need help with bopm
Posted: Fri Jan 16, 2009 11:05 am
Hi, i installed bopm yesterday... the problem is bopm is not checking user on connect... then i installed neostats with opsb and blsb...neostats seems to work but not bopm...
here is my conf
here is my conf
Code: Select all
/*
* BOPM sample configuration for Blitzed Admins. For explanations of what all
* the directives do, please see bopm.conf.sample.
*
* Most of this stuff is just suggestions. Any setting that is required will
* be noted as such.
*
*/
options {
pidfile = "/home/c0re/bopm/bopm.pid";
dns_fdlimit = 64;
/*
* You can use this to log ALL port scans that are done. This is
* optional and may be useful if you ever have to deal with abuse
* reports.
*/
# scanlog = "/home/c0re/bopm/scan.log";
};
IRC {
# vhost = "72.20.42.118";
/* You're required to keep to this naming scheme! */
nick = "Sw33t-Elite";
realname = "SweetBD Open Proxy Monitor";
username = "SweetBD";
server = "72.20.42.118";
/* It makes sense to put the nick password here so it ID's quicker. */
# password = "secret";
port = 6667;
/*
* Your BOPM will need a registered nick and be identified to it, to get
* into #wg. (see below)
*/
nickserv = "nickserv :identify bopm-nick-password";
oper = "c0xxx xxxx"; /* i changed the password before i post this conf in this theard */
/* Please use these modes, they're the only ones that make sense. */
mode = "+Fc-h";
away = "I'm a bot. Your messages will be ignored.";
channel {
/*
* This is where all of Blitzed's BOPMs are. The name "#wg" is left over
* from the days of dalnet's wgmon.
*/
name = "#staff";
/*
* Make sure your BOPM is set to ID to its nick, and that it has access
* enough in #wg to use the chanserv invite command. Anyone opped in #wg
* can add this access for you.
*/
invite = "chanserv :invite #staff";
};
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* "kline" controls the command used when an open proxy is confirmed.
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
*
* You're required to use the following kline_command:
*/
kline = "GZLINE *@%i 1d :An open proxy was detected on your host. Ensure you have removed any malware from your computer and secured any proxy software running";
};
OPM {
/* DroneBL (see http://www.dronebl.org/howtouse.do for details) */
blacklist {
name = "dnsbl.dronebl.org";
type = "A record reply";
ban_unknown = no;
reply {
2 = "Sample";
3 = "IRC Drone";
5 = "Bottler";
6 = "Unknown spambot or drone";
7 = "DDOS Drone";
8 = "SOCKS Proxy";
9 = "HTTP Proxy";
10 = "ProxyChain";
255 = "Unknown";
};
kline = "GZLINE *@%i 1d :Host listed in the DroneBL. For more information visit http://dronebl.org/lookup.do?ip=%i";
};
blacklist {
name = "opm.blitzed.org";
type = "A record bitmask";
ban_unknown = yes;
reply {
1 = "WinGate";
2 = "Socks";
4 = "HTTP";
8 = "Router";
16 = "HTTP POST";
};
kline = "GZLINE *@%i 1d :Sorry, %n, Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
};
blacklist {
name = "dnsbl.njabl.org";
type = "A record reply";
reply {
9 = "Open proxy";
};
ban_unknown = no;
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. www.njabl.org/cgi-bin/lookup.cgi?query=%i";
};
blacklist {
name = "virbl.dnsbl.bit.nl";
type = "A record reply";
ban_unknown = yes;
reply {
2 = "Virus";
};
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Virus List.. http://virbl.bit.nl/list.php";
};
blacklist {
name = "ircbl.ahbl.org";
type = "A record reply";
ban_unknown = yes;
reply {
2 = "Abusive";
};
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our DDoS/Drone/Spammer/Abuse List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
blacklist {
name = "tor.dnsbl.sectoor.de";
type = "A record reply";
reply {
1 = "Tor exit server";
};
ban_unknown = no;
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=%i";
};
/* rbl.efnet.org - http://rbl.efnet.org/ */
blacklist {
name = "rbl.efnet.org";
type = "A record reply";
reply {
1 = "Open proxy";
2 = "Trojan spreader";
3 = "Trojan infected client";
5 = "Drones / Flooding";
};
ban_unknown = no;
kline = "GZLINE *@%i 1d :Listed in rbl.efnet.org. See http://rbl.efnet.org/?i=%i";
};
blacklist {
name = "tor.ahbl.org";
type = "A record reply";
reply {
2 = "Tor exit server";
};
