/*
* BOPM sample configuration for Blitzed Admins. For explanations of what all
* the directives do, please see bopm.conf.sample.
*
* Most of these settings are only suggestions; any setting that is required
* is marked as such.
*
*/
/*
* Daemon-wide settings: where the pid file is written, the dns_fdlimit
* value, and an optional log of every scan.
*/
options {
/*
* Placeholder path. Point it at a directory that only the account running
* BOPM can write to, so another local user cannot replace the file.
*/
pidfile = "/some/path/bopm.pid";
/* Presumably caps the descriptors used for DNS lookups; see bopm.conf.sample. */
dns_fdlimit = 64;
/*
* You can use this to log ALL port scans that are done. This is
* optional and may be useful if you ever have to deal with abuse
* reports.
*
* Disabled as shipped. If you enable it, the log records scans of the
* clients connecting to your server, so keep it readable only by the BOPM
* account and rotate it.
*/
# scanlog = "/some/path/scan.log";
};
/*
* IRC-side settings: the identity BOPM connects with, its NickServ and oper
* credentials, the channel block, the connect-notice pattern, and the KLINE
* command issued for a confirmed open proxy.
*
* This block holds plaintext credentials (nickserv, oper, optionally
* password). Keep the real file readable only by the account that runs BOPM
* and never publish a copy with real values filled in.
*/
IRC {
# vhost = "0.0.0.0";
/* You're required to keep to this naming scheme! */
nick = "servernameBOPM";
realname = "Blitzed Open Proxy Monitor";
username = "bopm";
server = "servername.blitzed.org";
/* It makes sense to put the nick password here so it ID's quicker. */
# password = "secret";
/*
* NOTE(review): 6667 is the conventional plaintext IRC port, so the nickserv
* and oper passwords below would cross the wire unencrypted. Prefer a
* loopback or otherwise trusted path between BOPM and the server - confirm
* for your deployment.
*/
port = 6667;
/*
* Your BOPM will need a registered nick and be identified to it, to get
* into #wg. (see below)
*
* "bopm-nick-password" is a placeholder; the real password is stored here
* in the clear.
*/
nickserv = "nickserv :identify bopm-nick-password";
/*
* Oper name and password, also placeholders and also stored in the clear.
* Give this oper account only the privileges this file relies on: seeing
* client connect notices (connregex) and issuing KLINE (kline).
*/
oper = "bopm operpass";
/* Please use these modes, they're the only ones that make sense. */
mode = "+Fc-h";
away = "I'm a bot. Your messages will be ignored.";
channel {
/*
* This is where all of Blitzed's BOPMs are. The name "#wg" is left over
* from the days of dalnet's wgmon.
*/
name = "#wg";
/*
* Make sure your BOPM is set to ID to its nick, and that it has access
* enough in #wg to use the chanserv invite command. Anyone opped in #wg
* can add this access for you.
*/
invite = "chanserv :invite #wg";
};
/*
* Hybrid / Bahamut / Unreal (in HCN mode)
*
* Pattern for the server's "Client connecting" notice, with four capture
* groups in the order nick, username, hostname, IP. The IP group accepts
* only digits and dots, so a notice carrying an IPv6 address does not match;
* presumably such a client is then not scanned - confirm against your ircd.
*/
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* "kline" controls the command used when an open proxy is confirmed.
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
*
* The command below bans on *@%h, i.e. on the hostname taken from the
* connect notice, and puts the IP only in the reason text.
*
* You're required to use the following kline_command:
*/
kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
};
/*
* DNS blacklist settings: the zones that are queried, how their replies are
* labelled, and the mail settings used for reports.
*
* Each zone listed here is a third party whose answers lead to bans on your
* server. NOTE(review): confirm that every zone is still operated before
* deploying; a retired zone that starts answering every query can ban
* clients wholesale.
*/
OPM {
/* Our own blacklist. You're required to use this at least. */
blacklist {
name = "opm.blitzed.org";
/* The reply keys below are powers of two, i.e. one bit per proxy type. */
type = "A record bitmask";
/*
* Presumably a reply that matches none of the entries below still leads to a
* ban when this is yes - confirm in bopm.conf.sample. That widens the impact
* of a wrong or unexpected answer from the zone.
*/
ban_unknown = yes;
reply {
1 = "WinGate";
2 = "Socks";
4 = "HTTP";
8 = "Router";
16 = "HTTP POST";
};
};
/*
* Use of NJABL is STRONGLY SUGGESTED, but not required.
*
* If you want to know more about it, see http://www.njabl.org/use.html or
* comment out if you decide you don't like it.
*/
blacklist {
name = "dnsbl.njabl.org";
type = "A record reply";
/* Only reply value 9 is labelled here. */
reply {
9 = "Open proxy";
};
/* Set to no here, unlike the opm.blitzed.org zone above. */
ban_unknown = no;
/* Zone-specific KLINE command; same %h / %i placeholders as the IRC block. */
kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
};
/* You must use a real email address below (that you actually read). */
dnsbl_from = "yournick@blitzed.org";
/* Don't change this, it's already the correct address. */
dnsbl_to = "bopm@reports.blitzed.org";
/*
* This is usually correct.
