UnrealIRCd Forums

Code: Select all

/*

BOPM sample configuration

*/

options {
/*
* Full path and filename for storing the process ID of the running
* BOPM.
*/
pidfile = "/home/username/bopm/bopm.pid ";

/*
* How many seconds to store the IP address of hosts which are
* confirmed (by previous scans) to be secure. New users from these
* IP addresses will not be scanned again until this amount of time
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
* DIRECTIVE, but it is provided due to demand.
*
* The main reason for not using this feature is that anyone capable
* of running a proxy can get abusers onto your network - all they
* need do is shut the proxy down, connect themselves, restart the
* proxy, and tell their friends to come flood.
* 
* Keep this directive commented out to disable negative caching.
*/
negcache = 3600;

/*
* Amount of file descriptors to allocate to asynchronous DNS. 64
* should be plenty for almost anyone - previous versions of BOPM only
* did one at a time!
*/
dns_fdlimit = 64;

/*
* Put the full path and filename of a logfile here if you wish to log
* every scan done. Normally BOPM only logs successfully detected
* proxies in the bopm.log, but you may get abuse reports to your ISP
* about portscanning. Being able to show that it was BOPM that did
* the scan in question can be useful. Leave commented for no
* logging.
*/
#	scanlog = "/home/username/ircd/bopm/scan.log";
};


IRC {
/*
* IP to bind to for the IRC connection. You only need to use this if
* you wish BOPM to use a particular interface (virtual host, IP
* alias, ...) when connecting to the IRC server. There is another
* "vhost" setting in the scan {} block below for the actual
* portscans. Note that this directive expects an IP address, not a
* hostname. Please leave this commented out if you do not
* understand what it does, as most people don't need it.
*/
#	vhost = "0.0.0.0";

/*
* Nickname for BOPM to use.
*/
nick = "Charly";

/*
* Text to appear in the "realname" field of BOPM's /whois output.
*/
realname = "System Control";

/*
* If you don't have an identd running, what username to use.
*/
username = "Test";

/*
* Hostname (or IP) of the IRC server which BOPM will monitor
* connections on.
*/
server = "212.XXX.XX.XX";


/*
* Password used to connect to the IRC server (PASS)
*/

#password = "password";


/*
* Port of the above server to connect to. This is what BOPM uses to
* get onto IRC itself, it is nothing to do with what ports/protocols
* are scanned, nor do you need to list every port your ircd listens
* on.
*/
port = 6667;

/*
* Command to execute to identify to NickServ (if your network uses
* it). This is the raw IRC command text, and the below example
* corresponds to "/msg nickserv identify password" in a client. If
* you don't understand, just edit "password" in the line below to be
* your BOPM's nick password. Leave commented out if you don't need
* to identify to NickServ.
*/
	nickserv = "privmsg nickserv :identify XXXXXX";

/*
* The username and password needed for BOPM to oper up.
*/
oper = "OPERNICK OPERPASS";

/*
* Mode string that BOPM needs to set on itself as soon as it opers
* up. This needs to include the mode for seeing connection notices,
* otherwise BOPM won't scan anyone (that's usually umode +c). It's
* often also a good idea to remove any helper modes so that users
* don't try to talk to the BOPM.
*
* REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
* +c !!
*/
mode = "+scHD-h";

/* Example for Bahamut; +F gives BOPM relaxed flood limits */
#	mode = "+Fc-h";

/*
* If this is set then BOPM will use it as an /away message as soon as
* it connects.
*/
away = "BOPM System";

/*
* Info about channels you wish BOPM to join in order to accept
* commands. BOPM will also print messages in these channels every
* time it detects a proxy. Only IRC operators can command BOPM to do
* anything, but some of the things BOPM reports to these channels
* could be soncidered sensitive, so it's best not to put BOPM into
* public channels.
*/
channel {
/*
* Channel name. Local ("&") channels are supported if your ircd
* supports them.
*/
name = "#sistem";

/*
* If BOPM will need to use a key to enter this channel, this is
* where you specify it.
*/
#	 key = "somekey";

/*
* If you use ChanServ then maybe you want to set the channel
* invite-only and have each BOPM do "/msg ChanServ invite" to get
* itself in. Leave commented if you don't, or if this makes no
* sense to you.
*/
#	 invite = "privmsg chanserv :invite #sistem";
};

/*
* You can define a bunch of channels if you want:
*
* channel { name = "#sistem"; }; channel { name="#sistem"; }
*/

