Page 1 of 1

need help with bopm

Posted: Fri Jan 16, 2009 11:05 am
by c0re
Hi, i installed bopm yesterday... the problem is bopm is not checking user on connect... then i installed neostats with opsb and blsb...neostats seems to work but not bopm...

here is my conf

Code: Select all


/*
 * BOPM sample configuration for Blitzed Admins.  For explanations of what all
 * the directives do, please see bopm.conf.sample.
 *
 * Most of this stuff is just suggestions.  Any setting that is required will
 * be noted as such.
 *
 */

options {

   pidfile = "/home/c0re/bopm/bopm.pid";
   dns_fdlimit = 64;
   
   /*
    * You can use this to log ALL port scans that are done.  This is
    * optional and may be useful if you ever have to deal with abuse
    * reports.
    */
#  scanlog = "/home/c0re/bopm/scan.log";
};


IRC {
#  vhost = "72.20.42.118";

   /* You're required to keep to this naming scheme! */
   nick = "Sw33t-Elite";

   realname = "SweetBD Open Proxy Monitor";
   username = "SweetBD";
   server = "72.20.42.118";

   /* It makes sense to put the nick password here so it ID's quicker. */
#  password = "secret";
   port = 6667;

   /*
    * Your BOPM will need a registered nick and be identified to it, to get
    * into #wg. (see below)
    */
   nickserv = "nickserv :identify bopm-nick-password";
   oper = "c0xxx xxxx"; /* i changed the password before i post this conf in this theard */
   

   /* Please use these modes, they're the only ones that make sense. */
   mode = "+Fc-h";
   away = "I'm a bot.  Your messages will be ignored.";

   channel {
      /*
       * This is where all of Blitzed's BOPMs are.  The name "#wg" is left over
       * from the days of dalnet's wgmon.
       */
      name = "#staff";

      /*
       * Make sure your BOPM is set to ID to its nick, and that it has access
       * enough in #wg to use the chanserv invite command.  Anyone opped in #wg
       * can add this access for you.
       */
      invite = "chanserv :invite #staff";
   };

   /* Hybrid / Bahamut / Unreal (in HCN mode) */
   connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

   /*
    * "kline" controls the command used when an open proxy is confirmed.
    *
    *  %n     User's nick
    *  %u     User's username
    *  %h     User's irc hostname
    *  %i     User's IP address
    *
    * You're required to use the following kline_command:
    */
   kline = "GZLINE *@%i 1d :An open proxy was detected on your host. Ensure you have removed any malware from your computer and secured any proxy software running";
};


OPM {
   /* DroneBL (see http://www.dronebl.org/howtouse.do for details) */
   blacklist {
      name = "dnsbl.dronebl.org";
      type = "A record reply";
      ban_unknown = no;
		
      reply {
         2 = "Sample"; 
         3 = "IRC Drone"; 
         5 = "Bottler"; 
         6 = "Unknown spambot or drone";
         7 = "DDOS Drone"; 
         8 = "SOCKS Proxy"; 
         9 = "HTTP Proxy"; 
         10 = "ProxyChain"; 
         255 = "Unknown"; 
      };
      kline = "GZLINE *@%i 1d :Host listed in the DroneBL. For more information visit http://dronebl.org/lookup.do?ip=%i";
   };


        blacklist {
           name = "opm.blitzed.org";
           type = "A record bitmask";
           ban_unknown = yes;
           reply {
              1 = "WinGate";
              2 = "Socks";
              4 = "HTTP";
              8 = "Router";
              16 = "HTTP POST";
           };
           kline = "GZLINE *@%i 1d :Sorry, %n, Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
        }; 
         blacklist {
            name = "dnsbl.njabl.org";
            type = "A record reply";
            reply {
               9 = "Open proxy";
            };
            ban_unknown = no;
            kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. www.njabl.org/cgi-bin/lookup.cgi?query=%i";
        }; 

        blacklist {
           name = "virbl.dnsbl.bit.nl";
           type = "A record reply";
           ban_unknown = yes;
           reply {
              2 = "Virus";
           };
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Virus List.. http://virbl.bit.nl/list.php";
        }; 

        blacklist {
           name = "ircbl.ahbl.org";
           type = "A record reply";
           ban_unknown = yes;
           reply {
              2 = "Abusive";
           };
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our DDoS/Drone/Spammer/Abuse List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
        }; 



        blacklist {
           name = "tor.dnsbl.sectoor.de";
           type = "A record reply";
           reply {
              1 = "Tor exit server";
           };
           ban_unknown = no;
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=%i";
        }; 


