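/*
 * BOPM sample configuration
 *
 * Syntax: block { directive = value; }; with C-style block comments and
 * '#' full-line comments. Directives commented out with '#' are disabled.
 *
 * This file holds credentials in plain text (the oper password, and
 * optionally the IRC server password and a NickServ password). Make it
 * readable only by the account BOPM runs as, and strip those values
 * before sharing a copy in a support request or committing it anywhere.
 */

options {
    /*
     * Full path and filename for storing the process ID of the running
     * BOPM.
     */
    pidfile = "/var/run/bopm/bopm.pid";

    /*
     * How many seconds to store the IP address of hosts which are
     * confirmed (by previous scans) to be secure. New users from these
     * IP addresses will not be scanned again until this amount of time
     * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
     * DIRECTIVE, but it is provided due to demand.
     *
     * The main reason for not using this feature is that anyone capable
     * of running a proxy can get abusers onto your network - all they
     * need do is shut the proxy down, connect themselves, restart the
     * proxy, and tell their friends to come flood.
     *
     * Keep this directive commented out to disable negative caching.
     */
# negcache = 3600;

    /*
     * Number of file descriptors to allocate to asynchronous DNS. 64
     * should be plenty for almost anyone - previous versions of BOPM only
     * did one at a time!
     */
    dns_fdlimit = 64;

    /*
     * Put the full path and filename of a logfile here if you wish to log
     * every scan done. Normally BOPM only logs successfully detected
     * proxies in the bopm.log, but you may get abuse reports to your ISP
     * about portscanning. Being able to show that it was BOPM that did
     * the scan in question can be useful. Leave commented for no
     * logging.
     */
# scanlog = "/var/log/bopm/scan.log";
};


IRC {
    /*
     * IP to bind to for the IRC connection. You only need to use this if
     * you wish BOPM to use a particular interface (virtual host, IP
     * alias, ...) when connecting to the IRC server. There is another
     * "vhost" setting in the scan {} block below for the actual
     * portscans. Note that this directive expects an IP address, not a
     * hostname. Please leave this commented out if you do not
     * understand what it does, as most people don't need it.
     */
# vhost = "0.0.0.0";

    /*
     * Nickname for BOPM to use.
     */
    nick = "MyBopm";

    /*
     * Text to appear in the "realname" field of BOPM's /whois output.
     */
    realname = "Blitzed Open Proxy Monitor";

    /*
     * If you don't have an identd running, what username to use.
     */
    username = "bopm";

    /*
     * Hostname (or IP) of the IRC server which BOPM will monitor
     * connections on.
     */
    server = "myserver.somenetwork.org";

    /*
     * Password used to connect to the IRC server (PASS). Stored in
     * plain text - see the file permission note at the top of this file.
     */
# password = "secret";

    /*
     * Port of the above server to connect to. This is what BOPM uses to
     * get onto IRC itself; it has nothing to do with what ports/protocols
     * are scanned, nor do you need to list every port your ircd listens
     * on.
     */
    port = 6667;

    /*
     * Command to execute to identify to NickServ (if your network uses
     * it). This is the raw IRC command text, and the example below
     * corresponds to "/msg nickserv identify password" in a client. If
     * you don't understand, just edit "password" in the line below to be
     * your BOPM's nick password. Leave commented out if you don't need
     * to identify to NickServ.
     */
# nickserv = "privmsg nickserv :identify password";

    /*
     * The username and password needed for BOPM to oper up, separated by
     * a space. Replace "operpass" with the real password; it is stored
     * in plain text, so keep this file readable only by the BOPM user.
     */
    oper = "bopm operpass";

    /*
     * Mode string that BOPM needs to set on itself as soon as it opers
     * up. This needs to include the mode for seeing connection notices,
     * otherwise BOPM won't scan anyone (that's usually umode +c). It's
     * often also a good idea to remove any helper modes so that users
     * don't try to talk to the BOPM.
     *
     * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
     * +c !!
     */
    mode = "+c-h";

    /* Example for Bahamut; +F gives BOPM relaxed flood limits */
# mode = "+Fc-h";

    /*
     * If this is set then BOPM will use it as an /away message as soon as
     * it connects.
     */
    away = "I'm a bot. Your messages will be ignored.";

    /*
     * Info about channels you wish BOPM to join in order to accept
     * commands. BOPM will also print messages in these channels every
     * time it detects a proxy. Only IRC operators can command BOPM to do
     * anything, but some of the things BOPM reports to these channels
     * could be considered sensitive, so it's best not to put BOPM into
     * public channels.
     */
    channel {
        /*
         * Channel name. Local ("&") channels are supported if your ircd
         * supports them.
         */
        name = "#bopm";

        /*
         * If BOPM will need to use a key to enter this channel, this is
         * where you specify it.
         */
# key = "somekey";

        /*
         * If you use ChanServ then maybe you want to set the channel
         * invite-only and have each BOPM do "/msg ChanServ invite" to get
         * itself in. Leave commented if you don't, or if this makes no
         * sense to you.
         */
# invite = "privmsg chanserv :invite #bopm";
    };

    /*
     * You can define as many channels as you want, one block each:
     *
     * channel { name = "#other"; }; channel { name = "#channel"; };
     */

    /*
     * connregex is a POSIX regular expression used to parse connection
     * (+c) notices from the ircd. The complexity of the expression should
     * be kept to a minimum.
     *
     * Capture groups, in order, MUST be: nick user host IP
     *
     * BOPM will not work with ircds which do not send an IP in the
     * connection notice.
     *
     * This is fairly complicated stuff, and the consequence of getting
     * it wrong is that BOPM does not scan anyone. Unless you know
     * absolutely what you are doing, please just uncomment the example
     * below that best matches the type of ircd you use.
     *
     * !!! NOTE !!! If a connregex for your ircd does not appear here and the
     * hybrid connregex does not appear to work, check the BOPM FAQ at
     * http://wiki.blitzed.org/BOPM before contacting our lists for help.
     *
     */

    /* Hybrid / Bahamut / Unreal (in HCN mode) */
    connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * Ultimate ircd - note the control-B characters around Connect/Exit,
     * that is because that text appears in bold in the actual connect
     * notice. Be very careful when editing this, do it as you would put
     * bold characters into IRC MOTDs.
     */
# connregex = "\\*\\*\\* Connect/Exit -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * SorIRCd 1.3.4+ / StarIRCd 5.26+.
     */
# connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";


    /*
     * "kline" controls the command used when an open proxy is confirmed.
     * We suggest applying a temporary (no more than a few hours) KLINE on the host.
     *
     * <WARNING>
     * Make sure if you need to change this string you also change the
     * kline command for every DNSBL you enable below.
     *
     * Also note that some servers do not allow you to include ':' characters
     * inside the KLINE message (e.g. for a http:// address).
     *
     * Users rewriting this message into something that isn't even a valid
     * IRC command is the single most common cause of support requests and
     * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
     * KLINE COMMANDS BELOW.
     * </WARNING>
     *
     * That said, should you wish to customise this text, several
     * printf-like placeholders are available:
     *
     * %n User's nick
     * %u User's username
     * %h User's irc hostname
     * %i User's IP address
     *
     */
    kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /* A GLINE example for IRCu: */
# kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /* An AKILL example for services with OperServ
     * Your BOPM must have permission to AKILL for this to work! */
# kline = "PRIVMSG OpenServ :AKILL +3h *@%h Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /*
     * Text to send on connection; these can be stacked and will be sent
     * in this order.
     *
     * !!! UNREAL USERS PLEASE NOTE !!!
     * Unreal users will need PROTOCTL HCN to force hybrid connect
     * notices.
     *
     * Yes Unreal users! That means you! That means you need the line
     * below! See that thing at the start of the line? That's what we
     * call a comment! Remove it to UNcomment the line.
     */
# perform = "PROTOCTL HCN";

};


/*
 * OPM block defines blacklists and the information required to report new
 * proxies to a DNS blacklist. DNS-based blacklists store IP addresses in a
 * DNS zone file. There are several blacklists that list IP addresses known
 * to be open proxies or other forms of IRC abuse. By checking against these
 * blacklists, BOPMs are able to ban known sources of abuse without
 * completely scanning them.
 */

OPM {
    /*
     * Blacklist zones to check IPs against. If you would rather not
     * trust a remotely managed blacklist, you could set up your own, or
     * leave these commented out in which case every user will be
     * scanned. The use of at least one open proxy DNSBL is recommended
     * however.
     *
     * Blitzed is not associated with any of these DNSBLs, please check
     * the policies of each blacklist you use to check you are comfortable
     * with using them to block access to your server (and that you are
     * allowed to use them).
     *
     * Before enabling any zone, confirm that it is still operated and
     * that its reply values below are still current: a DNSBL that has
     * been shut down or whose reply codes have changed can cause every
     * connecting user to be klined. Review these entries periodically.
     */

    /* DroneBL - http://dronebl.org */
# blacklist {
#     /* The DNS name of the blacklist */
#     name = "dnsbl.dronebl.org";
#
#     /*
#      * There are only two valid values for this:
#      * "A record bitmask" and "A record reply".
#      * These options affect how the values specified to reply
#      * below will be interpreted; a bitmask is where the reply
#      * values are 2^n and more than one is added up, a reply is
#      * simply where the last octet of the IP is that number.
#      * If you are not sure then the values set for dnsbl.dronebl.org
#      * will work without any changes.
#      */
#     type = "A record reply";
#
#     /* Whether to kline on reply values that are not listed in the
#      * reply block below.
#      *
#      * For DNSBLs that are not IRC specific and you just wish to kline
#      * certain types this can be disabled.
#      */
#     ban_unknown = yes;
#
#     /* The actual values returned by the dnsbl.dronebl.org blacklist
#      * As documented at http://www.dronebl.org/howtouse.do */
#     reply {
#         2 = "Sample";
#         3 = "IRC Drone";
#         4 = "Tor";
#         5 = "Bottler";
#         6 = "Unknown spambot or drone";
#         7 = "DDOS Drone";
#         8 = "SOCKS Proxy";
#         9 = "HTTP Proxy";
#         10 = "ProxyChain";
#         255 = "Unknown";
#     };
#
#     /* The kline message sent for this specific blacklist, remember to put
#      * the removal method in this. Note that this example contains ':'
#      * (in http://), which some servers reject in KLINE messages - see
#      * the kline warning in the IRC block above.
#      */
#     kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=Network";
# };

# /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
#  * http://oldwww.temp.ahbl.org/docs/ircbl.php */
# blacklist {
#     name = "ircbl.ahbl.org";
#     type = "A record reply";
#     ban_unknown = no;
#     reply {
#         2 = "Open proxy";
#     };
#     kline = "KLINE *@%h :Listed in ircbl.ahbl.org. See http://ahbl.org/removals";
# };

    /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
# blacklist {
#     name = "tor.dnsbl.sectoor.de";
#     type = "A record reply";
#     reply {
#         1 = "Tor exit server";
#     };
#     ban_unknown = no;
#     kline = "KLINE *@%h :Tor exit server detected. See www.sectoor.de/tor.php?ip=%i";
# };

    /* rbl.efnet.org - http://rbl.efnet.org/ */
# blacklist {
#     name = "rbl.efnet.org";
#     type = "A record reply";
#     reply {
#         1 = "Open proxy";
#         2 = "Trojan spreader";
#         3 = "Trojan infected client";
#         4 = "TOR exit server";
#         5 = "Drones / Flooding";
#     };
#     ban_unknown = yes;
#     kline = "KLINE *@%h :Listed in rbl.efnet.org. See rbl.efnet.org/?i=%i";
# };


    /* example: NJABL - please read http://www.njabl.org/use.html before
     * uncommenting */
# blacklist {
#     name = "dnsbl.njabl.org";
#     type = "A record reply";
#     reply {
#         9 = "Open proxy";
#     };
#     ban_unknown = no;
#     kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
# };

    /*
     * You can report the insecure proxies you find to a DNSBL also!
     * The remaining directives in this section are only needed if you
     * intend to do this. Reports are sent by email, one email per IP
     * address. The format does support multiple addresses in one email,
     * but we don't know of any servers that are detecting enough insecure
     * proxies for this to be really necessary.
     */

    /*
     * Email address to send reports FROM. If you intend to send reports,
     * please pick an email address that we can actually send mail to
     * should we ever need to contact you.
     */
# dnsbl_from = "mybopm@myserver.org";

    /*
     * Email address to send reports TO.
     * For example DroneBL:
     */
# dnsbl_to = "bopm-report@dronebl.org";

    /*
     * Full path to your sendmail binary. Even if your system does not
     * use sendmail, it probably does have a binary called "sendmail"
     * present in /usr/sbin or /usr/lib. If you don't set this, no
     * proxies will be reported.
     */
# sendmail = "/usr/sbin/sendmail";
};


/*
 * The short explanation:
 *
 * This is where you define what ports/protocols to check for. You can have
 * multiple scanner blocks and then choose which users will get scanned by
 * which scanners further down.
 *
 * The long explanation:
 *
 * Scanner defines a virtual scanner. For each user being scanned, a scanner
 * will use a file descriptor (and subsequent connection) for each protocol.
 * Once connecting it will negotiate the proxy to connect to
 * target_ip:target_port (target_ip MUST be an IP).
 *
 * Once connected, any data passed through the proxy will be checked to see if
 * target_string is contained within that data. If it is the proxy is
 * considered open. If the connection is closed at any point before
 * target_string is matched, or if at least max_read bytes are read from the
 * connection, the negotiation is considered failed.
 */

scanner {

    /*
     * Unique name of this scanner. This is used further down in the
     * user {} blocks to decide which users get affected by which
     * scanners.
     */
    name = "default";

    /*
     * HTTP CONNECT - very common proxy protocol supported by widely known
     * software such as Squid and Apache. The most common sort of
     * insecure proxy and found on a multitude of weird ports too. Offers
     * transparent two way TCP connections.
     */
    protocol = HTTP:80;
    protocol = HTTP:8080;
    protocol = HTTP:3128;
    protocol = HTTP:6588;

    /*
     * SOCKS4/5 - well known proxy protocols, probably the second most
     * common for insecure proxies, also offers transparent two way TCP
     * connections. Fortunately largely confined to port 1080.
     */
    protocol = SOCKS4:1080;
    protocol = SOCKS5:1080;

    /*
     * Cisco routers with a default password (yes, it really does happen).
     * Also pretty much anything else that will let you telnet to anywhere
     * else on the internet. Fortunately these are always on port 23.
     */
    protocol = ROUTER:23;

    /*
     * WinGate is commercial windows proxy software which is now not so
     * common, but still to be found, and helpfully presents an interface
     * that can be used to telnet out, on port 23.
     */
    protocol = WINGATE:23;

    /*
     * The HTTP POST protocol, often dismissed when writing the access
     * controls for proxies, but sadly can still be used for abuse.
     * Offers only the opportunity to send a single block of data, but
     * enough of them at once can still make for a devastating flood.
     * Found on the same ports that HTTP CONNECT proxies inhabit.
     *
     * Note that if your ircd has "ping cookies" then clients from HTTP
     * POST proxies cannot actually ever get onto your network anyway. If
     * you leave the checks in then you'll still find some (because some
     * people IRC from boxes that run them), but if you use BOPM purely as
     * a protective measure and you have ping cookies, you need not scan
     * for HTTP POST.
     */
    protocol = HTTPPOST:80;

    /*
     * IP this scanner will bind to. Use this if you need your scans to
     * come FROM a particular interface on the machine you run BOPM from.
     * If you don't understand what this means, please leave this
     * commented out, as this is a major source of support queries!
     */
# vhost = "127.0.0.1";

    /* Maximum file descriptors this scanner can use. Remember that there
     * will be one FD for each protocol listed above. As this example
     * scanner has 9 protocols, it requires 9 FDs per user. With a 512 FD
     * limit, this scanner can be used on about 56 users _at the same
     * time_. That should be adequate for most servers. If you add or
     * remove protocol lines, recheck this arithmetic.
     */
    fd = 512;

    /*
     * Maximum data read from a proxy before considering it closed. Don't
     * set this too high, some people have fun setting up lots of ports
     * that send endless data to tie up your scanner. 4KB is plenty for
     * any known proxy.
     */
    max_read = 4096;

    /*
     * Amount of time (in seconds) before a test is considered timed out.
     * Again, all but the poorest slowest proxies will be detected within
     * 30 seconds, and this helps keep resource usage low.
     */
    timeout = 30;

    /*
     * Target IP to tell the proxy to connect to
     *
     * !!! THIS MUST BE CHANGED !!!
     *
     * You cannot instruct the proxy to connect to itself! The easiest
     * thing to do would be to set this to the IP of your ircd and then
     * keep the default target_strings.
     *
     * Please use an IP that is publicly reachable from anywhere on the
     * Internet, because you have no way of knowing where the insecure
     * proxies will be located. Just because you and your BOPM can
     * connect to your ircd on some private IP like 192.168.0.1, does not
     * mean that the insecure proxies out there on the Internet will be
     * able to. And if they never connect, you will never detect them.
     *
     * Remember to change this setting for every scanner you configure.
     *
     */
    target_ip = "127.0.0.1";

    /*
     * Target port to tell the proxy to connect to. This is usually
     * something like 6667. Basically any client-usable port.
     */
    target_port = 6667;

    /*
     * Target string we check for in the data read back by the scanner.
     * This should be some string out of the data that your ircd usually
     * sends on connect. The example below will work on most
     * hybrid/bahamut ircds. Multiple target strings are allowed.
     *
     * NOTE: Try to keep the number of target strings to a minimum. Two
     * should be fine. One for normal connections and one for throttled
     * connections. Comment out any others for efficiency.
     */

    /* Usually first line sent to client on connection to ircd.
     * If your ircd supports a more specific line (see below),
     * using it will reduce false positives.
     */
    target_string = "*** Looking up your hostname...";

    /* Some ircds give a source for the NOTICE AUTH (bahamut for example).
     * It is recommended you use the following instead of the generic
     * "*** Looking up your hostname..." if your ircd supports it.
     * This will reduce the chances of false positives.
     */
# target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname...";

    /* If you try to connect too fast, you'll be throttled by your own
     * ircd. Here's what a hybrid throttle message looks like:
     */
    target_string = "ERROR :Trying to reconnect too fast.";

    /* And the same for bahamut (comment this out if you're not using bahamut): */
    target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};

scanner {
    name = "extended";

    protocol = HTTP:81;
    protocol = HTTP:8000;
    protocol = HTTP:8001;
    protocol = HTTP:8081;

    protocol = HTTPPOST:81;
    protocol = HTTPPOST:6588;
# protocol = HTTPPOST:4480;
    protocol = HTTPPOST:8000;
    protocol = HTTPPOST:8001;
    protocol = HTTPPOST:8080;
    protocol = HTTPPOST:8081;

    /*
     * IRCnet have seen many socks5 on these ports, more than on the
     * standard ports even.
     */
    protocol = SOCKS4:4914;
    protocol = SOCKS4:6826;
    protocol = SOCKS4:7198;
    protocol = SOCKS4:7366;
    protocol = SOCKS4:9036;

    protocol = SOCKS5:4438;
    protocol = SOCKS5:5104;
    protocol = SOCKS5:5113;
    protocol = SOCKS5:5262;
    protocol = SOCKS5:5634;
    protocol = SOCKS5:6552;
    protocol = SOCKS5:6561;
    protocol = SOCKS5:7464;
    protocol = SOCKS5:7810;
    protocol = SOCKS5:8130;
    protocol = SOCKS5:8148;
    protocol = SOCKS5:8520;
    protocol = SOCKS5:8814;
    protocol = SOCKS5:9100;
    protocol = SOCKS5:9186;
    protocol = SOCKS5:9447;
    protocol = SOCKS5:9578;

    /*
     * These came courtesy of Keith Dunnett from a bunch of public open
     * proxy lists.
     */
    protocol = SOCKS4:29992;
    protocol = SOCKS4:38884;
    protocol = SOCKS4:18844;
    protocol = SOCKS4:17771;
    protocol = SOCKS4:31121;

    fd = 400;

    /* If required you can add settings such as target_ip here;
     * they will override the defaults set in the first scanner
     * for this and subsequent scanners defined in the config file.
     * This affects the following options:
     * fd, vhost, target_ip, target_port, target_string, timeout and
     * max_read.
     */
};



/*
 * User blocks define what scanners will be used to scan which hostmasks. When
 * a user connects they will be scanned on every scanner {} (above) that
 * matches their host.
 */

user {
    /*
     * Users matching this host mask will be scanned with all the
     * protocols in the scanner named.
     */
    mask = "*!*@*";
    scanner = "default";
};

user {
    /* Connections without ident will match on a vast number of connections;
     * very few proxies run ident though */
# mask = "*!~*@*";
    mask = "*!squid@*";
    mask = "*!nobody@*";
    mask = "*!www-data@*";
    mask = "*!cache@*";
    mask = "*!CacheFlowS@*";
    mask = "*!*@*www*";
    mask = "*!*@*proxy*";
    mask = "*!*@*cache*";

    scanner = "extended";
};


/*
 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
 * BOPM will check each string against both the hostname and the IP address of
 * the user.
 *
 * There are very few valid reasons to actually use "exempt". BOPM should
 * never get false positives, and we would like to know very much if it does.
 * One possible scenario is that the machine BOPM runs from is specifically
 * authorized to use certain hosts as proxies, and users from those hosts use
 * your network. In this case, without exempt, BOPM will scan these hosts,
 * find itself able to use them as proxies, and ban them.
 *
 * Keep this list as short as possible: an exempt mask is never scanned or
 * checked against any DNSBL, so an over-broad mask here silently disables
 * BOPM for everything it matches.
 */
exempt {
    mask = "*!*@127.0.0.1";
};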