מדריך התקנה hybrid open proxy monitor

מדריך התקנה hybrid open proxy monitor
שלום חברים המדריך התקנה נעשה באמצעות וידיאו ובוידאו תוכלו ללימוד כיצד מתקינים את הופם ולהגדיר את הקונפיג

התקנה

Code:


tar zxvf  hopm-1.1.4.tar.gz
cd hopm-1.1.4
./configure
make && make install
cd
cd hopm/etc
cp reference.conf hopm.conf
cd ..
cd bin
./hopm


בהגדרת החדרים שראיתם בוידיאו תמחקו את החדר מירקס ולמטה מתחת לCHANSERV יש לכם עוד אפשרות להוסיף חדר תוסיפו את הבלוק הזה למטה מתחת איפה שכתוב לכם את זה You can define a bunch of channels if you want

Code:


channel { name = "#mIRCx";
                };


הגדרות ל IRCU לא לשכוח בהגדרה אחרונה של unlimited_flood = yes; להיכנס ל IRCD.CONF ולהגדיר את זה בבלוק של אופר

Code:


mode = "+xs +16384";  
nickserv = "auth matrix asss23456";
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
"GLINE +*@%i * 86400 :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
unlimited_flood = yes;


תוכלו לעתיק את הקונפיג שסידרתי עבורכם
hopm.conf for inspircd

Code:


/*
 * Hybrid Open Proxy Monitor - HOPM sample configuration
 *
 * Copyright (c) 2014-2017 ircd-hybrid development team
 *
 * $Id$
 */

/*
 * Shell style (#), C++ style (//) and C style comments are supported.
 *
 * Files may be included by either:
 *        .include "filename"
 *        .include <filename>
 *
 * Times/durations are written as:
 *        12 hours 30 minutes 1 second
 *
 * Valid units of time:
 *        year, month, week, day, hour, minute, second
 *
 * Valid units of size:
 *        megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
 *
 * Sizes and times may be singular or plural.
 */

options {
 /*
 * Full path and filename for storing the process ID of the running
 * HOPM.
 */
 pidfile = "/home/bmt/hopm/var/run/hopm.pid";

 /*
 * Maximum commands to queue. Set to 0 if you don't want HOPM
 * to process commands.
 */
 command_queue_size = 64;

 /*
 * Interval to check command queue for timed out commands.
 */
 command_interval = 10 seconds;

 /*
 * Timeout of commands.
 */
 command_timeout = 180 seconds;

 /*
 * How long to store the IP address of hosts which are confirmed
 * (by previous scans) to be secure. New users from these
 * IP addresses will not be scanned again until this amount of time
 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
 * DIRECTIVE, but it is provided due to demand.
 *
 * The main reason for not using this feature is that anyone capable
 * of running a proxy can get abusers onto your network - all they
 * need do is shut the proxy down, connect themselves, restart the
 * proxy, and tell their friends to come flood.
 *
 * Keep this directive commented out to disable negative caching.
 */
# negcache = 1 hour;

 /*
 * How long between rebuilds of the negative cache. The negcache
 * is only rebuilt to free up memory used by entries that are too old.
 * You probably don't need to tweak this unless you have huge amounts
 * of people connecting (hundreds per minute). Default is 12 hours.
 */
 negcache_rebuild = 12 hours;

 /*
 * Amount of file descriptors to allocate to asynchronous DNS. 64
 * should be plenty for almost anyone.
 */
 dns_fdlimit = 64;

 /*
 * Amount of time the resolver waits until a response is received
 * from a name server.
 */
 dns_timeout = 5 seconds;

 /*
 * Put the full path and filename of a logfile here if you wish to log
 * every scan done. Normally HOPM only logs successfully detected
 * proxies in the hopm.log, but you may get abuse reports to your ISP
 * about portscanning. Being able to show that it was HOPM that did
 * the scan in question can be useful. Leave commented for no
 * logging.
 */
# scanlog = "var/log/scan.log";
};


irc {
 /*
 * IP address to bind to for the IRC connection. You only need to
 * use this if you wish HOPM to use a particular interface
 * (virtual host, IP alias, ...) when connecting to the IRC server.
 * There is another "vhost" setting in the scan {} block below for
 * the actual portscans. Note that this directive expects an IP address,
 * not a hostname. Please leave this commented out if you do not
 * understand what it does, as most people don't need it.
 */
# vhost = "0.0.0.0";

 /*
 * Nickname for HOPM to use.
 */
 nick = "MIRCX";

 /*
 * Text to appear in the "realname" field of HOPM's /whois output.
 */
 realname = "Hybrid Open Proxy Monitor";

 /*
 * If you don't have an identd running, what username to use.
 */
 username = "hopm";

 /*
 * Hostname (or IP address) of the IRC server which HOPM will monitor
 * connections on. IPv6 is now supported.
 */
 server = "192.168.1.219";

 /*
 * Password used to connect to the IRC server (PASS)
 */
# password = "secret";

 /*
 * Port of the above server to connect to. This is what HOPM uses to
 * get onto IRC itself, it is nothing to do with what ports/protocols
 * are scanned, nor do you need to list every port your ircd listens
 * on.
 */
 port = 6660;

 /*
 * Defines time in which bot will timeout if no data is received
 */
 readtimeout = 15 minutes;

 /*
 * Interval in how often we try to reconnect to the IRC server
 */
 reconnectinterval = 30 seconds;

 /*
 * Command to execute to identify to NickServ (if your network uses
 * it). This is the raw IRC command text, and the below example
 * corresponds to "/msg nickserv identify password" in a client. If
 * you don't understand, just edit "password" in the line below to be
 * your HOPM's nick password. Leave commented out if you don't need
 * to identify to NickServ.
 */
# nickserv = "NS IDENTIFY password";

