The Blitzed Open Proxy Monitor, or BOPM, is a piece of software that performs proxy scans and DNSBL lookups on users connecting to the network. If it concludes that a user is connecting through an open proxy, it klines the user.
An instance of BOPM only handles connections to the local server, which is why all Ambernet servers are required to run BOPM.
Start off by fetching the latest stable release of BOPM.
Unpack the tarball:
$ tar zxf bopm-3.1.3.tar.gz
Run configure. If you don't want BOPM's root directory to be $HOME/bopm, you can use the --prefix option.
$ ./configure
Time to compile and install:
$ make
$ make install
You will find a standard example conf bundled with the BOPM source (and it should be in $PREFIX/bopm/etc now) containing plenty of comments and explanations of the settings. For an Ambernet BOPM setup you should use the config below.
When BOPM scans a connecting client it actually tries to use the client as a proxy to connect to whatever IP is set in target_ip. If it succeeds, the client is klined. Therefore it's very important that you change target_ip to some IP that's actually open for IRC connections, for example your own IRC server! You must also change the target_string setting to match some string that your IRC server sends upon connection. If you skip doing this, BOPM will only be able to kline based on DNSBL lookups.
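Before relying on the proxy scan it is worth confirming that the server at target_ip really volunteers one of the configured target_string values to a client that connects and sends nothing, because otherwise every scan is a guaranteed miss. The script below is an added example, not BOPM code or part of this page's config; it assumes the target_ip, target_port, target_string, timeout and max_read values from the config below and should be pointed at your own server.

```python
import socket

# Values taken from the scanner block in the config; change them to match your own server
TARGET_IP = "83.176.253.77"
TARGET_PORT = 6667
TARGET_STRINGS = ["*** Processing connection to irc.ankeborg.nu",
                  "ERROR :Trying to reconnect too fast."]

def read_banner(host, port, timeout=12, max_read=4096):
    """Connect, send nothing and collect what the server sends unprompted,
    stopping after `timeout` quiet seconds or `max_read` bytes (the scanner's limits)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(data) < max_read:
                chunk = s.recv(max_read - len(data))
                if not chunk:          # server closed the connection
                    break
                data += chunk
        except socket.timeout:         # nothing more within `timeout` seconds
            pass
    return data

def matching_target_strings(banner, target_strings):
    """Return the configured target_string values that occur in the banner bytes."""
    return [t for t in target_strings if t.encode() in banner]

def check_target(host=TARGET_IP, port=TARGET_PORT, target_strings=TARGET_STRINGS):
    """True if the server sends at least one target_string; False means scans can never hit."""
    hits = matching_target_strings(read_banner(host, port), target_strings)
    for t in hits:
        print("OK: server sends %r" % t)
    if not hits:
        print("WARNING: no configured target_string seen; fix target_string or target_ip")
    return bool(hits)

if __name__ == "__main__":
    check_target()
```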
Here's an example of an Ambernet BOPM config:
options {
pidfile = "/home/bopm/bopm/var/irc.ankeborg.nu.pid";
dns_fdlimit = 64;
/*
* You can use this to log ALL port scans that are done. This is
* optional and may be useful if you ever have to deal with abuse
* reports.
*/
# scanlog = "/home/bopm/bopm/var/irc.ankeborg.nu.scan.log";
};
IRC {
# vhost = "0.0.0.0";
nick = "sebopm";
realname = "Blitzed Open Proxy Monitor";
username = "bopm";
server = "irc.ankeborg.nu";
# password = "secret";
port = 6667;
/*
* Your BOPM will need a registered nick and be identified to it, to get
* into #wg. (see below)
*/
oper = "user pass";
mode = "+c-h";
away = "I'm a bot. Your messages will be ignored.";
channel {
/* The channel is set invite only. Ask an admin to add your BOPM's hostmask
* to the invite list.
*/
name = "#bopm";
};
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
/*
* "kline" controls the command used when an open proxy is confirmed.
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
*
* You're required to use the following kline_command:
*/
kline = "KLINE 1440 *@%h ON * :Open Proxy found on your IP %i . Please check your system and fix it.";
};
OPM {
/* DroneBL (see http://www.dronebl.org/howtouse.do for details) */
blacklist {
name = "dnsbl.dronebl.org";
type = "A record reply";
ban_unknown = no;
reply {
2 = "Sample";
3 = "IRC Drone";
5 = "Bottler";
6 = "Unknown spambot or drone";
7 = "DDOS Drone";
8 = "SOCKS Proxy";
9 = "HTTP Proxy";
10 = "ProxyChain";
255 = "Unknown";
};
kline = "KLINE 1440 *@%i ON * :Host listed in the DroneBL. For more information visit http://dronebl.org/lookup.do?ip=%i";
};
/* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
blacklist {
name = "rbl.efnetrbl.org";
type = "A record reply";
reply {
1 = "Open proxy";
2 = "Trojan spreader";
3 = "Trojan infected client";
5 = "Drones / Flooding";
};
ban_unknown = no;
kline = "KLINE 1440 *@%i ON * :Listed in rbl.efnetrbl.org. See http://rbl.efnetrbl.org/?i=%i";
};
blacklist {
name = "tor.dnsbl.sectoor.de";
type = "A record reply";
reply {
1 = "Tor exit server";
};
ban_unknown = no;
kline = "KLINE 1440 *@%i ON * :Tor exit server detected. Visit www.sectoor.de/tor.php?ip=%i for info.";
};
blacklist {
name = "tor.dan.me.uk";
type = "A record reply";
reply {
100 = "Tor exit server";
};
ban_unknown = no;
kline = "KLINE 1440 *@%i ON * :Tor exit server detected.";
};
blacklist {
name = "tor.ahbl.org";
type = "A record reply";
reply {
2 = "Tor exit server";
};
ban_unknown = no;
kline = "KLINE 1440 *@%i ON * :Tor exit server detected.";
};
};
scanner {
name="default";
/*
*
* The next block of protocols is generated from the
* generated weekly blitzed lists and by a generated
* list of all newly found open proxies via the anal
* scans performed by the XS4ALL BOPM bots.
* The lists reflect the top hits in the period
* from 2007.01.01 - 2007.04.13
*
*/
protocol = ROUTER:23;
protocol = SOCKS4:559;
protocol = HTTPPOST:3128;
protocol = SOCKS4:1080;
protocol = HTTP:8080;
protocol = SOCKS5:1182;
protocol = HTTP:3128;
protocol = HTTPPOST:8080;
protocol = SOCKS4:9999;
protocol = HTTPPOST:80;
protocol = SOCKS5:1080;
protocol = HTTP:63000;
protocol = HTTP:8000;
protocol = HTTPPOST:808;
protocol = HTTP:80;
protocol = HTTPPOST:6588;
protocol = HTTP:6588;
protocol = SOCKS5:3128;
protocol = SOCKS5:10080;
protocol = HTTPPOST:4480;
protocol = SOCKS4:6664;
protocol = SOCKS4:63808;
protocol = HTTP:6667;
protocol = SOCKS4:19991;
protocol = SOCKS4:1098;
protocol = SOCKS4:10000;
protocol = SOCKS4:4471;
protocol = HTTP:65506;
protocol = HTTP:63809;
protocol = SOCKS5:9090;
protocol = HTTP:9090;
protocol = HTTP:6668;
protocol = SOCKS4:58;
protocol = SOCKS5:58;
protocol = SOCKS4:6969;
protocol = WINGATE:23;
protocol = SOCKS5:3380;
protocol = SOCKS4:40;
protocol = SOCKS5:443;
protocol = SOCKS4:8888;
protocol = HTTPPOST:9090;
protocol = HTTP:5490;
protocol = SOCKS4:8080;
protocol = SOCKS5:6969;
protocol = SOCKS4:1026;
protocol = SOCKS4:1025;
protocol = HTTP:8888;
protocol = HTTP:6669;
protocol = HTTP:8090;
protocol = HTTP:808;
protocol = SOCKS5:1029;
protocol = SOCKS4:41080;
protocol = SOCKS5:8020;
protocol = SOCKS5:6000;
protocol = HTTPPOST:8081;
protocol = HTTP:4480;
protocol = SOCKS5:1027;
protocol = SOCKS4:1028;
protocol = HTTP:3332;
protocol = SOCKS5:8888;
protocol = SOCKS5:1028;
protocol = SOCKS4:3330;
protocol = SOCKS4:29992;
protocol = SOCKS4:1234;
protocol = SOCKS4:1029;
protocol = HTTP:5000;
protocol = HTTP:443;
protocol = SOCKS5:1813;
protocol = SOCKS5:1081;
protocol = SOCKS5:1026;
protocol = SOCKS4:1337;
protocol = SOCKS4:1050;
protocol = HTTP:1080;
protocol = SOCKS5:9999;
protocol = SOCKS5:9100;
protocol = SOCKS5:19991;
protocol = SOCKS5:1098;
protocol = SOCKS4:9100;
protocol = SOCKS4:7080;
protocol = SOCKS4:1033;
protocol = HTTP:9000;
protocol = HTTP:5800;
protocol = HTTP:5634;
protocol = HTTP:4471;
protocol = HTTP:3382;
protocol = SOCKS5:1200;
protocol = SOCKS5:1039;
protocol = SOCKS5:1025;
protocol = SOCKS4:8002;
protocol = SOCKS4:6748;
protocol = SOCKS4:44548;
protocol = SOCKS4:3380;
protocol = SOCKS4:32167;
protocol = SOCKS4:2000;
protocol = SOCKS4:1979;
protocol = SOCKS4:12654;
protocol = SOCKS4:11225;
protocol = SOCKS4:1066;
protocol = SOCKS4:1030;
protocol = SOCKS4:1027;
protocol = SOCKS4:10099;
protocol = HTTP:81;
protocol = HTTP:6665;
protocol = HTTP:6664;
protocol = HTTP:6663;
protocol = SOCKS5:8278;
protocol = SOCKS5:6748;
protocol = SOCKS5:4914;
protocol = SOCKS5:4471;
protocol = SOCKS5:29992;
protocol = SOCKS5:17235;
protocol = SOCKS5:1234;
protocol = SOCKS5:1202;
protocol = SOCKS5:1180;
protocol = SOCKS5:1075;
protocol = SOCKS5:1033;
protocol = SOCKS5:10000;
protocol = SOCKS4:8020;
protocol = SOCKS4:4044;
protocol = SOCKS4:3128;
protocol = SOCKS4:3127;
protocol = SOCKS4:28882;
protocol = SOCKS4:24973;
protocol = SOCKS4:21421;
protocol = SOCKS4:1182;
protocol = SOCKS4:1032;
protocol = SOCKS4:10242;
protocol = HTTPPOST:8089;
protocol = HTTP:8082;
protocol = HTTP:6661;
protocol = HTTP:35233;
protocol = HTTP:19991;
protocol = HTTP:1098;
protocol = HTTP:1050;
protocol = SOCKS5:9988;
protocol = SOCKS5:8080;
protocol = SOCKS5:8009;
protocol = SOCKS5:6561;
protocol = SOCKS5:24971;
protocol = SOCKS5:18844;
protocol = SOCKS5:1122;
protocol = SOCKS5:10777;
protocol = SOCKS5:1030;
protocol = SOCKS5:10130;
protocol = SOCKS5:10099;
protocol = SOCKS4:8751;
protocol = SOCKS4:8278;
protocol = SOCKS4:8111;
protocol = SOCKS4:7007;
protocol = SOCKS4:6551;
protocol = SOCKS4:5353;
protocol = SOCKS4:443;
protocol = SOCKS4:43341;
protocol = SOCKS4:3801;
protocol = SOCKS4:2280;
protocol = SOCKS4:1978;
protocol = SOCKS4:1212;
protocol = SOCKS4:1039;
protocol = SOCKS4:1031;
protocol = HTTPPOST:81;
protocol = HTTP:9988;
protocol = HTTP:7868;
protocol = HTTP:7070;
protocol = HTTP:444;
protocol = HTTP:1200;
protocol = HTTP:1039;
fd = 10000;
max_read = 4096;
timeout = 12;
/* CHANGE THIS! */
target_ip = "83.176.253.77";
target_port = 6667;
/* CHANGE THIS! */
target_string = "*** Processing connection to irc.ankeborg.nu";
target_string = "ERROR :Trying to reconnect too fast.";
};
user {
scanner = "default";
mask = "*!*@*";
};
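To make concrete what the connregex, the DNSBL blacklist blocks and the kline templates above do with one connection, here is an added example in Python (not BOPM's own code): it parses a constructed Hybrid-style connect notice with the page's connregex, builds the reversed-octet query name a DNSBL lookup uses, maps the A record reply to the dnsbl.dronebl.org reply table, and expands the %i placeholder in that blacklist's kline template. The resolver is injectable so the logic can be exercised offline; the default performs a real DNS lookup.

```python
import re
import socket

# The connregex from the IRC block, with the config file's doubled backslashes undone
CONNREGEX = re.compile(
    r"\*\*\* Notice -- Client connecting: ([^ ]+) \(([^@]+)@([^\)]+)\) \[([0-9\.]+)\].*")

# Reply codes and kline template copied from the dnsbl.dronebl.org blacklist block
DRONEBL_REPLIES = {2: "Sample", 3: "IRC Drone", 5: "Bottler",
                   6: "Unknown spambot or drone", 7: "DDOS Drone",
                   8: "SOCKS Proxy", 9: "HTTP Proxy", 10: "ProxyChain",
                   255: "Unknown"}
DRONEBL_KLINE = ("KLINE 1440 *@%i ON * :Host listed in the DroneBL. "
                 "For more information visit http://dronebl.org/lookup.do?ip=%i")

def parse_connect_notice(line):
    """Return (nick, user, host, ip) from a server connect notice, or None if no match."""
    m = CONNREGEX.match(line)
    return m.groups() if m else None

def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def _dns_resolve(name):
    """Real lookup: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:   # NXDOMAIN: the IP is not listed in this zone
        return None

def classify_reply(answer, replies, ban_unknown=False):
    """Map a 127.0.0.N answer to its reply text; None means do not kline."""
    if answer is None:
        return None
    code = int(answer.rsplit(".", 1)[1])
    if code in replies:
        return replies[code]
    return "unrecognised reply %s" % answer if ban_unknown else None  # ban_unknown = yes

def dnsbl_check(ip, zone, replies, ban_unknown=False, resolve=_dns_resolve):
    """Look ip up in zone and return the listing reason, or None if it is not listed."""
    return classify_reply(resolve(dnsbl_query_name(ip, zone)), replies, ban_unknown)

def expand_kline(template, nick, user, host, ip):
    """Fill the %n %u %h %i placeholders described in the kline comment."""
    return (template.replace("%n", nick).replace("%u", user)
            .replace("%h", host).replace("%i", ip))
```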
In order to be able to oper up, your bot needs an auth block and an operator block with minimal privileges.
For your BOPM bot to function properly it needs an auth and oper block present in the ircd configuration file. A typical bopm auth block looks like the following:
auth {
user = "bopm@your.host.com";
spoof = "irc.your.server.com.bopm";
flags = exceed_limit, flood_exempt;
class = opers;
};
Please keep the irc.your.server.com.bopm naming scheme. The irc.ankeborg.nu BOPM, for example, is on IRC as bopm@irc.ankeborg.nu.bopm. The exceed_limit flag is there to make sure BOPM is always able to get on the network, and the flood_exempt flag means BOPM can spam #bopm with scan results.
An example operator block for BOPM could look like this:
operator "bopm" {
user = "*@irc.your.server.com.bopm";
password = "encrypted password";
flags = kline, remote, hidden_oper;
};
There's no need to give BOPM any other operator privileges (it will never KILL, etc.). hidden_oper hides your BOPM from the /stats p list.
BOPM supports a few commands in the control channel. Uptime and the number of successful lookups can be reported with stats:
< sjk> nlbopm stats
< nlbopm> Uptime: 2 weeks, 5 days, 14:50:36
< nlbopm> DNSBL: 5 successful lookups from dnsbl.dronebl.org
< nlbopm> DNSBL: 26 successful lookups from rbl.efnetrbl.org
< nlbopm> Number of connects: 4669 (0.17/minute)
To see how many file descriptors the bot is using, use fdstat:
< sjk> nlbopm, fdstat
< nlbopm> Total open FD: 2/256
One can also use BOPM to manually scan a host with the "check" command:
< sjk> nlbopm check ankeborg.nu
< nlbopm> CHECK -> Checking '82.103.139.184' for open proxies on all scanners
< nlbopm> CHECK -> DNSBL -> 82.103.139.184 does not appear in BL zone dnsbl.dronebl.org
< nlbopm> CHECK -> DNSBL -> 82.103.139.184 does not appear in BL zone rbl.efnetrbl.org
< nlbopm> CHECK -> DNSBL -> 82.103.139.184 does not appear in BL zone tor.dnsbl.sectoor.de
< nlbopm> CHECK -> DNSBL -> 82.103.139.184 does not appear in BL zone tor.dan.me.uk
< nlbopm> CHECK -> DNSBL -> 82.103.139.184 does not appear in BL zone tor.ahbl.org
< nlbopm> CHECK -> All tests on 82.103.139.184 completed.
To rehash a BOPM bot, simply kill it.
One can add an @reboot entry to the crontab to start BOPM automatically at boot:
@reboot /path/to/bopm/bin/bopm