Commit | Line | Data |
---|---|---|
2e2a3d93 | 1 | /* |
65ee1e17 | 2 | |
2e2a3d93 | 3 | BOPM sample configuration |
65ee1e17 | 4 | |
2e2a3d93 | 5 | */ |
65ee1e17 | 6 | |
2e2a3d93 | 7 | options { |
8e5c4d64 | 8 | /* |
9 | * Full path and filename for storing the process ID of the running | |
10 | * bopm. | |
11 | */ | |
12 | pidfile = "/some/path/bopm.pid"; | |
6a4b304c | 13 | |
8e5c4d64 | 14 | /* |
15 | * How many seconds to store the IP address of hosts which are | |
16 | * confirmed (by previous scans) to be secure. New users from these | |
17 | * IP addresses will not be scanned again until this amount of time | |
18 | * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS | |
19 | * DIRECTIVE, but it is provided due to demand. Reasons for not using | |
20 | * this feature: | |
21 | * 1) It makes BOPM slower - every time a scan fails, the scan | |
22 | * list must be walked to see if all scans for this host have | |
23 | * failed. | |
24 | * 2) Anyone capable of running a proxy can get abusers onto your | |
25 | * network - all they need do is shut the proxy down, connect | |
26 | * themselves, restart the proxy, and tell their friends to | |
27 | * come flood. | |
28 | * | |
29 | * Keep this directive commented out to disable negative caching. | |
30 | */ | |
31 | # negcache = 3600; | |
6a4b304c | 32 | |
8e5c4d64 | 33 | /* |
34 | * Amount of file descriptors to allocate to asynchronous DNS. 64 | |
35 | * should be plenty for almost anyone - previous versions of bopm only | |
36 | * did one at a time! | |
37 | */ | |
f1cfd799 | 38 | dns_fdlimit = 64; |
8e5c4d64 | 39 | |
40 | /* | |
41 | * Put the full path and filename of a logfile here if you wish to log | |
42 | * every scan done. Normally bopm only logs successfully detected | |
43 | * proxies in the bopm.log, but you may get abuse reports to your ISP | |
44 | * about portscanning. Being able to show that it was bopm that did | |
45 | * the scan in question can be useful. Leave commented for no | |
46 | * logging. | |
47 | */ | |
48 | # scanlog = "/some/path/scan.log"; | |
2e2a3d93 | 49 | }; |
65ee1e17 | 50 | |
65ee1e17 | 51 | |
2e2a3d93 | 52 | IRC { |
8e5c4d64 | 53 | /* |
54 | * IP to bind to for the IRC connection. You only need to use this if | |
55 | * you wish bopm to use a particular interface (virtual host, IP | |
56 | * alias, ...) when connecting to the IRC server. There is another | |
57 | * "vhost" setting in the scan {} block below for the actual | |
58 | * portscans. Note that this directive expects an IP address, not a | |
59 | * hostname. Please leave this commented out if you do not | |
60 | * understand what it does, as most people don't need it. | |
61 | */ | |
62 | # vhost = "0.0.0.0"; | |
65ee1e17 | 63 | |
8e5c4d64 | 64 | /* |
65 | * Nickname for bopm to use. | |
66 | */ | |
2e2a3d93 | 67 | nick = "MyBopm"; |
65ee1e17 | 68 | |
8e5c4d64 | 69 | /* |
70 | * Text to appear in the "realname" field of bopm's /whois output. | |
71 | */ | |
b111ff5b | 72 | realname = "Blitzed Open Proxy Monitor"; |
8e5c4d64 | 73 | |
74 | /* | |
75 | * If you don't have an identd running, what username to use. | |
76 | */ | |
b111ff5b | 77 | username = "bopm"; |
65ee1e17 | 78 | |
8e5c4d64 | 79 | /* |
80 | * Hostname (or IP) of the IRC server which bopm will monitor | |
81 | * connections on. | |
82 | */ | |
b111ff5b | 83 | server = "myserver.blitzed.org"; |
8e5c4d64 | 84 | |
85 | /* | |
86 | * Port of the above server to connect to. This is what bopm uses to | |
87 | * get onto IRC itself, it is nothing to do with what ports/protocols | |
88 | * are scanned, nor do you need to list every port your ircd listens | |
89 | * on. | |
90 | */ | |
b111ff5b | 91 | port = 6667; |
65ee1e17 | 92 | |
8e5c4d64 | 93 | /* |
94 | * Command to execute to identify to NickServ (if your network uses | |
95 | * it). This is the raw IRC command text, and the below example | |
96 | * corresponds to "/msg nickserv identify password" in a client. If | |
97 | * you don't understand, just edit "password" in the line below to be | |
98 | * your bopm's nick password. Leave commented out if you don't need | |
99 | * to identify to NickServ. | |
100 | */ | |
101 | # nickserv = "privmsg nickserv :identify password"; | |
102 | ||
103 | /* | |
104 | * The username and password needed for bopm to oper up. These are stored here in clear text (as is the NickServ password, if "nickserv" above is set), so keep this file readable only by the account that runs bopm. | |
105 | */ | |
b111ff5b | 106 | oper = "bopm operpass"; |
6a4b304c | 107 | |
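8e5c4d64 | 108 | /* |
109 | * Mode string that bopm needs to set on itself as soon as it opers | |
110 | * up. This needs to include the mode for seeing connection notices, | |
111 | * otherwise bopm won't scan anyone (that's usually umode +c). It's | |
112 | * often also a good idea to remove any helper modes so that users | |
113 | * don't try to talk to the bopm. | |
114 | * | |
115 | * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE | |
116 | * +c !! */ | |
117 | mode = "+c-h"; | |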
118 | ||
119 | /* Example for Bahamut; +F gives bopm relaxed flood limits */ | |
120 | # mode = "+Fc-h"; | |
121 | ||
122 | /* | |
123 | * If this is set then bopm will use it as an /away message as soon as | |
124 | * it connects. | |
125 | */ | |
126 | away = "I'm a bot. Your messages will be ignored."; | |
127 | ||
128 | /* | |
129 | * Info about channels you wish bopm to join in order to accept | |
130 | * commands. bopm will also print messages in these channels every | |
131 | * time it detects a proxy. Only IRC operators can command bopm to do | |
132 | * anything, but some of the things bopm reports to these channels | |
133 | * could be considered sensitive, so it's best not to put bopm into | |
134 | * public channels. | |
135 | */ | |
b111ff5b | 136 | channel { |
8e5c4d64 | 137 | /* |
138 | * Channel name. Local ("&") channels are supported if your ircd | |
139 | * supports them. | |
140 | */ | |
b111ff5b | 141 | name = "#bopm"; |
8e5c4d64 | 142 | |
143 | /* | |
144 | * If bopm will need to use a key to enter this channel, this is | |
145 | * where you specify it. | |
146 | */ | |
147 | # key = "somekey"; | |
148 | ||
149 | /* | |
150 | * If you use ChanServ then maybe you want to set the channel | |
151 | * invite-only and have each bopm do "/msg ChanServ invite" to get | |
152 | * itself in. Leave commented if you don't, or if this makes no | |
153 | * sense to you. | |
154 | */ | |
155 | # invite = "privmsg chanserv :invite #bopm"; | |
b111ff5b | 156 | }; |
6a4b304c | 157 | |
b111ff5b | 158 | /* |
159 | channel { | |
160 | name = "#other channel"; | |
161 | }; */ | |
d612c0f7 | 162 | |
8e5c4d64 | 163 | /* |
164 | * connregex is a POSIX regular expression used to parse connection | |
165 | * (+c) notices from the ircd. The complexity of the expression should | |
166 | * be kept to a minimum. | |
167 | * | |
168 | * Items in order MUST be: nick user host IP | |
169 | * | |
170 | * bopm will not work with ircds which do not send an IP in the | |
171 | * connection notice. | |
172 | * | |
173 | * This is fairly complicated stuff, and the consequences of getting | |
174 | * it wrong are that bopm does not scan anyone. Unless you know | |
175 | * absolutely what you are doing, please just uncomment the example | |
176 | * below that best matches the type of ircd you use. | |
177 | */ | |
862bbc52 | 178 | |
8e5c4d64 | 179 | /* Hybrid / Bahamut / Unreal (in HCN mode) */ |
180 | connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*"; | |
9da50b33 | 181 | |
8e5c4d64 | 182 | /* |
183 | * "kline" controls the command used when an open proxy is confirmed. | |
184 | * We suggest applying a temporary (no more than a few hours) KLINE on the host. | |
185 | * | |
186 | * <WARNING> | |
187 | * Please note that if you are matching against our DNSBL | |
188 | * opm.blitzed.org (see further below), then you will need some way to | |
189 | * let users know how they can be removed from this DNSBL. That is | |
190 | * the purpose of the blitzed.org URL in the example message, so | |
191 | * please do not remove it unless you also disable DNSBL lookups (or | |
192 | * if you use a different DNSBL). | |
193 | * | |
194 | * Also note that you cannot include ':' characters actually inside | |
195 | * the KLINE message (e.g. for a http:// address). | |
196 | * | |
197 | * Users rewriting this message into something that isn't even a valid | |
198 | * IRC command is the single most common cause of support requests and | |
199 | * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE | |
200 | * KLINE COMMANDS BELOW. | |
201 | * </WARNING> | |
202 | * | |
203 | * That said, should you wish to customise this text, several | |
204 | * printf-like placeholders are available: | |
205 | * | |
206 | * %n User's nick | |
207 | * %u User's username | |
208 | * %h User's irc hostname | |
209 | * %i User's IP address | |
210 | * | |
211 | */ | |
212 | kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."; | |
9da50b33 | 213 | |
8e5c4d64 | 214 | /* |
215 | * If you would prefer very plain pages then try this one. There's | |
216 | * also an index3.phtml which is even more plain, useful for parsing | |
217 | * via your own pages if you are trying to make your own interface to | |
218 | * it. If you know XML though, talk to webmaster@blitzed.org about | |
219 | * use of the XML interface to it. | |
220 | */ | |
221 | # kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/opm/index2.phtml?ip=%i for more information."; | |
9da50b33 | 222 | |
8e5c4d64 | 223 | /* A GLINE example for IRCu: */ |
224 | # kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information."; | |
96f78544 | 225 | |
8e5c4d64 | 226 | /* |
227 | * Text to send on connection, these can be stacked and will be sent in this order | |
228 | * | |
229 | * !!! UNREAL USERS PLEASE NOTE !!! | |
230 | * Unreal users will need PROTOCTL HCN to force hybrid connect | |
231 | * notices. | |
232 | */ | |
233 | # perform = "PROTOCTL HCN"; | |
96f78544 | 234 | |
4caa3ccc | 235 | }; |
236 | ||
6a4b304c | 237 | |
8e5c4d64 | 238 | /* |
239 | * OPM Block defines blacklists and information required to report new proxies | |
240 | * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone | |
241 | * file. In the case of opm.blitzed.org, we store the IP addresses of known | |
242 | * insecure proxy servers. By checking against this blacklist, bopms are able | |
243 | * to ban known proxies without having to scan them all. | |
244 | * | |
245 | * If you still don't understand what a DNSBL is, have a look at | |
246 | * http://www.blitzed.org/opm. | |
247 | */ | |
f1cfd799 | 248 | |
4caa3ccc | 249 | OPM { |
8e5c4d64 | 250 | /* |
251 | * Blacklist zones to check IPs against. If you would rather not | |
252 | * trust a remotely managed blacklist, you could set up your own, or | |
253 | * you could comment this out in which case every user will be | |
254 | * scanned. | |
255 | * | |
256 | * If you DO intend to send reports, please contact us first at | |
257 | * opm@lists.blitzed.org and let us know what you have set for | |
258 | * "dnsbl_from" and your server name (or network name if you're | |
259 | * reporting for a whole network). Until you do, all reports will be | |
260 | * bounced. | |
261 | * | |
262 | * Those who report should subscribe to the opm-announce mailing list. | |
263 | * This is an extremely low volume read-only mailing list that we use | |
264 | * to inform our reporters about important details relating to our | |
265 | * DNSBL. You can subscribe from: | |
266 | * | |
267 | * http://lists.blitzed.org/listinfo/opm-announce | |
268 | * | |
269 | * You may also be interested in opm-talk. That list is for user | |
270 | * discussion of our DNSBL service, feature requests etc. Weekly | |
271 | * stats about our DNSBL such as how many addresses are in it, who | |
272 | * reports the most, etc. are also posted there. You can subscribe | |
273 | * from: | |
274 | * | |
275 | * http://lists.blitzed.org/listinfo/opm-talk | |
276 | */ | |
277 | blacklist = "opm.blitzed.org"; | |
278 | ||
279 | /* | |
280 | * You can specify multiple DNSBLs. Some people see "opm.blitzed.org" | |
281 | * and mindlessly change the "blitzed.org" part to be their own | |
282 | * domain. Please don't do this unless you really do run your own | |
283 | * DNSBL; all you will accomplish is filling your channels with DNS | |
284 | * error messages. opm.blitzed.org should be adequate for most | |
285 | * people. | |
286 | */ | |
287 | # blacklist = "opm.myhost.org"; | |
288 | ||
289 | /* | |
290 | * You can report the insecure proxies you find to our DNSBL also! | |
291 | * The remaining directives in this section are only needed if you | |
292 | * intend to do this. Reports are sent by email, one email per IP | |
293 | * address. The format does support multiple addresses in one email, | |
294 | * but we don't know of any servers that are detecting enough insecure | |
295 | * proxies for this to be really necessary. | |
296 | */ | |
297 | ||
298 | /* | |
299 | * Email address to send reports FROM. If you intend to send reports, | |
300 | * please pick an email address that we can actually send mail to | |
301 | * should we ever need to contact you. | |
302 | */ | |
303 | # dnsbl_from = "mybopm@myserver.org"; | |
304 | ||
305 | /* | |
306 | * Email address to send reports TO. This default is the one | |
307 | * currently in use by Blitzed. | |
308 | */ | |
309 | # dnsbl_to = "bopm@reports.blitzed.org"; | |
95b76d38 | 310 | |
8e5c4d64 | 311 | /* |
312 | * Full path to your sendmail binary. Even if your system does not | |
313 | * use sendmail, it probably does have a binary called "sendmail" | |
314 | * present in /usr/sbin or /usr/lib. If you don't set this, no | |
315 | * proxies will be reported. | |
316 | */ | |
317 | # sendmail = "/usr/sbin/sendmail"; | |
318 | }; | |
d219dea9 | 319 | |
f1cfd799 | 320 | |
8e5c4d64 | 321 | /* |
322 | * The short explanation: | |
323 | * | |
324 | * This is where you define what ports/protocols to check for. You can have | |
325 | * multiple scanner blocks and then choose which users will get scanned by | |
326 | * which scanners further down. | |
327 | * | |
328 | * The long explanation: | |
329 | * | |
330 | * Scanner defines a virtual scanner. For each user being scanned, a scanner | |
331 | * will use a file descriptor (and subsequent connection) for each protocol. | |
332 | * Once connecting it will negotiate the proxy to connect to | |
333 | * target_ip:target_port (target_ip MUST be an IP). | |
334 | * | |
335 | * Once connected, any data passed through the proxy will be checked to see if | |
336 | * target_string is contained within that data. If it is the proxy is | |
337 | * considered open. If the connection is closed at any point before | |
338 | * target_string is matched, or if at least max_read bytes are read from the | |
339 | * connection, the negotiation is considered failed. | |
340 | */ | |
f1cfd799 | 341 | |
d219dea9 | 342 | scanner { |
343 | ||
8e5c4d64 | 344 | /* |
345 | * Unique name of this scanner. This is used further down in the | |
346 | * user {} blocks to decide which users get affected by which | |
347 | * scanners. | |
348 | */ | |
b111ff5b | 349 | name="default"; |
d219dea9 | 350 | |
8e5c4d64 | 351 | /* |
352 | * HTTP CONNECT - very common proxy protocol supported by widely known | |
353 | * software such as Squid and Apache. The most common sort of | |
354 | * insecure proxy and found on a multitude of weird ports too. Offers | |
355 | * transparent two way TCP connections. | |
356 | */ | |
b111ff5b | 357 | protocol = HTTP:80; |
358 | protocol = HTTP:8080; | |
359 | protocol = HTTP:3128; | |
d219dea9 | 360 | |
8e5c4d64 | 361 | /* |
362 | * SOCKS4/5 - well known proxy protocols, probably the second most | |
363 | * common for insecure proxies, also offers transparent two way TCP | |
364 | * connections. Fortunately largely confined to port 1080. | |
365 | */ | |
b111ff5b | 366 | protocol = SOCKS4:1080; |
367 | protocol = SOCKS5:1080; | |
d219dea9 | 368 | |
8e5c4d64 | 369 | /* |
370 | * Cisco routers with a default password (yes, it really does happen). | |
371 | * Also pretty much anything else that will let you telnet to anywhere | |
372 | * else on the internet. Fortunately these are always on port 23. | |
373 | */ | |
b111ff5b | 374 | protocol = ROUTER:23; |
8e5c4d64 | 375 | |
376 | /* | |
377 | * WinGate is commercial windows proxy software which is now not so | |
378 | * common, but still to be found, and helpfully presents an interface | |
379 | * that can be used to telnet out, on port 23. | |
380 | */ | |
b111ff5b | 381 | protocol = WINGATE:23; |
d219dea9 | 382 | |
8e5c4d64 | 383 | /* |
384 | * The HTTP POST protocol, often dismissed when writing the access | |
385 | * controls for proxies, but sadly can still be abused. | |
386 | * Offers only the opportunity to send a single block of data, but | |
387 | * enough of them at once can still make for a devastating flood. | |
388 | * Found on the same ports that HTTP CONNECT proxies inhabit. | |
389 | * | |
390 | * Note that if your ircd has "ping cookies" then clients from HTTP | |
391 | * POST proxies cannot actually ever get onto your network anyway. If | |
392 | * you leave the checks in then you'll still find some (because some | |
393 | * people IRC from boxes that run them), but if you use bopm purely as | |
394 | * a protective measure and you have ping cookies, you need not scan | |
395 | * for HTTP POST. | |
396 | */ | |
b111ff5b | 397 | protocol = HTTPPOST:80; |
d219dea9 | 398 | |
8e5c4d64 | 399 | /* |
400 | * IP this scanner will bind to. Use this if you need your scans to | |
401 | * come FROM a particular interface on the machine you run bopm from. | |
402 | * If you don't understand what this means, please leave this | |
403 | * commented out, as this is a major source of support queries! | |
404 | */ | |
405 | # vhost = "127.0.0.1"; | |
d219dea9 | 406 | |
8e5c4d64 | 407 | /* Maximum file descriptors this scanner can use. Remember that there |
408 | * will be one FD for each protocol listed above. As this example | |
409 | * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD | |
410 | * limit, this scanner can be used on 64 users _at the same time_. | |
411 | * That should be adequate for most servers. | |
412 | */ | |
b111ff5b | 413 | fd = 512; |
d219dea9 | 414 | |
8e5c4d64 | 415 | /* |
416 | * Maximum data read from a proxy before considering it closed. Don't | |
417 | * set this too high, some people have fun setting up lots of ports | |
418 | * that send endless data to tie up your scanner. 4KB is plenty for | |
419 | * any known proxy. | |
420 | */ | |
b111ff5b | 421 | max_read = 4096; |
9da50b33 | 422 | |
8e5c4d64 | 423 | /* |
424 | * Amount of time (in seconds) before a test is considered timed out. | |
425 | * Again, all but the poorest slowest proxies will be detected within | |
426 | * 30 seconds, and this helps keep resource usage low. | |
427 | */ | |
b111ff5b | 428 | timeout = 30; |
9da50b33 | 429 | |
9fa35a38 | 430 | /* |
8e5c4d64 | 431 | * Target IP to tell the proxy to connect to |
432 | * | |
433 | * !!! THIS MUST BE CHANGED !!! | |
434 | * | |
435 | * You cannot instruct the proxy to connect to itself! The easiest | |
436 | * thing to do would be to set this to the IP of your ircd and then | |
437 | * keep the default target_strings. | |
438 | * | |
439 | * Please use an IP that is publicly reachable from anywhere on the | |
440 | * Internet, because you have no way of knowing where the insecure | |
441 | * proxies will be located. Just because you and your bopm can | |
442 | * connect to your ircd on some private IP like 192.168.0.1, does not | |
443 | * mean that the insecure proxies out there on the Internet will be | |
444 | * able to. And if they never connect, you will never detect them. | |
445 | * | |
446 | * Remember to change this setting for every scanner you configure. | |
447 | * | |
9fa35a38 | 448 | */ |
9fa35a38 | 449 | target_ip = "127.0.0.1"; |
d219dea9 | 450 | |
8e5c4d64 | 451 | /* |
452 | * Target port to tell the proxy to connect to. This is usually | |
453 | * something like 6667. Basically any client-usable port. | |
454 | */ | |
b111ff5b | 455 | target_port = 6667; |
d219dea9 | 456 | |
b111ff5b | 457 | /* |
8e5c4d64 | 458 | * Target string we check for in the data read back by the scanner. |
459 | * This should be some string out of the data that your ircd usually | |
460 | * sends on connect. The example below will work on most | |
461 | * hybrid/bahamut ircds. Multiple target strings are allowed. | |
462 | */ | |
fa7caa6b | 463 | |
8e5c4d64 | 464 | /* Usually first line sent to client on connection to ircd. */ |
465 | target_string = "Looking up your hostname..."; | |
fa7caa6b | 466 | |
8e5c4d64 | 467 | /* If you try to connect too fast, you'll be throttled by your own |
468 | * ircd. Here's what a hybrid throttle message looks like: | |
469 | */ | |
b111ff5b | 470 | target_string = "ERROR :Trying to reconnect too fast."; |
3b022c04 | 471 | |
8e5c4d64 | 472 | /* And the same for bahamut: */ |
473 | target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled."; | |
d219dea9 | 474 | }; |
475 | ||
476 | scanner { | |
9fa35a38 | 477 | name = "extended"; |
478 | protocol = HTTP:8001; | |
479 | protocol = HTTP:8002; | |
480 | protocol = HTTPPOST:8080; | |
481 | protocol = HTTPPOST:3128; | |
482 | #vhost = "127.0.0.1"; | |
483 | fd = 128; | |
484 | target_ip = "127.0.0.1"; /* !!! CHANGE ME !!! */ | |
485 | target_port = 6667; | |
486 | target_string = "Looking up your hostname..."; | |
d219dea9 | 487 | }; |
488 | ||
f1cfd799 | 489 | |
490 | ||
8e5c4d64 | 491 | /* |
492 | * User blocks define what scanners will be used to scan which hostmasks. When | |
493 | * a user connects they will be scanned on every scanner {} (above) that | |
494 | * matches their host. | |
495 | */ | |
f1cfd799 | 496 | |
2e2a3d93 | 497 | user { |
8e5c4d64 | 498 | /* |
499 | * Users matching this host mask will be scanned with all the | |
500 | * protocols in the scanner named. | |
501 | */ | |
2e2a3d93 | 502 | mask = "*!*@*"; |
503 | scanner = "default"; | |
504 | }; | |
ad429564 | 505 | |
2e2a3d93 | 506 | user { |
507 | mask = "*!*@*proxy*"; | |
508 | mask = "*!*@*www*"; | |
509 | scanner = "extended"; | |
510 | }; | |
ad429564 | 511 | |
f1cfd799 | 512 | |
8e5c4d64 | 513 | /* |
514 | * Exempt hosts matching certain strings from any form of scanning or dnsbl. | |
515 | * Note that bopm will not resolve IP addresses to hosts nor hosts to IP | |
516 | * addresses, so you will probably want to put both forms in here if you need | |
517 | * to use this at all. | |
518 | * | |
519 | * There are very few valid reasons to actually use "exempt". bopm should | |
520 | * never get false positives, and we would like to know very much if it does. | |
521 | * One possible scenario is that the machine bopm runs from is specifically | |
522 | * authorized to use certain hosts as proxies, and users from those hosts use | |
523 | * your network. In this case, without exempt, bopm will scan these hosts, | |
524 | * find itself able to use them as proxies, and ban them. | |
525 | */ | |
2e2a3d93 | 526 | exempt { |
527 | mask = "*!*@localhost"; | |
528 | mask = "*!*@127.0.0.1"; | |
96f78544 | 529 | }; |