 /*
 * The username and password needed for HOPM to oper up.
 */
 oper = "hopm 123456";

 /*
 * Mode string that HOPM needs to set on itself as soon as it opers
 * up. This needs to include the mode for seeing connection notices,
 * otherwise HOPM won't scan anyone (that's usually umode +c).
 */
 mode = "+s +cC";

 /*
 * If this is set then HOPM will use it as an /away message as soon as
 * it connects.
 */
 away = "I'm a bot. Your messages will be ignored.";

 /*
 * Info about channels you wish HOPM to join in order to accept
 * commands. HOPM will also print messages in these channels every
 * time it detects a proxy. Only IRC operators can command HOPM to do
 * anything, but some of the things HOPM reports to these channels
 * could be considered sensitive, so it's best not to put HOPM into
 * public channels.
 */
 channel {
 /*
 * Channel name. Local ("&") channels are supported if your ircd
 * supports them.
 */
 name = "#hopm";

 /*
 * If HOPM will need to use a key to enter this channel, this is
 * where you specify it.
 */
# key = "somekey";

 /*
 * If you use ChanServ then maybe you want to set the channel
 * invite-only and have each HOPM do "/msg ChanServ invite" to get
 * itself in. Leave commented if you don't, or if this makes no
 * sense to you.
 */
# invite = "CS INVITE #hopm";
 };

 /*
 * You can define a bunch of channels if you want:
 *
 * channel { name = "#other"; }; channel { name= "#channel"; }
 */

 /*
 * connregex is a POSIX regular expression used to parse connection
 * notices from the ircd. The complexity of the expression should
 * be kept to a minimum.
 *
 * Items in order MUST be: nick user host IP
 *
 * HOPM will not work with ircds which do not send an IP address in the
 * connection notice.
 *
 * This is fairly complicated stuff, and the consequences of getting
 * it wrong are the HOPM does not scan anyone. Unless you know
 * absolutely what you are doing, please just uncomment the example
 * below that best matches the type of ircd you use.
 */

 /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

 /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

 /* UnrealIRCd 4.0.x */
# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

 /* InspIRCd */
 connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-fA-F\\.:]+)\\) \\[.*\\]";

 /* ngIRCd */
# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

 /*
 * "kline" controls the command used when an open proxy is confirmed.
 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
 *
 * <WARNING>
 * Make sure if you need to change this string you also change the
 * kline command for every DNSBL you enable below.
 *
 * Also note that some servers do not allow you to include ':' characters
 * inside the KLINE message (e.g. for a http:// address).
 *
 * Users rewriting this message into something that isn't even a valid
 * IRC command is the single most common cause of support requests and
 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
 * KLINE COMMANDS BELOW.
 * </WARNING>
 *
 * That said, should you wish to customise this text, several
 * printf-like placeholders are available:
 *
 *  %n     User's nick
 *  %u     User's username
 *  %h     User's irc hostname
 *  %i     User's IP address
 *  %t     Protocol type which has triggered a positive scan
 */
 kline = "KLINE 180 *@%h :Open proxy found on your host.";

 /* A GLINE example for ircu */
# kline = "GLINE +*@%i 1800 :Open proxy found on your host.";

 /*
 * An AKILL example for services with OperServ. Your HOPM must have permission to
 * AKILL for this to work!
 */
# kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";

 /*
 * Text to send on connection, these can be stacked and will be sent in this order.
 *
 * !!! UNREAL USERS PLEASE NOTE !!!
 * Unreal users will need PROTOCTL HCN to force hybrid connect
 * notices.
 *
 * Yes Unreal users!  That means you!  That means you need the line
 * below!  See that thing at the start of the line?  That's what we
 * call a comment!  Remove it to UNcomment the line.
 *
 * Note that this is no longer needed as of UnrealIRCd 4.0.0.
 */
 perform = "PROTOCTL HCN";

 /*
 * Text to send, via NOTICE, immediately when a new client connects. These can be
 * stacked and will be sent in this order.
 */
 notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
};


/*
 * OPM Block defines blacklists and information required to report new proxies
 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
 * file. There are several blacklist that list IP addresses known to be open
 * proxies or other forms of IRC abuse. By checking against these blacklists,
 * HOPMs are able to ban known sources of abuse without completely scanning them.
 */
OPM {
 /*
 * Blacklist zones to check IPs against. If you would rather not
 * trust a remotely managed blacklist, you could set up your own, or
 * leave these commented out in which case every user will be
 * scanned. The use of at least one open proxy DNSBL is recommended
 * however.
 *
 * Please check the policies of each blacklist you use to check you
 * are comfortable with using them to block access to your server
 * (and that you are allowed to use them).
 */


 /* dnsbl.dronebl.org - http://dronebl.org */
 blacklist {
 /* The DNS name of the blacklist */
 name = "dnsbl.dronebl.org";

 /*
 * Address families that are supported by the blacklist. Default is 'ipv4'.
 */
 address_family = ipv4;

 /*
 * There are only two values that are valid for this
 * "A record bitmask" and "A record reply"
 * These options affect how the values specified to reply
 * below will be interpreted, a bitmask is where the reply
 * values are 2^n and more than one is added up, a reply is
 * simply where the last octet of the IP address is that number.
 * If you are not sure then the values set for dnsbl.dronebl.org
 * will work without any changes.
 */
 type = "A record bitmask";

 /*
 * Kline types not listed in the reply list below.
 *
 * For DNSBLs that are not IRC specific and you just wish to kline
 * certain types this can be enabled/disabled.
 */
 ban_unknown = yes;

