LibertaCasaTrash/Karla
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add to remote, bumped version, readme, gitignore

Browse Source
This commit is contained in:
Pratyush Desai 2022-04-24 08:08:33 +05:30
commit 98b1059ccc
Signed by: pratyush
GPG Key ID: DBA5BB7505946FAD
4 changed files with 851 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
etc/hopm.conf
etc/Karla.conf

27
README.md Normal file
View File

@ -0,0 +1,27 @@
# Karla - IRC Hybrid Open Proxy Monitor
This is a `hopm` instance to detect and manage potentially abusive hosts via dnsbls and port scans
## Installation - Productionized
> Requires root priviledges
1. Add an unpriviledged role user `Karla` with the home `/opt/hopm/`.
2. Add yourself to the group `Karla`.
3. `cd /opt/hopm/` and `git clone <repo>`.
4. `cd Karla/` and `cp Karla.service /etc/systemd/system/`.
5. Check `/opt/hopm/Karla/etc/hopm.conf` and configure accordingly.
5. `systemctl daemon-reload` and `systemctl enable --now Karla.service`.
## Credentials
* Ensure `hopm.conf` and `Karla.conf` is in `.gitignore`
## TODO
* Deploy Utility which can pull the systemd unit file from `LibertaCasa/system` repo
* Lint checking before deploy

BIN
bin/hopm Executable file
View File

Binary file not shown.

822
etc/reference.conf Normal file
View File

@ -0,0 +1,822 @@
/*
* Hybrid Open Proxy Monitor - HOPM sample configuration
*
* Copyright (c) 2014-2022 ircd-hybrid development team
*
* $Id$
*/
/*
* Shell style (#), C++ style (//) and C style comments are supported.
*
* Files may be included by either:
* .include "filename"
* .include <filename>
*
* Times/durations are written as:
* 12 hours 30 minutes 1 second
*
* Valid units of time:
* year, month, week, day, hour, minute, second
*
* Valid units of size:
* megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
*
* Sizes and times may be singular or plural.
*/
options {
/*
* Full path and filename for storing the process ID of the running
* HOPM.
*/
pidfile = "var/run/hopm.pid";
/*
* Maximum commands to queue. Set to 0 if you don't want HOPM
* to process commands.
*/
command_queue_size = 64;
/*
* Interval to check command queue for timed out commands.
*/
command_interval = 10 seconds;
/*
* Timeout of commands.
*/
command_timeout = 180 seconds;
/*
* How long to store the IP address of hosts which are confirmed
* (by previous scans) to be secure. New users from these
* IP addresses will not be scanned again until this amount of time
* has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
* DIRECTIVE, but it is provided due to demand.
*
* The main reason for not using this feature is that anyone capable
* of running a proxy can get abusers onto your network - all they
* need do is shut the proxy down, connect themselves, restart the
* proxy, and tell their friends to come flood.
*
* Keep this directive commented out to disable negative caching.
*/
# negcache = 1 hour;
/*
* How long between rebuilds of the negative cache. The negcache
* is only rebuilt to free up memory used by entries that are too old.
* You probably don't need to tweak this unless you have huge amounts
* of people connecting (hundreds per minute). Default is 12 hours.
*/
negcache_rebuild = 12 hours;
/*
* Amount of file descriptors to allocate to asynchronous DNS. 64
* should be plenty for almost anyone.
*/
dns_fdlimit = 64;
/*
* Amount of time the resolver waits until a response is received
* from a name server.
*/
dns_timeout = 5 seconds;
/*
* Put the full path and filename of a logfile here if you wish to log
* every scan done. Normally HOPM only logs successfully detected
* proxies in the hopm.log, but you may get abuse reports to your ISP
* about portscanning. Being able to show that it was HOPM that did
* the scan in question can be useful. Leave commented for no
* logging.
*/
# scanlog = "var/log/scan.log";
};
irc {
/*
* IP address to bind to for the IRC connection. You only need to
* use this if you wish HOPM to use a particular interface
* (virtual host, IP alias, ...) when connecting to the IRC server.
* There is another "bind" setting in the scan {} block below for
* the actual portscans. Note that this directive expects an IP address,
* not a hostname. Please leave this commented out if you do not
* understand what it does, as most people don't need it.
*/
# bind = "0.0.0.0";
/*
* Nickname for HOPM to use.
*/
nick = "MyHopm";
/*
* Text to appear in the "realname" field of HOPM's /whois output.
*/
realname = "Hybrid Open Proxy Monitor";
/*
* If you don't have an identd running, what username to use.
