./configure has a few options which you might need:
- --prefix Sets the root of HOPM's install. By default this
+ --prefix Sets the root of HOPM's install. By default this
is $HOME/hopm, with binaries going in
$HOME/hopm/bin, config in $HOME/hopm/etc and logs
in $HOME/hopm/var.
- --bindir Specify the place to install binaries. By default
+ --bindir Specify the place to install binaries. By default
this is $PREFIX/bin. (see --prefix, above)
--localstatedir Specify the place where logs and PID files will be
- kept. By default this is $PREFIX/var. (see
+ kept. By default this is $PREFIX/var. (see
--prefix, above)
configure has many other options, see ./configure --help for more
details.
There are some further options in options.h which may be moved to
- configure at some point. If you think you need to change these then we
+ configure at some point. If you think you need to change these then we
assume you've read the code and know why.
Compilation of HOPM requires GNU Make (usually 'gmake' on BSD systems).
Configuration
-------------
- Edit hopm.conf as needed. Most options are self explanatory and
+ Edit hopm.conf as needed. Most options are self explanatory and
contain a short description.
Please take note of the target_string, this is new in version 2 onward and may be
- different for your ircd. Because we now check that we really have
+ different for your ircd. Because we now check that we really have
connected back onto IRC, HOPM needs to be told what your ircd says during
- the first part of a connection. If you're not sure, the best thing to do
+ the first part of a connection. If you're not sure, the best thing to do
is telnet to your ircd from your shell, e.g.:
[miwob@svn ~]$ telnet irc.ircd-hybrid.org 6667
reasons).
If you don't run an ircd at all (some people are using bopchecker for spam
- checking, etc.) then you're going to have to use a bit of ingenuity. You
+ checking, etc.) then you're going to have to use a bit of ingenuity. You
basically need any port on your own machine that responds with a plain text
challenge that is unlikely to appear anywhere else.
- NNTP servers are good examples because they give a banner. Don't be
+ NNTP servers are good examples because they give a banner. Don't be
tempted to use port 25 (SMTP) because although it looks like just what you
want, too many networks transparent proxy outgoing port 25 connections to
their own smart host, so you'll miss many proxies.
The same applies if you run some kind of ircd that has no form of
- banner at all (ircnet??). Worst case is you'll need to make something
+ banner at all (ircnet??). Worst case is you'll need to make something
listen on one of your ports that gives some predictable string.
Remember that your users might run their own ircd on some typical proxy
- port like 8080! If you can, put a banner in that contains your own
+ port like 8080! If you can, put a banner in that contains your own
server name, so that it is unlikely to be duplicated.
---------
You can run HOPM from any directory, the path to its config file is
- compiled into it. The bot will fork and connect to the IRC server
- immediately. Any errors and debug information can be found in
+ compiled into it. The bot will fork and connect to the IRC server
+ immediately. Any errors and debug information can be found in
$PREFIX/var/hopm.log.
You can tell HOPM to use a different config file with the -c argument,
this works the same way that wgmon's -c argument does, just give the name
- of the config file not including the ".conf". This also affects the log
+ of the config file not including the ".conf". This also affects the log
and PID files i.e. ./hopm -c myserver will read from myserver.conf, log to
- myserver.log and write PID to myserver.pid. If you do not use -c, the
- files hopm.conf, hopm.log and hopm.pid will be used by default. This can
- be altered in options.h. This is useful for running multiple HOPM on
+ myserver.log and write PID to myserver.pid. If you do not use -c, the
+ files hopm.conf, hopm.log and hopm.pid will be used by default. This can
+ be altered in options.h. This is useful for running multiple HOPM on
the same host.
- Further debugging can be enabled by using one or more -d switches. One or
+ Further debugging can be enabled by using one or more -d switches. One or
more -d switches will cause the bot to not fork on startup, and it will
send all log messages to stederr (i.e., your terminal) instead of its
- logfile. It will also cause extra debugging information that is not
- normally of interest to be sent to stderr. Two or more -d switches will
+ logfile. It will also cause extra debugging information that is not
+ normally of interest to be sent to stderr. Two or more -d switches will
enable logging of all IRC traffic received and sent.
The -c and -d arguments may appear in any order.
------------
HOPM (Hybrid Open Proxy Monitor) is an open proxy monitoring bot designed for
-Hybrid based ircds. The bot is designed to monitor an individual server (all
+Hybrid based ircds. The bot is designed to monitor an individual server (all
servers on the network have to run their own bot) with a local operator {}
-block and monitor connections. When a client connects to the server, HOPM will
-scan the connection for insecure proxies. Insecure proxies are determined by
+block and monitor connections. When a client connects to the server, HOPM will
+scan the connection for insecure proxies. Insecure proxies are determined by
attempting to connect the proxy back to another host (usually the IRC server in
question).
