· 6 years ago · Sep 14, 2019, 10:12 AM
1/*
2 * Hybrid Open Proxy Monitor - HOPM sample configuration
3 *
4 * Copyright (c) 2014-2017 ircd-hybrid development team
5 *
6 * $Id$
7 */
8
9/*
10 * Shell style (#), C++ style (//) and C style comments are supported.
11 *
12 * Files may be included by either:
13 * .include "filename"
14 * .include <filename>
15 *
16 * Times/durations are written as:
17 * 12 hours 30 minutes 1 second
18 *
19 * Valid units of time:
20 * year, month, week, day, hour, minute, second
21 *
22 * Valid units of size:
23 * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
24 *
25 * Sizes and times may be singular or plural.
26 */
27
28options {
29 /*
30 * Full path and filename for storing the process ID of the running
31 * HOPM.
32 */
33 pidfile = "/home/bmt/hopm/var/run/hopm.pid";
34
35 /*
36 * Maximum commands to queue. Set to 0 if you don't want HOPM
37 * to process commands.
38 */
39 command_queue_size = 64;
40
41 /*
42 * Interval to check command queue for timed out commands.
43 */
44 command_interval = 10 seconds;
45
46 /*
47 * Timeout of commands.
48 */
49 command_timeout = 180 seconds;
50
51 /*
52 * How long to store the IP address of hosts which are confirmed
53 * (by previous scans) to be secure. New users from these
54 * IP addresses will not be scanned again until this amount of time
55 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
56 * DIRECTIVE, but it is provided due to demand.
57 *
58 * The main reason for not using this feature is that anyone capable
59 * of running a proxy can get abusers onto your network - all they
60 * need do is shut the proxy down, connect themselves, restart the
61 * proxy, and tell their friends to come flood.
62 *
63 * Keep this directive commented out to disable negative caching.
64 */
65# negcache = 1 hour;
66
67 /*
68 * How long between rebuilds of the negative cache. The negcache
69 * is only rebuilt to free up memory used by entries that are too old.
70 * You probably don't need to tweak this unless you have huge amounts
71 * of people connecting (hundreds per minute). Default is 12 hours.
72 */
73 negcache_rebuild = 12 hours;
74
75 /*
76 * Amount of file descriptors to allocate to asynchronous DNS. 64
77 * should be plenty for almost anyone.
78 */
79 dns_fdlimit = 64;
80
81 /*
82 * Amount of time the resolver waits until a response is received
83 * from a name server.
84 */
85 dns_timeout = 5 seconds;
86
87 /*
88 * Put the full path and filename of a logfile here if you wish to log
89 * every scan done. Normally HOPM only logs successfully detected
90 * proxies in the hopm.log, but you may get abuse reports to your ISP
91 * about portscanning. Being able to show that it was HOPM that did
92 * the scan in question can be useful. Leave commented for no
93 * logging.
94 */
95# scanlog = "var/log/scan.log";
96};
97
98
99irc {
100 /*
101 * IP address to bind to for the IRC connection. You only need to
102 * use this if you wish HOPM to use a particular interface
103 * (virtual host, IP alias, ...) when connecting to the IRC server.
104 * There is another "vhost" setting in the scan {} block below for
105 * the actual portscans. Note that this directive expects an IP address,
106 * not a hostname. Please leave this commented out if you do not
107 * understand what it does, as most people don't need it.
108 */
109# vhost = "0.0.0.0";
110
111 /*
112 * Nickname for HOPM to use.
113 */
114 nick = "Hopm";
115
116 /*
117 * Text to appear in the "realname" field of HOPM's /whois output.
118 */
119 realname = "Hybrid Open Proxy Monitor";
120
121 /*
122 * If you don't have an identd running, what username to use.
123 */
124 username = "hopm";
125
126 /*
127 * Hostname (or IP address) of the IRC server which HOPM will monitor
128 * connections on. IPv6 is now supported.
129 */
130 server = "192.168.1.12";
131
132 /*
133 * Password used to connect to the IRC server (PASS)
134 */
135# password = "secret";
136
137 /*
138 * Port of the above server to connect to. This is what HOPM uses to
139 * get onto IRC itself, it is nothing to do with what ports/protocols
140 * are scanned, nor do you need to list every port your ircd listens
141 * on.