*
* Reports are handed to this local binary, so it must be the system's real
* sendmail and not writable by unprivileged users.
*/
sendmail = "/usr/sbin/sendmail";
};
/*
* The "default" scanner: the protocol/port tests plus the descriptor,
* read-size and timeout values and the scan target.
*/
scanner {
name = "default";
/*
* Any user will get scanned on these protocols. This is the top 10 list of
* protocol/ports found in our blacklist and you're required to test at
* least these.
*
* If you want to add more, ask the OPM people for some sensible
* suggestions.
*/
protocol = SOCKS4:1080;
protocol = SOCKS5:1080;
protocol = HTTP:6588;
protocol = HTTP:8080;
protocol = HTTP:5490;
protocol = SOCKS5:1075;
protocol = HTTPPOST:80;
protocol = HTTP:808;
protocol = HTTPPOST:8080;
protocol = WINGATE:23;
/*
* If your ircd is running from a machine with more than one interface,
* you'll need to specify the IP to scan from here. Particularly important
* if you're running on a shell server.
*/
# vhost = "127.0.0.1";
/* Don't bother changing these unless you know what they do. */
fd = 512;
max_read = 4096;
timeout = 30;
/*
* Don't forget to change this to the public IP of your server!
*
* NOTE(review): 127.0.0.1 is a placeholder. Presumably the scanned host is
* asked to connect to target_ip:target_port; a loopback value would point
* it at itself, so real open proxies would go undetected - confirm.
*/
target_ip = "127.0.0.1";
/* This needs to be a port that is available to normal clients. */
target_port = 6667;
/*
* Don't forget to change this to have your FULL server name here!
*
* Presumably this must match what your server actually sends on connect; a
* mismatch would likewise hide real proxies - verify against a live
* connection.
*/
target_string = ":somese.rv.er.blitzed.org NOTICE AUTH :*** Looking up your hostname...";
};
/*
* The "extra" scanner: additional protocol/port tests with a smaller
* descriptor budget. timeout, max_read and the target_* values are not set
* in this block; presumably they fall back to defaults - confirm in
* bopm.conf.sample.
*/
scanner {
/*
* Here's a bunch more tests to do on "suspicious-looking" clients. Again,
* these are the most popular ports/protocols found in our blacklist, but
* feel free to add/remove some if you know what you're doing.
*/
name = "extra";
protocol = WINGATE:1181;
protocol = SOCKS5:1180;
protocol = HTTPPOST:3128;
protocol = HTTP:3128;
protocol = HTTP:80;
protocol = ROUTER:23;
protocol = HTTPPOST:555;
protocol = HTTP:1182;
protocol = HTTPPOST:6588;
protocol = SOCKS5:1813;
protocol = HTTP:4480;
protocol = HTTP:8000;
protocol = HTTP:9778;
protocol = HTTP:25318;
protocol = SOCKS5:25791;
protocol = HTTPPOST:8000;
protocol = SOCKS5:5104;
protocol = HTTP:81;
protocol = HTTP:2282;
protocol = SOCKS5:5262;
protocol = HTTPPOST:5121;
protocol = SOCKS5:8814;
protocol = SOCKS5:6552;
protocol = SOCKS5:4438;
protocol = HTTPPOST:81;
protocol = SOCKS5:8148;
protocol = SOCKS5:4044;
protocol = HTTPPOST:4480;
protocol = SOCKS5:9186;
protocol = SOCKS5:8130;
protocol = HTTPPOST:8548;
protocol = SOCKS5:5634;
/* Fewer fds are given to this scanner (400 here, 512 for "default"). */
fd = 400;
};
/*
* Binds the "default" scanner to the mask *!*@*, which matches every
* nick!user@host, so every connecting client gets the default tests.
*/
user {
scanner = "default";
mask = "*!*@*";
};
/*
* Binds the "extra" scanner to clients whose username or hostname looks
* proxy-like. The masks are a heuristic for choosing who gets more tests:
* the username is not verified when ident is absent, so do not rely on a
* mask to exclude anyone from scanning.
*/
user {
scanner = "extra";
/*
* If the user matches any of these masks they will get the extra scans
* too.
*
* Connections without ident will match on a vast number of connections;
* very few proxies run ident though.
*/
/* No ident reply (username prefixed with ~). */
mask = "*!~*@*";
/* Usernames commonly used by proxy, cache and web-server accounts. */
mask = "*!squid@*";
mask = "*!nobody@*";
mask = "*!www-data@*";
mask = "*!cache@*";
mask = "*!CacheFlowS@*";
/* Hostnames containing www, proxy or cache. */
mask = "*!*@*www*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
};
/*
* You can use exempts to deliberately allow certain insecure proxies onto the
* network, but this should never be necessary! Please consult BOPM people
* before using this. If you think you have found a false positive then they
* really need to know.
*/
/*
exempt {
mask = "*!*@127.0.0.1";
};
*/