 /*
 * The actual values returned by the dnsbl.dronebl.org blacklist as
 * documented at http://dronebl.org/docs/howtouse
 */
 reply {
 2 = "Sample data used for heuristical analysis";
 3 = "IRC spam drone (litmus/sdbot/fyle)";
 5 = "Bottler (experimental)";
 6 = "Unknown worm or spambot";
 7 = "DDoS drone";
 8 = "Open SOCKS proxy";
 9 = "Open HTTP proxy";
 10 = "ProxyChain";
 11 = "Web Page Proxy";
 12 = "Open DNS Resolver";
 13 = "Automated dictionary attacks";
 14 = "Open WINGATE proxy";
 15 = "Compromised router / gateway";
 16 = "Autorooting worms";
 17 = "Automatically determined botnet IPs (experimental)";
 18 = "DNS/MX type hostname detected on IRC";
 255 = "Uncategorized threat class";
 };

 /*
 * The kline message sent for this specific blacklist, remember to put
 * the removal method in this.
 */
 kline = "ZLINE *@%i 1d :Host listed in the DroneBL. For more information visit   ://dronebl.org/lookup_branded?ip=%i&network=Network";
 };


 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
# blacklist {
# name = "tor.dnsbl.sectoor.de";
# type = "A record reply";
# ban_unknown = no;

# reply {
# 1 = "Tor exit server";
# };

# kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
# };

 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
 blacklist {
 name = "rbl.efnetrbl.org";
 type = "A record bitmask";
 ban_unknown = yes;

 reply {
 1 = "Open proxy";
 2 = "spamtrap666";
 3 = "spamtrap50";
 4 = "TOR";
 5 = "Drones / Flooding";
 };

 kline = "ZLINE 180 *@%h :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
 };



 /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
# blacklist {
# name = "tor.efnetrbl.org";
# type = "A record reply";
# ban_unknown = no;

# reply {
# 1 = "TOR";
# };

# kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
# };

 /*
 * You can report the insecure proxies you find to a DNSBL also!
 * The remaining directives in this section are only needed if you
 * intend to do this. Reports are sent by email, one email per IP
 * address. The format does support multiple addresses in one email,
 * but we don't know of any servers that are detecting enough insecure
 * proxies for this to be really necessary.
 */

 /*
 * Email address to send reports FROM. If you intend to send reports,
 * please pick an email address that we can actually send mail to
 * should we ever need to contact you.
 */
# dnsbl_from = "mircx@walla.com";

 /*
 * Email address to send reports TO.
 * For example DroneBL:
 */
# dnsbl_to = "bopm-report@dronebl.org";

 /*
 * Full path to your sendmail binary. Even if your system does not
 * use sendmail, it probably does have a binary called "sendmail"
 * present in /usr/sbin or /usr/lib. If you don't set this, no
 * proxies will be reported.
 */
# sendmail = "/usr/sbin/sendmail";
};


/*
 * The short explanation:
 *
 * This is where you define what ports/protocols to check for. You can have
 * multiple scanner blocks and then choose which users will get scanned by
 * which scanners further down.
 *
 * The long explanation:
 *
 * Scanner defines a virtual scanner. For each user being scanned, a scanner
 * will use a file descriptor (and subsequent connection) for each protocol.
 * Once connecting it will negotiate the proxy to connect to
 * target_ip:target_port (target_ip MUST be an IP address).
 *
 * Once connected, any data passed through the proxy will be checked to see if
 * target_string is contained within that data. If it is the proxy is
 * considered open. If the connection is closed at any point before
 * target_string is matched, or if at least max_read bytes are read from the
 * connection, the negotiation is considered failed.
 */
scanner {
 /*
 * Unique name of this scanner. This is used further down in the
 * user {} blocks to decide which users get affected by which
 * scanners.
 */
          
 name = "default";

 /*
 * HTTP CONNECT - very common proxy protocol supported by widely known
 * software such as Squid and Apache. The most common sort of
 * insecure proxy and found on a multitude of weird ports too. Offers
 * transparent two way TCP connections.
 */
 protocol = HTTP:80;
 protocol = HTTP:8080;
 protocol = HTTP:3128;
 protocol = HTTP:6588;

 /*
 * The SSL/TLS variant of HTTP
 */
# protocol = HTTPS:443;
# protocol = HTTPS:8443;

 /*
 * SOCKS4/5 - well known proxy protocols, probably the second most
 * common for insecure proxies, also offers transparent two way TCP
 * connections. Fortunately largely confined to port 1080.
 */
 protocol = SOCKS4:1080;
 protocol = SOCKS5:1080;

 /*
 * Cisco routers with a default password (yes, it really does happen).
 * Also pretty much anything else that will let you telnet to anywhere
 * else on the Internet. Fortunately these are always on port 23.
 */
 protocol = ROUTER:23;

 /*
 * WinGate is commercial windows proxy software which is now not so
 * common, but still to be found, and helpfully presents an interface
 * that can be used to telnet out, on port 23.
 */
 protocol = WINGATE:23;

 /*
 * Dreambox DVB receivers with a default password allowing
 * full root access to telnet or install bouncers.
 */
 protocol = DREAMBOX:23;

 /*
 * The HTTP POST protocol, often dismissed when writing the access
 * controls for proxies, but sadly can still be used to abused.
 * Offers only the opportunity to send a single block of data, but
 * enough of them at once can still make for a devastating flood.
 * Found on the same ports that HTTP CONNECT proxies inhabit.
 *
 * Note that if your ircd has "ping cookies" then clients from HTTP
 * POST proxies cannot actually ever get onto your network anyway. If
 * you leave the checks in then you'll still find some (because some
 * people IRC from boxes that run them), but if you use HOPM purely as
 * a protective measure and you have ping cookies, you need not scan
 * for HTTP POST.
 */
 protocol = HTTPPOST:80;