142 */
143 port = 6661;
144
145 /*
146 * Defines time in which bot will timeout if no data is received
147 */
148 readtimeout = 15 minutes;
149
150 /*
151 * Interval in how often we try to reconnect to the IRC server
152 */
153 reconnectinterval = 30 seconds;
154
155 /*
156 * Command to execute to identify to NickServ (if your network uses
157 * it). This is the raw IRC command text, and the below example
158 * corresponds to "/msg nickserv identify password" in a client. If
159 * you don't understand, just edit "password" in the line below to be
160 * your HOPM's nick password. Leave commented out if you don't need
161 * to identify to NickServ.
162 */
163 nickserv = "auth matrix a123456";
164
165 /*
166 * The username and password needed for HOPM to oper up.
167 */
168 oper = "darksis leetmoo";
169
170 /*
171 * Mode string that HOPM needs to set on itself as soon as it opers
172 * up. This needs to include the mode for seeing connection notices,
173 * otherwise HOPM won't scan anyone (that's usually umode +c).
174 */
175 mode = "+xs +16384";
176
177 /*
178 * If this is set then HOPM will use it as an /away message as soon as
179 * it connects.
180 */
181 away = "I'm a bot. Your messages will be ignored.";
182
183 /*
184 * Info about channels you wish HOPM to join in order to accept
185 * commands. HOPM will also print messages in these channels every
186 * time it detects a proxy. Only IRC operators can command HOPM to do
187 * anything, but some of the things HOPM reports to these channels
188 * could be considered sensitive, so it's best not to put HOPM into
189 * public channels.
190 */
191 channel {
192 /*
193 * Channel name. Local ("&") channels are supported if your ircd
194 * supports them.
195 */
196 name = "#hopm";
197
198 /*
199 * If HOPM will need to use a key to enter this channel, this is
200 * where you specify it.
201 */
202# key = "somekey";
203
204 /*
205 * If you use ChanServ then maybe you want to set the channel
206 * invite-only and have each HOPM do "/msg ChanServ invite" to get
207 * itself in. Leave commented if you don't, or if this makes no
208 * sense to you.
209 */
210# invite = "ChanServ INVITE #mIRCx MIRCX";
211 };
212
213
214 /*
215 * You can define a bunch of channels if you want:
216 *
217 * channel { name = "#mIRCx"; }; channel { name= "#channel"; }
218 */
219 channel { name = "#mIRCx";
220 };
221 /*
222 * connregex is a POSIX regular expression used to parse connection
223 * notices from the ircd. The complexity of the expression should
224 * be kept to a minimum.
225 *
226 * Items in order MUST be: nick user host IP
227 *
228 * HOPM will not work with ircds which do not send an IP address in the
229 * connection notice.
230 *
231 * This is fairly complicated stuff, and the consequences of getting
232 * it wrong are the HOPM does not scan anyone. Unless you know
233 * absolutely what you are doing, please just uncomment the example
234 * below that best matches the type of ircd you use.
235 */
236
237 /* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
238 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";
239 connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
240 /* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
241# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";
242
243 /* UnrealIRCd 4.0.x */
244# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";
245
246 /* InspIRCd */
247# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-fA-F\\.:]+)\\) \\[.*\\]";
248
249 /* ngIRCd */
250# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-fA-F\\.:]+)\\].*";
251
252 /*
253 * "kline" controls the command used when an open proxy is confirmed.
254 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
255 *
256 * <WARNING>
257 * Make sure if you need to change this string you also change the
258 * kline command for every DNSBL you enable below.
259 *
260 * Also note that some servers do not allow you to include ':' characters
261 * inside the KLINE message (e.g. for a http:// address).
262 *
263 * Users rewriting this message into something that isn't even a valid
264 * IRC command is the single most common cause of support requests and
265 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
266 * KLINE COMMANDS BELOW.
