/*
 * BOPM sample configuration for Blitzed Admins. For explanations of what all
 * the directives do, please see bopm.conf.sample.
 *
 * Most of this stuff is just suggestions. Any setting that is required will
 * be noted as such.
 *
 * Security notes for whoever deploys this file:
 *
 *  - It holds live credentials in plain text (the NickServ and oper passwords
 *    in the IRC block, and optionally the connection password). Keep it owned
 *    by the bopm user with mode 0600, and keep it out of shared shell
 *    accounts, world-readable backups and version control.
 *
 *  - Several values are placeholders (/some/path, servername, 127.0.0.1,
 *    yournick@...). A BOPM left on the placeholders will happily connect and
 *    scan but never confirm a proxy, so nothing gets banned and nobody
 *    notices. Check every "Don't forget" comment before starting it.
 */

options {
    /* Placeholder: point this at a directory only the bopm user can write. */
    pidfile = "/some/path/bopm.pid";

    /*
     * Upper bound on simultaneous DNSBL lookups. Together with the fd values
     * in the scanner blocks below (512 + 400) this has to fit under the
     * process's open-file ulimit, with room left for the IRC socket and logs.
     */
    dns_fdlimit = 64;

    /*
     * You can use this to log ALL port scans that are done. This is
     * optional and may be useful if you ever have to deal with abuse
     * reports -- scanning a client's host is exactly the kind of activity
     * that generates them, so a record of what was scanned and when is
     * worth the disk space. The log contains client IPs; protect it the
     * same way you protect any other connection log.
     */
#   scanlog = "/some/path/scan.log";
};


IRC {
    /*
     * Local address to bind the IRC connection to. Leave it commented unless
     * the host has more than one interface.
     */
#   vhost = "0.0.0.0";

    /* You're required to keep to this naming scheme! */
    nick = "servernameBOPM";

    realname = "Blitzed Open Proxy Monitor";
    username = "bopm";
    server = "servername.blitzed.org";

    /*
     * It makes sense to put the nick password here so it ID's quicker.
     *
     * NOTE(review): this directive is sent as the connection password when
     * BOPM connects; the sentence above implies the network accepts that as
     * a NickServ identification. Confirm that before relying on it, and
     * remember it is one more plaintext credential in this file.
     */
#   password = "secret";
    port = 6667;

    /*
     * Your BOPM will need a registered nick and be identified to it, to get
     * into #wg. (see below)
     *
     * Both lines below are sent to the server exactly as written once the
     * connection is up, so they contain real secrets: the NickServ password
     * and the oper block password. This is the main reason the file must not
     * be world-readable.
     *
     * The bare "nickserv :identify ..." form (rather than "PRIVMSG NickServ")
     * goes through the ircd's services command alias. That is the safer
     * choice: a PRIVMSG is delivered to whoever holds the nick "NickServ" at
     * that moment, and while services are split that could be anybody.
     */
    nickserv = "nickserv :identify bopm-nick-password";
    oper = "bopm operpass";

    /* Please use these modes, they're the only ones that make sense. */
    mode = "+Fc-h";
    away = "I'm a bot. Your messages will be ignored.";

    channel {
        /*
         * This is where all of Blitzed's BOPMs are. The name "#wg" is left over
         * from the days of dalnet's wgmon.
         */
        name = "#wg";

        /*
         * Make sure your BOPM is set to ID to its nick, and that it has access
         * enough in #wg to use the chanserv invite command. Anyone opped in #wg
         * can add this access for you.
         *
         * Like the nickserv line, this relies on the chanserv command alias
         * rather than a PRIVMSG to whoever currently owns the nick.
         */
        invite = "chanserv :invite #wg";
    };

