ngIRCd */ +# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* + * "kline" controls the command used when an open proxy is confirmed. + * We suggest applying a temporary (no more than a few hours) KLINE on the host. + * + * <WARNING> + * Make sure if you need to change this string you also change the + * kline command for every DNSBL you enable below. + * + * Also note that some servers do not allow you to include ':' characters + * inside the KLINE message (e.g. for a http:// address). + * + * Users rewriting this message into something that isn't even a valid + * IRC command is the single most common cause of support requests and + * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE + * KLINE COMMANDS BELOW. + * </WARNING> + * + * That said, should you wish to customise this text, several + * printf-like placeholders are available: + * + * %n User's nick + * %u User's username + * %h User's irc hostname + * %i User's IP address + * %t Protocol type which has triggered a positive scan + */ + + /* A KLINE example for bahamut / charybdis / ircd-hybrid / ircd-ratbox */ + kline = "KLINE 180 *@%i :Open proxy found on your host."; + + /* A KLINE example for InspIRCd */ +# kline = "KLINE *@%i 3h :Open proxy found on your host."; + + /* A KLINE example for ngIRCd */ +# kline = "KLINE *@%i 10800 :Open proxy found on your host."; + + /* A GLINE example for ircu */ +# kline = "GLINE +*@%i 10800 :Open proxy found on your host."; + + /* A ZLINE example for UnrealIRCd */ +# kline = "ZLINE *@%i 3h :Open proxy found on your host."; + + /* + * An AKILL example for services with OperServ. Your HOPM must have permission to + * AKILL for this to work! + */ +# kline = "OS AKILL ADD +3h *@%i Open proxy found on your host."; + + /* + * Text to send on connection, these can be stacked and will be sent in this order. + * + * !!! UNREAL USERS PLEASE NOTE !!! + * Unreal users will need PROTOCTL HCN to force hybrid connect + * notices. + * + * Yes Unreal users! That means you! That means you need the line + * below! See that thing at the start of the line? That's what we + * call a comment! Remove it to UNcomment the line. + * + * Note that this is no longer needed as of UnrealIRCd 4.0.0. + */ +# perform = "PROTOCTL HCN"; + + /* + * Text to send, via NOTICE, immediately when a new client connects. These can be + * stacked and will be sent in this order. + */ +# notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear."; +}; + + +/* + * OPM Block defines blacklists and information required to report new proxies + * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone + * file. There are several blacklist that list IP addresses known to be open + * proxies or other forms of IRC abuse. By checking against these blacklists, + * HOPMs are able to ban known sources of abuse without completely scanning them. + */ +#opm { + /* + * Blacklist zones to check IPs against. If you would rather not + * trust a remotely managed blacklist, you could set up your own, or + * leave these commented out in which case every user will be + * scanned. The use of at least one open proxy DNSBL is recommended + * however. + * + * Please check the policies of each blacklist you use to check you + * are comfortable with using them to block access to your server + * (and that you are allowed to use them). + */ + + + /* dnsbl.dronebl.org - http://dronebl.org */ +# blacklist { + /* The DNS name of the blacklist */ +# name = "dnsbl.dronebl.org"; + + /* + * Address families that are supported by the blacklist. Default is 'ipv4'. + */ +# address_family = ipv4, ipv6; + + /* + * There are only two values that are valid for this + * "A record bitmask" and "A record reply" + * These options affect how the values specified to reply + * below will be interpreted, a bitmask is where the reply + * values are 2^n and more than one is added up, a reply is + * simply where the last octet of the IP address is that number. + * If you are not sure then the values set for dnsbl.dronebl.org + * will work without any changes. + */ +# type = "A record reply"; + + /* + * Kline types not listed in the reply list below. + * + * For DNSBLs that are not IRC specific and you just wish to kline + * certain types this can