 /*
 * The SSL/TLS variant of HTTPPOST
 */
# protocol = HTTPSPOST:443;
# protocol = HTTPSPOST:8443;

 /*
 * IP address this scanner will bind to. Use this if you need your scans to
 * come FROM a particular interface on the machine you run HOPM from.
 * If you don't understand what this means, please leave this
 * commented out, as this is a major source of support queries!
 */
# vhost = "127.0.0.1";

 /*
 * Maximum file descriptors this scanner can use. Remember that there
 * will be one FD for each protocol listed above. As this example
 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
 * limit, this scanner can be used on 64 users _at the same time_.
 * That should be adequate for most servers.
 */
 fd = 512;

 /*
 * Maximum data read from a proxy before considering it closed. Don't
 * set this too high, some people have fun setting up lots of ports
 * that send endless data to tie up your scanner. 4KB is plenty for
 * any known proxy.
 */
 max_read = 4 kbytes;

 /*
 * Amount of time before a test is considered timed out.
 * Again, all but the poorest slowest proxies will be detected within
 * 30 seconds, and this helps keep resource usage low.
 */
 timeout = 30 seconds;

 /*
 * Target IP to tell the proxy to connect to
 *
 * !!! THIS MUST BE CHANGED !!!
 *
 * You cannot instruct the proxy to connect to itself! The easiest
 * thing to do would be to set this to the IP address of your ircd
 * and then keep the default target_strings.
 *
 * Please use an IP address that is publically reachable from anywhere
 * on the Internet, because you have no way of knowing where the insecure
 * proxies will be located. Just because you and your HOPM can
 * connect to your ircd on some private IP address like 192.168.0.1,
 * does not mean that the insecure proxies out there on the Internet will be
 * able to. And if they never connect, you will never detect them.
 *
 * Remember to change this setting for every scanner you configure.
 */
 target_ip = "127.0.0.1";

 /*
 * Target port to tell the proxy to connect to. This is usually
 * something like 6667. Basically any client-usable port.
 */
 target_port = 6660;

 /*
 * Target string we check for in the data read back by the scanner.
 * This should be some string out of the data that your ircd usually
 * sends on connect. Multiple target strings are allowed.
 *
 * NOTE: Try to keep the number of target strings to a minimum. Two
 *       should be fine. One for normal connections and one for throttled
 *       connections. Comment out any others for efficiency.
 */

 /*
 * Usually first line sent to client on connection to ircd.
 * If your ircd supports a more specific line (see below),
 * using it will reduce false positives.
 */
 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";

 /*
 * If you try to connect too fast, you'll be throttled by your own
 * ircd. Here's what a hybrid throttle message looks like:
 */
 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};


scanner {
 name = "extended";

 protocol = HTTP:81;
 protocol = HTTP:8000;
 protocol = HTTP:8001;
 protocol = HTTP:8081;

 protocol = HTTPPOST:81;
 protocol = HTTPPOST:6588;
 protocol = HTTPPOST:4480;
 protocol = HTTPPOST:8000;
 protocol = HTTPPOST:8001;
 protocol = HTTPPOST:8080;
 protocol = HTTPPOST:8081;

 /*
 * IRCnet have seen many socks5 on these ports, more than on the
 * standard ports even.
 */
 protocol = SOCKS4:4914;
 protocol = SOCKS4:6826;
 protocol = SOCKS4:7198;
 protocol = SOCKS4:7366;
 protocol = SOCKS4:9036;

 protocol = SOCKS5:4438;
 protocol = SOCKS5:5104;
 protocol = SOCKS5:5113;
 protocol = SOCKS5:5262;
 protocol = SOCKS5:5634;
 protocol = SOCKS5:6552;
 protocol = SOCKS5:6561;
 protocol = SOCKS5:7464;
 protocol = SOCKS5:7810;
 protocol = SOCKS5:8130;
 protocol = SOCKS5:8148;
 protocol = SOCKS5:8520;
 protocol = SOCKS5:8814;
 protocol = SOCKS5:9100;
 protocol = SOCKS5:9186;
 protocol = SOCKS5:9447;
 protocol = SOCKS5:9578;
 protocol = SOCKS5:10000;
 protocol = SOCKS5:64101;

 /*
 * These came courtsey of Keith Dunnett from a bunch of public open
 * proxy lists.
 */
 protocol = SOCKS4:29992;
 protocol = SOCKS4:38884;
 protocol = SOCKS4:18844;
 protocol = SOCKS4:17771;
 protocol = SOCKS4:31121;

 fd = 400;

 /*
 * If required you can add settings such as target_ip here
 * they will override the defaults set in the first scanner
 * for this and subsequent scanners defined in the config file
 * This affects the following options:
 * fd, vhost, target_ip, target_port, target_string, timeout and
 * max_read.
 */
};


/*
 * User blocks define what scanners will be used to scan which hostmasks.
 * When a user connects they will be scanned on every scanner {} (above)
 * that matches their host.
 */
user {
 /*
 * Users matching this host mask will be scanned with all the
 * protocols in the scanner named.
 */
 mask = "*!*@*";
 scanner = "default";
};

user {
 /*
 * Connections without ident will match on a vast number of connections
 * very few proxies run ident though
 */
# mask = "*!~*@*";
 mask = "*!squid@*";
 mask = "*!nobody@*";
 mask = "*!www-data@*";
 mask = "*!cache@*";
 mask = "*!CacheFlowS@*";
 mask = "*!*@*www*";
 mask = "*!*@*proxy*";
 mask = "*!*@*cache*";

 scanner = "extended";
};