/*
* connregex is a POSIX regular expression used to parse connection
* (+c) notices from the ircd. The complexity of the expression should
* be kept to a minimum.
* 
* Items in order MUST be: nick user host IP
*
* BOPM will not work with ircds which do not send an IP in the
* connection notice.
*
* This is fairly complicated stuff, and the consequences of getting
* it wrong are the BOPM does not scan anyone. Unless you know
* absolutely what you are doing, please just uncomment the example
* below that best matches the type of ircd you use.
*
* !!! NOTE !!! If a connregex for your ircd does not appear here and the
* hybrid connregex does not appear to work, check the BOPM FAQ at 
* http://blitzed.org/bopm/faq.phtml before contacting our lists for help.
*
*/

/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* Ultimate ircd - note the control-B characters around Connect/Exit,
* that is because that text appears in bold in the actual connect
* notice. Be very careful when editing this, do it as you would put
* bold characters into IRC MOTDs.
*/
#	connregex = "\\*\\*\\* Connect/Exit -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

/*
* SorIRCd 1.3.4+ / StarIRCd 5.26+.
*/
#	connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";


/*
* "kline" controls the command used when an open proxy is confirmed.
* We suggest applying a temporary (no more than a few hours) KLINE on the host.
*
* <WARNING>
* Please note that if you are matching against our DNSBL
* opm.blitzed.org (see further below), then you will need some way to
* let users know how they can be removed from this DNSBL. That is
* the purpose of the blitzed.org URL in the example message, so
* please do not remove it unless you also disable DNSBL lookups (or
* if you use a different DNSBL).
*
* Also note that you cannot include ':' characters actually inside
* the KLINE message (e.g. for a http:// address).
*
* Users rewriting this message into something that isn't even a valid
* IRC command is the single most common cause of support requests and
* therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
* KLINE COMMANDS BELOW.
* </WARNING>
*
* That said, should you wish to customise this text, several
* printf-like placeholders are available:
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
*
*/
kline = "privmsg #sistemGLINE *@%i 10d :You are using Proxy!";

/*
* If you would prefer very plain pages then try this one. There's
* also an index3.phtml which is even more plain, useful for parsing
* via your own pages if you are trying to make your own interface to
* it. If you know XML though, talk to [email protected] about
* use of the XML interface to it.
*/
# kline = "privmsg #sistem KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information.";

/* A GLINE example for IRCu: */
# kline = "privmsg #sistem GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

/*
* Text to send on connection, these can be stacked and will be sent in this order
* 
* !!! UNREAL USERS PLEASE NOTE !!!
* Unreal users will need PROTOCTL HCN to force hybrid connect
* notices.
*
* Yes Unreal users! That means you! That means you need the line
* below! See that thing at the start of the line? That's what we
* call a comment! Remove it to UNcomment the line.
*/
perform = "PROTOCTL HCN";

};


/*
* OPM Block defines blacklists and information required to report new proxies
* to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
* file. In the case of opm.blitzed.org, we store the IP addresses of known
* insecure proxy servers. By checking against this blacklist, BOPMs are able
* to ban known proxies without having to scan them all.
*
* If you still don't underdstand what a DNSBL is, have a look at
* http://www.blitzed.org/opm.
*/

OPM {

blacklist {
    name = "dnsbl.proxybl.org";
    type = "A record reply";
    reply {
        2 = "Open proxy";
    };
    ban_unknown = no;
    kline = "privmsg #sistem GLINE *@%h 24d :You are using Proxy!"; 
};
        blacklist {
           name = "rbl.efnet.org";
           type = "A record reply";
           reply {
              1 = "Open proxy";
              2 = "Trojan spreader";
              3 = "Trojan infected client";
              4 = "TOR exit server";
              5 = "Drones / Flooding";
           };
           ban_unknown = no;
           kline = "privmsg #sistem GLINE *@%h 24d :You are using Proxy!";        };

#        /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
#         * http://oldwww.temp.ahbl.org/docs/ircbl.php */
        blacklist {
           name = "ircbl.ahbl.org";
           type = "A record reply";
           ban_unknown = no;
           reply {
              2 = "Open proxy";
           };
           kline = "privmsg #sistem GLINE *@%h 24d :You are using Proxy!";
        };

