scanner { /* * Unique name of this scanner. This is used further down in the * user {} blocks to decide which users get affected by which * scanners. */ name = "default"; /* * HTTP CONNECT - very common proxy protocol supported by widely known * software such as Squid and Apache. The most common sort of * insecure proxy and found on a multitude of weird ports too. Offers * transparent two way TCP connections. */ protocol = HTTP:80; protocol = HTTP:8080; protocol = HTTP:3128; protocol = HTTP:6588; /* * The SSL/TLS variant of HTTP */ # protocol = HTTPS:443; # protocol = HTTPS:8443; /* * SOCKS4/5 - well known proxy protocols, probably the second most * common for insecure proxies, also offers transparent two way TCP * connections. Fortunately largely confined to port 1080. */ protocol = SOCKS4:1080; protocol = SOCKS5:1080; /* * Cisco routers with a default password (yes, it really does happen). * Also pretty much anything else that will let you telnet to anywhere * else on the Internet. Fortunately these are always on port 23. */ protocol = ROUTER:23; /* * WinGate is commercial windows proxy software which is now not so * common, but still to be found, and helpfully presents an interface * that can be used to telnet out, on port 23. */ protocol = WINGATE:23; /* * Dreambox DVB receivers with a default password allowing * full root access to telnet or install bouncers. */ protocol = DREAMBOX:23; /* * The HTTP POST protocol, often dismissed when writing the access * controls for proxies, but sadly can still be used to abused. * Offers only the opportunity to send a single block of data, but * enough of them at once can still make for a devastating flood. * Found on the same ports that HTTP CONNECT proxies inhabit. * * Note that if your ircd has "ping cookies" then clients from HTTP * POST proxies cannot actually ever get onto your network anyway. If * you leave the checks in then you'll still find some (because some * people IRC from boxes that run them), but if you use HOPM purely as * a protective measure and you have ping cookies, you need not scan * for HTTP POST. */ protocol = HTTPPOST:80; /* * The SSL/TLS variant of HTTPPOST */ # protocol = HTTPSPOST:443; # protocol = HTTPSPOST:8443; /* * IP address this scanner will bind to. Use this if you need your scans to * come FROM a particular interface on the machine you run HOPM from. * If you don't understand what this means, please leave this * commented out, as this is a major source of support queries! */ # vhost = "127.0.0.1"; /* * Maximum file descriptors this scanner can use. Remember that there * will be one FD for each protocol listed above. As this example * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD * limit, this scanner can be used on 64 users _at the same time_. * That should be adequate for most servers. */ fd = 512; /* * Maximum data read from a proxy before considering it closed. Don't * set this too high, some people have fun setting up lots of ports * that send endless data to tie up your scanner. 4KB is plenty for * any known proxy. */ max_read = 4 kbytes; /* * Amount of time before a test is considered timed out. * Again, all but the poorest slowest proxies will be detected within * 30 seconds, and this helps keep resource usage low. */ timeout = 30 seconds; /* * Target IP to tell the proxy to connect to * * !!! THIS MUST BE CHANGED !!! * * You cannot instruct the proxy to connect to itself! The easiest * thing to do would be to set this to the IP address of your ircd * and then keep the default target_strings. * * Please use an IP address that is publically reachable from anywhere * on the Internet, because you have no way of knowing where the insecure * proxies will be located. Just because you and your HOPM can * connect to your ircd on some private IP address like 192.168.0.1, * does not mean that the insecure proxies out there on the Internet will be * able to. And if they never connect, you will never detect them. * * Remember to change this setting for every scanner you configure. */ target_ip = "127.0.0.1"; /* * Target port to tell the proxy to connect to. This is usually * something like 6667. Basically any client-usable port. */ target_port = 6667; /* * Target string we check for in the data read back by the scanner. * This should be some string out of the data that your ircd usually * sends on connect. Multiple target strings are allowed. * * NOTE: Try to keep the number of target strings to a minimum. Two * should be fine. One for normal connections and one for throttled * connections. Comment out any others for efficiency. */ /* * Usually first line sent to client on connection to ircd. * If your ircd supports a more specific line (see below), * using it will reduce false positives. */ target_string = ":irc.example.org NOTICE * :*** Looking up your hostname"; /* * If you try to connect too fast, you'll be throttled by your own * ircd. Here's what a hybrid throttle message looks like: */ target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled."; }; scanner { name = "extended"; protocol = HTTP:81; protocol = HTTP:8000; protocol = HTTP:8001; protocol = HTTP:8081; protocol = HTTPPOST:81; protocol = HTTPPOST:6588; protocol = HTTPPOST:4480; protocol = HTTPPOST:8000; protocol = HTTPPOST:8001; protocol = HTTPPOST:8080; protocol = HTTPPOST:8081; /* * IRCnet have seen many socks5 on these ports, more than on the * standard ports even. */ protocol = SOCKS4:4914; protocol = SOCKS4:6826; protocol = SOCKS4:7198; protocol = SOCKS4:7366; protocol = SOCKS4:9036; protocol = SOCKS5:4438; protocol = SOCKS5:5104; protocol = SOCKS5:5113; protocol = SOCKS5:5262; protocol = SOCKS5:5634; protocol = SOCKS5:6552; protocol = SOCKS5:6561; protocol = SOCKS5:7464; protocol = SOCKS5:7810; protocol = SOCKS5:8130; protocol = SOCKS5:8148; protocol = SOCKS5:8520; protocol = SOCKS5:8814; protocol = SOCKS5:9100; protocol = SOCKS5:9186; protocol = SOCKS5:9447; protocol = SOCKS5:9578; protocol = SOCKS5:10000; protocol = SOCKS5:64101; /* * These came courtsey of Keith Dunnett from a bunch of public open * proxy lists. */ protocol = SOCKS4:29992; protocol = SOCKS4:38884; protocol = SOCKS4:18844; protocol = SOCKS4:17771; protocol = SOCKS4:31121; fd = 400; /* * If required you can add settings such as target_ip here * they will override the defaults set in the first scanner * for this and subsequent scanners defined in the config file * This affects the following options: * fd, vhost, target_ip, target_port, target_string, timeout and * max_read.