   /* rbl.efnet.org - http://rbl.efnet.org/ */
   blacklist {
      name = "rbl.efnet.org";
      type = "A record reply";
      reply {
         1 = "Open proxy";
         2 = "Trojan spreader";
         3 = "Trojan infected client";
         5 = "Drones / Flooding";
      };
      ban_unknown = no;
      kline = "GZLINE *@%i 1d :Listed in rbl.efnet.org. See http://rbl.efnet.org/?i=%i";
   };

        blacklist {
           name = "tor.ahbl.org";
           type = "A record reply";
           reply {
              2 = "Tor exit server";
           };
           ban_unknown = no;
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List..  http://www.ahbl.org/tools/lookup.php?ip=%i";
        }; 

      blacklist {
           name = "no-more-funn.moensted.dk";
           type = "A record reply";
           ban_unknown = no;
           reply {
              10 = "Open Proxy";
           };
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. http://moensted.dk/spam/no-more-funn?addr=%i";
        }; 

      blacklist {
           name = "dnsbl.sorbs.net";
           type = "A record reply";
           ban_unknown = no;
           reply {
              2 = "Open HTTP Proxy";
              3 = "Open Socks Proxy";
              4 = "Other Open Proxy";
           };
           kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List as a %t.. http://dnsbl.sorbs.net/cgi-bin/db?IP=%i";
        }; 

blacklist {
  name = "spbl.bl.winbots.org";
  type = "A record reply";
  ban_unknown = yes;
  reply {
    1 = "Test";
    2 = "UnderNet Spam";
    3 = "QuakeNet Spam";
    4 = "Winbots Spam";
  };
  kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our %t List.. Email cobi@winbots.org to get this resolved.";
};


        blacklist {
           name = "dronebl.noderebellion.net";
           type = "A record reply";
           ban_unknown = no;
           reply {
              3 = "IRC spam drone (litmus/sdbot)";
              4 = "Tor anonymous proxy";
              5 = "IRC DDoS drone (wisdom/agobot/phatbot/rxbot)";
              10 = "Open proxy";
              14 = "Unknown worm/bot (found in DDoS attack by dronebl user)";
              17 = "Unknown worm/bot (found scanning NodeRebellion's IP network)";
              19 = "Open proxy (proxychain)";
           };
           kline = "GZLINE *@%i 1d :Your IP (%i), is listed as a %t in the DroneBL, see http://www.noderebellion.net/tools/lookup/?ip=%i";
        }; 

blacklist {
        name = "tor.sectoor.de";
        type = "A record reply";
        reply {
                1 = "tor exit server";
        };
        ban_unknown = no;
        kline = "GZLINE *@%i 1d :You are in the tor.sectoor.de DNSBL. Please visit http://www.sectoor.de/tor.php?ip=%i";
}; 


   /* You must use a real email address below (that you actually read). */
   dnsbl_from = "aaa@aaa.com";

   /* Don't change this, it's already the correct address. */
   dnsbl_to = "bopm-report@dronebl.org";

   /* This is usually correct. */
   sendmail = "/usr/sbin/sendmail";
};

scanner {
   name = "default";