         /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
        blacklist {
           name = "tor.dnsbl.sectoor.de";
           type = "A record reply";
           reply {
              1 = "Tor exit server";
           };
           ban_unknown = no;
           kline = "privmsg #sistem GLINE *@%h 24d :You are using Proxy!";
        };
blacklist {
    name = "dnsbl.dronebl.org";
    type = "A record reply";
    reply {
        2 = "Sample";
        5 = "Bottler";
        7 = "DDOS Drone";
        8 = "SOCKS Proxy";
        9 = "HTTP Proxy";
        10 = "ProxyChain";
        12 = "Trolls (perm)";
        13 = "Brute force attackers";
        14 = "Open Wingate Proxy";
        15 = "Compromised router / gateway";
    };
        ban_unknown = no;
        kline = "privmsg #sistem GLINE *@%i 24d :You are using Proxy! ";
};
        blacklist {
           name = "tor.dnsbl.sectoor.de";
           type = "A record reply";
           reply {
              1 = "Tor exit server";
           };
           ban_unknown = no;
           kline = "privmsg #sistem GLINE *@%i 24d :You are using Proxy!";
        };
        blacklist {
                name = "tor.dan.me.uk";
                type = "A record reply";
                reply {
                        100 = "Tor exit server";
                };
                ban_unknown = no;
                kline = "privmsg #sistem GLINE *@%i 24d :You are using Proxy!";
        };
        blacklist {
                name = "tor.ahbl.org";
                type = "A record reply";
                reply {
                        2 = "Tor exit server";
                };
                ban_unknown = no;
                kline = "privmsg #sistem GLINE *@%i 24d :You are using Proxy! ";
        };
/*
* You can specify multiple DNSBLs. Some people see "opm.blitzed.org"
* and mindlessly change the "blitzed.org" part to be their own
* domain. Please don't do this unless you really do run your own
* DNSBL, all you will accomplish is filling your channels with DNS
* error messages. opm.blitzed.org should be adequate for most
* people.
*/

/* example: NJABL - please read http://www.njabl.org/use.html before
* uncommenting */
#	 blacklist {
#	 name = "dnsbl.njabl.org";
#	 type = "A record reply";
#	 reply {
#	 9 = "Open proxy";
#	 };
#	 ban_unknown = no;
#	 kline = "privmsg #sistem KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
#	};

/*
* You can report the insecure proxies you find to our DNSBL also!
* The remaining directives in this section are only needed if you
* intend to do this. Reports are sent by email, one email per IP
* address. The format does support multiple addresses in one email,
* but we don't know of any servers that are detecting enough insecure
* proxies for this to be really necessary.
*/

/*
* Email address to send reports FROM. If you intend to send reports,
* please pick an email address that we can actually send mail to
* should we ever need to contact you.
*/
#	dnsbl_from = "[email protected]";

/*
* Email address to send reports TO.
*/
#	dnsbl_to = "[email protected]";

/*
* Full path to your sendmail binary. Even if your system does not
* use sendmail, it probably does have a binary called "sendmail"
* present in /usr/sbin or /usr/lib. If you don't set this, no
* proxies will be reported.
*/
#	sendmail = "/usr/sbin/sendmail";
};


/*
* The short explanation:
*
* This is where you define what ports/protocols to check for. You can have
* multiple scanner blocks and then choose which users will get scanned by
* which scanners further down.
*
* The long explanation:
*
* Scanner defines a virtual scanner. For each user being scanned, a scanner
* will use a file descriptor (and subsequent connection) for each protocol.
* Once connecting it will negotiate the proxy to connect to
* target_ip:target_port (target_ip MUST be an IP).
*
* Once connected, any data passed through the proxy will be checked to see if
* target_string is contained within that data. If it is the proxy is
* considered open. If the connection is closed at any point before
* target_string is matched, or if at least max_read bytes are read from the
* connection, the negotiation is considered failed.
*/