    /*
     * Hybrid / Bahamut / Unreal (in HCN mode)
     *
     * This regex is how BOPM finds out about new connections from the oper
     * "Client connecting" notices; the captures are, in order, the nick, the
     * username, the hostname and the IP. If your ircd formats that notice
     * differently the regex never matches and nobody is ever scanned -- a
     * silent fail-open, so verify it against a real notice after starting.
     */
    connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * "kline" controls the command used when an open proxy is confirmed.
     *
     * %n User's nick
     * %u User's username
     * %h User's irc hostname
     * %i User's IP address
     *
     * You're required to use the following kline command:
     *
     * It places a four-hour AKILL on the whole host (*@%h) and points the
     * owner at a lookup page keyed on the IP (%i). Only %h and %i are used;
     * %n and %u are not part of the required command. BOPM sends this and
     * does not wait for any acknowledgement, so if OperServ is absent the
     * ban is simply lost -- watch OperServ's logs to see AKILLs actually
     * landing.
     */
    kline = "PRIVMSG OperServ :BOPMAKILL ADD +4h *@%h Open Proxy found on your host. Please visit http://www.blitzed.org/proxy?ip=%i";
};


OPM {
    /*
     * DNSBL checks. Each blacklist block maps the A-record reply code (last
     * octet of the answer) to a reason; a listed code triggers that block's
     * kline.
     *
     * "ban_unknown = no" means a reply code that is NOT in the reply list is
     * ignored rather than banned. Keep it that way: the classic DNSBL failure
     * is a list that adds new codes, or a dead/parked zone that starts
     * answering every query, and with ban_unknown on that becomes a mass ban.
     * Even with it off, a zone that answers everything with a listed code
     * will ban everyone, so keep an eye on whether the listings you act on
     * stay plausible.
     *
     * These klines use the bare "OperServ ..." command alias rather than the
     * PRIVMSG form used in the IRC block. That is fine on an ircd that has
     * the alias (the nickserv/chanserv lines above depend on the same thing)
     * but would be an unknown command -- and therefore no ban -- on one that
     * does not.
     */

    /* DroneBL (see http://www.dronebl.org/howtouse.do for details) */
    blacklist {
        name = "dnsbl.dronebl.org";
        type = "A record reply";
        ban_unknown = no;

        reply {
            /* Code 2 is DroneBL's test listing; it only matters for test addresses. */
            2 = "Sample";
            3 = "IRC Drone";
            5 = "Bottler";
            6 = "Unknown spambot or drone";
            7 = "DDOS Drone";
            8 = "SOCKS Proxy";
            9 = "HTTP Proxy";
            10 = "ProxyChain";
            255 = "Unknown";
        };
        kline = "OperServ :BOPMAKILL ADD +4h *@%h Host listed in the DroneBL. For more information visit http://dronebl.org/lookup.do?ip=%i";
    };

    /* rbl.efnet.org - http://rbl.efnet.org/ */
    blacklist {
        name = "rbl.efnet.org";
        type = "A record reply";
        reply {
            1 = "Open proxy";
            2 = "Trojan spreader";
            3 = "Trojan infected client";
            5 = "Drones / Flooding";
        };
        ban_unknown = no;
        kline = "OperServ :BOPMAKILL ADD +4h *@%h Listed in rbl.efnet.org. See http://rbl.efnet.org/?i=%i";
    };

    /*
     * You must use a real email address below (that you actually read).
     * Proxy reports BOPM mails to the DNSBL carry this as the sender, so it
     * is where questions about a bad report will come back to.
     */
    dnsbl_from = "yournick@blitzed.org";

    /* Don't change this, it's already the correct address. */
    dnsbl_to = "bopm-report@dronebl.org";

    /* This is usually correct. The reports go out through this binary. */
    sendmail = "/usr/sbin/sendmail";
};

scanner {
    name = "default";

    /*
     * Any user will get scanned on these protocols. This is the top 10 list of
     * protocol/ports found in our blacklist and you're required to test at
     * least these.
     *
     * If you want to add more, ask the OPM people for some sensible
     * suggestions.
     *
     * Every connecting client gets one outbound connection attempt per line
     * here, so each extra port is more load on the scanner host and more
     * noise in other people's firewall logs.
     */
    protocol = HTTP:80;
    protocol = HTTP:3128;
    protocol = HTTP:4480;
    protocol = HTTP:6588;
    protocol = HTTP:8080;
    protocol = HTTP:2282;
    protocol = HTTP:3802;
    protocol = HTTP:7441;
    protocol = HTTP:3332;
    protocol = HTTP:65506;

    protocol = SOCKS4:1080;
    protocol = SOCKS5:1080;

    protocol = HTTPPOST:80;
    protocol = HTTPPOST:3128;
    protocol = HTTPPOST:8080;
    protocol = HTTPPOST:808;

    protocol = WINGATE:23;