ban_unknown = no;
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
blacklist {
name = "no-more-funn.moensted.dk";
type = "A record reply";
ban_unknown = no;
reply {
10 = "Open Proxy";
};
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. http://moensted.dk/spam/no-more-funn?addr=%i";
};
blacklist {
name = "dnsbl.sorbs.net";
type = "A record reply";
ban_unknown = no;
reply {
2 = "Open HTTP Proxy";
3 = "Open Socks Proxy";
4 = "Other Open Proxy";
};
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List as a %t.. http://dnsbl.sorbs.net/cgi-bin/db?IP=%i";
};
blacklist {
name = "spbl.bl.winbots.org";
type = "A record reply";
ban_unknown = yes;
reply {
1 = "Test";
2 = "UnderNet Spam";
3 = "QuakeNet Spam";
4 = "Winbots Spam";
};
kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our %t List.. Email [email protected] to get this resolved.";
};
blacklist {
name = "dronebl.noderebellion.net";
type = "A record reply";
ban_unknown = no;
reply {
3 = "IRC spam drone (litmus/sdbot)";
4 = "Tor anonymous proxy";
5 = "IRC DDoS drone (wisdom/agobot/phatbot/rxbot)";
10 = "Open proxy";
14 = "Unknown worm/bot (found in DDoS attack by dronebl user)";
17 = "Unknown worm/bot (found scanning NodeRebellion's IP network)";
19 = "Open proxy (proxychain)";
};
kline = "GZLINE *@%i 1d :Your IP (%i), is listed as a %t in the DroneBL, see http://www.noderebellion.net/tools/lookup/?ip=%i";
};
blacklist {
name = "tor.sectoor.de";
type = "A record reply";
reply {
1 = "tor exit server";
};
ban_unknown = no;
kline = "GZLINE *@%i 1d :You are in the tor.sectoor.de DNSBL. Please visit http://www.sectoor.de/tor.php?ip=%i";
};
/* You must use a real email address below (that you actually read). */
dnsbl_from = "[email protected]";
/* Don't change this, it's already the correct address. */
dnsbl_to = "[email protected]";
/* This is usually correct. */
sendmail = "/usr/sbin/sendmail";
};
scanner {
name = "default";
/*
* Any user will get scanned on these protocols. This is the top 10 list of
* protocol/ports found in our blacklist and you're required to test at
* least these.
*
* If you want to add more, ask the OPM people for some sensible
* suggestions.
*/
protocol = ROUTER:23;
protocol = SOCKS4:559;
protocol = HTTPPOST:3128;
protocol = SOCKS4:1080;
protocol = HTTP:8080;
protocol = SOCKS5:1182;
protocol = HTTP:3128;
protocol = HTTPPOST:8080;
protocol = SOCKS4:9999;
protocol = HTTPPOST:80;
protocol = SOCKS5:1080;
protocol = HTTP:63000;
protocol = HTTP:8000;
protocol = HTTPPOST:808;
protocol = HTTP:80;
protocol = HTTPPOST:6588;
protocol = HTTP:6588;
protocol = SOCKS5:3128;
protocol = SOCKS5:10080;
protocol = HTTPPOST:4480;
protocol = SOCKS4:6664;
protocol = SOCKS4:63808;
protocol = HTTP:6667;
protocol = SOCKS4:19991;
protocol = SOCKS4:1098;
protocol = SOCKS4:10000;
protocol = SOCKS4:4471;
protocol = HTTP:65506;
protocol = HTTP:63809;
protocol = SOCKS5:9090;
protocol = HTTP:9090;
protocol = HTTP:6668;
protocol = SOCKS4:58;
protocol = SOCKS5:58;
protocol = SOCKS4:6969;
protocol = WINGATE:23;
protocol = SOCKS5:3380;
protocol = SOCKS4:40;
protocol = SOCKS5:443;
protocol = SOCKS4:8888;
protocol = HTTPPOST:9090;
protocol = HTTP:5490;
protocol = SOCKS4:8080;
protocol = SOCKS5:6969;
protocol = SOCKS4:1026;
protocol = SOCKS4:1025;
protocol = HTTP:8888;
protocol = HTTP:6669;
protocol = HTTP:8090;
protocol = HTTP:808;
protocol = SOCKS5:1029;
protocol = SOCKS4:41080;
protocol = SOCKS5:8020;
protocol = SOCKS5:6000;
protocol = HTTPPOST:8081;
protocol = HTTP:4480;
protocol = SOCKS5:1027;
protocol = SOCKS4:1028;
protocol = HTTP:3332;
protocol = SOCKS5:8888;
protocol = SOCKS5:1028;
protocol = SOCKS4:3330;
protocol = SOCKS4:29992;
protocol = SOCKS4:1234;
protocol = SOCKS4:1029;
protocol = HTTP:5000;
protocol = HTTP:443;
protocol = SOCKS5:1813;
protocol = SOCKS5:1081;
protocol = SOCKS5:1026;
protocol = SOCKS4:1337;
protocol = SOCKS4:1050;
protocol = HTTP:1080;
protocol = SOCKS5:9999;
protocol = SOCKS5:9100;
protocol = SOCKS5:19991;
protocol = SOCKS5:1098;
protocol = SOCKS4:9100;
protocol = SOCKS4:7080;
protocol = SOCKS4:1033;
protocol = HTTP:9000;
protocol = HTTP:5800;
protocol = HTTP:5634;
protocol = HTTP:4471;
protocol = HTTP:3382;
protocol = SOCKS5:1200;