scanner { 
name="default"; 
protocol = HTTP:80; 
protocol = HTTP:8080; 
protocol = HTTP:3128; 
protocol = HTTP:6588; 
protocol = HTTP:81; 
protocol = HTTP:8000; 
protocol = HTTP:8001; 
protocol = HTTP:8081; 
protocol = HTTPPOST:80; 
protocol = HTTPPOST:81; 
protocol = HTTPPOST:6588; 
protocol = HTTPPOST:4480; 
protocol = HTTPPOST:8000; 
protocol = HTTPPOST:8001; 
protocol = HTTPPOST:8080; 
protocol = HTTPPOST:8081; 
protocol = SOCKS4:1080; 
protocol = SOCKS4:14281; 
protocol = SOCKS4:1029; 
protocol = SOCKS4:1212; 
protocol = SOCKS4:4914; 
protocol = SOCKS4:6826; 
protocol = SOCKS4:7198; 
protocol = SOCKS4:7366; 
protocol = SOCKS4:9036; 
protocol = SOCKS4:18572; 
protocol = SOCKS4:8481; 
protocol = SOCKS4:2782; 
protocol = SOCKS4:6598; 
protocol = SOCKS4:8725; 
protocol = SOCKS4:18292; 
protocol = SOCKS4:37046; 
protocol = SOCKS4:17979; 
protocol = SOCKS4:3380; 
protocol = SOCKS4:19232; 
protocol = SOCKS4:53431; 
protocol = SOCKS4:1979; 
protocol = SOCKS4:3380; 
protocol = SOCKS4:45479; 
protocol = SOCKS4:43871; 
protocol = SOCKS4:58632; 
protocol = SOCKS4:48860; 
protocol = SOCKS4:26841; 
protocol = SOCKS4:39470; 
protocol = SOCKS4:7545; 
protocol = SOCKS4:12781; 
protocol = SOCKS4:29913; 
protocol = SOCKS4:54906; 
protocol = SOCKS4:6134; 
protocol = SOCKS4:7040; 
protocol = SOCKS4:2373; 
protocol = SOCKS4:4471; 
protocol = SOCKS4:19310; 
protocol = SOCKS4:2425; 
protocol = SOCKS4:12654; 
protocol = SOCKS4:53605; 
protocol = SOCKS4:24781; 
protocol = SOCKS4:4777; 
protocol = SOCKS4:50115; 
protocol = SOCKS4:39540; 
protocol = SOCKS4:65490; 
protocol = SOCKS4:35803; 
protocol = SOCKS4:53838; 
protocol = SOCKS4:43479; 
protocol = SOCKS4:6064; 
protocol = SOCKS4:15113; 
protocol = SOCKS4:59467; 
protocol = SOCKS4:8923; 
protocol = SOCKS4:48561; 
protocol = SOCKS4:55822; 
protocol = SOCKS4:14795; 
protocol = SOCKS4:10197; 
protocol = SOCKS4:36135; 
protocol = SOCKS4:41417; 
protocol = SOCKS4:12952; 
protocol = SOCKS4:36508; 
protocol = SOCKS4:4960; 
protocol = SOCKS4:42468; 
protocol = SOCKS4:48649; 
protocol = SOCKS5:14795; 
protocol = SOCKS5:42468; 
protocol = SOCKS5:4960; 
protocol = SOCKS5:22808; 
protocol = SOCKS5:12952; 
protocol = SOCKS5:41417; 
protocol = SOCKS5:48649; 
protocol = SOCKS5:36135; 
protocol = SOCKS5:3320; 
protocol = SOCKS5:8500; 
protocol = SOCKS5:10197; 
protocol = SOCKS5:55822; 
protocol = SOCKS5:43479; 
protocol = SOCKS5:53838; 
protocol = SOCKS5:24781; 
protocol = SOCKS5:12654; 
protocol = SOCKS5:4471; 
protocol = SOCKS5:2373; 
protocol = SOCKS5:7040; 
protocol = SOCKS5:54906; 
protocol = SOCKS5:29913; 
protocol = SOCKS5:1813; 
protocol = SOCKS5:1080; 
protocol = SOCKS5:14281; 
protocol = SOCKS5:1029; 
protocol = SOCKS5:1212; 
protocol = SOCKS5:8481; 
protocol = SOCKS5:18572; 
protocol = SOCKS5:4438; 
protocol = SOCKS5:5104; 
protocol = SOCKS5:5113; 
protocol = SOCKS5:5262; 
protocol = SOCKS5:5634; 
protocol = SOCKS5:6552; 
protocol = SOCKS5:6561; 
protocol = SOCKS5:7464; 
protocol = SOCKS5:7810; 
protocol = SOCKS5:8130; 
protocol = SOCKS5:8148; 
protocol = SOCKS5:8520; 
protocol = SOCKS5:8814; 
protocol = SOCKS5:9100; 
protocol = SOCKS5:9186; 
protocol = SOCKS5:9447; 
protocol = SOCKS5:9578; 
protocol = ROUTER:23; 
protocol = WINGATE:23; 
# vhost = "127.0.0.1"; 


fd = 512;

max_read = 4096;

timeout = 30;

target_ip = "31.210.155.203";

target_port = 3542;


/* Usually first line sent to client on connection to ircd. 
* If your ircd supports a more specific line (see below),
* using it will reduce false positives.
*/
#target_string = "*** Looking up your hostname...";