267 * </WARNING>
268 *
269 * That said, should you wish to customise this text, several
270 * printf-like placeholders are available:
271 *
272 * %n User's nick
273 * %u User's username
274 * %h User's irc hostname
275 * %i User's IP address
276 * %t Protocol type which has triggered a positive scan
277 */
278 kline = "KLINE 180 *@%h :Open proxy found on your host.";
279
280 /* A GLINE example for ircu */
281# kline = "GLINE +*@%i 1800 :Open proxy found on your host.";
282
283 /*
284 * An AKILL example for services with OperServ. Your HOPM must have permission to
285 * AKILL for this to work!
286 */
287# kline = "OS AKILL ADD +3h *@%h Open proxy found on your host.";
288
289 /*
290 * Text to send on connection, these can be stacked and will be sent in this order.
291 *
292 * !!! UNREAL USERS PLEASE NOTE !!!
293 * Unreal users will need PROTOCTL HCN to force hybrid connect
294 * notices.
295 *
296 * Yes Unreal users! That means you! That means you need the line
297 * below! See that thing at the start of the line? That's what we
298 * call a comment! Remove it to UNcomment the line.
299 *
300 * Note that this is no longer needed as of UnrealIRCd 4.0.0.
301 */
302 perform = "PROTOCTL HCN";
303
304 /*
305 * Text to send, via NOTICE, immediately when a new client connects. These can be
306 * stacked and will be sent in this order.
307 */
308 notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
309};
310
311
312/*
313 * OPM Block defines blacklists and information required to report new proxies
314 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
315 * file. There are several blacklist that list IP addresses known to be open
316 * proxies or other forms of IRC abuse. By checking against these blacklists,
317 * HOPMs are able to ban known sources of abuse without completely scanning them.
318 */
319OPM {
320 /*
321 * Blacklist zones to check IPs against. If you would rather not
322 * trust a remotely managed blacklist, you could set up your own, or
323 * leave these commented out in which case every user will be
324 * scanned. The use of at least one open proxy DNSBL is recommended
325 * however.
326 *
327 * Please check the policies of each blacklist you use to check you
328 * are comfortable with using them to block access to your server
329 * (and that you are allowed to use them).
330 */
331
332
333 /* dnsbl.dronebl.org - http://dronebl.org */
334 blacklist {
335 /* The DNS name of the blacklist */
336 name = "dnsbl.dronebl.org";
337
338 /*
339 * Address families that are supported by the blacklist. Default is 'ipv4'.
340 */
341 address_family = ipv4;
342
343 /*
344 * There are only two values that are valid for this
345 * "A record bitmask" and "A record reply"
346 * These options affect how the values specified to reply
347 * below will be interpreted, a bitmask is where the reply
348 * values are 2^n and more than one is added up, a reply is
349 * simply where the last octet of the IP address is that number.
350 * If you are not sure then the values set for dnsbl.dronebl.org
351 * will work without any changes.
352 */
353 type = "A record bitmask";
354
355 /*
356 * Kline types not listed in the reply list below.
357 *
358 * For DNSBLs that are not IRC specific and you just wish to kline
359 * certain types this can be enabled/disabled.
360 */
361 ban_unknown = yes;
362
363 /*
364 * The actual values returned by the dnsbl.dronebl.org blacklist as
365 * documented at http://dronebl.org/docs/howtouse
366 */
367 reply {
368 2 = "Sample data used for heuristical analysis";
369 3 = "IRC spam drone (litmus/sdbot/fyle)";
370 5 = "Bottler (experimental)";
371 6 = "Unknown worm or spambot";
372 7 = "DDoS drone";
373 8 = "Open SOCKS proxy";
374 9 = "Open HTTP proxy";
375 10 = "ProxyChain";
376 11 = "Web Page Proxy";
377 12 = "Open DNS Resolver";
378 13 = "Automated dictionary attacks";
379 14 = "Open WINGATE proxy";
380 15 = "Compromised router / gateway";
381 16 = "Autorooting worms";
382 17 = "Automatically determined botnet IPs (experimental)";
383 18 = "DNS/MX type hostname detected on IRC";
384 255 = "Uncategorized threat class";
385 };
386
387 /*
388 * The kline message sent for this specific blacklist, remember to put
389 * the removal method in this.