    /*
     * If your ircd is running from a machine with more than one interface,
     * you'll need to specify the IP to scan from here. Particularly important
     * if you're running on a shell server.
     *
     * Scans that appear to come from the wrong address are the quickest way
     * to get that address (and whoever else shares it) reported or listed,
     * so make sure this is an address you are allowed to scan from.
     */
#   vhost = "127.0.0.1";

    /*
     * Don't bother changing these unless you know what they do.
     * fd is the number of simultaneous scan sockets this scanner may hold
     * open (see dns_fdlimit in options for the ulimit budget).
     */
    fd = 512;
    max_read = 4096;
    timeout = 30;

    /*
     * Don't forget to change this to the public IP of your server!
     *
     * A proxy is confirmed by asking it to connect to target_ip:target_port
     * and watching for target_string to come back. Left at 127.0.0.1, the
     * proxy would presumably be told to connect to its own loopback, so the
     * string never comes back and no proxy is ever confirmed.
     */
    target_ip = "127.0.0.1";

    /*
     * This needs to be a port that is available to normal clients -- and
     * reachable from the outside, since the connection arrives from the
     * proxy's address, not from this host.
     */
    target_port = 6667;

    /*
     * Don't forget to change this to have your FULL server name here!
     * It must match the first notice your ircd sends a new connection
     * exactly; a mismatch means every scan silently comes back negative.
     */
    target_string = ":somese.rv.er.blitzed.org NOTICE AUTH :*** Looking up your hostname...";
};

scanner {
    /*
     * Here's a bunch more tests to do on "suspicious-looking" clients. Again,
     * these are the most popular ports/protocols found in our blacklist, but
     * feel free to add/remove some if you know what you're doing.
     *
     * Which clients count as suspicious is decided by the masks in the
     * matching user block below.
     */
    name = "extra";

    protocol = WINGATE:1181;

    protocol = HTTP:81;
    protocol = HTTP:8000;
    protocol = HTTP:8001;
    protocol = HTTP:8081;
    protocol = HTTP:5748;
    protocol = HTTP:443;

    protocol = HTTPPOST:81;
    protocol = HTTPPOST:6588;
    protocol = HTTPPOST:8000;
    protocol = HTTPPOST:8001;
    protocol = HTTPPOST:8081;

    protocol = SOCKS5:1978;
    protocol = SOCKS5:10001;
    protocol = SOCKS5:30021;
    protocol = SOCKS5:30022;
    protocol = SOCKS5:38994;
    protocol = SOCKS5:15859;
    protocol = SOCKS5:1027;
    protocol = SOCKS5:2425;

    protocol = SOCKS4:559;
    protocol = SOCKS4:29992;
    protocol = SOCKS4:38884;
    protocol = SOCKS4:18844;
    protocol = SOCKS4:17771;
    protocol = SOCKS4:31121;
    protocol = SOCKS4:1182;

    protocol = ROUTER:23;

    /* Less fds are given to this scanner */
    fd = 400;
};

/* Everyone gets the "default" scanner. */
user {
    scanner = "default";
    mask = "*!*@*";
};

user {
    scanner = "extra";
    /*
     * If the user matches any of these masks they will get the extra scans
     * too.
     *
     * Connections without ident will match on a vast number of connections;
     * very few proxies run ident though.
     *
     * These masks only widen the scan; a client that matches none of them is
     * still covered by the "default" scanner above.
     */
    mask = "*!~*@*";
    mask = "*!squid@*";
    mask = "*!nobody@*";
    mask = "*!www-data@*";
    mask = "*!cache@*";
    mask = "*!CacheFlowS@*";
    mask = "*!*@*www*";
    mask = "*!*@*proxy*";
    mask = "*!*@*cache*";
};

/*
 * You can use exempts to deliberately allow certain insecure proxies onto the
 * network, but this should never be necessary! Please consult BOPM people
 * before using this. If you think you have found a false positive then they
 * really need to know.
 *
 * Every mask listed here is a hole in the proxy check, so keep the list
 * empty unless you have a reason you can explain to the other admins.
 */
/*
exempt {
    mask = "*!*@127.0.0.1";
};
*/