/*
 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
 * HOPM will check each string against both the hostname and the IP address of
 * the user.
 *
 * There are very few valid reasons to actually use "exempt". HOPM should
 * never get false positives, and we would like to know very much if it does.
 * One possible scenario is that the machine HOPM runs from is specifically
 * authorized to use certain hosts as proxies, and users from those hosts use
 * your network. In this case, without exempt, HOPM will scan these hosts,
 * find itself able to use them as proxies, and ban them.
 */
exempt {
 mask = "*!*@127.0.0.1";
};


hopm.conf for ircu2.10.12-pk

Code:


/*
 * Hybrid Open Proxy Monitor - HOPM sample configuration
 *
 * Copyright (c) 2014-2017 ircd-hybrid development team
 *
 * $Id$
 */

/*
 * Shell style (#), C++ style (//) and C style comments are supported.
 *
 * Files may be included by either:
 *        .include "filename"
 *        .include <filename>
 *
 * Times/durations are written as:
 *        12 hours 30 minutes 1 second
 *
 * Valid units of time:
 *        year, month, week, day, hour, minute, second
 *
 * Valid units of size:
 *        megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
 *
 * Sizes and times may be singular or plural.
 */

options {
   /*
    * Full path and filename for storing the process ID of the running
    * HOPM.
    */
   pidfile = "/home/asher/hopm/var/run/hopm.pid";

   /*
    * Maximum commands to queue. Set to 0 if you don't want HOPM
    * to process commands.
    */
   command_queue_size = 64;

   /*
    * Interval to check command queue for timed out commands.
    */
   command_interval = 10 seconds;

   /*
    * Timeout of commands.
    */
   command_timeout = 180 seconds;

   /*
    * How long to store the IP address of hosts which are confirmed
    * (by previous scans) to be secure. New users from these
    * IP addresses will not be scanned again until this amount of time
    * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
    * DIRECTIVE, but it is provided due to demand.
    *
    * The main reason for not using this feature is that anyone capable
    * of running a proxy can get abusers onto your network - all they
    * need do is shut the proxy down, connect themselves, restart the
    * proxy, and tell their friends to come flood.
    *
    * Keep this directive commented out to disable negative caching.
    */
#   negcache = 1 hour;

   /*
    * How long between rebuilds of the negative cache. The negcache
    * is only rebuilt to free up memory used by entries that are too old.
    * You probably don't need to tweak this unless you have huge amounts
    * of people connecting (hundreds per minute). Default is 12 hours.
    */
   negcache_rebuild = 12 hours;

   /*
    * Amount of file descriptors to allocate to asynchronous DNS. 64
    * should be plenty for almost anyone.
    */
   dns_fdlimit = 64;

   /*
    * Amount of time the resolver waits until a response is received
    * from a name server.
    */
   dns_timeout = 5 seconds;

   /*
    * Put the full path and filename of a logfile here if you wish to log
    * every scan done. Normally HOPM only logs successfully detected
    * proxies in the hopm.log, but you may get abuse reports to your ISP
    * about portscanning. Being able to show that it was HOPM that did
    * the scan in question can be useful. Leave commented for no
    * logging.
    */
#   scanlog = "var/log/scan.log";
};


irc {
   /*
    * IP address to bind to for the IRC connection. You only need to
    * use this if you wish HOPM to use a particular interface
    * (virtual host, IP alias, ...) when connecting to the IRC server.
    * There is another "vhost" setting in the scan {} block below for
    * the actual portscans. Note that this directive expects an IP address,
    * not a hostname. Please leave this commented out if you do not
    * understand what it does, as most people don't need it.
    */
#   vhost = "0.0.0.0";

   /*
    * Nickname for HOPM to use.
    */
   nick = "MIRCX";

   /*
    * Text to appear in the "realname" field of HOPM's /whois output.
    */
   realname = "Hybrid Open Proxy Monitor";

   /*
    * If you don't have an identd running, what username to use.
    */
   username = "hopm";

   /*
    * Hostname (or IP address) of the IRC server which HOPM will monitor
    * connections on. IPv6 is now supported.
    */
   server = "192.168.1.14";

   /*
    * Password used to connect to the IRC server (PASS)
    */
#   password = "secret";

   /*
    * Port of the above server to connect to. This is what HOPM uses to
    * get onto IRC itself, it is nothing to do with what ports/protocols
    * are scanned, nor do you need to list every port your ircd listens
    * on.
    */
   port = 6661;

   /*
    * Defines time in which bot will timeout if no data is received
    */
   readtimeout = 15 minutes;

   /*
    * Interval in how often we try to reconnect to the IRC server
    */
   reconnectinterval = 30 seconds;

   /*
    * Command to execute to identify to NickServ (if your network uses
    * it). This is the raw IRC command text, and the below example
    * corresponds to "/msg nickserv identify password" in a client. If
    * you don't understand, just edit "password" in the line below to be
    * your HOPM's nick password. Leave commented out if you don't need
    * to identify to NickServ.
    */
   nickserv = "auth matrix a123456";

   /*
    * The username and password needed for HOPM to oper up.
    */
   oper = "darksis leetmoo";

   /*
    * Mode string that HOPM needs to set on itself as soon as it opers
    * up. This needs to include the mode for seeing connection notices,
    * otherwise HOPM won't scan anyone (that's usually umode +c).
    */
   mode = "+xs +16384";

   /*
    * If this is set then HOPM will use it as an /away message as soon as
    * it connects.
    */
   away = "I'm a bot. Your messages will be ignored.";

