1/*
2 * BOPM sample configuration for Blitzed Admins.  For explanations of what all
3 * the directives do, please see bopm.conf.sample.
4 *
5 * Most of this stuff is just suggestions.  Any setting that is required will
6 * be noted as such.
7 *
8 */
9
options {
   /* Where BOPM writes its process ID.  Replace the placeholder path. */
   pidfile = "/some/path/bopm.pid";

   /* Presumably the cap on descriptors used for DNS lookups; see bopm.conf.sample. */
   dns_fdlimit = 64;

   /*
    * You can use this to log ALL port scans that are done.  This is
    * optional and may be useful if you ever have to deal with abuse
    * reports (your BOPM does look like a port scanner to the hosts it probes).
    *
    * NOTE: such a log records the address of every client that was scanned,
    * so keep it readable only by the BOPM user and rotate it like any other
    * sensitive log.
    */
#  scanlog = "/some/path/scan.log";
};
21
22
IRC {
   /* Local address to connect to the ircd from; leave unset to let the OS pick. */
#  vhost = "0.0.0.0";

   /* You're required to keep to this naming scheme! */
   nick = "servernameBOPM";

   realname = "Blitzed Open Proxy Monitor";
   username = "bopm";
   server = "servername.blitzed.org";

   /*
    * SECURITY: the password, nickserv and oper lines in this block hold
    * credentials in clear text.  Keep this file readable only by the user
    * BOPM runs as (e.g. mode 0600) and never commit or share a copy that
    * has real values filled in.  The oper password in particular grants
    * the ability to issue the AKILL command used below.
    */

   /* It makes sense to put the nick password here so it ID's quicker. */
#  password = "secret";
   port = 6667;

   /*
    * Your BOPM will need a registered nick and be identified to it, to get
    * into #wg. (see below)
    */
   nickserv = "nickserv :identify bopm-nick-password";
   oper = "bopm operpass";

   /* Please use these modes, they're the only ones that make sense. */
   mode = "+Fc-h";
   away = "I'm a bot.  Your messages will be ignored.";

   channel {
      /*
       * This is where all of Blitzed's BOPMs are.  The name "#wg" is left over
       * from the days of dalnet's wgmon.
       */
      name = "#wg";

      /*
       * Make sure your BOPM is set to ID to its nick, and that it has access
       * enough in #wg to use the chanserv invite command.  Anyone opped in #wg
       * can add this access for you.
       */
      invite = "chanserv :invite #wg";
   };

   /*
    * Hybrid / Bahamut / Unreal (in HCN mode)
    *
    * Matches the server's "Client connecting" notice.  The four capture
    * groups (nick, username, hostname, IP) are presumably what fill the
    * %n/%u/%h/%i substitutions used in "kline" below; if your ircd's notice
    * format differs, nothing will ever be scanned, so check the notice
    * text against this regex first.
    */
   connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

   /*
    * "kline" controls the command used when an open proxy is confirmed.
    *
    *  %n     User's nick
    *  %u     User's username
    *  %h     User's irc hostname
    *  %i     User's IP address
    *
    * You're required to use the following kline_command:
    * (it is sent as a PRIVMSG to OperServ, which places a 4-hour AKILL on
    * *@hostname and points the user at the Blitzed proxy-help page for %i)
    */
   kline = "PRIVMSG OperServ :BOPMAKILL ADD +4h *@%h Open Proxy found on your host. Please visit http://www.blitzed.org/proxy?ip=%i";
};
78
79
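OPM {
   /*
    * DNS blacklists that connecting IPs are looked up in.  The "kline" in
    * each blacklist is used the same way as the kline in the IRC block
    * above, so it is written with the same "PRIVMSG OperServ :" prefix.
    * The previous form, "OperServ :BOPMAKILL ...", had no IRC command in
    * front of it: sent to the server verbatim, "OperServ" is an unknown
    * command and no AKILL would be placed for listed hosts.
    */

   /* DroneBL (see http://www.dronebl.org/howtouse.do for details) */
   blacklist {
      name = "dnsbl.dronebl.org";
      type = "A record reply";

      /* Presumably: reply codes not listed below are not banned. */
      ban_unknown = no;

      reply {
         2 = "Sample";
         3 = "IRC Drone";
         5 = "Bottler";
         6 = "Unknown spambot or drone";
         7 = "DDOS Drone";
         8 = "SOCKS Proxy";
         9 = "HTTP Proxy";
         10 = "ProxyChain";
         255 = "Unknown";
      };
      kline = "PRIVMSG OperServ :BOPMAKILL ADD +4h *@%h Host listed in the DroneBL. For more information visit http://dronebl.org/lookup.do?ip=%i";
   };

   /* rbl.efnet.org - http://rbl.efnet.org/ */
   blacklist {
      name = "rbl.efnet.org";
      type = "A record reply";
      reply {
         1 = "Open proxy";
         2 = "Trojan spreader";
         3 = "Trojan infected client";
         5 = "Drones / Flooding";
      };
      ban_unknown = no;
      kline = "PRIVMSG OperServ :BOPMAKILL ADD +4h *@%h Listed in rbl.efnet.org. See http://rbl.efnet.org/?i=%i";
   };

   /*
    * You must use a real email address below (that you actually read).
    * Together with dnsbl_to and sendmail this is presumably how positive
    * scans are reported to DroneBL; be aware that those reports hand the
    * addresses your BOPM found to a third party, and that DroneBL may need
    * to reach you at this address about them.
    */
   dnsbl_from = "yournick@blitzed.org";

   /* Don't change this, it's already the correct address. */
   dnsbl_to = "bopm-report@dronebl.org";

   /* This is usually correct.  Check it is the real sendmail binary, not a writable wrapper. */
   sendmail = "/usr/sbin/sendmail";
};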
124
scanner {
   /* Referenced by the "user" blocks below; every client gets this scanner. */
   name = "default";

   /*
    * Any user will get scanned on these protocols.  This is the top 10 list of
    * protocol/ports found in our blacklist and you're required to test at
    * least these.
    *
    * If you want to add more, ask the OPM people for some sensible
    * suggestions.
    */
   protocol = HTTP:80;
   protocol = HTTP:3128;
   protocol = HTTP:4480;
   protocol = HTTP:6588;
   protocol = HTTP:8080;
   protocol = HTTP:2282;
   protocol = HTTP:3802;
   protocol = HTTP:7441;
   protocol = HTTP:3332;
   protocol = HTTP:65506;

   protocol = SOCKS4:1080;
   protocol = SOCKS5:1080;

   protocol = HTTPPOST:80;
   protocol = HTTPPOST:3128;
   protocol = HTTPPOST:8080;
   protocol = HTTPPOST:808;

   protocol = WINGATE:23;

   /*
    * If your ircd is running from a machine with more than one interface,
    * you'll need to specify the IP to scan from here.  Particularly important
    * if you're running on a shell server.
    *
    * NOTE: this is the source address remote hosts will see the probes come
    * from; abuse complaints about "port scans" will be directed at it.
    */
#  vhost = "127.0.0.1";

   /* Don't bother changing these unless you know what they do. */
   fd = 512;
   max_read = 4096;
   timeout = 30;

   /*
    * Don't forget to change this to the public IP of your server!
    *
    * target_ip/target_port/target_string describe the proxy test: a client
    * is presumably treated as an open proxy when a connection made through
    * it to target_ip:target_port returns target_string.  With target_ip left
    * at 127.0.0.1 no remote proxy can reach the target, so every scan would
    * quietly come back negative and open proxies would go undetected.
    */
   target_ip     = "127.0.0.1";

   /* This needs to be a port that is available to normal clients. */
   target_port   = 6667;

   /*
    * Don't forget to change this to have your FULL server name here!
    * (This must match the first NOTICE AUTH line your ircd actually sends,
    * byte for byte, or the test above can never succeed.)
    */
   target_string = ":somese.rv.er.blitzed.org NOTICE AUTH :*** Looking up your hostname...";
};
178
scanner {
   /*
    * Here's a bunch more tests to do on "suspicious-looking" clients.  Again,
    * these are the most popular ports/protocols found in our blacklist, but
    * feel free to add/remove some if you know what you're doing.
    *
    * This scanner inherits nothing from "default": only the protocols listed
    * here are probed, and only for clients matching the "extra" user block.
    * Note that target_ip/target_port/target_string are not repeated here;
    * presumably the global defaults apply — confirm against bopm.conf.sample.
    */
   name = "extra";

   protocol = WINGATE:1181;

   protocol = HTTP:81;
   protocol = HTTP:8000;
   protocol = HTTP:8001;
   protocol = HTTP:8081;
   protocol = HTTP:5748;
   /* Plain HTTP CONNECT on 443 (presumably no TLS, as with the other HTTP entries). */
   protocol = HTTP:443;

   protocol = HTTPPOST:81;
   protocol = HTTPPOST:6588;
   protocol = HTTPPOST:8000;
   protocol = HTTPPOST:8001;
   protocol = HTTPPOST:8081;

   protocol = SOCKS5:1978;
   protocol = SOCKS5:10001;
   protocol = SOCKS5:30021;
   protocol = SOCKS5:30022;
   protocol = SOCKS5:38994;
   protocol = SOCKS5:15859;
   protocol = SOCKS5:1027;
   protocol = SOCKS5:2425;

   protocol = SOCKS4:559;
   protocol = SOCKS4:29992;
   protocol = SOCKS4:38884;
   protocol = SOCKS4:18844;
   protocol = SOCKS4:17771;
   protocol = SOCKS4:31121;
   protocol = SOCKS4:1182;

   protocol = ROUTER:23;

   /* Less fds are given to this scanner (the default scanner above has 512). */
   fd = 400;
};
224
user {
   /* Every client matches "*!*@*", so everyone gets the "default" scanner. */
   scanner = "default";
   mask = "*!*@*";
};
229
user {
   scanner = "extra";
   /*
    * If the user matches any of these masks they will get the extra scans
    * too.
    *
    * Connections without ident will match on a vast number of connections;
    * very few proxies run ident though.
    *
    * Masks are nick!user@host patterns: the first matches usernames the ircd
    * prefixed with "~" (presumably its no-ident marker), the next five match
    * usernames typical of proxy/web-cache daemons, and the last three match
    * substrings of the hostname.  Anything a client can choose (nick, the
    * ident reply) is under its control, so these only widen the scan; the
    * "default" scanner still runs for everyone.
    */
   mask = "*!~*@*";
   mask = "*!squid@*";
   mask = "*!nobody@*";
   mask = "*!www-data@*";
   mask = "*!cache@*";
   mask = "*!CacheFlowS@*";
   mask = "*!*@*www*";
   mask = "*!*@*proxy*";
   mask = "*!*@*cache*";
};
249
250/*
251 * You can use exempts to deliberately allow certain insecure proxies onto the
252 * network, but this should never be necessary!  Please consult BOPM people
253 * before using this.  If you think you have found a false positive then they
254 * really need to know.
255 */
256/*
257exempt {
258	mask = "*!*@127.0.0.1";
259};
260*/
261