*/
username = "hopm";
/*
* Hostname (or IP address) of the IRC server which HOPM will monitor
* connections on. IPv6 is now supported.
*/
server = "irc.example.org";
/*
* Password used to connect to the IRC server (PASS)
*/
# password = "secret";
/*
* Port of the above server to connect to. This is what HOPM uses to
* get onto IRC itself, it is nothing to do with what ports/protocols
* are scanned, nor do you need to list every port your ircd listens
* on.
*/
port = 6667;
/*
* Whether to use TLS when connecting to the above server.
*/
tls = no;
/*
* rsa_private_key_file: the path to the file containing the RSA key.
*
* Once the RSA key is generated, it is highly recommended to lock down
* its file permissions:
*
* chown <ircd-user>.<ircd.group> rsa.key
* chmod 0600 rsa.key
*/
# rsa_private_key_file = "etc/rsa.key";
/*
* tls_certificate_file: the path to the file containing our
* TLS certificate for encrypted client connection.
*/
# tls_certificate_file = "etc/cert.pem";
/*
* Checks if the host name defined above matches the identity in the
* certificate.
*/
tls_hostname_verification = yes;
/*
* tls_disable_certificate_verification: setting this to 'yes' turns off
* verification of the remote peer's certificate. Turning off certificate
* verification is generally discouraged and should be done only for
* experimental purposes.
*/
tls_disable_certificate_verification = no;
/*
* Defines time in which bot will timeout if no data is received
*/
readtimeout = 15 minutes;
/*
* Interval in how often we try to reconnect to the IRC server
*/
reconnectinterval = 30 seconds;
/*
* Command to execute to identify to NickServ (if your network uses
* it). This is the raw IRC command text, and the below example
* corresponds to "/msg nickserv identify password" in a client. If
* you don't understand, just edit "password" in the line below to be
* your HOPM's nick password. Leave commented out if you don't need
* to identify to NickServ.
*/
# nickserv = "NS IDENTIFY password";
/*
* The username and password needed for HOPM to oper up.
*/
oper = "hopm operpass";
/*
* Mode string that HOPM needs to set on itself as soon as it opers
* up. This needs to include the mode for seeing connection notices,
* otherwise HOPM won't scan anyone (that's usually umode +c).
*/
mode = "+c";
/*
* If this is set then HOPM will use it as an /away message as soon as
* it connects.
*/
away = "I'm a bot. Your messages will be ignored.";
/*
* Info about channels you wish HOPM to join in order to accept
* commands. HOPM will also print messages in these channels every
* time it detects a proxy. Only IRC operators can command HOPM to do
* anything, but some of the things HOPM reports to these channels
* could be considered sensitive, so it's best not to put HOPM into
* public channels.
*/
channel {
/*
* Channel name. Local ("&") channels are supported if your ircd
* supports them.
*/
name = "#hopm";
/*
* If HOPM will need to use a key to enter this channel, this is
* where you specify it.
*/
# key = "somekey";
/*
* If you use ChanServ then maybe you want to set the channel
* invite-only and have each HOPM do "/msg ChanServ invite" to get
* itself in. Leave commented if you don't, or if this makes no
* sense to you.
*/
# invite = "CS INVITE #hopm";
};
/*
* You can define a bunch of channels if you want:
*
* channel { name = "#other"; }; channel { name= "#channel"; }
*/
/*
* connregex is a POSIX regular expression used to parse connection
* notices from the ircd. The complexity of the expression should
* be kept to a minimum.
*
* Items in order MUST be: nick user host IP
*
* HOPM will not work with ircds which do not send an IP address in the
* connection notice.
*
* This is fairly complicated stuff, and the consequences of getting
* it wrong are the HOPM does not scan anyone. Unless you know
* absolutely what you are doing, please just uncomment the example
* below that best matches the type of ircd you use.
*/
/* bahamut / charybdis / ircd-hybrid / ircd-ratbox / ircu / UnrealIRCd 3.2.x (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
/* ircd-hybrid with far connect notices (user mode +F) to scan clients on remote servers */
# connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
/* UnrealIRCd 4.0.x */
# connregex = "\\*\\*\\* Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
/* InspIRCd */
# connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9a-f\\.:]+)\\) \\[.*\\]";
/* ngIRCd */
# connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";
/*
* "kline" controls the command used when an open proxy is confirmed.
* We suggest applying a temporary (no more than a few hours) KLINE on the host.
*
* <WARNING>
* Make sure if you need to change this string you also change the
* kline command for every DNSBL you enable below.