390 */
391 kline = "GLINE +*@%i * 86400 :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
392 };
393
394
395 /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
396# blacklist {
397# name = "tor.dnsbl.sectoor.de";
398# type = "A record reply";
399# ban_unknown = no;
400
401# reply {
402# 1 = "Tor exit server";
403# };
404
405# kline = "KLINE 180 *@%h :Tor exit server detected. For more information, visit http://www.sectoor.de/tor.php?ip=%i";
406# };
407
408 /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
409 blacklist {
410 name = "rbl.efnetrbl.org";
411 type = "A record bitmask";
412 ban_unknown = yes;
413
414 reply {
415 1 = "Open proxy";
416 2 = "spamtrap666";
417 3 = "spamtrap50";
418 4 = "TOR";
419 5 = "Drones / Flooding";
420 };
421
422 kline = "GLINE +*@%i * 86400 :Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
423 };
424
425
426
427 /* tor.efnetrbl.org - http://rbl.efnetrbl.org/ */
428# blacklist {
429# name = "tor.efnetrbl.org";
430# type = "A record reply";
431# ban_unknown = no;
432
433# reply {
434# 1 = "TOR";
435# };
436
437# kline = "KLINE 180 *@%h :TOR exit node found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
438# };
439
440 /*
441 * You can report the insecure proxies you find to a DNSBL also!
442 * The remaining directives in this section are only needed if you
443 * intend to do this. Reports are sent by email, one email per IP
444 * address. The format does support multiple addresses in one email,
445 * but we don't know of any servers that are detecting enough insecure
446 * proxies for this to be really necessary.
447 */
448
449 /*
450 * Email address to send reports FROM. If you intend to send reports,
451 * please pick an email address that we can actually send mail to
452 * should we ever need to contact you.
453 */
454# dnsbl_from = "mybopm@myserver.org";
455
456 /*
457 * Email address to send reports TO.
458 * For example DroneBL:
459 */
460# dnsbl_to = "bopm-report@dronebl.org";
461
462 /*
463 * Full path to your sendmail binary. Even if your system does not
464 * use sendmail, it probably does have a binary called "sendmail"
465 * present in /usr/sbin or /usr/lib. If you don't set this, no
466 * proxies will be reported.
467 */
468# sendmail = "/usr/sbin/sendmail";
469};
470
471
472/*
473 * The short explanation:
474 *
475 * This is where you define what ports/protocols to check for. You can have
476 * multiple scanner blocks and then choose which users will get scanned by
477 * which scanners further down.
478 *
479 * The long explanation:
480 *
481 * Scanner defines a virtual scanner. For each user being scanned, a scanner
482 * will use a file descriptor (and subsequent connection) for each protocol.
483 * Once connecting it will negotiate the proxy to connect to
484 * target_ip:target_port (target_ip MUST be an IP address).
485 *
486 * Once connected, any data passed through the proxy will be checked to see if
487 * target_string is contained within that data. If it is the proxy is
488 * considered open. If the connection is closed at any point before
489 * target_string is matched, or if at least max_read bytes are read from the
490 * connection, the negotiation is considered failed.
491 */
492scanner {
493 /*
494 * Unique name of this scanner. This is used further down in the
495 * user {} blocks to decide which users get affected by which
496 * scanners.
497 */
498 name = "default";
499
500 /*
501 * HTTP CONNECT - very common proxy protocol supported by widely known
502 * software such as Squid and Apache. The most common sort of
503 * insecure proxy and found on a multitude of weird ports too. Offers
504 * transparent two way TCP connections.
505 */
506 protocol = HTTP:80;
507 protocol = HTTP:8080;
508 protocol = HTTP:3128;
509 protocol = HTTP:6588;
510
511 /*
512 * The SSL/TLS variant of HTTP
513 */
514# protocol = HTTPS:443;
515# protocol = HTTPS:8443;
516
517 /*
518 * SOCKS4/5 - well known proxy protocols, probably the second most
519 * common for insecure proxies, also offers transparent two way TCP
520 * connections. Fortunately largely confined to port 1080.