protocol = SOCKS5:1039;
protocol = SOCKS5:1025;
protocol = SOCKS4:8002;
protocol = SOCKS4:6748;
protocol = SOCKS4:44548;
protocol = SOCKS4:3380;
protocol = SOCKS4:32167;
protocol = SOCKS4:2000;
protocol = SOCKS4:1979;
protocol = SOCKS4:12654;
protocol = SOCKS4:11225;
protocol = SOCKS4:1066;
protocol = SOCKS4:1030;
protocol = SOCKS4:1027;
protocol = SOCKS4:10099;
protocol = HTTP:81;
protocol = HTTP:6665;
protocol = HTTP:6664;
protocol = HTTP:6663;
protocol = SOCKS5:8278;
protocol = SOCKS5:6748;
protocol = SOCKS5:4914;
protocol = SOCKS5:4471;
protocol = SOCKS5:29992;
protocol = SOCKS5:17235;
protocol = SOCKS5:1234;
protocol = SOCKS5:1202;
protocol = SOCKS5:1180;
protocol = SOCKS5:1075;
protocol = SOCKS5:1033;
protocol = SOCKS5:10000;
protocol = SOCKS4:8020;
protocol = SOCKS4:4044;
protocol = SOCKS4:3128;
protocol = SOCKS4:3127;
protocol = SOCKS4:28882;
protocol = SOCKS4:24973;
protocol = SOCKS4:21421;
protocol = SOCKS4:1182;
protocol = SOCKS4:1032;
protocol = SOCKS4:10242;
protocol = HTTPPOST:8089;
protocol = HTTP:8082;
protocol = HTTP:6661;
protocol = HTTP:35233;
protocol = HTTP:19991;
protocol = HTTP:1098;
protocol = HTTP:1050;
protocol = SOCKS5:9988;
protocol = SOCKS5:8080;
protocol = SOCKS5:8009;
protocol = SOCKS5:6561;
protocol = SOCKS5:24971;
protocol = SOCKS5:18844;
protocol = SOCKS5:1122;
protocol = SOCKS5:10777;
protocol = SOCKS5:1030;
protocol = SOCKS5:10130;
protocol = SOCKS5:10099;
protocol = SOCKS4:8751;
protocol = SOCKS4:8278;
protocol = SOCKS4:8111;
protocol = SOCKS4:7007;
protocol = SOCKS4:6551;
protocol = SOCKS4:5353;
protocol = SOCKS4:443;
protocol = SOCKS4:43341;
protocol = SOCKS4:3801;
protocol = SOCKS4:2280;
protocol = SOCKS4:1978;
protocol = SOCKS4:1212;
protocol = SOCKS4:1039;
protocol = SOCKS4:1031;
protocol = HTTPPOST:81;
protocol = HTTP:9988;
protocol = HTTP:7868;
protocol = HTTP:7070;
protocol = HTTP:444;
protocol = HTTP:1200;
protocol = HTTP:1039;
/*
* If your ircd is running from a machine with more than one interface,
* you'll need to specify the IP to scan from here. Particularly important
* if you're running on a shell server.
*/
vhost = "72.20.42.118";
/* Don't bother changing these unless you know what they do. */
fd = 512;
max_read = 4096;
timeout = 30;
/* Don't forget to change this to the public IP of your server! */
target_ip = "irc.mynetwork.com";
/* This needs to be a port that is available to normal clients. */
target_port = 6667;
/* Don't forget to change this to have your FULL server name here! */
target_string = "*** Looking up your hostname...";
};
scanner {
/*
* Here's a bunch more tests to do on "suspicious-looking" clients. Again,
* these are the most popular ports/protocols found in our blacklist, but
* feel free to add/remove some if you know what you're doing.
*/
name = "extra";
protocol = WINGATE:1181;
protocol = HTTP:81;
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTP:5748;
protocol = HTTP:443;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8081;
protocol = SOCKS5:1978;
protocol = SOCKS5:10001;
protocol = SOCKS5:30021;
protocol = SOCKS5:30022;
protocol = SOCKS5:38994;
protocol = SOCKS5:15859;
protocol = SOCKS5:1027;
protocol = SOCKS5:2425;
protocol = SOCKS4:559;
protocol = SOCKS4:29992;
protocol = SOCKS4:38884;
protocol = SOCKS4:18844;
protocol = SOCKS4:17771;
protocol = SOCKS4:31121;
protocol = SOCKS4:1182;
protocol = ROUTER:23;
/* Less fds are given to this scanner */
fd = 400;
};
user {
scanner = "default";
mask = "*!*@*";
};
user {
scanner = "extra";
/*
* If the user matches any of these masks they will get the extra scans
* too.
*
* Connections without ident will match on a vast number of connections;
* very few proxies run ident though.
*/
mask = "*!~*@*";
mask = "*!squid@*";
mask = "*!nobody@*";
mask = "*!www-data@*";
mask = "*!cache@*";
mask = "*!CacheFlowS@*";
mask = "*!*@*www*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
};
/*
* You can use exempts to deliberately allow certain insecure proxies onto the
* network, but this should never be necessary! Please consult BOPM people
* before using this. If you think you have found a false positive then they
* really need to know.
*/
/*
exempt {
mask = "*!*@127.0.0.1";
};
*/