-HOPM is written ground-up in C language, concept derived from wgmon. It
+HOPM is written ground-up in C language, concept derived from wgmon. It
improves on wgmon with HTTP support, faster scanning (it can scan clients
simultaneously), better layout (scalability), and dnsbl support.
o An IRCd which presents connection notices in a format which HOPM
recognises (see below).
-o A host with full connectivity for all the ports you wish to scan. i.e. is
+o A host with full connectivity for all the ports you wish to scan. i.e. is
NOT transparently proxied -- many domestic internet connections have port 80
transparently proxied and this produces completely unpredictable results,
sometimes as severe as 100% of clients being K:lined!
ircd-hybrid 8.2.1
-HOPM is designed for ircd-hybrid based ircds. It is easily suitable for any
+HOPM is designed for ircd-hybrid based ircds. It is easily suitable for any
other ircd with little modification (connregex in hopm.conf). However, if an
ircd does not send IP addresses in a connection notice, HOPM will not be
effective because the time it takes to resolve a hostname would be a
Command Line Options
--------------------
--c <name> Config name. By default HOPM reads hopm.conf, "-c foo"
- will cause HOPM to read foo.conf. The primary use for
+-c <name> Config name. By default HOPM reads hopm.conf, "-c foo"
+ will cause HOPM to read foo.conf. The primary use for
this is to run multiple HOPMs from one directory.
--d Debug mode. HOPM will not fork, and will write logs to stderr.
+-d Debug mode. HOPM will not fork, and will write logs to stderr.
Multiple -d increase debug level.
-------
Once started, HOPM logs all significant events to a file called "hopm.log"
-which by default can be found at $HOME/hopm/var/hopm.log. There is also a
+which by default can be found at $HOME/hopm/var/hopm.log. There is also a
config option to log all proxy scans initiated, which can be quite useful if
you receive an abuse report related to portscanning.
-These log files, especially the scan log, can grow quite large. It is
-suggested that you arrange for these files to be rotated periodically. An
-example shell script is provided in the contrib/logrotate directory. If you
+These log files, especially the scan log, can grow quite large. It is
+suggested that you arrange for these files to be rotated periodically. An
+example shell script is provided in the contrib/logrotate directory. If you
prefer to use the log rotation facilities of your operating system then you
should send a USR1 signal to HOPM after moving its logfiles - this will cause
HOPM to reopen those files.
/*
* How long to store the IP address of hosts which are confirmed
- * (by previous scans) to be secure. New users from these
+ * (by previous scans) to be secure. New users from these
* IP addresses will not be scanned again until this amount of time
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
* DIRECTIVE, but it is provided due to demand.
# negcache = 1 hour;
/*
- * Amount of file descriptors to allocate to asynchronous DNS. 64
+ * Amount of file descriptors to allocate to asynchronous DNS. 64
* should be plenty for almost anyone.
*/
dns_fdlimit = 64;
/*
* Put the full path and filename of a logfile here if you wish to log
- * every scan done. Normally HOPM only logs successfully detected
+ * every scan done. Normally HOPM only logs successfully detected
* proxies in the hopm.log, but you may get abuse reports to your ISP
- * about portscanning. Being able to show that it was HOPM that did
- * the scan in question can be useful. Leave commented for no
+ * about portscanning. Being able to show that it was HOPM that did
+ * the scan in question can be useful. Leave commented for no
* logging.
*/
# scanlog = "/some/path/var/scan.log";
irc {
/*
- * IP to bind to for the IRC connection. You only need to use this if
+ * IP to bind to for the IRC connection. You only need to use this if
* you wish HOPM to use a particular interface (virtual host, IP
- * alias, ...) when connecting to the IRC server. There is another
+ * alias, ...) when connecting to the IRC server. There is another
* "vhost" setting in the scan {} block below for the actual
- * portscans. Note that this directive expects an IP address, not a
- * hostname. Please leave this commented out if you do not
+ * portscans. Note that this directive expects an IP address, not a
+ * hostname. Please leave this commented out if you do not
* understand what it does, as most people don't need it.
*/
# vhost = "0.0.0.0";
# password = "secret";
/*
- * Port of the above server to connect to. This is what HOPM uses to
+ * Port of the above server to connect to. This is what HOPM uses to
* get onto IRC itself, it is nothing to do with what ports/protocols
* are scanned, nor do you need to list every port your ircd listens
* on.