   /*
    * Any user will get scanned on these protocols.  This is the top 10 list of
    * protocol/ports found in our blacklist and you're required to test at
    * least these.
    *
    * If you want to add more, ask the OPM people for some sensible
    * suggestions.
    */
        protocol = ROUTER:23;
        protocol = SOCKS4:559;
        protocol = HTTPPOST:3128;
        protocol = SOCKS4:1080;
        protocol = HTTP:8080;
        protocol = SOCKS5:1182;
        protocol = HTTP:3128;
        protocol = HTTPPOST:8080;
        protocol = SOCKS4:9999;
        protocol = HTTPPOST:80;
        protocol = SOCKS5:1080;
        protocol = HTTP:63000;
        protocol = HTTP:8000;
        protocol = HTTPPOST:808;
        protocol = HTTP:80;
        protocol = HTTPPOST:6588;
        protocol = HTTP:6588;
        protocol = SOCKS5:3128;
        protocol = SOCKS5:10080;
        protocol = HTTPPOST:4480;
        protocol = SOCKS4:6664;
        protocol = SOCKS4:63808;
        protocol = HTTP:6667;
        protocol = SOCKS4:19991;
        protocol = SOCKS4:1098;
        protocol = SOCKS4:10000;
        protocol = SOCKS4:4471;
        protocol = HTTP:65506;
        protocol = HTTP:63809;
        protocol = SOCKS5:9090;
        protocol = HTTP:9090;
        protocol = HTTP:6668;
        protocol = SOCKS4:58;
        protocol = SOCKS5:58;
        protocol = SOCKS4:6969;
        protocol = WINGATE:23;
        protocol = SOCKS5:3380;
        protocol = SOCKS4:40;
        protocol = SOCKS5:443;
        protocol = SOCKS4:8888;
        protocol = HTTPPOST:9090;
        protocol = HTTP:5490;
        protocol = SOCKS4:8080;
        protocol = SOCKS5:6969;
        protocol = SOCKS4:1026;
        protocol = SOCKS4:1025;
        protocol = HTTP:8888;
        protocol = HTTP:6669;
        protocol = HTTP:8090;
        protocol = HTTP:808;
        protocol = SOCKS5:1029;
        protocol = SOCKS4:41080;
        protocol = SOCKS5:8020;
        protocol = SOCKS5:6000;
        protocol = HTTPPOST:8081;
        protocol = HTTP:4480;
        protocol = SOCKS5:1027;
        protocol = SOCKS4:1028;
        protocol = HTTP:3332;
        protocol = SOCKS5:8888;
        protocol = SOCKS5:1028;
        protocol = SOCKS4:3330;
        protocol = SOCKS4:29992;
        protocol = SOCKS4:1234;
        protocol = SOCKS4:1029;
        protocol = HTTP:5000;
        protocol = HTTP:443;
        protocol = SOCKS5:1813;
        protocol = SOCKS5:1081;
        protocol = SOCKS5:1026;
        protocol = SOCKS4:1337;
        protocol = SOCKS4:1050;
        protocol = HTTP:1080;
        protocol = SOCKS5:9999;
        protocol = SOCKS5:9100;
        protocol = SOCKS5:19991;
        protocol = SOCKS5:1098;
        protocol = SOCKS4:9100;
        protocol = SOCKS4:7080;
        protocol = SOCKS4:1033;
        protocol = HTTP:9000;
        protocol = HTTP:5800;
        protocol = HTTP:5634;
        protocol = HTTP:4471;
        protocol = HTTP:3382;
        protocol = SOCKS5:1200;
        protocol = SOCKS5:1039;
        protocol = SOCKS5:1025;
        protocol = SOCKS4:8002;
        protocol = SOCKS4:6748;
        protocol = SOCKS4:44548;
        protocol = SOCKS4:3380;
        protocol = SOCKS4:32167;
        protocol = SOCKS4:2000;
        protocol = SOCKS4:1979;
        protocol = SOCKS4:12654;
        protocol = SOCKS4:11225;
        protocol = SOCKS4:1066;
        protocol = SOCKS4:1030;
        protocol = SOCKS4:1027;
        protocol = SOCKS4:10099;
        protocol = HTTP:81;
        protocol = HTTP:6665;
        protocol = HTTP:6664;
        protocol = HTTP:6663;
        protocol = SOCKS5:8278;
        protocol = SOCKS5:6748;
        protocol = SOCKS5:4914;
        protocol = SOCKS5:4471;
        protocol = SOCKS5:29992;
        protocol = SOCKS5:17235;
        protocol = SOCKS5:1234;
        protocol = SOCKS5:1202;
        protocol = SOCKS5:1180;
        protocol = SOCKS5:1075;
        protocol = SOCKS5:1033;
        protocol = SOCKS5:10000;
        protocol = SOCKS4:8020;
        protocol = SOCKS4:4044;
        protocol = SOCKS4:3128;
        protocol = SOCKS4:3127;
        protocol = SOCKS4:28882;
        protocol = SOCKS4:24973;
        protocol = SOCKS4:21421;
        protocol = SOCKS4:1182;
        protocol = SOCKS4:1032;
        protocol = SOCKS4:10242;
        protocol = HTTPPOST:8089;
        protocol = HTTP:8082;
        protocol = HTTP:6661;
        protocol = HTTP:35233;
        protocol = HTTP:19991;
        protocol = HTTP:1098;
        protocol = HTTP:1050;
        protocol = SOCKS5:9988;
        protocol = SOCKS5:8080;
        protocol = SOCKS5:8009;
        protocol = SOCKS5:6561;
        protocol = SOCKS5:24971;
        protocol = SOCKS5:18844;
        protocol = SOCKS5:1122;
        protocol = SOCKS5:10777;
        protocol = SOCKS5:1030;
        protocol = SOCKS5:10130;
        protocol = SOCKS5:10099;
        protocol = SOCKS4:8751;
        protocol = SOCKS4:8278;
        protocol = SOCKS4:8111;
        protocol = SOCKS4:7007;
        protocol = SOCKS4:6551;
        protocol = SOCKS4:5353;
        protocol = SOCKS4:443;
        protocol = SOCKS4:43341;
        protocol = SOCKS4:3801;
        protocol = SOCKS4:2280;
        protocol = SOCKS4:1978;
        protocol = SOCKS4:1212;
        protocol = SOCKS4:1039;
        protocol = SOCKS4:1031;
        protocol = HTTPPOST:81;
        protocol = HTTP:9988;
        protocol = HTTP:7868;
        protocol = HTTP:7070;
        protocol = HTTP:444;
        protocol = HTTP:1200;
        protocol = HTTP:1039;