be enabled/disabled. + */ +# ban_unknown = no; + + /* + * The actual values returned by the dnsbl.dronebl.org blacklist as + * documented at http://dronebl.org/docs/howtouse + */ +# reply { +# 2 = "Sample data used for heuristical analysis"; +# 3 = "IRC spam drone (litmus/sdbot/fyle)"; +# 5 = "Bottler (experimental)"; +# 6 = "Unknown worm or spambot"; +# 7 = "DDoS drone"; +# 8 = "Open SOCKS proxy"; +# 9 = "Open HTTP proxy"; +# 10 = "ProxyChain"; +# 11 = "Web Page Proxy"; +# 12 = "Open DNS Resolver"; +# 13 = "Automated dictionary attacks"; +# 14 = "Open WINGATE proxy"; +# 15 = "Compromised router / gateway"; +# 16 = "Autorooting worms"; +# 17 = "Automatically determined botnet IPs (experimental)"; +# 18 = "DNS/MX type hostname detected on IRC"; +# 255 = "Uncategorized threat class"; +# }; + + /* + * The kline message sent for this specific blacklist, remember to put + * the removal method in this. + */ +# kline = "KLINE 180 *@%i :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network"; +# }; + + + /* rbl.efnetrbl.org - https://rbl.efnetrbl.org/ */ +# blacklist { +# name = "rbl.efnetrbl.org"; +# type = "A record reply"; +# ban_unknown = no; + +# reply { +# 1 = "Open proxy"; +# 2 = "spamtrap666"; +# 3 = "spamtrap50"; +# 4 = "TOR"; +# 5 = "Drones / Flooding"; +# }; + +# kline = "KLINE 180 *@%i :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; +# }; + + + + /* tor.efnetrbl.org - https://rbl.efnetrbl.org/ */ +# blacklist { +# name = "tor.efnetrbl.org"; +# type = "A record reply"; +# ban_unknown = no; + +# reply { +# 1 = "TOR"; +# }; + +# kline = "KLINE 180 *@%i :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; +# }; + + /* + * You can report the insecure proxies you find to a DNSBL also! + * The remaining directives in this section are only needed if you + * intend to do this. Reports are sent by email, one email per IP + * address. The format does support multiple addresses in one email, + * but we don't know of any servers that are detecting enough insecure + * proxies for this to be really necessary. + */ + + /* + * Email address to send reports FROM. If you intend to send reports, + * please pick an email address that we can actually send mail to + * should we ever need to contact you. + */ +# dnsbl_from = "mybopm@myserver.org"; + + /* + * Email address to send reports TO. + * For example DroneBL: + */ +# dnsbl_to = "bopm-report@dronebl.org"; + + /* + * Full path to your sendmail binary. Even if your system does not + * use sendmail, it probably does have a binary called "sendmail" + * present in /usr/sbin or /usr/lib. If you don't set this, no + * proxies will be reported. + */ +# sendmail = "/usr/sbin/sendmail"; +#}; + + +/* + * The short explanation: + * + * This is where you define what ports/protocols to check for. You can have + * multiple scanner blocks and then choose which users will get scanned by + * which scanners further down. + * + * The long explanation: + * + * Scanner defines a virtual scanner. For each user being scanned, a scanner + * will use a file descriptor (and subsequent connection) for each protocol. + * Once connecting it will negotiate the proxy to connect to + * target_ip:target_port (target_ip MUST be an IP address). + * + * Once connected, any data passed through the proxy will be checked to see if + * target_string is contained within that data. If it is the proxy is + * considered open. If the connection is closed at any point before + * target_string is matched, or if at least max_read bytes are read from the + * connection, the negotiation is considered failed. + */ +scanner { + /* + * Unique name of this scanner. This is used further down in the + * user {} blocks to decide which users get affected by which + * scanners. + */ + name = "default"; + + /* + * HTTP CONNECT - very common proxy protocol supported by widely known + * software such as Squid and Apache. The most common sort of + * insecure proxy and found on a multitude of weird ports too. Offers + * transparent two way TCP connections. + */ + protocol = HTTP:80; + protocol = HTTP:8080; + protocol = HTTP:3128; + protocol = HTTP:6588; + + /* + * The SSL/TLS variant of HTTP + */ +# protocol = HTTPS:443; +# protocol = HTTPS:8443; + + /* + * SOCKS4/5 - well known proxy protocols, probably the second most + * common for insecure proxies, also offers transparent two way TCP + * connections. Fortunately largely confined to port 1080. + */ + protocol = SOCKS4:1080; + protocol = SOCKS5:1080; + + /* + * Cisco routers with a default password (yes, it really does happen). + * Also pretty much anything else that will let you telnet to anywhere + * else on the Internet. Fortunately these are always on port 23. + */ + protocol = ROUTER:23; + + /* + * WinGate is commercial windows proxy software which is now not so + * common, but still to be found, and helpfully presents an interface + * that can be used to telnet out, on port 23. + */ + protocol = WINGATE:23; + + /* + * Dreambox DVB receivers with a default password allowing + * full root access to telnet or install bouncers. + */ + protocol = DREAMBOX:23; + + /* + * The HTTP POST protocol, often dismissed when writing the access + * controls for proxies, but sadly can still be used to abused. + * Offers only the opportunity to send a single block of data, but + * enough of them at once can still make for a devastating flood. + * Found on the same ports that HTTP CONNECT proxies inhabit. + * + * Note that if your ircd has "ping cookies" then clients from HTTP + * POST proxies cannot actually ever get onto your network anyway. If + * you leave the checks in then you'll still find some (because some + * people IRC from boxes that run them), but if you use HOPM purely as + * a protective measure and you have ping cookies, you need not scan + * for HTTP POST. + */ + protocol = HTTPPOST:80; + + /* + * The SSL/TLS variant of HTTPPOST + */ +# protocol = HTTPSPOST:443; +# protocol = HTTPSPOST:8443; + + /* + * IP address this scanner will bind to. Use this if you need your scans to + * come FROM a particular interface on the machine you run HOPM from. + * If you don't understand what this means, please leave this + * commented out, as this is a major source of support queries! + */ +# vhost = "127.0.0.1"; + + /* + * Maximum file descriptors this scanner can use. Remember that there + * will be one FD for each protocol listed above. As this example + * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD + * limit, this scanner can be used on 64 users _at the same time_. + * That should be adequate for most servers. + */ + fd = 512; + + /* + * Maximum data read from a proxy before considering it closed. Don't + * set this too high, some people have fun setting up lots of ports + * that send endless data to tie up your scanner. 4KB is plenty for + * any known proxy. + */ + max_read = 4 kbytes; + + /* + * Amount of time before a test is considered timed out. + * Again, all but the poorest slowest proxies will be detected within + * 30 seconds, and this helps keep resource usage low. + */ + timeout = 30 seconds; + + /* + * Target IP to tell the proxy to connect to + * + * !!! THIS MUST BE CHANGED !!! + * + * You cannot instruct the proxy to connect to itself! The easiest + * thing to do would be to set this to the IP address of your ircd + * and then keep the default target_strings. + * + * Please use an IP address that is publically reachable from anywhere + * on the Internet, because you have no way of knowing where the insecure + * proxies will be located. Just because you and your HOPM can + * connect to your ircd on some private IP address like 192.168.0.1, + * does not mean that the insecure proxies out there on the Internet will be + * able to. And if they never connect, you will never detect them. + * + * Remember to change this setting for every scanner you configure. + */ + target_ip = "127.0.0.1"; + + /* + * Target port to tell the proxy to connect to. This is usually + * something like 6667. Basically any client-usable port. + */ + target_port = 6667; + + /* + * Target string we check for in the data read back by the scanner. + * This should be some string out of the data that your ircd usually + * sends on connect. Multiple target strings are allowed. + * + * NOTE: Try to keep the number of target strings to a minimum. Two + * should be fine. One for normal connections and one for throttled + * connections. Comment out any others for efficiency. + */ + + /* + * Usually first line sent to client on connection to ircd. + * If your ircd supports a more specific line (see below), + * using it will reduce false positives. + */ + target_string = ":irc.example.org NOTICE * :*** Looking up your hostname"; + + /* + * If you try to connect too fast, you'll be throttled by your own + * ircd. Here's what a hybrid throttle message looks like: + */ + target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled."; +}; + + +scanner { + name = "extended"; + + protocol = HTTP:81; + protocol = HTTP:8000; + protocol = HTTP:8001; + protocol = HTTP:8081; + + protocol = HTTPPOST:81; + protocol = HTTPPOST:6588; + protocol = HTTPPOST:4480; + protocol = HTTPPOST:8000; + protocol = HTTPPOST:8001; + protocol = HTTPPOST:8080; + protocol = HTTPPOST:8081; + + /* + * IRCnet have seen many socks5 on these ports, more than on the + * standard ports even. + */ + protocol = SOCKS4:4914; + protocol = SOCKS4:6826; + protocol = SOCKS4:7198; + protocol = SOCKS4:7366; + protocol = SOCKS4:9036; + + protocol = SOCKS5:4438; + protocol = SOCKS5:5104; + protocol = SOCKS5:5113; + protocol = SOCKS5:5262; + protocol = SOCKS5:5634; + protocol = SOCKS5:6552; + protocol = SOCKS5:6561; + protocol = SOCKS5:7464; + protocol = SOCKS5:7810; + protocol = SOCKS5:8130; + protocol = SOCKS5:8148; + protocol = SOCKS5:8520; + protocol = SOCKS5:8814; + protocol = SOCKS5:9100; + protocol = SOCKS5:9186; + protocol = SOCKS5:9447; + protocol = SOCKS5:9578; + protocol = SOCKS5:10000; + protocol = SOCKS5:64101; + + /* + * These came courtsey of Keith Dunnett from a bunch of public open + * proxy lists. + */ + protocol = SOCKS4:29992; + protocol = SOCKS4:38884; + protocol = SOCKS4:18844; + protocol = SOCKS4:17771; + protocol = SOCKS4:31121; + + fd = 400; + + /* + * If required you can add settings such as target_ip here + * they will override the defaults set in the first scanner + * for this and subsequent scanners defined in the config file + * This affects the following options: + * fd, vhost, target_ip, target_port, target_string, timeout and + * max_read. + */ +}; + +/* + * Scanner to detect vulnerable SSH versions that normally exist on hacked + * routers and IoT devices. Don't forget to add this scanner to a user block. + */ +scanner { + name = "ssh"; + + protocol = SSH:22; + + target_string = "SSH-1.99-OpenSSH_5.1"; + target_string = "SSH-2.0-dropbear_0.51"; + target_string = "SSH-2.0-dropbear_0.52"; + target_string = "SSH-2.0-dropbear_0.53.1"; + target_string = "SSH-2.0-dropbear_2012.55"; + target_string = "SSH-2.0-dropbear_2013.62"; + target_string = "SSH-2.0-dropbear_2014.63"; + target_string = "SSH-2.0-OpenSSH_4.3"; + target_string = "SSH-2.0-OpenSSH_5.1"; + target_string = "SSH-2.0-OpenSSH_5.5p1"; + target_string = "SSH-2.0-ROSSSH"; + target_string = "SSH-2.0-SSH_Server"; +}; + + +/* + * User blocks define what scanners will be used to scan which hostmasks. + * When a user connects they will be scanned on every scanner {} (above) + * that matches their host. + */ +user { + /* + * Users matching this host mask will be scanned with all the + * protocols in the scanner named. + */ + mask = "*!*@*"; + scanner = "default"; +}; + +user { + /* + * Connections without ident will match on a vast number of connections + * very few proxies run ident though + */ +# mask = "*!~*@*"; + mask = "*!squid@*"; + mask = "*!nobody@*"; + mask = "*!www-data@*"; + mask = "*!cache@*"; + mask = "*!CacheFlowS@*"; + mask = "*!*@*www*"; + mask = "*!*@*proxy*"; + mask = "*!*@*cache*"; + + scanner = "extended"; +}; + + +/* + * Exempt hosts matching certain strings from any form of scanning or dnsbl. + * HOPM will check each string against both the hostname and the IP address of + * the user. + * + * There are very few valid reasons to actually use "exempt". HOPM should + * never get false positives, and we would like to know very much if it does. + * One possible scenario is that the machine HOPM runs from is specifically + * authorized to use certain hosts as proxies, and users from those hosts use + * your network. In this case, without exempt, HOPM will scan these hosts, + * find itself able to use them as proxies, and ban them. + */ +exempt { + mask = "*!*@127.0.0.1"; +}; |