/*
* Command to execute to identify to NickServ (if your network uses
- * it). This is the raw IRC command text, and the below example
- * corresponds to "/msg nickserv identify password" in a client. If
+ * it). This is the raw IRC command text, and the below example
+ * corresponds to "/msg nickserv identify password" in a client. If
* you don't understand, just edit "password" in the line below to be
- * your HOPM's nick password. Leave commented out if you don't need
+ * your HOPM's nick password. Leave commented out if you don't need
* to identify to NickServ.
*/
# nickserv = "NS IDENTIFY password";
/*
* Mode string that HOPM needs to set on itself as soon as it opers
- * up. This needs to include the mode for seeing connection notices,
+ * up. This needs to include the mode for seeing connection notices,
* otherwise HOPM won't scan anyone (that's usually umode +c).
*/
mode = "+c";
/*
* Info about channels you wish HOPM to join in order to accept
- * commands. HOPM will also print messages in these channels every
- * time it detects a proxy. Only IRC operators can command HOPM to do
+ * commands. HOPM will also print messages in these channels every
+ * time it detects a proxy. Only IRC operators can command HOPM to do
* anything, but some of the things HOPM reports to these channels
* could be considered sensitive, so it's best not to put HOPM into
* public channels.
*/
channel {
/*
- * Channel name. Local ("&") channels are supported if your ircd
+ * Channel name. Local ("&") channels are supported if your ircd
* supports them.
*/
name = "#hopm";
/*
* If you use ChanServ then maybe you want to set the channel
* invite-only and have each HOPM do "/msg ChanServ invite" to get
- * itself in. Leave commented if you don't, or if this makes no
+ * itself in. Leave commented if you don't, or if this makes no
* sense to you.
*/
# invite = "CS INVITE #hopm";
* connection notice.
*
* This is fairly complicated stuff, and the consequences of getting
- * it wrong are the HOPM does not scan anyone. Unless you know
+ * it wrong are the HOPM does not scan anyone. Unless you know
* absolutely what you are doing, please just uncomment the example
* below that best matches the type of ircd you use.
*/
/*
* OPM Block defines blacklists and information required to report new proxies
- * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
+ * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
* file. There are several blacklist that list IP addresses known to be open
* proxies or other forms of IRC abuse. By checking against these blacklists,
* HOPMs are able to ban known sources of abuse without completely scanning them.
*/
opm {
/*
- * Blacklist zones to check IPs against. If you would rather not
+ * Blacklist zones to check IPs against. If you would rather not
* trust a remotely managed blacklist, you could set up your own, or
* leave these commented out in which case every user will be
* scanned. The use of at least one open proxy DNSBL is recommended
/*
* You can report the insecure proxies you find to a DNSBL also!
* The remaining directives in this section are only needed if you
- * intend to do this. Reports are sent by email, one email per IP
- * address. The format does support multiple addresses in one email,
+ * intend to do this. Reports are sent by email, one email per IP
+ * address. The format does support multiple addresses in one email,
* but we don't know of any servers that are detecting enough insecure
* proxies for this to be really necessary.
*/
/*
- * Email address to send reports FROM. If you intend to send reports,
+ * Email address to send reports FROM. If you intend to send reports,
* please pick an email address that we can actually send mail to
* should we ever need to contact you.
*/
# dnsbl_to = "bopm-report@dronebl.org";
/*
- * Full path to your sendmail binary. Even if your system does not
+ * Full path to your sendmail binary. Even if your system does not
* use sendmail, it probably does have a binary called "sendmail"
- * present in /usr/sbin or /usr/lib. If you don't set this, no
+ * present in /usr/sbin or /usr/lib. If you don't set this, no
* proxies will be reported.
*/
# sendmail = "/usr/sbin/sendmail";
/*
* The short explanation:
*
- * This is where you define what ports/protocols to check for. You can have
+ * This is where you define what ports/protocols to check for. You can have
* multiple scanner blocks and then choose which users will get scanned by
* which scanners further down.
*
* The long explanation:
*
- * Scanner defines a virtual scanner. For each user being scanned, a scanner
+ * Scanner defines a virtual scanner. For each user being scanned, a scanner
* will use a file descriptor (and subsequent connection) for each protocol.
* Once connecting it will negotiate the proxy to connect to
* target_ip:target_port (target_ip MUST be an IP).
*
* Once connected, any data passed through the proxy will be checked to see if
- * target_string is contained within that data. If it is the proxy is
+ * target_string is contained within that data. If it is the proxy is
* considered open. If the connection is closed at any point before
* target_string is matched, or if at least max_read bytes are read from the
* connection, the negotiation is considered failed.
scanner {
/*
- * Unique name of this scanner. This is used further down in the
+ * Unique name of this scanner. This is used further down in the
* user {} blocks to decide which users get affected by which
* scanners.