/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
* It is recommended you use the following instead of the generic
* "*** Looking up your hostname..." if your ircd supports it. 
* This will reduce the chances of false positives.
*/
	target_string = ":Sitemiz  NOTICE AUTH :*** Looking up your hostname...";

/* If you try to connect too fast, you'll be throttled by your own
* ircd. Here's what a hybrid throttle message looks like:
*/
target_string = "ERROR :Trying to reconnect too fast.";

/* And the same for bahamut (comment this out if you're not using bahamut): */
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};

scanner { 
name = "extended"; 
protocol = HTTP:81; 
protocol = HTTP:8000; 
protocol = HTTP:8001; 
protocol = HTTP:8081; 
protocol = HTTPPOST:81; 
protocol = HTTPPOST:6588; 
# protocol = HTTPPOST:4480; 
protocol = HTTPPOST:8000; 
protocol = HTTPPOST:8001; 
protocol = HTTPPOST:8080; 
protocol = HTTPPOST:8081; 
/*
* IRCnet have seen many socks5 on these ports, more than on the
* standard ports even.
*/
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
protocol = WINGATE:1181;
protocol = SOCKS5:1180;
protocol = HTTPPOST:3128;
protocol = HTTP:3128;
protocol = HTTP:80;
protocol = HTTPPOST:555;
protocol = HTTP:1182;
protocol = HTTPPOST:6588;
protocol = SOCKS5:1813;
protocol = HTTP:4480;
protocol = HTTP:8000;
protocol = HTTP:9778;
protocol = HTTP:25318;
protocol = SOCKS5:25791;
protocol = HTTPPOST:8000;
protocol = SOCKS5:5104;
protocol = HTTP:81;
protocol = HTTP:2282;
protocol = SOCKS5:5262;
protocol = HTTPPOST:5121;
protocol = SOCKS5:8814;
protocol = SOCKS5:6552;
protocol = SOCKS5:4438;
protocol = HTTPPOST:81;
protocol = SOCKS5:8148;
protocol = SOCKS5:4044;
protocol = HTTPPOST:4480;
protocol = SOCKS5:9186;
protocol = SOCKS5:8130;
protocol = HTTPPOST:8548;
protocol = SOCKS5:5634;



fd = 400;

/* If required you can add settings such as target_ip here
* they will override the defaults set in the first scanner
* for this and subsequent scanners defined in the config file
* This affects the following options:
* fd, vhost, target_ip, target_port, target_string, timeout and
* max_read.
*/
};



/*
* User blocks define what scanners will be used to scan which hostmasks. When
* a user connects they will be scanned on every scanner {} (above) that
* matches their host.
*/

user {
/*
* Users matching this host mask will be scanned with all the
* protocols in the scanner named.
*/
mask = "*!*@*";
scanner = "default";
};

user {
/* Connections without ident will match on a vast number of connections
* very few proxies run ident though */
#	mask = "*!~*@*";
   mask = "*!squid@*";
   mask = "*!nobody@*";
   mask = "*!www-data@*";
   mask = "*!cache@*";
   mask = "*!CacheFlowS@*";
   mask = "*!*@*www*";
   mask = "*!*@*proxy*";
   mask = "*!*@*cache*";
   mask = "*!*@*.optonline.net";
   mask = "*!*@24.191.0.*";
   mask = "*!*@*.comcast.net";
   mask = "*!*@*.attbi.com";
   mask = "*!*@*.gbt2003.com";
   mask = "*!*@*.interbusiness.it";    
   mask = "*!*@*.il24.net";
   mask = "*!*@*.bbtec.net";
   mask = "*!*@*.speedy.net.pe";
   mask = "*!*@*.telesp.net.br";
   mask = "*!*@*.enamm.edu.pe";
   mask = "*!*@*.lv.lv.cox.net";
   mask = "*!*@*.ipt.aol.com";

scanner = "extended";
};


/*
* Exempt hosts matching certain strings from any form of scanning or dnsbl.
* BOPM will check each string against both the hostname and the IP address of
* the user.
*
* There are very few valid reasons to actually use "exempt". BOPM should
* never get false positives, and we would like to know very much if it does.
* One possible scenario is that the machine BOPM runs from is specifically
* authorized to use certain hosts as proxies, and users from those hosts use
* your network. In this case, without exempt, BOPM will scan these hosts,
* find itself able to use them as proxies, and ban them.
*/
exempt {
mask = "*!*@72.20.35.242";
};

Code: Select all

/*
* Password used to connect to the IRC server (PASS)
*/

password = "nick:pass";