   /*
    * If your ircd is running from a machine with more than one interface,
    * you'll need to specify the IP to scan from here.  Particularly important
    * if you're running on a shell server.
    */
  vhost = "72.20.42.118";

   /* Don't bother changing these unless you know what they do. */
   fd = 512;
   max_read = 4096;
   timeout = 30;

   /* Don't forget to change this to the public IP of your server! */
   target_ip     = "irc.mynetwork.com";

   /* This needs to be a port that is available to normal clients. */
   target_port   = 6667;

   /* Don't forget to change this to have your FULL server name here! */
   target_string = "*** Looking up your hostname...";
};

scanner {
   /*
    * Here's a bunch more tests to do on "suspicious-looking" clients.  Again,
    * these are the most popular ports/protocols found in our blacklist, but
    * feel free to add/remove some if you know what you're doing.
    */
   name = "extra";

   protocol = WINGATE:1181;

   protocol = HTTP:81;
   protocol = HTTP:8000;
   protocol = HTTP:8001;
   protocol = HTTP:8081;
   protocol = HTTP:5748;
   protocol = HTTP:443;

   protocol = HTTPPOST:81;
   protocol = HTTPPOST:6588;
   protocol = HTTPPOST:8000;
   protocol = HTTPPOST:8001;
   protocol = HTTPPOST:8081;

   protocol = SOCKS5:1978;
   protocol = SOCKS5:10001;
   protocol = SOCKS5:30021;
   protocol = SOCKS5:30022;
   protocol = SOCKS5:38994;
   protocol = SOCKS5:15859;
   protocol = SOCKS5:1027;
   protocol = SOCKS5:2425;

   protocol = SOCKS4:559;
   protocol = SOCKS4:29992;
   protocol = SOCKS4:38884;
   protocol = SOCKS4:18844;
   protocol = SOCKS4:17771;
   protocol = SOCKS4:31121;
   protocol = SOCKS4:1182;

   protocol = ROUTER:23;

   /* Less fds are given to this scanner */
   fd = 400;
};

user {
   scanner = "default";
   mask = "*!*@*";
};

user {
   scanner = "extra";
   /*
    * If the user matches any of these masks they will get the extra scans
    * too.
    *
    * Connections without ident will match on a vast number of connections;
    * very few proxies run ident though.
    */
   mask = "*!~*@*";
   mask = "*!squid@*";
   mask = "*!nobody@*";
   mask = "*!www-data@*";
   mask = "*!cache@*";
   mask = "*!CacheFlowS@*";
   mask = "*!*@*www*";
   mask = "*!*@*proxy*";
   mask = "*!*@*cache*";
};

/*
 * You can use exempts to deliberately allow certain insecure proxies onto the
 * network, but this should never be necessary!  Please consult BOPM people
 * before using this.  If you think you have found a false positive then they
 * really need to know.
 */
/*
exempt {
	mask = "*!*@127.0.0.1";
};
*/


Re: need help with bopm

Posted: Fri Jan 16, 2009 5:24 pm
by Stealth
You need to put this line in your IRC block to make the BOPM get the correct connection notice:

Code: Select all

perform = "PROTOCTL HCN";
Also, your modes are incorrect. They should be:

Code: Select all

mode = "-h+s +Fc";
For modes, it's always easier to use oper::modes and oper::snomask to manage them.

Re: need help with bopm

Posted: Fri Feb 20, 2009 5:15 pm
by MaRkODrAcUlA
i cant connect :(
where can i place-> perform = "PROTOCTL HCN"; <-?
anywhere in bomp file ?

Re: need help with bopm

Posted: Sat Feb 21, 2009 3:02 am
by digi198816
There should already be a
"perform = "PROTOCTL HCN";" in Bomp config file, all u would need to do is uncomment it. If u cant then add it anywhere in the config.