   /*
    * Info about channels you wish HOPM to join in order to accept
    * commands. HOPM will also print messages in these channels every
    * time it detects a proxy. Only IRC operators can command HOPM to do
    * anything, but some of the things HOPM reports to these channels
    * could be considered sensitive, so it's best not to put HOPM into
    * public channels.
    */
   channel {
      /*
       * Channel name. Local ("&") channels are supported if your ircd
       * supports them.
       */
      name = "#hopm";

      /*
       * If HOPM will need to use a key to enter this channel, this is
       * where you specify it.
       */
#      key = "somekey";

      /*
       * If you use ChanServ then maybe you want to set the channel
       * invite-only and have each HOPM do "/msg ChanServ invite" to get
       * itself in. Leave commented if you don't, or if this makes no
       * sense to you.
       */
#      invite = "ChanServ INVITE #mIRCx MIRCX";
   };

   
     /*
    * You can define a bunch of channels if you want:
    *
    * channel { name = "#mIRCx"; }; channel { name= "#channel"; }
    */
                channel { name = "#mIRCx";
                };
   /*
    * connregex is a POSIX regular expression used to parse connection
    * notices from the ircd. The complexity of the expression should
    * be kept to a minimum.
    *
    * Items in order MUST be: nick user host IP
    *
    * HOPM will not work with ircds which do not send an IP address in the
    * connection notice.
    *
    * This is fairly complicated stuff, and the consequences of getting
    * it wrong are the HOPM does not scan anyone. Unless you know
    * absolutely what you are doing, please just uncomment the example
    * below that best matches the type of ircd you use.
    */

   /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
   connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";
              connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
   /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
#   connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

   /* UnrealIRCd 4.0.x */
#   connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

   /* InspIRCd */
#   connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-fA-F\\.:]+)\\) \\[.*\\]";

   /* ngIRCd */
#   connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";

   /*
    * "kline" controls the command used when an open proxy is confirmed.
    * We suggest applying a temporary (no more than a few hours) KLINE on the host.
    *
    * <WARNING>
    * Make sure if you need to change this string you also change the
    * kline command for every DNSBL you enable below.
    *
    * Also note that some servers do not allow you to include ':' characters
    * inside the KLINE message (e.g. for a http:// address).
    *
    * Users rewriting this message into something that isn't even a valid
    * IRC command is the single most common cause of support requests and
    * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
    * KLINE COMMANDS BELOW.
    * </WARNING>
    *
    * That said, should you wish to customise this text, several
    * printf-like placeholders are available:
    *
    *  %n    User's nick
    *  %u    User's username
    *  %h    User's irc hostname
    *  %i    User's IP address
    *  %t    Protocol type which has triggered a positive scan
    */
   kline = "KLINE 180 *@%h :Open proxy found on your host.";

   /* A GLINE example for ircu */
#   kline = "GLINE +*@%i 1800 :Open proxy found on your host.";

   /*
    * An AKILL example for services with OperServ. Your HOPM must have permission to
    * AKILL for this to work!
    */
#   kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";

   /*
    * Text to send on connection, these can be stacked and will be sent in this order.
    *
    * !!! UNREAL USERS PLEASE NOTE !!!
    * Unreal users will need PROTOCTL HCN to force hybrid connect
    * notices.
    *
    * Yes Unreal users!  That means you!  That means you need the line
    * below!  See that thing at the start of the line?  That's what we
    * call a comment!  Remove it to UNcomment the line.
    *
    * Note that this is no longer needed as of UnrealIRCd 4.0.0.
    */
   perform = "PROTOCTL HCN";

   /*
    * Text to send, via NOTICE, immediately when a new client connects. These can be
    * stacked and will be sent in this order.
    */
   notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
};


/*
 * OPM Block defines blacklists and information required to report new proxies
 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
 * file. There are several blacklist that list IP addresses known to be open
 * proxies or other forms of IRC abuse. By checking against these blacklists,
 * HOPMs are able to ban known sources of abuse without completely scanning them.
 */
OPM {
   /*
    * Blacklist zones to check IPs against. If you would rather not
    * trust a remotely managed blacklist, you could set up your own, or
    * leave these commented out in which case every user will be
    * scanned. The use of at least one open proxy DNSBL is recommended
    * however.
    *
    * Please check the policies of each blacklist you use to check you
    * are comfortable with using them to block access to your server
    * (and that you are allowed to use them).
    */


   /* dnsbl.dronebl.org - http://dronebl.org */
   blacklist {
      /* The DNS name of the blacklist */
      name = "dnsbl.dronebl.org";

      /*
       * Address families that are supported by the blacklist. Default is 'ipv4'.
       */
      address_family = ipv4;

      /*
       * There are only two values that are valid for this
       * "A record bitmask" and "A record reply"
       * These options affect how the values specified to reply
       * below will be interpreted, a bitmask is where the reply
       * values are 2^n and more than one is added up, a reply is
       * simply where the last octet of the IP address is that number.
       * If you are not sure then the values set for dnsbl.dronebl.org
       * will work without any changes.
       */
      type = "A record bitmask";

      /*
       * Kline types not listed in the reply list below.
       *
       * For DNSBLs that are not IRC specific and you just wish to kline
       * certain types this can be enabled/disabled.
       */
      ban_unknown = yes;

      /*
       * The actual values returned by the dnsbl.dronebl.org blacklist as
       * documented at http://dronebl.org/docs/howtouse
       */
      reply {
         2 = "Sample data used for heuristical analysis";
         3 = "IRC spam drone (litmus/sdbot/fyle)";
         5 = "Bottler (experimental)";
         6 = "Unknown worm or spambot";
         7 = "DDoS drone";
         8 = "Open SOCKS proxy";
         9 = "Open HTTP proxy";
         10 = "ProxyChain";
         11 = "Web Page Proxy";
         12 = "Open DNS Resolver";
         13 = "Automated dictionary attacks";
         14 = "Open WINGATE proxy";
         15 = "Compromised router / gateway";
         16 = "Autorooting worms";
         17 = "Automatically determined botnet IPs (experimental)";
         18 = "DNS/MX type hostname detected on IRC";
         255 = "Uncategorized threat class";
      };