*/
/*
* HTTP CONNECT - very common proxy protocol supported by widely known
- * software such as Squid and Apache. The most common sort of
- * insecure proxy and found on a multitude of weird ports too. Offers
+ * software such as Squid and Apache. The most common sort of
+ * insecure proxy and found on a multitude of weird ports too. Offers
* transparent two way TCP connections.
*/
protocol = HTTP:80;
/*
* SOCKS4/5 - well known proxy protocols, probably the second most
* common for insecure proxies, also offers transparent two way TCP
- * connections. Fortunately largely confined to port 1080.
+ * connections. Fortunately largely confined to port 1080.
*/
protocol = SOCKS4:1080;
protocol = SOCKS5:1080;
/*
* Cisco routers with a default password (yes, it really does happen).
* Also pretty much anything else that will let you telnet to anywhere
- * else on the internet. Fortunately these are always on port 23.
+ * else on the internet. Fortunately these are always on port 23.
*/
protocol = ROUTER:23;
* Found on the same ports that HTTP CONNECT proxies inhabit.
*
* Note that if your ircd has "ping cookies" then clients from HTTP
- * POST proxies cannot actually ever get onto your network anyway. If
+ * POST proxies cannot actually ever get onto your network anyway. If
* you leave the checks in then you'll still find some (because some
* people IRC from boxes that run them), but if you use HOPM purely as
* a protective measure and you have ping cookies, you need not scan
protocol = HTTPPOST:80;
/*
- * IP this scanner will bind to. Use this if you need your scans to
+ * IP this scanner will bind to. Use this if you need your scans to
* come FROM a particular interface on the machine you run HOPM from.
* If you don't understand what this means, please leave this
* commented out, as this is a major source of support queries!
*/
# vhost = "127.0.0.1";
- /* Maximum file descriptors this scanner can use. Remember that there
- * will be one FD for each protocol listed above. As this example
- * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
+ /* Maximum file descriptors this scanner can use. Remember that there
+ * will be one FD for each protocol listed above. As this example
+ * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
* limit, this scanner can be used on 64 users _at the same time_.
* That should be adequate for most servers.
*/
fd = 512;
/*
- * Maximum data read from a proxy before considering it closed. Don't
+ * Maximum data read from a proxy before considering it closed. Don't
* set this too high, some people have fun setting up lots of ports
- * that send endless data to tie up your scanner. 4KB is plenty for
+ * that send endless data to tie up your scanner. 4KB is plenty for
* any known proxy.
*/
max_read = 4kb;
*
* Please use an IP that is publically reachable from anywhere on the
* Internet, because you have no way of knowing where the insecure
- * proxies will be located. Just because you and your HOPM can
+ * proxies will be located. Just because you and your HOPM can
* connect to your ircd on some private IP like 192.168.0.1, does not
* mean that the insecure proxies out there on the Internet will be
- * able to. And if they never connect, you will never detect them.
+ * able to. And if they never connect, you will never detect them.
*
* Remember to change this setting for every scanner you configure.
*/
target_ip = "127.0.0.1";
/*
- * Target port to tell the proxy to connect to. This is usually
- * something like 6667. Basically any client-usable port.
+ * Target port to tell the proxy to connect to. This is usually
+ * something like 6667. Basically any client-usable port.
*/
target_port = 6667;
/*
* Target string we check for in the data read back by the scanner.
* This should be some string out of the data that your ircd usually
- * sends on connect. The example below will work on most
- * hybrid/bahamut ircds. Multiple target strings are allowed.
+ * sends on connect. The example below will work on most
+ * hybrid/bahamut ircds. Multiple target strings are allowed.
*
* NOTE: Try to keep the number of target strings to a minimum. Two
* should be fine. One for normal connections and one for throttled
/*
* If you try to connect too fast, you'll be throttled by your own
- * ircd. Here's what a hybrid throttle message looks like:
+ * ircd. Here's what a hybrid throttle message looks like:
*/
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};
* HOPM will check each string against both the hostname and the IP address of
* the user.
*
- * There are very few valid reasons to actually use "exempt". HOPM should
+ * There are very few valid reasons to actually use "exempt". HOPM should
* never get false positives, and we would like to know very much if it does.
* One possible scenario is that the machine HOPM runs from is specifically
* authorized to use certain hosts as proxies, and users from those hosts use
- * your network. In this case, without exempt, HOPM will scan these hosts,
+ * your network. In this case, without exempt, HOPM will scan these hosts,
* find itself able to use them as proxies, and ban them.
*/
exempt {
projects / hopm.git / commitdiff