*
* Also note that some servers do not allow you to include ':' characters
* inside the KLINE message (e.g. for a http:// address).
*
* Users rewriting this message into something that isn't even a valid
* IRC command is the single most common cause of support requests and
* therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
* KLINE COMMANDS BELOW.
* </WARNING>
*
* That said, should you wish to customise this text, several
* printf-like placeholders are available:
*
* %n User's nick
* %u User's username
* %h User's irc hostname
* %i User's IP address
* %t Protocol type which has triggered a positive scan
*/
/* A KLINE example for bahamut / charybdis / ircd-hybrid / ircd-ratbox */
kline = "KLINE 180 *@%i :Open proxy found on your host.";
/* A KLINE example for InspIRCd */
# kline = "KLINE *@%i 3h :Open proxy found on your host.";
/* A KLINE example for ngIRCd */
# kline = "KLINE *@%i 10800 :Open proxy found on your host.";
/* A GLINE example for ircu */
# kline = "GLINE +*@%i 10800 :Open proxy found on your host.";
/* A ZLINE example for UnrealIRCd */
# kline = "ZLINE *@%i 3h :Open proxy found on your host.";
/*
* An AKILL example for services with OperServ. Your HOPM must have permission to
* AKILL for this to work!
*/
# kline = "OS AKILL ADD +3h *@%i Open proxy found on your host.";
/*
* Text to send on connection, these can be stacked and will be sent in this order.
*
* !!! UNREAL USERS PLEASE NOTE !!!
* Unreal users will need PROTOCTL HCN to force hybrid connect
* notices.
*
* Yes Unreal users! That means you! That means you need the line
* below! See that thing at the start of the line? That's what we
* call a comment! Remove it to UNcomment the line.
*
* Note that this is no longer needed as of UnrealIRCd 4.0.0.
*/
# perform = "PROTOCTL HCN";
/*
* Text to send, via NOTICE, immediately when a new client connects. These can be
* stacked and will be sent in this order.
*/
# notice = "You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.";
};
/*
* OPM Block defines blacklists and information required to report new proxies
* to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
* file. There are several blacklist that list IP addresses known to be open
* proxies or other forms of IRC abuse. By checking against these blacklists,
* HOPMs are able to ban known sources of abuse without completely scanning them.
*/
#opm {
/*
* Blacklist zones to check IPs against. If you would rather not
* trust a remotely managed blacklist, you could set up your own, or
* leave these commented out in which case every user will be
* scanned. The use of at least one open proxy DNSBL is recommended
* however.
*
* Please check the policies of each blacklist you use to check you
* are comfortable with using them to block access to your server
* (and that you are allowed to use them).
*/
/* dnsbl.dronebl.org - https://dronebl.org */
# blacklist {
/* The DNS name of the blacklist */
# name = "dnsbl.dronebl.org";
/*
* Address families that are supported by the blacklist. Default is 'ipv4'.
*/
# address_family = ipv4, ipv6;
/*
* There are only two values that are valid for this
* "A record bitmask" and "A record reply"
* These options affect how the values specified to reply
* below will be interpreted, a bitmask is where the reply
* values are 2^n and more than one is added up, a reply is
* simply where the last octet of the IP address is that number.
* If you are not sure then the values set for dnsbl.dronebl.org
* will work without any changes.
*/
# type = "A record reply";
/*
* Kline types not listed in the reply list below.
*
* For DNSBLs that are not IRC specific and you just wish to kline
* certain types this can be enabled/disabled.
*/
# ban_unknown = no;
/*
* The actual values returned by the dnsbl.dronebl.org blacklist as
* documented at https://dronebl.org/docs/howtouse
*/
# reply {
# 2 = "Sample data used for heuristical analysis";
# 3 = "IRC spam drone (litmus/sdbot/fyle)";
# 5 = "Bottler (experimental)";
# 6 = "Unknown worm or spambot";
# 7 = "DDoS drone";
# 8 = "Open SOCKS proxy";
# 9 = "Open HTTP proxy";
# 10 = "ProxyChain";
# 11 = "Web Page Proxy";
# 12 = "Open DNS Resolver";
# 13 = "Automated dictionary attacks";
# 14 = "Open WINGATE proxy";
# 15 = "Compromised router / gateway";
# 16 = "Autorooting worms";
# 17 = "Automatically determined botnet IPs (experimental)";
# 18 = "Possibly compromised DNS/MX type hostname detected on IRC";
# 19 = "Abused VPN Service";
# 255 = "Uncategorized threat class";
# };
/*
* The kline message sent for this specific blacklist, remember to put
* the removal method in this.