521 */
522 protocol = SOCKS4:1080;
523 protocol = SOCKS5:1080;
524
525 /*
526 * Cisco routers with a default password (yes, it really does happen).
527 * Also pretty much anything else that will let you telnet to anywhere
528 * else on the Internet. Fortunately these are always on port 23.
529 */
530 protocol = ROUTER:23;
531
532 /*
533 * WinGate is commercial windows proxy software which is now not so
534 * common, but still to be found, and helpfully presents an interface
535 * that can be used to telnet out, on port 23.
536 */
537 protocol = WINGATE:23;
538
539 /*
540 * Dreambox DVB receivers with a default password allowing
541 * full root access to telnet or install bouncers.
542 */
543 protocol = DREAMBOX:23;
544
545 /*
546 * The HTTP POST protocol, often dismissed when writing the access
547 * controls for proxies, but sadly can still be used to abused.
548 * Offers only the opportunity to send a single block of data, but
549 * enough of them at once can still make for a devastating flood.
550 * Found on the same ports that HTTP CONNECT proxies inhabit.
551 *
552 * Note that if your ircd has "ping cookies" then clients from HTTP
553 * POST proxies cannot actually ever get onto your network anyway. If
554 * you leave the checks in then you'll still find some (because some
555 * people IRC from boxes that run them), but if you use HOPM purely as
556 * a protective measure and you have ping cookies, you need not scan
557 * for HTTP POST.
558 */
559 protocol = HTTPPOST:80;
560
561 /*
562 * The SSL/TLS variant of HTTPPOST
563 */
564# protocol = HTTPSPOST:443;
565# protocol = HTTPSPOST:8443;
566
567 /*
568 * IP address this scanner will bind to. Use this if you need your scans to
569 * come FROM a particular interface on the machine you run HOPM from.
570 * If you don't understand what this means, please leave this
571 * commented out, as this is a major source of support queries!
572 */
573# vhost = "127.0.0.1";
574
575 /*
576 * Maximum file descriptors this scanner can use. Remember that there
577 * will be one FD for each protocol listed above. As this example
578 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
579 * limit, this scanner can be used on 64 users _at the same time_.
580 * That should be adequate for most servers.
581 */
582 fd = 512;
583
584 /*
585 * Maximum data read from a proxy before considering it closed. Don't
586 * set this too high, some people have fun setting up lots of ports
587 * that send endless data to tie up your scanner. 4KB is plenty for
588 * any known proxy.
589 */
590 max_read = 4 kbytes;
591
592 /*
593 * Amount of time before a test is considered timed out.
594 * Again, all but the poorest slowest proxies will be detected within
595 * 30 seconds, and this helps keep resource usage low.
596 */
597 timeout = 30 seconds;
598
599 /*
600 * Target IP to tell the proxy to connect to
601 *
602 * !!! THIS MUST BE CHANGED !!!
603 *
604 * You cannot instruct the proxy to connect to itself! The easiest
605 * thing to do would be to set this to the IP address of your ircd
606 * and then keep the default target_strings.
607 *
608 * Please use an IP address that is publically reachable from anywhere
609 * on the Internet, because you have no way of knowing where the insecure
610 * proxies will be located. Just because you and your HOPM can
611 * connect to your ircd on some private IP address like 192.168.0.1,
612 * does not mean that the insecure proxies out there on the Internet will be
613 * able to. And if they never connect, you will never detect them.
614 *
615 * Remember to change this setting for every scanner you configure.
616 */
617 target_ip = "127.0.0.1";
618
619 /*
620 * Target port to tell the proxy to connect to. This is usually
621 * something like 6667. Basically any client-usable port.
622 */
623 target_port = 6660;
624
625 /*
626 * Target string we check for in the data read back by the scanner.
627 * This should be some string out of the data that your ircd usually
628 * sends on connect. Multiple target strings are allowed.
629 *
630 * NOTE: Try to keep the number of target strings to a minimum. Two
631 * should be fine. One for normal connections and one for throttled
632 * connections. Comment out any others for efficiency.
633 */
634
635 /*
636 * Usually first line sent to client on connection to ircd.
