Fixed missing ; in config-parser.y
2e2a3d93 1/*
65ee1e17 2
2e2a3d93 3BOPM sample configuration
65ee1e17 4
2e2a3d93 5*/
65ee1e17 6
options {
    /*
     * Global daemon settings. Every directive in this file is written as
     * "name = value;" and ends with a semicolon, as every line below does.
     */

    /*
     * Full path and filename for storing the process ID of the running
     * bopm.
     */
    pidfile = "/some/path/bopm.pid";

    /*
     * How many seconds to store the IP address of hosts which are
     * confirmed (by previous scans) to be secure. New users from these
     * IP addresses will not be scanned again until this amount of time
     * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
     * DIRECTIVE, but it is provided due to demand. Reasons for not using
     * this feature:
     * 1) It makes BOPM slower - every time a scan fails, the scan
     *    list must be walked to see if all scans for this host have
     *    failed.
     * 2) Anyone capable of running a proxy can get abusers onto your
     *    network - all they need do is shut the proxy down, connect
     *    themselves, restart the proxy, and tell their friends to
     *    come flood.
     *
     * Keep this directive commented out to disable negative caching.
     */
# negcache = 3600;

    /*
     * Amount of file descriptors to allocate to asynchronous DNS. 64
     * should be plenty for almost anyone - previous versions of bopm only
     * did one at a time!
     */
    dns_fdlimit = 64;

    /*
     * Put the full path and filename of a logfile here if you wish to log
     * every scan done. Normally bopm only logs successfully detected
     * proxies in the bopm.log, but you may get abuse reports to your ISP
     * about portscanning. Being able to show that it was bopm that did
     * the scan in question can be useful. Leave commented for no
     * logging.
     *
     * NOTE(review): this records every scan, not only positive results,
     * so it grows with every connection bopm looks at; treat it as an
     * audit log and rotate it accordingly.
     */
# scanlog = "/some/path/scan.log";
};
65ee1e17 50
65ee1e17 51
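IRC {
    /*
     * Connection to the IRC server that bopm monitors.
     *
     * NOTE(review): this block holds credentials in clear text (the
     * "oper" password, and optionally a NickServ password and a channel
     * key), so the configuration file should be readable only by the
     * account bopm runs as.
     */

    /*
     * IP to bind to for the IRC connection. You only need to use this if
     * you wish bopm to use a particular interface (virtual host, IP
     * alias, ...) when connecting to the IRC server. There is another
     * "vhost" setting in the scan {} block below for the actual
     * portscans. Note that this directive expects an IP address, not a
     * hostname. Please leave this commented out if you do not
     * understand what it does, as most people don't need it.
     */
# vhost = "0.0.0.0";

    /*
     * Nickname for bopm to use.
     */
    nick = "MyBopm";

    /*
     * Text to appear in the "realname" field of bopm's /whois output.
     */
    realname = "Blitzed Open Proxy Monitor";

    /*
     * If you don't have an identd running, what username to use.
     */
    username = "bopm";

    /*
     * Hostname (or IP) of the IRC server which bopm will monitor
     * connections on.
     */
    server = "myserver.blitzed.org";

    /*
     * Port of the above server to connect to. This is what bopm uses to
     * get onto IRC itself, it is nothing to do with what ports/protocols
     * are scanned, nor do you need to list every port your ircd listens
     * on.
     */
    port = 6667;

    /*
     * Command to execute to identify to NickServ (if your network uses
     * it). This is the raw IRC command text, and the below example
     * corresponds to "/msg nickserv identify password" in a client. If
     * you don't understand, just edit "password" in the line below to be
     * your bopm's nick password. Leave commented out if you don't need
     * to identify to NickServ.
     */
# nickserv = "privmsg nickserv :identify password";

    /*
     * The username and password needed for bopm to oper up.
     */
    oper = "bopm operpass";

    /*
     * Mode string that bopm needs to set on itself as soon as it opers
     * up. This needs to include the mode for seeing connection notices,
     * otherwise bopm won't scan anyone (that's usually umode +c). It's
     * often also a good idea to remove any helper modes so that users
     * don't try to talk to the bopm.
     *
     * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
     * +c !!
     */
    mode = "+c-h";

    /* Example for Bahamut; +F gives bopm relaxed flood limits */
# mode = "+Fc-h";

    /*
     * If this is set then bopm will use it as an /away message as soon as
     * it connects.
     */
    away = "I'm a bot. Your messages will be ignored.";

    /*
     * Info about channels you wish bopm to join in order to accept
     * commands. bopm will also print messages in these channels every
     * time it detects a proxy. Only IRC operators can command bopm to do
     * anything, but some of the things bopm reports to these channels
     * could be considered sensitive, so it's best not to put bopm into
     * public channels.
     */
    channel {
        /*
         * Channel name. Local ("&") channels are supported if your ircd
         * supports them.
         */
        name = "#bopm";

        /*
         * If bopm will need to use a key to enter this channel, this is
         * where you specify it.
         */
# key = "somekey";

        /*
         * If you use ChanServ then maybe you want to set the channel
         * invite-only and have each bopm do "/msg ChanServ invite" to get
         * itself in. Leave commented if you don't, or if this makes no
         * sense to you.
         */
# invite = "privmsg chanserv :invite #bopm";
    };

    /*
    channel {
        name = "#other channel";
    }; */

    /*
     * connregex is a POSIX regular expression used to parse connection
     * (+c) notices from the ircd. The complexity of the expression should
     * be kept to a minimum.
     *
     * Items in order MUST be: nick user host IP
     *
     * bopm will not work with ircds which do not send an IP in the
     * connection notice.
     *
     * This is fairly complicated stuff, and the consequences of getting
     * it wrong are that bopm does not scan anyone. Unless you know
     * absolutely what you are doing, please just uncomment the example
     * below that best matches the type of ircd you use.
     */

    /* Hybrid / Bahamut / Unreal (in HCN mode) */
    connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /*
     * "kline" controls the command used when an open proxy is confirmed.
     * We suggest applying a temporary (no more than a few hours) KLINE on the host.
     *
     * <WARNING>
     * Please note that if you are matching against our DNSBL
     * opm.blitzed.org (see further below), then you will need some way to
     * let users know how they can be removed from this DNSBL. That is
     * the purpose of the blitzed.org URL in the example message, so
     * please do not remove it unless you also disable DNSBL lookups (or
     * if you use a different DNSBL).
     *
     * Also note that you cannot include ':' characters actually inside
     * the KLINE message (e.g. for a http:// address).
     *
     * Users rewriting this message into something that isn't even a valid
     * IRC command is the single most common cause of support requests and
     * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
     * KLINE COMMANDS BELOW.
     * </WARNING>
     *
     * That said, should you wish to customise this text, several
     * printf-like placeholders are available:
     *
     * %n User's nick
     * %u User's username
     * %h User's irc hostname
     * %i User's IP address
     *
     * NOTE(review): %n and %u are taken from the connection notice, i.e.
     * from values the connecting client chose itself; the examples below
     * only use %h and %i, and it is safest to keep it that way.
     */
    kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /*
     * If you would prefer very plain pages then try this one. There's
     * also an index3.phtml which is even more plain, useful for parsing
     * via your own pages if you are trying to make your own interface to
     * it. If you know XML though, talk to webmaster@blitzed.org about
     * use of the XML interface to it.
     */
# kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information.";

    /* A GLINE example for IRCu: */
# kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";

    /*
     * Text to send on connection, these can be stacked and will be sent in this order
     *
     * !!! UNREAL USERS PLEASE NOTE !!!
     * Unreal users will need PROTOCTL HCN to force hybrid connect
     * notices.
     */
# perform = "PROTOCTL HCN";

};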
236
6a4b304c 237
8e5c4d64 238/*
239 * OPM Block defines blacklists and information required to report new proxies
240 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
241 * file. In the case of opm.blitzed.org, we store the IP addresses of known
242 * insecure proxy servers. By checking against this blacklist, bopms are able
243 * to ban known proxies without having to scan them all.
244 *
245 * If you still don't understand what a DNSBL is, have a look at
246 * http://www.blitzed.org/opm.
247 */
f1cfd799 248
OPM {
    /*
     * DNS blacklist lookups and (optional) reporting of newly found
     * proxies. An IP listed in any zone named here is banned without
     * being scanned, so every zone you list is trusted to decide who
     * gets the "kline" command from the IRC {} block above.
     */

    /*
     * Blacklist zones to check IPs against. If you would rather not
     * trust a remotely managed blacklist, you could set up your own, or
     * you could comment this out in which case every user will be
     * scanned.
     *
     * If you DO intend to send reports, please contact us first at
     * opm@lists.blitzed.org and let us know what you have set for
     * "dnsbl_from" and your server name (or network name if you're
     * reporting for a whole network). Until you do, all reports will be
     * bounced.
     *
     * Those who report should subscribe to the opm-announce mailing list.
     * This is an extremely low volume read-only mailing list that we use
     * to inform our reporters about important details relating to our
     * DNSBL. You can subscribe from:
     *
     * http://lists.blitzed.org/listinfo/opm-announce
     *
     * You may also be interested in opm-talk. That list is for user
     * discussion of our DNSBL service, feature requests etc.. Weekly
     * stats about our DNSBL such as how many addresses are in it, who
     * reports the most, etc. are also posted there. You can subscribe
     * from:
     *
     * http://lists.blitzed.org/listinfo/opm-talk
     */
    blacklist = "opm.blitzed.org";

    /*
     * You can specify multiple DNSBLs. Some people see "opm.blitzed.org"
     * and mindlessly change the "blitzed.org" part to be their own
     * domain. Please don't do this unless you really do run your own
     * DNSBL, all you will accomplish is filling your channels with DNS
     * error messages. opm.blitzed.org should be adequate for most
     * people.
     */
# blacklist = "opm.myhost.org";

    /*
     * You can report the insecure proxies you find to our DNSBL also!
     * The remaining directives in this section are only needed if you
     * intend to do this. Reports are sent by email, one email per IP
     * address. The format does support multiple addresses in one email,
     * but we don't know of any servers that are detecting enough insecure
     * proxies for this to be really necessary.
     */

    /*
     * Email address to send reports FROM. If you intend to send reports,
     * please pick an email address that we can actually send mail to
     * should we ever need to contact you.
     */
# dnsbl_from = "mybopm@myserver.org";

    /*
     * Email address to send reports TO. This default is the one
     * currently in use by Blitzed.
     */
# dnsbl_to = "bopm@reports.blitzed.org";

    /*
     * Full path to your sendmail binary. Even if your system does not
     * use sendmail, it probably does have a binary called "sendmail"
     * present in /usr/sbin or /usr/lib. If you don't set this, no
     * proxies will be reported.
     *
     * NOTE(review): presumably executed by bopm itself for every report
     * it sends -- confirm how it is invoked before pointing this at
     * anything other than a real sendmail-compatible binary.
     */
# sendmail = "/usr/sbin/sendmail";
};
d219dea9 319
f1cfd799 320
8e5c4d64 321/*
322 * The short explanation:
323 *
324 * This is where you define what ports/protocols to check for. You can have
325 * multiple scanner blocks and then choose which users will get scanned by
326 * which scanners further down.
327 *
328 * The long explanation:
329 *
330 * Scanner defines a virtual scanner. For each user being scanned, a scanner
331 * will use a file descriptor (and subsequent connection) for each protocol.
332 * Once connecting it will negotiate the proxy to connect to
333 * target_ip:target_port (target_ip MUST be an IP).
334 *
335 * Once connected, any data passed through the proxy will be checked to see if
336 * target_string is contained within that data. If it is the proxy is
337 * considered open. If the connection is closed at any point before
338 * target_string is matched, or if at least max_read bytes are read from the
339 * connection, the negotiation is considered failed.
340 */
f1cfd799 341
scanner {

    /*
     * The scanner used for every connecting client (see the first
     * user {} block below). Each protocol listed here is an outbound
     * connection attempt from the bopm host to the user's IP; see
     * "scanlog" in options {} if you need an audit trail of them.
     */

    /*
     * Unique name of this scanner. This is used further down in the
     * user {} blocks to decide which users get affected by which
     * scanners.
     */
    name="default";

    /*
     * HTTP CONNECT - very common proxy protocol supported by widely known
     * software such as Squid and Apache. The most common sort of
     * insecure proxy and found on a multitude of weird ports too. Offers
     * transparent two way TCP connections.
     */
    protocol = HTTP:80;
    protocol = HTTP:8080;
    protocol = HTTP:3128;

    /*
     * SOCKS4/5 - well known proxy protocols, probably the second most
     * common for insecure proxies, also offers transparent two way TCP
     * connections. Fortunately largely confined to port 1080.
     */
    protocol = SOCKS4:1080;
    protocol = SOCKS5:1080;

    /*
     * Cisco routers with a default password (yes, it really does happen).
     * Also pretty much anything else that will let you telnet to anywhere
     * else on the internet. Fortunately these are always on port 23.
     */
    protocol = ROUTER:23;

    /*
     * WinGate is commercial windows proxy software which is now not so
     * common, but still to be found, and helpfully presents an interface
     * that can be used to telnet out, on port 23.
     */
    protocol = WINGATE:23;

    /*
     * The HTTP POST protocol, often dismissed when writing the access
     * controls for proxies, but sadly can still be abused.
     * Offers only the opportunity to send a single block of data, but
     * enough of them at once can still make for a devastating flood.
     * Found on the same ports that HTTP CONNECT proxies inhabit.
     *
     * Note that if your ircd has "ping cookies" then clients from HTTP
     * POST proxies cannot actually ever get onto your network anyway. If
     * you leave the checks in then you'll still find some (because some
     * people IRC from boxes that run them), but if you use bopm purely as
     * a protective measure and you have ping cookies, you need not scan
     * for HTTP POST.
     */
    protocol = HTTPPOST:80;

    /*
     * IP this scanner will bind to. Use this if you need your scans to
     * come FROM a particular interface on the machine you run bopm from.
     * If you don't understand what this means, please leave this
     * commented out, as this is a major source of support queries!
     */
# vhost = "127.0.0.1";

    /* Maximum file descriptors this scanner can use. Remember that there
     * will be one FD for each protocol listed above. As this example
     * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
     * limit, this scanner can be used on 64 users _at the same time_.
     * That should be adequate for most servers.
     */
    fd = 512;

    /*
     * Maximum data read from a proxy before considering it closed. Don't
     * set this too high, some people have fun setting up lots of ports
     * that send endless data to tie up your scanner. 4KB is plenty for
     * any known proxy.
     */
    max_read = 4096;

    /*
     * Amount of time (in seconds) before a test is considered timed out.
     * Again, all but the poorest slowest proxies will be detected within
     * 30 seconds, and this helps keep resource usage low.
     */
    timeout = 30;

    /*
     * Target IP to tell the proxy to connect to
     *
     * !!! THIS MUST BE CHANGED !!!
     *
     * You cannot instruct the proxy to connect to itself! The easiest
     * thing to do would be to set this to the IP of your ircd and then
     * keep the default target_strings.
     *
     * Please use an IP that is publically reachable from anywhere on the
     * Internet, because you have no way of knowing where the insecure
     * proxies will be located. Just because you and your bopm can
     * connect to your ircd on some private IP like 192.168.0.1, does not
     * mean that the insecure proxies out there on the Internet will be
     * able to. And if they never connect, you will never detect them.
     *
     * Remember to change this setting for every scanner you configure.
     *
     */
    target_ip = "127.0.0.1";

    /*
     * Target port to tell the proxy to connect to. This is usually
     * something like 6667. Basically any client-usable port.
     */
    target_port = 6667;

    /*
     * Target string we check for in the data read back by the scanner.
     * This should be some string out of the data that your ircd usually
     * sends on connect. The example below will work on most
     * hybrid/bahamut ircds. Multiple target strings are allowed.
     */

    /* Usually first line sent to client on connection to ircd. */
    target_string = "Looking up your hostname...";

    /* If you try to connect too fast, you'll be throttled by your own
     * ircd. Here's what a hybrid throttle message looks like:
     */
    target_string = "ERROR :Trying to reconnect too fast.";

    /* And the same for bahamut: */
    target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};
475
scanner {
    /*
     * A second, smaller scanner that the second user {} block below
     * applies only to hosts matching "*proxy*" or "*www*". The
     * directives mean the same as in the "default" scanner above; see
     * the comments there.
     */

    /* Name referenced by the user {} blocks below. */
    name = "extended";

    /* HTTP CONNECT and HTTP POST on ports the default scanner skips. */
    protocol = HTTP:8001;
    protocol = HTTP:8002;
    protocol = HTTPPOST:8080;
    protocol = HTTPPOST:3128;

    /* Source IP for the scans; leave commented unless you need it. */
    #vhost = "127.0.0.1";

    /*
     * FD limit for this scanner. With 4 protocols this is 4 FDs per
     * user, so 128 FDs allow 32 users at the same time (same arithmetic
     * as the "default" scanner's comment).
     */
    fd = 128;

    /*
     * Same rule as above: this cannot stay 127.0.0.1, the proxy must be
     * told to connect to a publicly reachable IP.
     */
    target_ip = "127.0.0.1"; /* !!! CHANGE ME !!! */
    target_port = 6667;

    /*
     * Only the first-line greeting is matched here; the throttle messages
     * the "default" scanner also lists are not. No max_read or timeout is
     * set in this block, so whatever bopm's built-in defaults are apply
     * (not shown in this file -- confirm against the source).
     */
    target_string = "Looking up your hostname...";
};
488
f1cfd799 489
490
8e5c4d64 491/*
492 * User blocks define what scanners will be used to scan which hostmasks. When
493 * a user connects they will be scanned on every scanner {} (above) that
494 * matches their host.
495 */
f1cfd799 496
user {
    /*
     * Users matching this host mask will be scanned with all the
     * protocols in the scanner named.
     *
     * "*!*@*" matches every connecting client, so every new connection
     * is scanned with the "default" scanner (unless an exempt {} mask
     * below matches it).
     */
    mask = "*!*@*";
    scanner = "default";
};
ad429564 505
user {
    /*
     * Hosts whose name suggests a proxy or web server additionally get
     * the "extended" scanner. Both masks apply; a client matching either
     * of them is scanned with "extended" on top of the "default" scan
     * from the block above.
     */
    mask = "*!*@*proxy*";
    mask = "*!*@*www*";
    scanner = "extended";
};
ad429564 511
f1cfd799 512
8e5c4d64 513/*
514 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
515 * Note that bopm will not resolve IP addresses to hosts nor hosts to IP
516 * addresses, so you will probably want to put both forms in here if you need
517 * to use this at all.
518 *
519 * There are very few valid reasons to actually use "exempt". bopm should
520 * never get false positives, and we would like to know very much if it does.
521 * One possible scenario is that the machine bopm runs from is specifically
522 * authorized to use certain hosts as proxies, and users from those hosts use
523 * your network. In this case, without exempt, bopm will scan these hosts,
524 * find itself able to use them as proxies, and ban them.
525 */
exempt {
    /*
     * Hostmasks that bypass scanning AND the DNSBL check entirely, so
     * keep these as narrow as possible. bopm does no name/IP resolution
     * here, which is why both the hostname and the IP form of localhost
     * are listed.
     */
    mask = "*!*@localhost";
    mask = "*!*@127.0.0.1";
};