      /*
       * The kline message sent for this specific blacklist, remember to put
       * the removal method in this.
       */
      kline = "GLINE +*@%i * 86400 :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
   };


   /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
#   blacklist {
#      name = "tor.dnsbl.sectoor.de";
#      type = "A record reply";
#      ban_unknown = no;

#      reply {
#         1 = "Tor exit server";
#      };

#      kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
#   };

   /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
   blacklist {
      name = "rbl.efnetrbl.org";
      type = "A record bitmask";
      ban_unknown = yes;

      reply {
         1 = "Open proxy";
         2 = "spamtrap666";
         3 = "spamtrap50";
         4 = "TOR";
         5 = "Drones / Flooding";
      };

      kline = "GLINE +*@%i * 86400 :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
   };



   /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
#   blacklist {
#      name = "tor.efnetrbl.org";
#      type = "A record reply";
#      ban_unknown = no;

#      reply {
#         1 = "TOR";
#      };

#      kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
#   };

   /*
    * You can report the insecure proxies you find to a DNSBL also!
    * The remaining directives in this section are only needed if you
    * intend to do this. Reports are sent by email, one email per IP
    * address. The format does support multiple addresses in one email,
    * but we don't know of any servers that are detecting enough insecure
    * proxies for this to be really necessary.
    */

   /*
    * Email address to send reports FROM. If you intend to send reports,
    * please pick an email address that we can actually send mail to
    * should we ever need to contact you.
    */
#   dnsbl_from = "mybopm@myserver.org";

   /*
    * Email address to send reports TO.
    * For example DroneBL:
    */
#   dnsbl_to = "bopm-report@dronebl.org";

   /*
    * Full path to your sendmail binary. Even if your system does not
    * use sendmail, it probably does have a binary called "sendmail"
    * present in /usr/sbin or /usr/lib. If you don't set this, no
    * proxies will be reported.
    */
#   sendmail = "/usr/sbin/sendmail";
};


/*
 * The short explanation:
 *
 * This is where you define what ports/protocols to check for. You can have
 * multiple scanner blocks and then choose which users will get scanned by
 * which scanners further down.
 *
 * The long explanation:
 *
 * Scanner defines a virtual scanner. For each user being scanned, a scanner
 * will use a file descriptor (and subsequent connection) for each protocol.
 * Once connecting it will negotiate the proxy to connect to
 * target_ip:target_port (target_ip MUST be an IP address).
 *
 * Once connected, any data passed through the proxy will be checked to see if
 * target_string is contained within that data. If it is the proxy is
 * considered open. If the connection is closed at any point before
 * target_string is matched, or if at least max_read bytes are read from the
 * connection, the negotiation is considered failed.
 */
scanner {
   /*
    * Unique name of this scanner. This is used further down in the
    * user {} blocks to decide which users get affected by which
    * scanners.
    */
   name = "default";

   /*
    * HTTP CONNECT - very common proxy protocol supported by widely known
    * software such as Squid and Apache. The most common sort of
    * insecure proxy and found on a multitude of weird ports too. Offers
    * transparent two way TCP connections.
    */
   protocol = HTTP:80;
   protocol = HTTP:8080;
   protocol = HTTP:3128;
   protocol = HTTP:6588;

   /*
    * The SSL/TLS variant of HTTP
    */
#   protocol = HTTPS:443;
#   protocol = HTTPS:8443;

   /*
    * SOCKS4/5 - well known proxy protocols, probably the second most
    * common for insecure proxies, also offers transparent two way TCP
    * connections. Fortunately largely confined to port 1080.
    */
   protocol = SOCKS4:1080;
   protocol = SOCKS5:1080;

   /*
    * Cisco routers with a default password (yes, it really does happen).
    * Also pretty much anything else that will let you telnet to anywhere
    * else on the Internet. Fortunately these are always on port 23.
    */
   protocol = ROUTER:23;

   /*
    * WinGate is commercial windows proxy software which is now not so
    * common, but still to be found, and helpfully presents an interface
    * that can be used to telnet out, on port 23.
    */
   protocol = WINGATE:23;

   /*
    * Dreambox DVB receivers with a default password allowing
    * full root access to telnet or install bouncers.
    */
   protocol = DREAMBOX:23;

   /*
    * The HTTP POST protocol, often dismissed when writing the access
    * controls for proxies, but sadly can still be used to abused.
    * Offers only the opportunity to send a single block of data, but
    * enough of them at once can still make for a devastating flood.
    * Found on the same ports that HTTP CONNECT proxies inhabit.
    *
    * Note that if your ircd has "ping cookies" then clients from HTTP
    * POST proxies cannot actually ever get onto your network anyway. If
    * you leave the checks in then you'll still find some (because some
    * people IRC from boxes that run them), but if you use HOPM purely as
    * a protective measure and you have ping cookies, you need not scan
    * for HTTP POST.
    */
   protocol = HTTPPOST:80;

   /*
    * The SSL/TLS variant of HTTPPOST
    */
#   protocol = HTTPSPOST:443;
#   protocol = HTTPSPOST:8443;

   /*
    * IP address this scanner will bind to. Use this if you need your scans to
    * come FROM a particular interface on the machine you run HOPM from.
    * If you don't understand what this means, please leave this
    * commented out, as this is a major source of support queries!
    */
#   vhost = "127.0.0.1";