637 * If your ircd supports a more specific line (see below),
638 * using it will reduce false positives.
639 */
640 target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
641
642 /*
643 * If you try to connect too fast, you'll be throttled by your own
644 * ircd. Here's what a hybrid throttle message looks like:
645 */
646 target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
647};
648
649
650scanner {
651 name = "extended";
652
653 protocol = HTTP:81;
654 protocol = HTTP:8000;
655 protocol = HTTP:8001;
656 protocol = HTTP:8081;
657
658 protocol = HTTPPOST:81;
659 protocol = HTTPPOST:6588;
660 protocol = HTTPPOST:4480;
661 protocol = HTTPPOST:8000;
662 protocol = HTTPPOST:8001;
663 protocol = HTTPPOST:8080;
664 protocol = HTTPPOST:8081;
665
666 /*
667 * IRCnet have seen many socks5 on these ports, more than on the
668 * standard ports even.
669 */
670 protocol = SOCKS4:4914;
671 protocol = SOCKS4:6826;
672 protocol = SOCKS4:7198;
673 protocol = SOCKS4:7366;
674 protocol = SOCKS4:9036;
675
676 protocol = SOCKS5:4438;
677 protocol = SOCKS5:5104;
678 protocol = SOCKS5:5113;
679 protocol = SOCKS5:5262;
680 protocol = SOCKS5:5634;
681 protocol = SOCKS5:6552;
682 protocol = SOCKS5:6561;
683 protocol = SOCKS5:7464;
684 protocol = SOCKS5:7810;
685 protocol = SOCKS5:8130;
686 protocol = SOCKS5:8148;
687 protocol = SOCKS5:8520;
688 protocol = SOCKS5:8814;
689 protocol = SOCKS5:9100;
690 protocol = SOCKS5:9186;
691 protocol = SOCKS5:9447;
692 protocol = SOCKS5:9578;
693 protocol = SOCKS5:10000;
694 protocol = SOCKS5:64101;
695
696 /*
697 * These came courtsey of Keith Dunnett from a bunch of public open
698 * proxy lists.
699 */
700 protocol = SOCKS4:29992;
701 protocol = SOCKS4:38884;
702 protocol = SOCKS4:18844;
703 protocol = SOCKS4:17771;
704 protocol = SOCKS4:31121;
705
706 fd = 400;
707
708 /*
709 * If required you can add settings such as target_ip here
710 * they will override the defaults set in the first scanner
711 * for this and subsequent scanners defined in the config file
712 * This affects the following options:
713 * fd, vhost, target_ip, target_port, target_string, timeout and
714 * max_read.
715 */
716};
717
718
719/*
720 * User blocks define what scanners will be used to scan which hostmasks.
721 * When a user connects they will be scanned on every scanner {} (above)
722 * that matches their host.
723 */
724user {
725 /*
726 * Users matching this host mask will be scanned with all the
727 * protocols in the scanner named.
728 */
729 mask = "*!*@*";
730 scanner = "default";
731};
732
733user {
734 /*
735 * Connections without ident will match on a vast number of connections
736 * very few proxies run ident though
737 */
738# mask = "*!~*@*";
739 mask = "*!squid@*";
740 mask = "*!nobody@*";
741 mask = "*!www-data@*";
742 mask = "*!cache@*";
743 mask = "*!CacheFlowS@*";
744 mask = "*!*@*www*";
745 mask = "*!*@*proxy*";
746 mask = "*!*@*cache*";
747
748 scanner = "extended";
749};
750
751
752/*
753 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
754 * HOPM will check each string against both the hostname and the IP address of
755 * the user.
756 *
757 * There are very few valid reasons to actually use "exempt". HOPM should
758 * never get false positives, and we would like to know very much if it does.
759 * One possible scenario is that the machine HOPM runs from is specifically
760 * authorized to use certain hosts as proxies, and users from those hosts use
761 * your network. In this case, without exempt, HOPM will scan these hosts,
762 * find itself able to use them as proxies, and ban them.
763 */
764exempt {
765 mask = "*!*@127.0.0.1";
766};