First of all, sorry, my English is not the best.
I am an administrator on a server, and I want to try something with a BOPM.
This is the code that I found on the net. I changed the action part to privmsg, so that I can first see how it works. If it is stable, I would change it to gline/zline.
Code:
/*
BOPM sample configuration
*/
options {
/*
* Full path and filename for storing the process ID of the running
* BOPM.
*/
pidfile = "/home/username/bopm/bopm.pid";
/*
* How many seconds to store the IP address of hosts which are
* confirmed (by previous scans) to be secure. New users from these
* IP addresses will not be scanned again until this amount of time
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
* DIRECTIVE, but it is provided due to demand.
*
* The main reason for not using this feature is that anyone capable
* of running a proxy can get abusers onto your network - all they
* need do is shut the proxy down, connect themselves, restart the
* proxy, and tell their friends to come flood.
*
* Keep this directive commented out to disable negative caching.
*/
negcache = 3600;
/*
* Amount of file descriptors to allocate to asynchronous DNS. 64
* should be plenty for almost anyone - previous versions of BOPM only
* did one at a time!
*/
dns_fdlimit = 64;
/*
* Put the full path and filename of a logfile here if you wish to log
* every scan done. Normally BOPM only logs successfully detected
* proxies in the bopm.log, but you may get abuse reports to your ISP
* about portscanning. Being able to show that it was BOPM that did
* the scan in question can be useful. Leave commented for no
* logging.
*/
# scanlog = "/home/username/ircd/bopm/scan.log";
};
IRC {
/*
* IP to bind to for the IRC connection. You only need to use this if
* you wish BOPM to use a particular interface (virtual host, IP
* alias, ...) when connecting to the IRC server. There is another
* "vhost" setting in the scan {} block below for the actual
* portscans. Note that this directive expects an IP address, not a
* hostname. Please leave this commented out if you do not
* understand what it does, as most people don't need it.
*/
# vhost = "0.0.0.0";
/*
* Nickname for BOPM to use.
*/
nick = "Charly";
/*
* Text to appear in the "realname" field of BOPM's /whois output.
*/
realname = "System Control";
/*
* If you don't have an identd running, what username to use.
*/
username = "Test";
/*
* Hostname (or IP) of the IRC server which BOPM will monitor
* connections on.
*/
server = "212.XXX.XX.XX";
/*
* Password used to connect to the IRC server (PASS)
*/
#password = "password";
/*
* Port of the above server to connect to. This is what BOPM uses to
* get onto IRC itself, it is nothing to do with what ports/protocols
* are scanned, nor do you need to list every port your ircd listens
* on.
*/
port = 6667;
/*
* Command to execute to identify to NickServ (if your network uses
* it). This is the raw IRC command text, and the below example
* corresponds to "/msg nickserv identify password" in a client. If
* you don't understand, just edit "password" in the line below to be
* your BOPM's nick password. Leave commented out if you don't need
* to identify to NickServ.
*/
nickserv = "privmsg nickserv :identify XXXXXX";
/*
* The username and password needed for BOPM to oper up.
*/
oper = "OPERNICK OPERPASS";
/*
* Mode string that BOPM needs to set on itself as soon as it opers
* up. This needs to include the mode for seeing connection notices,
* otherwise BOPM won't scan anyone (that's usually umode +c). It's
* often also a good idea to remove any helper modes so that users
* don't try to talk to the BOPM.
*
* REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
* +c !!
*/
mode = "+scHD-h";
/* Example for Bahamut; +F gives BOPM relaxed flood limits */
# mode = "+Fc-h";
/*
* If this is set then BOPM will use it as an /away message as soon as
* it connects.
*/
away = "BOPM System";
/*
* Info about channels you wish BOPM to join in order to accept
* commands. BOPM will also print messages in these channels every
* time it detects a proxy. Only IRC operators can command BOPM to do
* anything, but some of the things BOPM reports to these channels
* could be considered sensitive, so it's best not to put BOPM into
* public channels.
*/
channel {
/*
* Channel name. Local ("&") channels are supported if your ircd
* supports them.
*/
name = "#sistem";
/*
* If BOPM will need to use a key to enter this channel, this is
* where you specify it.
*/
# key = "somekey";
/*
* If you use ChanServ then maybe you want to set the channel
* invite-only and have each BOPM do "/msg ChanServ invite" to get
* itself in. Leave commented if you don't, or if this makes no
* sense to you.
*/
# invite = "privmsg chanserv :invite #sistem";
};
/*
* You can define a bunch of channels if you want:
*
* channel { name = "#sistem"; }; channel { name="#sistem"; }
*/
/*
* connregex is a POSIX regular expression used to parse connection
* (+c) notices from the ircd. The complexity of the expression should
* be kept to a minimum.
*
* Items in order MUST be: nick user host IP
*
* BOPM will not work with ircds which do not send an IP in the
* connection notice.
*
* This is fairly complicated stuff, and the consequences of getting
* it wrong are the BOPM does not scan anyone. Unless you know
* absolutely what you are doing, please just uncomment the example
* below that best matches the type of ircd you use.
*
* !!! NOTE !!! If a connregex for your ircd does not appear here and the
* hybrid connregex does not appear to work, check the BOPM FAQ at
* http://blitzed.org/bopm/faq.phtml before contacting our lists for help.
*
*/
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* Ultimate ircd - note the control-B characters around Connect/Exit,
* that is because that text appears in bold in the actual connect
* notice. Be very careful when editing this, do it as you would put
* bold characters into IRC MOTDs.
*/
# connregex = "\\*\\*\\* Connect/Exit -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* SorIRCd 1.3.4+ / StarIRCd 5.26+.
*/
# connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* "kline" controls the command used when an open proxy is confirmed.
* We suggest applying a temporary (no more than a few hours) KLINE on the host.
*
* <WARNING>
* Please note that if you are matching against our DNSBL
* opm.blitzed.org (see further below), then you will need some way to
* let users know how they can be removed from this DNSBL. That is
* the purpose of the blitzed.org URL in the example message, so
* please do not remove it unless you also disable DNSBL lookups (or
* if you use a different DNSBL).
*
* Also note that you cannot include ':' characters actually inside
* the KLINE message (e.g. for a http:// address).
*
* Users rewriting this message into something that isn't even a valid
* IRC command is the single most common cause of support requests and
* therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
* KLINE COMMANDS BELOW.
* </WARNING>
*
* That said, should you wish to customise this text, several
* printf-like placeholders are available:
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
*
*/
kline = "privmsg #sistem :GLINE *@%i 10d :You are using Proxy!";
/*
* If you would prefer very plain pages then try this one. There's
* also an index3.phtml which is even more plain, useful for parsing
* via your own pages if you are trying to make your own interface to
* it. If you know XML though, talk to [email protected] about
* use of the XML interface to it.
*/
# kline = "privmsg #sistem KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information.";
/* A GLINE example for IRCu: */
# kline = "privmsg #sistem GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
/*
* Text to send on connection, these can be stacked and will be sent in this order
*
* !!! UNREAL USERS PLEASE NOTE !!!
* Unreal users will need PROTOCTL HCN to force hybrid connect
* notices.
*
* Yes Unreal users! That means you! That means you need the line
* below! See that thing at the start of the line? That's what we
* call a comment! Remove it to UNcomment the line.
*/
perform = "PROTOCTL HCN";
};
/*
* OPM Block defines blacklists and information required to report new proxies
* to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
* file. In the case of opm.blitzed.org, we store the IP addresses of known
* insecure proxy servers. By checking against this blacklist, BOPMs are able
* to ban known proxies without having to scan them all.
*
* If you still don't understand what a DNSBL is, have a look at
* http://www.blitzed.org/opm.
*/
OPM {
blacklist {
name = "dnsbl.proxybl.org";
type = "A record reply";
reply {
2 = "Open proxy";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%h 24d :You are using Proxy!";
};
blacklist {
name = "rbl.efnet.org";
type = "A record reply";
reply {
1 = "Open proxy";
2 = "Trojan spreader";
3 = "Trojan infected client";
4 = "TOR exit server";
5 = "Drones / Flooding";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%h 24d :You are using Proxy!";
};
# /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
# * http://oldwww.temp.ahbl.org/docs/ircbl.php */
blacklist {
name = "ircbl.ahbl.org";
type = "A record reply";
ban_unknown = no;
reply {
2 = "Open proxy";
};
kline = "privmsg #sistem :GLINE *@%h 24d :You are using Proxy!";
};
/* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
blacklist {
name = "tor.dnsbl.sectoor.de";
type = "A record reply";
reply {
1 = "Tor exit server";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%h 24d :You are using Proxy!";
};
blacklist {
name = "dnsbl.dronebl.org";
type = "A record reply";
reply {
2 = "Sample";
5 = "Bottler";
7 = "DDOS Drone";
8 = "SOCKS Proxy";
9 = "HTTP Proxy";
10 = "ProxyChain";
12 = "Trolls (perm)";
13 = "Brute force attackers";
14 = "Open Wingate Proxy";
15 = "Compromised router / gateway";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%i 24d :You are using Proxy!";
};
blacklist {
name = "tor.dnsbl.sectoor.de";
type = "A record reply";
reply {
1 = "Tor exit server";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%i 24d :You are using Proxy!";
};
blacklist {
name = "tor.dan.me.uk";
type = "A record reply";
reply {
100 = "Tor exit server";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%i 24d :You are using Proxy!";
};
blacklist {
name = "tor.ahbl.org";
type = "A record reply";
reply {
2 = "Tor exit server";
};
ban_unknown = no;
kline = "privmsg #sistem :GLINE *@%i 24d :You are using Proxy!";
};
/*
* You can specify multiple DNSBLs. Some people see "opm.blitzed.org"
* and mindlessly change the "blitzed.org" part to be their own
* domain. Please don't do this unless you really do run your own
* DNSBL, all you will accomplish is filling your channels with DNS
* error messages. opm.blitzed.org should be adequate for most
* people.
*/
/* example: NJABL - please read http://www.njabl.org/use.html before
* uncommenting */
# blacklist {
# name = "dnsbl.njabl.org";
# type = "A record reply";
# reply {
# 9 = "Open proxy";
# };
# ban_unknown = no;
# kline = "privmsg #sistem KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
# };
/*
* You can report the insecure proxies you find to our DNSBL also!
* The remaining directives in this section are only needed if you
* intend to do this. Reports are sent by email, one email per IP
* address. The format does support multiple addresses in one email,
* but we don't know of any servers that are detecting enough insecure
* proxies for this to be really necessary.
*/
/*
* Email address to send reports FROM. If you intend to send reports,
* please pick an email address that we can actually send mail to
* should we ever need to contact you.
*/
# dnsbl_from = "[email protected]";
/*
* Email address to send reports TO.
*/
# dnsbl_to = "[email protected]";
/*
* Full path to your sendmail binary. Even if your system does not
* use sendmail, it probably does have a binary called "sendmail"
* present in /usr/sbin or /usr/lib. If you don't set this, no
* proxies will be reported.
*/
# sendmail = "/usr/sbin/sendmail";
};
/*
* The short explanation:
*
* This is where you define what ports/protocols to check for. You can have
* multiple scanner blocks and then choose which users will get scanned by
* which scanners further down.
*
* The long explanation:
*
* Scanner defines a virtual scanner. For each user being scanned, a scanner
* will use a file descriptor (and subsequent connection) for each protocol.
* Once connecting it will negotiate the proxy to connect to
* target_ip:target_port (target_ip MUST be an IP).
*
* Once connected, any data passed through the proxy will be checked to see if
* target_string is contained within that data. If it is the proxy is
* considered open. If the connection is closed at any point before
* target_string is matched, or if at least max_read bytes are read from the
* connection, the negotiation is considered failed.
*/
scanner {
name="default";
protocol = HTTP:80;
protocol = HTTP:8080;
protocol = HTTP:3128;
protocol = HTTP:6588;
protocol = HTTP:81;
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTPPOST:80;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
protocol = HTTPPOST:4480;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8080;
protocol = HTTPPOST:8081;
protocol = SOCKS4:1080;
protocol = SOCKS4:14281;
protocol = SOCKS4:1029;
protocol = SOCKS4:1212;
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS4:18572;
protocol = SOCKS4:8481;
protocol = SOCKS4:2782;
protocol = SOCKS4:6598;
protocol = SOCKS4:8725;
protocol = SOCKS4:18292;
protocol = SOCKS4:37046;
protocol = SOCKS4:17979;
protocol = SOCKS4:3380;
protocol = SOCKS4:19232;
protocol = SOCKS4:53431;
protocol = SOCKS4:1979;
protocol = SOCKS4:3380;
protocol = SOCKS4:45479;
protocol = SOCKS4:43871;
protocol = SOCKS4:58632;
protocol = SOCKS4:48860;
protocol = SOCKS4:26841;
protocol = SOCKS4:39470;
protocol = SOCKS4:7545;
protocol = SOCKS4:12781;
protocol = SOCKS4:29913;
protocol = SOCKS4:54906;
protocol = SOCKS4:6134;
protocol = SOCKS4:7040;
protocol = SOCKS4:2373;
protocol = SOCKS4:4471;
protocol = SOCKS4:19310;
protocol = SOCKS4:2425;
protocol = SOCKS4:12654;
protocol = SOCKS4:53605;
protocol = SOCKS4:24781;
protocol = SOCKS4:4777;
protocol = SOCKS4:50115;
protocol = SOCKS4:39540;
protocol = SOCKS4:65490;
protocol = SOCKS4:35803;
protocol = SOCKS4:53838;
protocol = SOCKS4:43479;
protocol = SOCKS4:6064;
protocol = SOCKS4:15113;
protocol = SOCKS4:59467;
protocol = SOCKS4:8923;
protocol = SOCKS4:48561;
protocol = SOCKS4:55822;
protocol = SOCKS4:14795;
protocol = SOCKS4:10197;
protocol = SOCKS4:36135;
protocol = SOCKS4:41417;
protocol = SOCKS4:12952;
protocol = SOCKS4:36508;
protocol = SOCKS4:4960;
protocol = SOCKS4:42468;
protocol = SOCKS4:48649;
protocol = SOCKS5:14795;
protocol = SOCKS5:42468;
protocol = SOCKS5:4960;
protocol = SOCKS5:22808;
protocol = SOCKS5:12952;
protocol = SOCKS5:41417;
protocol = SOCKS5:48649;
protocol = SOCKS5:36135;
protocol = SOCKS5:3320;
protocol = SOCKS5:8500;
protocol = SOCKS5:10197;
protocol = SOCKS5:55822;
protocol = SOCKS5:43479;
protocol = SOCKS5:53838;
protocol = SOCKS5:24781;
protocol = SOCKS5:12654;
protocol = SOCKS5:4471;
protocol = SOCKS5:2373;
protocol = SOCKS5:7040;
protocol = SOCKS5:54906;
protocol = SOCKS5:29913;
protocol = SOCKS5:1813;
protocol = SOCKS5:1080;
protocol = SOCKS5:14281;
protocol = SOCKS5:1029;
protocol = SOCKS5:1212;
protocol = SOCKS5:8481;
protocol = SOCKS5:18572;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
protocol = ROUTER:23;
protocol = WINGATE:23;
# vhost = "127.0.0.1";
fd = 512;
max_read = 4096;
timeout = 30;
target_ip = "31.210.155.203";
target_port = 3542;
/* Usually first line sent to client on connection to ircd.
* If your ircd supports a more specific line (see below),
* using it will reduce false positives.
*/
#target_string = "*** Looking up your hostname...";
/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
* It is recommended you use the following instead of the generic
* "*** Looking up your hostname..." if your ircd supports it.
* This will reduce the chances of false positives.
*/
target_string = ":Sitemiz NOTICE AUTH :*** Looking up your hostname...";
/* If you try to connect too fast, you'll be throttled by your own
* ircd. Here's what a hybrid throttle message looks like:
*/
target_string = "ERROR :Trying to reconnect too fast.";
/* And the same for bahamut (comment this out if you're not using bahamut): */
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};
scanner {
name = "extended";
protocol = HTTP:81;
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
# protocol = HTTPPOST:4480;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8080;
protocol = HTTPPOST:8081;
/*
* IRCnet have seen many socks5 on these ports, more than on the
* standard ports even.
*/
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
protocol = WINGATE:1181;
protocol = SOCKS5:1180;
protocol = HTTPPOST:3128;
protocol = HTTP:3128;
protocol = HTTP:80;
protocol = HTTPPOST:555;
protocol = HTTP:1182;
protocol = HTTPPOST:6588;
protocol = SOCKS5:1813;
protocol = HTTP:4480;
protocol = HTTP:8000;
protocol = HTTP:9778;
protocol = HTTP:25318;
protocol = SOCKS5:25791;
protocol = HTTPPOST:8000;
protocol = SOCKS5:5104;
protocol = HTTP:81;
protocol = HTTP:2282;
protocol = SOCKS5:5262;
protocol = HTTPPOST:5121;
protocol = SOCKS5:8814;
protocol = SOCKS5:6552;
protocol = SOCKS5:4438;
protocol = HTTPPOST:81;
protocol = SOCKS5:8148;
protocol = SOCKS5:4044;
protocol = HTTPPOST:4480;
protocol = SOCKS5:9186;
protocol = SOCKS5:8130;
protocol = HTTPPOST:8548;
protocol = SOCKS5:5634;
fd = 400;
/* If required you can add settings such as target_ip here
* they will override the defaults set in the first scanner
* for this and subsequent scanners defined in the config file
* This affects the following options:
* fd, vhost, target_ip, target_port, target_string, timeout and
* max_read.
*/
};
/*
* User blocks define what scanners will be used to scan which hostmasks. When
* a user connects they will be scanned on every scanner {} (above) that
* matches their host.
*/
user {
/*
* Users matching this host mask will be scanned with all the
* protocols in the scanner named.
*/
mask = "*!*@*";
scanner = "default";
};
user {
/* Connections without ident will match on a vast number of connections
* very few proxies run ident though */
# mask = "*!~*@*";
mask = "*!squid@*";
mask = "*!nobody@*";
mask = "*!www-data@*";
mask = "*!cache@*";
mask = "*!CacheFlowS@*";
mask = "*!*@*www*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
mask = "*!*@*.optonline.net";
mask = "*!*@24.191.0.*";
mask = "*!*@*.comcast.net";
mask = "*!*@*.attbi.com";
mask = "*!*@*.gbt2003.com";
mask = "*!*@*.interbusiness.it";
mask = "*!*@*.il24.net";
mask = "*!*@*.bbtec.net";
mask = "*!*@*.speedy.net.pe";
mask = "*!*@*.telesp.net.br";
mask = "*!*@*.enamm.edu.pe";
mask = "*!*@*.lv.lv.cox.net";
mask = "*!*@*.ipt.aol.com";
scanner = "extended";
};
/*
* Exempt hosts matching certain strings from any form of scanning or dnsbl.
* BOPM will check each string against both the hostname and the IP address of
* the user.
*
* There are very few valid reasons to actually use "exempt". BOPM should
* never get false positives, and we would like to know very much if it does.
* One possible scenario is that the machine BOPM runs from is specifically
* authorized to use certain hosts as proxies, and users from those hosts use
* your network. In this case, without exempt, BOPM will scan these hosts,
* find itself able to use them as proxies, and ban them.
*/
exempt {
mask = "*!*@72.20.35.242";
};
We don't have the system with /oper nick pass.
We have our own server for the admins,
and we log in like this: /server admin.xxxxxx.xxx:port nick:pass
How must I change the conf so that I join the server?
And my second question is: is there any way that, if the BOPM bot is SAJOINed by someone, it automatically parts from that channel?
I want it to stay in only one channel; if it joins another channel, it should part.
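
Added example, not part of the original post and not BOPM's own code: a Python dry run of the configuration above that checks the Hybrid connregex against constructed connect notices, fills the %n/%u/%h/%i placeholders, and splits the resulting line into IRC parameters, showing what a privmsg test line delivers with and without a ':' before the text. It assumes the config reader turns each doubled backslash into one, and uses Python's re module in place of the POSIX regex library; all function names and sample notices are constructed for illustration.

```python
import re

# Constructed sample notices (not from the page): one in the Hybrid format,
# one in the "on port NNNN" format that the Hybrid regex is not written for.
HYBRID_NOTICE = ("*** Notice -- Client connecting: baduser "
                 "(~ident@host.example.net) [192.0.2.10] {users}")
OTHER_NOTICE = ("*** Notice -- Client connecting on port 6667: baduser "
                "(~ident@host.example.net) [192.0.2.10]")

# The Hybrid connregex as it is written in the config file (backslashes doubled).
CONNREGEX_CONF = (r"\\*\\*\\* Notice -- Client connecting: ([^ ]+) "
                  r"\\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*")

# The same test-mode action in two constructed variants.
KLINE_NO_COLON = "privmsg #sistem GLINE *@%i 10d :You are using Proxy!"
KLINE_COLON = "privmsg #sistem :GLINE *@%i 10d :You are using Proxy!"


def parse_connect(notice, conf_regex=CONNREGEX_CONF):
    """Return {'n','u','h','i'} for a connect notice, or None if no match."""
    # Assumption: the config reader reduces each "\\" to a single backslash.
    pattern = conf_regex.replace("\\\\", "\\")
    m = re.search(pattern, notice)  # Python re as a stand-in for POSIX regex
    if m is None:
        return None  # no match means this client is never scanned
    # The config requires the capture groups in this order: nick user host IP
    return dict(zip("nuhi", m.groups()))


def expand(template, fields):
    """Substitute the %n %u %h %i placeholders of a kline template."""
    return re.sub(r"%([nuhi])", lambda m: fields[m.group(1)], template)


def irc_params(line):
    """Split a raw client-to-server IRC line into (command, params)."""
    # Everything after the first " :" is one trailing parameter.
    head, sep, trailing = line.partition(" :")
    words = head.split()
    return words[0].upper(), words[1:] + ([trailing] if sep else [])


def dry_run(notice, kline_template):
    """Return (command, params) the template would send, or None if unscanned."""
    fields = parse_connect(notice)
    if fields is None:
        return None
    return irc_params(expand(kline_template, fields))


if __name__ == "__main__":
    for name, tpl in (("no colon", KLINE_NO_COLON), ("colon", KLINE_COLON)):
        command, params = dry_run(HYBRID_NOTICE, tpl)
        # PRIVMSG uses params[0] as target and params[1] as the message text.
        print(f"{name}: {command} target={params[0]!r} text={params[1]!r}")
    print("other format matched:", parse_connect(OTHER_NOTICE) is not None)
```
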