   /*
    * Maximum file descriptors this scanner can use. Remember that there
    * will be one FD for each protocol listed above. As this example
    * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
    * limit, this scanner can be used on 64 users _at the same time_.
    * That should be adequate for most servers.
    */
   fd = 512;

   /*
    * Maximum data read from a proxy before considering it closed. Don't
    * set this too high, some people have fun setting up lots of ports
    * that send endless data to tie up your scanner. 4KB is plenty for
    * any known proxy.
    */
   max_read = 4 kbytes;

   /*
    * Amount of time before a test is considered timed out.
    * Again, all but the poorest slowest proxies will be detected within
    * 30 seconds, and this helps keep resource usage low.
    */
   timeout = 30 seconds;

   /*
    * Target IP to tell the proxy to connect to
    *
    * !!! THIS MUST BE CHANGED !!!
    *
    * You cannot instruct the proxy to connect to itself! The easiest
    * thing to do would be to set this to the IP address of your ircd
    * and then keep the default target_strings.
    *
    * Please use an IP address that is publically reachable from anywhere
    * on the Internet, because you have no way of knowing where the insecure
    * proxies will be located. Just because you and your HOPM can
    * connect to your ircd on some private IP address like 192.168.0.1,
    * does not mean that the insecure proxies out there on the Internet will be
    * able to. And if they never connect, you will never detect them.
    *
    * Remember to change this setting for every scanner you configure.
    */
   target_ip = "127.0.0.1";

   /*
    * Target port to tell the proxy to connect to. This is usually
    * something like 6667. Basically any client-usable port.
    */
   target_port = 6660;

   /*
    * Target string we check for in the data read back by the scanner.
    * This should be some string out of the data that your ircd usually
    * sends on connect. Multiple target strings are allowed.
    *
    * NOTE: Try to keep the number of target strings to a minimum. Two
    *      should be fine. One for normal connections and one for throttled
    *      connections. Comment out any others for efficiency.
    */

   /*
    * Usually first line sent to client on connection to ircd.
    * If your ircd supports a more specific line (see below),
    * using it will reduce false positives.
    */
   target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";

   /*
    * If you try to connect too fast, you'll be throttled by your own
    * ircd. Here's what a hybrid throttle message looks like:
    */
   target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};


scanner {
   name = "extended";

   protocol = HTTP:81;
   protocol = HTTP:8000;
   protocol = HTTP:8001;
   protocol = HTTP:8081;

   protocol = HTTPPOST:81;
   protocol = HTTPPOST:6588;
   protocol = HTTPPOST:4480;
   protocol = HTTPPOST:8000;
   protocol = HTTPPOST:8001;
   protocol = HTTPPOST:8080;
   protocol = HTTPPOST:8081;

   /*
    * IRCnet have seen many socks5 on these ports, more than on the
    * standard ports even.
    */
   protocol = SOCKS4:4914;
   protocol = SOCKS4:6826;
   protocol = SOCKS4:7198;
   protocol = SOCKS4:7366;
   protocol = SOCKS4:9036;

   protocol = SOCKS5:4438;
   protocol = SOCKS5:5104;
   protocol = SOCKS5:5113;
   protocol = SOCKS5:5262;
   protocol = SOCKS5:5634;
   protocol = SOCKS5:6552;
   protocol = SOCKS5:6561;
   protocol = SOCKS5:7464;
   protocol = SOCKS5:7810;
   protocol = SOCKS5:8130;
   protocol = SOCKS5:8148;
   protocol = SOCKS5:8520;
   protocol = SOCKS5:8814;
   protocol = SOCKS5:9100;
   protocol = SOCKS5:9186;
   protocol = SOCKS5:9447;
   protocol = SOCKS5:9578;
   protocol = SOCKS5:10000;
   protocol = SOCKS5:64101;

   /*
    * These came courtsey of Keith Dunnett from a bunch of public open
    * proxy lists.
    */
   protocol = SOCKS4:29992;
   protocol = SOCKS4:38884;
   protocol = SOCKS4:18844;
   protocol = SOCKS4:17771;
   protocol = SOCKS4:31121;

   fd = 400;

   /*
    * If required you can add settings such as target_ip here
    * they will override the defaults set in the first scanner
    * for this and subsequent scanners defined in the config file
    * This affects the following options:
    * fd, vhost, target_ip, target_port, target_string, timeout and
    * max_read.
    */
};


/*
 * User blocks define what scanners will be used to scan which hostmasks.
 * When a user connects they will be scanned on every scanner {} (above)
 * that matches their host.
 */
user {
   /*
    * Users matching this host mask will be scanned with all the
    * protocols in the scanner named.
    */
   mask = "*!*@*";
   scanner = "default";
};

user {
   /*
    * Connections without ident will match on a vast number of connections
    * very few proxies run ident though
    */
#   mask = "*!~*@*";
   mask = "*!squid@*";
   mask = "*!nobody@*";
   mask = "*!www-data@*";
   mask = "*!cache@*";
   mask = "*!CacheFlowS@*";
   mask = "*!*@*www*";
   mask = "*!*@*proxy*";
   mask = "*!*@*cache*";

   scanner = "extended";
};


/*
 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
 * HOPM will check each string against both the hostname and the IP address of
 * the user.
 *
 * There are very few valid reasons to actually use "exempt". HOPM should
 * never get false positives, and we would like to know very much if it does.
 * One possible scenario is that the machine HOPM runs from is specifically
 * authorized to use certain hosts as proxies, and users from those hosts use
 * your network. In this case, without exempt, HOPM will scan these hosts,
 * find itself able to use them as proxies, and ban them.
 */
exempt {
   mask = "*!*@127.0.0.1";
};


מדריך זה נכתב על ידי ASHER
בהצלחה בהתקנה