Diffstat (limited to 'doc')
| -rw-r--r-- | doc/Makefile.am | 2 | ||||
| -rw-r--r-- | doc/Makefile.in | 507 | ||||
| -rw-r--r-- | doc/reference.conf | 785 |
3 files changed, 1294 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..8444cd0
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,2 @@
+AUTOMAKE_OPTIONS = foreign
+dist_sysconf_DATA = reference.conf
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 0000000..6185eaa
--- /dev/null
+++ b/doc/Makefile.in
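Review bot: In doc/Makefile.am, `dist_sysconf_DATA = reference.conf` ships the sample into `$(sysconfdir)` through `$(INSTALL_DATA)`, which is normally a world-readable data mode (the generated Makefile.in in this commit shows `-m 644` for `install_sh_DATA`), yet the same file is the template for the live config that carries the `oper` line, the server `password` and the `nickserv` identify string. An operator who copies it in place probably ends up with credentials readable by every local account unless they tighten the mode by hand. I would add a comment above the assignment, `# Sample only: the live config holds oper/NickServ credentials; keep it owner-readable (chmod 600)`, and repeat that advice in the header comment of reference.conf. The sample also leaves `oper = "hopm operpass"` enabled rather than commented out like the other secrets, so it is worth stating there that this placeholder must be replaced before first start.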
@@ -0,0 +1,507 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = doc +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_append_compile_flags.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_arg_enable_assert.m4 \ + $(top_srcdir)/m4/ax_arg_enable_efence.m4 \ + $(top_srcdir)/m4/ax_arg_enable_warnings.m4 \ + $(top_srcdir)/m4/ax_arg_openssl.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_gcc_stack_protect.m4 \ + $(top_srcdir)/m4/ax_library_net.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_sysconf_DATA) \ + $(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/src/setup.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = 
$(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(sysconfdir)" +DATA = $(dist_sysconf_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/mkinstalldirs +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir 
= @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign +dist_sysconf_DATA = reference.conf +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign doc/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_sysconfDATA: $(dist_sysconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sysconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sysconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sysconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sysconfdir)" || exit $$?; \ + done + +uninstall-dist_sysconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(sysconfdir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e 
"s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(DATA) +installdirs: + for dir in "$(DESTDIR)$(sysconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-dist_sysconfDATA + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dist_sysconfDATA + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-dist_sysconfDATA install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-dist_sysconfDATA + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/reference.conf b/doc/reference.conf new file mode 100644 index 0000000..444c049 --- /dev/null +++ b/doc/reference.conf 
@@ -0,0 +1,785 @@ +/* + * Hybrid Open Proxy Monitor - HOPM sample configuration + * + * Copyright (c) 2014-2018 ircd-hybrid development team + * + * $Id$ + */ + +/* + * Shell style (#), C++ style (//) and C style comments are supported. + * + * Files may be included by either: + * .include "filename" + * .include <filename> + * + * Times/durations are written as: + * 12 hours 30 minutes 1 second + * + * Valid units of time: + * year, month, week, day, hour, minute, second + * + * Valid units of size: + * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte + * + * Sizes and times may be singular or plural. + */ + +options { + /* + * Full path and filename for storing the process ID of the running + * HOPM. + */ + pidfile = "var/run/hopm.pid"; + + /* + * Maximum commands to queue. Set to 0 if you don't want HOPM + * to process commands. + */ + command_queue_size = 64; + + /* + * Interval to check command queue for timed out commands. + */ + command_interval = 10 seconds; + + /* + * Timeout of commands. + */ + command_timeout = 180 seconds; + + /* + * How long to store the IP address of hosts which are confirmed + * (by previous scans) to be secure. New users from these + * IP addresses will not be scanned again until this amount of time + * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS + * DIRECTIVE, but it is provided due to demand. + * + * The main reason for not using this feature is that anyone capable + * of running a proxy can get abusers onto your network - all they + * need do is shut the proxy down, connect themselves, restart the + * proxy, and tell their friends to come flood. + * + * Keep this directive commented out to disable negative caching. + */ +# negcache = 1 hour; + + /* + * How long between rebuilds of the negative cache. The negcache + * is only rebuilt to free up memory used by entries that are too old. + * You probably don't need to tweak this unless you have huge amounts + * of people connecting (hundreds per minute). 
Default is 12 hours. + */ + negcache_rebuild = 12 hours; + + /* + * Amount of file descriptors to allocate to asynchronous DNS. 64 + * should be plenty for almost anyone. + */ + dns_fdlimit = 64; + + /* + * Amount of time the resolver waits until a response is received + * from a name server. + */ + dns_timeout = 5 seconds; + + /* + * Put the full path and filename of a logfile here if you wish to log + * every scan done. Normally HOPM only logs successfully detected + * proxies in the hopm.log, but you may get abuse reports to your ISP + * about portscanning. Being able to show that it was HOPM that did + * the scan in question can be useful. Leave commented for no + * logging. + */ +# scanlog = "var/log/scan.log"; +}; + + +irc { + /* + * IP address to bind to for the IRC connection. You only need to + * use this if you wish HOPM to use a particular interface + * (virtual host, IP alias, ...) when connecting to the IRC server. + * There is another "vhost" setting in the scan {} block below for + * the actual portscans. Note that this directive expects an IP address, + * not a hostname. Please leave this commented out if you do not + * understand what it does, as most people don't need it. + */ +# vhost = "0.0.0.0"; + + /* + * Nickname for HOPM to use. + */ + nick = "MyHopm"; + + /* + * Text to appear in the "realname" field of HOPM's /whois output. + */ + realname = "Hybrid Open Proxy Monitor"; + + /* + * If you don't have an identd running, what username to use. + */ + username = "hopm"; + + /* + * Hostname (or IP address) of the IRC server which HOPM will monitor + * connections on. IPv6 is now supported. + */ + server = "irc.example.org"; + + /* + * Password used to connect to the IRC server (PASS) + */ +# password = "secret"; + + /* + * Port of the above server to connect to. This is what HOPM uses to + * get onto IRC itself, it is nothing to do with what ports/protocols + * are scanned, nor do you need to list every port your ircd listens + * on. 
+ */ + port = 6667; + + /* + * Defines time in which bot will timeout if no data is received + */ + readtimeout = 15 minutes; + + /* + * Interval in how often we try to reconnect to the IRC server + */ + reconnectinterval = 30 seconds; + + /* + * Command to execute to identify to NickServ (if your network uses + * it). This is the raw IRC command text, and the below example + * corresponds to "/msg nickserv identify password" in a client. If + * you don't understand, just edit "password" in the line below to be + * your HOPM's nick password. Leave commented out if you don't need + * to identify to NickServ. + */ +# nickserv = "NS IDENTIFY password"; + + /* + * The username and password needed for HOPM to oper up. + */ + oper = "hopm operpass"; + + /* + * Mode string that HOPM needs to set on itself as soon as it opers + * up. This needs to include the mode for seeing connection notices, + * otherwise HOPM won't scan anyone (that's usually umode +c). + */ + mode = "+c"; + + /* + * If this is set then HOPM will use it as an /away message as soon as + * it connects. + */ + away = "I'm a bot. Your messages will be ignored."; + + /* + * Info about channels you wish HOPM to join in order to accept + * commands. HOPM will also print messages in these channels every + * time it detects a proxy. Only IRC operators can command HOPM to do + * anything, but some of the things HOPM reports to these channels + * could be considered sensitive, so it's best not to put HOPM into + * public channels. + */ + channel { + /* + * Channel name. Local ("&") channels are supported if your ircd + * supports them. + */ + name = "#hopm"; + + /* + * If HOPM will need to use a key to enter this channel, this is + * where you specify it. + */ +# key = "somekey"; + + /* + * If you use ChanServ then maybe you want to set the channel + * invite-only and have each HOPM do "/msg ChanServ invite" to get + * itself in. Leave commented if you don't, or if this makes no + * sense to you. 
+ */ +# invite = "CS INVITE #hopm"; + }; + + /* + * You can define a bunch of channels if you want: + * + * channel { name = "#other"; }; channel { name= "#channel"; } + */ + + /* + * connregex is a POSIX regular expression used to parse connection + * notices from the ircd. The complexity of the expression should + * be kept to a minimum. + * + * Items in order MUST be: nick user host IP + * + * HOPM will not work with ircds which do not send an IP address in the + * connection notice. + * + * This is fairly complicated stuff, and the consequences of getting + * it wrong are the HOPM does not scan anyone. Unless you know + * absolutely what you are doing, please just uncomment the example + * below that best matches the type of ircd you use. + */ + + /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */ + connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */ +# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* UnrealIRCd 4.0.x */ +# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* InspIRCd */ +# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-f\\.:]+)\\) \\[.*\\]"; + + /* ngIRCd */ +# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*"; + + /* + * "kline" controls the command used when an open proxy is confirmed. + * We suggest applying a temporary (no more than a few hours) KLINE on the host. + * + * <WARNING> + * Make sure if you need to change this string you also change the + * kline command for every DNSBL you enable below. + * + * Also note that some servers do not allow you to include ':' characters + * inside the KLINE message (e.g. for a http:// address). 
+ * + * Users rewriting this message into something that isn't even a valid + * IRC command is the single most common cause of support requests and + * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE + * KLINE COMMANDS BELOW. + * </WARNING> + * + * That said, should you wish to customise this text, several + * printf-like placeholders are available: + * + * %n User's nick + * %u User's username + * %h User's irc hostname + * %i User's IP address + * %t Protocol type which has triggered a positive scan + */ + + /* A KLINE example for bahamut / charybdis / ircd-hybrid / ircd-ratbox */ + kline = "KLINE 180 *@%i :Open proxy found on your host."; + + /* A KLINE example for InspIRCd */ +# kline = "KLINE *@%i 3h :Open proxy found on your host."; + + /* A KLINE example for ngIRCd */ +# kline = "KLINE *@%i 10800 :Open proxy found on your host."; + + /* A GLINE example for ircu */ +# kline = "GLINE +*@%i 10800 :Open proxy found on your host."; + + /* A ZLINE example for UnrealIRCd */ +# kline = "ZLINE *@%i 3h :Open proxy found on your host."; + + /* + * An AKILL example for services with OperServ. Your HOPM must have permission to + * AKILL for this to work! + */ +# kline = "OS AKILL ADD +3h *@%i Open proxy found on your host."; + + /* + * Text to send on connection, these can be stacked and will be sent in this order. + * + * !!! UNREAL USERS PLEASE NOTE !!! + * Unreal users will need PROTOCTL HCN to force hybrid connect + * notices. + * + * Yes Unreal users! That means you! That means you need the line + * below! See that thing at the start of the line? That's what we + * call a comment! Remove it to UNcomment the line. + * + * Note that this is no longer needed as of UnrealIRCd 4.0.0. + */ +# perform = "PROTOCTL HCN"; + + /* + * Text to send, via NOTICE, immediately when a new client connects. These can be + * stacked and will be sent in this order. + */ +# notice = "You are now being scanned for open proxies. 
If you have nothing to hide, you have nothing to fear."; +}; + + +/* + * OPM Block defines blacklists and information required to report new proxies + * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone + * file. There are several blacklist that list IP addresses known to be open + * proxies or other forms of IRC abuse. By checking against these blacklists, + * HOPMs are able to ban known sources of abuse without completely scanning them. + */ +#opm { + /* + * Blacklist zones to check IPs against. If you would rather not + * trust a remotely managed blacklist, you could set up your own, or + * leave these commented out in which case every user will be + * scanned. The use of at least one open proxy DNSBL is recommended + * however. + * + * Please check the policies of each blacklist you use to check you + * are comfortable with using them to block access to your server + * (and that you are allowed to use them). + */ + + + /* dnsbl.dronebl.org - http://dronebl.org */ +# blacklist { + /* The DNS name of the blacklist */ +# name = "dnsbl.dronebl.org"; + + /* + * Address families that are supported by the blacklist. Default is 'ipv4'. + */ +# address_family = ipv4, ipv6; + + /* + * There are only two values that are valid for this + * "A record bitmask" and "A record reply" + * These options affect how the values specified to reply + * below will be interpreted, a bitmask is where the reply + * values are 2^n and more than one is added up, a reply is + * simply where the last octet of the IP address is that number. + * If you are not sure then the values set for dnsbl.dronebl.org + * will work without any changes. + */ +# type = "A record reply"; + + /* + * Kline types not listed in the reply list below. + * + * For DNSBLs that are not IRC specific and you just wish to kline + * certain types this can be enabled/disabled. 
+ */ +# ban_unknown = no; + + /* + * The actual values returned by the dnsbl.dronebl.org blacklist as + * documented at http://dronebl.org/docs/howtouse + */ +# reply { +# 2 = "Sample data used for heuristical analysis"; +# 3 = "IRC spam drone (litmus/sdbot/fyle)"; +# 5 = "Bottler (experimental)"; +# 6 = "Unknown worm or spambot"; +# 7 = "DDoS drone"; +# 8 = "Open SOCKS proxy"; +# 9 = "Open HTTP proxy"; +# 10 = "ProxyChain"; +# 11 = "Web Page Proxy"; +# 12 = "Open DNS Resolver"; +# 13 = "Automated dictionary attacks"; +# 14 = "Open WINGATE proxy"; +# 15 = "Compromised router / gateway"; +# 16 = "Autorooting worms"; +# 17 = "Automatically determined botnet IPs (experimental)"; +# 18 = "DNS/MX type hostname detected on IRC"; +# 255 = "Uncategorized threat class"; +# }; + + /* + * The kline message sent for this specific blacklist, remember to put + * the removal method in this. + */ +# kline = "KLINE 180 *@%i :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network"; +# }; + + + /* rbl.efnetrbl.org - https://rbl.efnetrbl.org/ */ +# blacklist { +# name = "rbl.efnetrbl.org"; +# type = "A record reply"; +# ban_unknown = no; + +# reply { +# 1 = "Open proxy"; +# 2 = "spamtrap666"; +# 3 = "spamtrap50"; +# 4 = "TOR"; +# 5 = "Drones / Flooding"; +# }; + +# kline = "KLINE 180 *@%i :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; +# }; + + + + /* tor.efnetrbl.org - https://rbl.efnetrbl.org/ */ +# blacklist { +# name = "tor.efnetrbl.org"; +# type = "A record reply"; +# ban_unknown = no; + +# reply { +# 1 = "TOR"; +# }; + +# kline = "KLINE 180 *@%i :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i"; +# }; + + /* + * You can report the insecure proxies you find to a DNSBL also! + * The remaining directives in this section are only needed if you + * intend to do this. Reports are sent by email, one email per IP + * address. 
The format does support multiple addresses in one email, + * but we don't know of any servers that are detecting enough insecure + * proxies for this to be really necessary. + */ + + /* + * Email address to send reports FROM. If you intend to send reports, + * please pick an email address that we can actually send mail to + * should we ever need to contact you. + */ +# dnsbl_from = "mybopm@myserver.org"; + + /* + * Email address to send reports TO. + * For example DroneBL: + */ +# dnsbl_to = "bopm-report@dronebl.org"; + + /* + * Full path to your sendmail binary. Even if your system does not + * use sendmail, it probably does have a binary called "sendmail" + * present in /usr/sbin or /usr/lib. If you don't set this, no + * proxies will be reported. + */ +# sendmail = "/usr/sbin/sendmail"; +#}; + + +/* + * The short explanation: + * + * This is where you define what ports/protocols to check for. You can have + * multiple scanner blocks and then choose which users will get scanned by + * which scanners further down. + * + * The long explanation: + * + * Scanner defines a virtual scanner. For each user being scanned, a scanner + * will use a file descriptor (and subsequent connection) for each protocol. + * Once connecting it will negotiate the proxy to connect to + * target_ip:target_port (target_ip MUST be an IP address). + * + * Once connected, any data passed through the proxy will be checked to see if + * target_string is contained within that data. If it is the proxy is + * considered open. If the connection is closed at any point before + * target_string is matched, or if at least max_read bytes are read from the + * connection, the negotiation is considered failed. + */ +scanner { + /* + * Unique name of this scanner. This is used further down in the + * user {} blocks to decide which users get affected by which + * scanners. 
+ */ + name = "default"; + + /* + * HTTP CONNECT - very common proxy protocol supported by widely known + * software such as Squid and Apache. The most common sort of + * insecure proxy and found on a multitude of weird ports too. Offers + * transparent two way TCP connections. + */ + protocol = HTTP:80; + protocol = HTTP:8080; + protocol = HTTP:3128; + protocol = HTTP:6588; + + /* + * The SSL/TLS variant of HTTP + */ +# protocol = HTTPS:443; +# protocol = HTTPS:8443; + + /* + * SOCKS4/5 - well known proxy protocols, probably the second most + * common for insecure proxies, also offers transparent two way TCP + * connections. Fortunately largely confined to port 1080. + */ + protocol = SOCKS4:1080; + protocol = SOCKS5:1080; + + /* + * Cisco routers with a default password (yes, it really does happen). + * Also pretty much anything else that will let you telnet to anywhere + * else on the Internet. Fortunately these are always on port 23. + */ + protocol = ROUTER:23; + + /* + * WinGate is commercial windows proxy software which is now not so + * common, but still to be found, and helpfully presents an interface + * that can be used to telnet out, on port 23. + */ + protocol = WINGATE:23; + + /* + * Dreambox DVB receivers with a default password allowing + * full root access to telnet or install bouncers. + */ + protocol = DREAMBOX:23; + + /* + * The HTTP POST protocol, often dismissed when writing the access + * controls for proxies, but sadly can still be used to abused. + * Offers only the opportunity to send a single block of data, but + * enough of them at once can still make for a devastating flood. + * Found on the same ports that HTTP CONNECT proxies inhabit. + * + * Note that if your ircd has "ping cookies" then clients from HTTP + * POST proxies cannot actually ever get onto your network anyway. 
If
+ * you leave the checks in then you'll still find some (because some
+ * people IRC from boxes that run them), but if you use HOPM purely as
+ * a protective measure and you have ping cookies, you need not scan
+ * for HTTP POST.
+ */
+ protocol = HTTPPOST:80;
+
+ /*
+ * The SSL/TLS variant of HTTPPOST
+ */
+# protocol = HTTPSPOST:443;
+# protocol = HTTPSPOST:8443;
+
+ /*
+ * IP address this scanner will bind to. Use this if you need your scans to
+ * come FROM a particular interface on the machine you run HOPM from.
+ * If you don't understand what this means, please leave this
+ * commented out, as this is a major source of support queries!
+ */
+# vhost = "127.0.0.1";
+
+ /*
+ * Maximum file descriptors this scanner can use. Remember that there
+ * will be one FD for each protocol listed above. As this example
+ * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
+ * limit, this scanner can be used on 64 users _at the same time_.
+ * That should be adequate for most servers.
+ */
+ fd = 512;
+
+ /*
+ * Maximum data read from a proxy before considering it closed. Don't
+ * set this too high, some people have fun setting up lots of ports
+ * that send endless data to tie up your scanner. 4KB is plenty for
+ * any known proxy.
+ */
+ max_read = 4 kbytes;
+
+ /*
+ * Amount of time before a test is considered timed out.
+ * Again, all but the poorest slowest proxies will be detected within
+ * 30 seconds, and this helps keep resource usage low.
+ */
+ timeout = 30 seconds;
+
+ /*
+ * Target IP to tell the proxy to connect to
+ *
+ * !!! THIS MUST BE CHANGED !!!
+ *
+ * You cannot instruct the proxy to connect to itself! The easiest
+ * thing to do would be to set this to the IP address of your ircd
+ * and then keep the default target_strings.
+ *
+ * Please use an IP address that is publically reachable from anywhere
+ * on the Internet, because you have no way of knowing where the insecure
+ * proxies will be located.
Just because you and your HOPM can
+ * connect to your ircd on some private IP address like 192.168.0.1,
+ * does not mean that the insecure proxies out there on the Internet will be
+ * able to. And if they never connect, you will never detect them.
+ *
+ * Remember to change this setting for every scanner you configure.
+ */
+ target_ip = "127.0.0.1";
+
+ /*
+ * Target port to tell the proxy to connect to. This is usually
+ * something like 6667. Basically any client-usable port.
+ */
+ target_port = 6667;
+
+ /*
+ * Target string we check for in the data read back by the scanner.
+ * This should be some string out of the data that your ircd usually
+ * sends on connect. Multiple target strings are allowed.
+ *
+ * NOTE: Try to keep the number of target strings to a minimum. Two
+ * should be fine. One for normal connections and one for throttled
+ * connections. Comment out any others for efficiency.
+ */
+
+ /*
+ * Usually first line sent to client on connection to ircd.
+ * If your ircd supports a more specific line (see below),
+ * using it will reduce false positives.
+ */
+ target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
+
+ /*
+ * If you try to connect too fast, you'll be throttled by your own
+ * ircd. Here's what a hybrid throttle message looks like:
+ */
+ target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
+};
+
+
+scanner {
+ name = "extended";
+
+ protocol = HTTP:81;
+ protocol = HTTP:8000;
+ protocol = HTTP:8001;
+ protocol = HTTP:8081;
+
+ protocol = HTTPPOST:81;
+ protocol = HTTPPOST:6588;
+ protocol = HTTPPOST:4480;
+ protocol = HTTPPOST:8000;
+ protocol = HTTPPOST:8001;
+ protocol = HTTPPOST:8080;
+ protocol = HTTPPOST:8081;
+
+ /*
+ * IRCnet have seen many socks5 on these ports, more than on the
+ * standard ports even.
+ */
+ protocol = SOCKS4:4914;
+ protocol = SOCKS4:6826;
+ protocol = SOCKS4:7198;
+ protocol = SOCKS4:7366;
+ protocol = SOCKS4:9036;
+
+ protocol = SOCKS5:4438;
+ protocol = SOCKS5:5104;
+ protocol = SOCKS5:5113;
+ protocol = SOCKS5:5262;
+ protocol = SOCKS5:5634;
+ protocol = SOCKS5:6552;
+ protocol = SOCKS5:6561;
+ protocol = SOCKS5:7464;
+ protocol = SOCKS5:7810;
+ protocol = SOCKS5:8130;
+ protocol = SOCKS5:8148;
+ protocol = SOCKS5:8520;
+ protocol = SOCKS5:8814;
+ protocol = SOCKS5:9100;
+ protocol = SOCKS5:9186;
+ protocol = SOCKS5:9447;
+ protocol = SOCKS5:9578;
+ protocol = SOCKS5:10000;
+ protocol = SOCKS5:64101;
+
+ /*
+ * These came courtsey of Keith Dunnett from a bunch of public open
+ * proxy lists.
+ */
+ protocol = SOCKS4:29992;
+ protocol = SOCKS4:38884;
+ protocol = SOCKS4:18844;
+ protocol = SOCKS4:17771;
+ protocol = SOCKS4:31121;
+
+ fd = 400;
+
+ /*
+ * If required you can add settings such as target_ip here
+ * they will override the defaults set in the first scanner
+ * for this and subsequent scanners defined in the config file
+ * This affects the following options:
+ * fd, vhost, target_ip, target_port, target_string, timeout and
+ * max_read.
+ */
+};
+
+/*
+ * Scanner to detect vulnerable SSH versions that normally exist on hacked
+ * routers and IoT devices. Don't forget to add this scanner to a user block.
+ */
+scanner {
+ name = "ssh";
+
+ protocol = SSH:22;
+
+ target_string = "SSH-1.99-OpenSSH_5.1";
+ target_string = "SSH-2.0-dropbear_0.51";
+ target_string = "SSH-2.0-dropbear_0.52";
+ target_string = "SSH-2.0-dropbear_0.53.1";
+ target_string = "SSH-2.0-dropbear_2012.55";
+ target_string = "SSH-2.0-dropbear_2013.62";
+ target_string = "SSH-2.0-dropbear_2014.63";
+ target_string = "SSH-2.0-OpenSSH_4.3";
+ target_string = "SSH-2.0-OpenSSH_5.1";
+ target_string = "SSH-2.0-OpenSSH_5.5p1";
+ target_string = "SSH-2.0-ROSSSH";
+ target_string = "SSH-2.0-SSH_Server";
+};
+
+
+/*
+ * User blocks define what scanners will be used to scan which hostmasks.
+ * When a user connects they will be scanned on every scanner {} (above)
+ * that matches their host.
+ */
+user {
+ /*
+ * Users matching this host mask will be scanned with all the
+ * protocols in the scanner named.
+ */
+ mask = "*!*@*";
+ scanner = "default";
+};
+
+user {
+ /*
+ * Connections without ident will match on a vast number of connections
+ * very few proxies run ident though
+ */
+# mask = "*!~*@*";
+ mask = "*!squid@*";
+ mask = "*!nobody@*";
+ mask = "*!www-data@*";
+ mask = "*!cache@*";
+ mask = "*!CacheFlowS@*";
+ mask = "*!*@*www*";
+ mask = "*!*@*proxy*";
+ mask = "*!*@*cache*";
+
+ scanner = "extended";
+};
+
+
+/*
+ * Exempt hosts matching certain strings from any form of scanning or dnsbl.
+ * HOPM will check each string against both the hostname and the IP address of
+ * the user.
+ *
+ * There are very few valid reasons to actually use "exempt". HOPM should
+ * never get false positives, and we would like to know very much if it does.
+ * One possible scenario is that the machine HOPM runs from is specifically
+ * authorized to use certain hosts as proxies, and users from those hosts use
+ * your network. In this case, without exempt, HOPM will scan these hosts,
+ * find itself able to use them as proxies, and ban them.
+ */
+exempt {
+ mask = "*!*@127.0.0.1";
+}; |