*/
# kline = "KLINE 180 *@%i :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%i&network=Network";
# };
/* rbl.efnetrbl.org - https://rbl.efnetrbl.org/ */
# blacklist {
# name = "rbl.efnetrbl.org";
# type = "A record reply";
# ban_unknown = no;
# reply {
# 1 = "Open proxy";
# 2 = "spamtrap666";
# 3 = "spamtrap50";
# 4 = "TOR";
# 5 = "Drones / Flooding";
# };
# kline = "KLINE 180 *@%i :Blacklisted proxy found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
# };
/* tor.efnetrbl.org - https://rbl.efnetrbl.org/ */
# blacklist {
# name = "tor.efnetrbl.org";
# type = "A record reply";
# ban_unknown = no;
# reply {
# 1 = "TOR";
# };
# kline = "KLINE 180 *@%i :TOR exit node found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
# };
/*
* You can report the insecure proxies you find to a DNSBL also!
* The remaining directives in this section are only needed if you
* intend to do this. Reports are sent by email, one email per IP
* address. The format does support multiple addresses in one email,
* but we don't know of any servers that are detecting enough insecure
* proxies for this to be really necessary.
*/
/*
* Email address to send reports FROM. If you intend to send reports,
* please pick an email address that we can actually send mail to
* should we ever need to contact you.
*/
# dnsbl_from = "mybopm@myserver.org";
/*
* Email address to send reports TO.
* For example DroneBL:
*/
# dnsbl_to = "bopm-report@dronebl.org";
/*
* Full path to your sendmail binary. Even if your system does not
* use sendmail, it probably does have a binary called "sendmail"
* present in /usr/sbin or /usr/lib. If you don't set this, no
* proxies will be reported.
*/
# sendmail = "/usr/sbin/sendmail";
#};
/*
* The short explanation:
*
* This is where you define what ports/protocols to check for. You can have
* multiple scanner blocks and then choose which users will get scanned by
* which scanners further down.
*
* The long explanation:
*
* Scanner defines a virtual scanner. For each user being scanned, a scanner
* will use a file descriptor (and subsequent connection) for each protocol.
* Once connecting it will negotiate the proxy to connect to
* target_ip:target_port (target_ip MUST be an IP address).
*
* Once connected, any data passed through the proxy will be checked to see if
* target_string is contained within that data. If it is the proxy is
* considered open. If the connection is closed at any point before
* target_string is matched, or if at least max_read bytes are read from the
* connection, the negotiation is considered failed.
*/
scanner {
/*
* Unique name of this scanner. This is used further down in the
* user {} blocks to decide which users get affected by which
* scanners.
*/
name = "default";
/*
* HTTP CONNECT - very common proxy protocol supported by widely known
* software such as Squid and Apache. The most common sort of
* insecure proxy and found on a multitude of weird ports too. Offers
* transparent two way TCP connections.
*/
protocol = HTTP:80;
protocol = HTTP:8080;
protocol = HTTP:3128;
protocol = HTTP:6588;
/*
* The SSL/TLS variant of HTTP
*/
# protocol = HTTPS:443;
# protocol = HTTPS:8443;
/*
* SOCKS4/5 - well known proxy protocols, probably the second most
* common for insecure proxies, also offers transparent two way TCP
* connections. Fortunately largely confined to port 1080.
*/
protocol = SOCKS4:1080;
protocol = SOCKS5:1080;
/*
* Cisco routers with a default password (yes, it really does happen).
* Also pretty much anything else that will let you telnet to anywhere
* else on the Internet. Fortunately these are always on port 23.
*/
protocol = ROUTER:23;
/*
* WinGate is commercial windows proxy software which is now not so
* common, but still to be found, and helpfully presents an interface
* that can be used to telnet out, on port 23.
*/
protocol = WINGATE:23;
/*
* Dreambox DVB receivers with a default password allowing
* full root access to telnet or install bouncers.
*/
protocol = DREAMBOX:23;
/*
* The HTTP POST protocol, often dismissed when writing the access
* controls for proxies, but sadly can still be used to abused.
* Offers only the opportunity to send a single block of data, but
* enough of them at once can still make for a devastating flood.
* Found on the same ports that HTTP CONNECT proxies inhabit.
*
* Note that if your ircd has "ping cookies" then clients from HTTP
* POST proxies cannot actually ever get onto your network anyway. If
* you leave the checks in then you'll still find some (because some
* people IRC from boxes that run them), but if you use HOPM purely as
* a protective measure and you have ping cookies, you need not scan
* for HTTP POST.
*/
protocol = HTTPPOST:80;
/*
* The SSL/TLS variant of HTTPPOST
*/
# protocol = HTTPSPOST:443;
# protocol = HTTPSPOST:8443;
/*
* IP address this scanner will bind to. Use this if you need your scans to
* come FROM a particular interface on the machine you run HOPM from.
* If you don't understand what this means, please leave this
* commented out, as this is a major source of support queries!
*/
# bind = "127.0.0.1";
/*
* Maximum file descriptors this scanner can use. Remember that there
* will be one FD for each protocol listed above. As this example
* scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
* limit, this scanner can be used on 64 users _at the same time_.
* That should be adequate for most servers.
*/
fd = 512;
/*
* Maximum data read from a proxy before considering it closed. Don't
* set this too high, some people have fun setting up lots of ports
* that send endless data to tie up your scanner. 4KB is plenty for
* any known proxy.
*/
max_read = 4 kbytes;
/*
* Amount of time before a test is considered timed out.
* Again, all but the poorest slowest proxies will be detected within
* 30 seconds, and this helps keep resource usage low.
*/
timeout = 30 seconds;
/*
* Target IP to tell the proxy to connect to
*
* !!! THIS MUST BE CHANGED !!!
*
* You cannot instruct the proxy to connect to itself! The easiest
* thing to do would be to set this to the IP address of your ircd
* and then keep the default target_strings.
*
* Please use an IP address that is publically reachable from anywhere
* on the Internet, because you have no way of knowing where the insecure
* proxies will be located. Just because you and your HOPM can
* connect to your ircd on some private IP address like 192.168.0.1,
* does not mean that the insecure proxies out there on the Internet will be
* able to. And if they never connect, you will never detect them.
*
* Remember to change this setting for every scanner you configure.
*/
target_ip = "127.0.0.1";
/*
* Target port to tell the proxy to connect to. This is usually
* something like 6667. Basically any client-usable port.
*/
target_port = 6667;
/*
* Target string we check for in the data read back by the scanner.
* This should be some string out of the data that your ircd usually
* sends on connect. Multiple target strings are allowed.
*
* NOTE: Try to keep the number of target strings to a minimum. Two
* should be fine. One for normal connections and one for throttled
* connections. Comment out any others for efficiency.
*/
/*
* Usually first line sent to client on connection to ircd.
* If your ircd supports a more specific line (see below),
* using it will reduce false positives.
*/
target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";
/*
* If you try to connect too fast, you'll be throttled by your own
* ircd. Here's what a hybrid throttle message looks like:
*/
target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};
scanner {
name = "extended";
protocol = HTTP:81;
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
protocol = HTTPPOST:4480;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8080;
protocol = HTTPPOST:8081;
/*
* IRCnet have seen many socks5 on these ports, more than on the
* standard ports even.
*/
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
protocol = SOCKS5:10000;
protocol = SOCKS5:64101;
/*
* These came courtsey of Keith Dunnett from a bunch of public open
* proxy lists.
*/
protocol = SOCKS4:29992;
protocol = SOCKS4:38884;
protocol = SOCKS4:18844;
protocol = SOCKS4:17771;
protocol = SOCKS4:31121;
fd = 400;
/*
* If required you can add settings such as target_ip here
* they will override the defaults set in the first scanner
* for this and subsequent scanners defined in the config file
* This affects the following options:
* fd, bind, target_ip, target_port, target_string, timeout and
* max_read.
*/
};
/*
* Scanner to detect vulnerable SSH versions that normally exist on hacked
* routers and IoT devices. Don't forget to add this scanner to a user block.
*/
scanner {
name = "ssh";
protocol = SSH:22;
target_string = "SSH-1.99-OpenSSH_5.1";
target_string = "SSH-2.0-dropbear_0.51";
target_string = "SSH-2.0-dropbear_0.52";
target_string = "SSH-2.0-dropbear_0.53.1";
target_string = "SSH-2.0-dropbear_2012.55";
target_string = "SSH-2.0-dropbear_2013.62";
target_string = "SSH-2.0-dropbear_2014.63";
target_string = "SSH-2.0-OpenSSH_4.3";
target_string = "SSH-2.0-OpenSSH_5.1";
target_string = "SSH-2.0-OpenSSH_5.5p1";
target_string = "SSH-2.0-ROSSSH";
target_string = "SSH-2.0-SSH_Server";
};
/*
* User blocks define what scanners will be used to scan which hostmasks.
* When a user connects they will be scanned on every scanner {} (above)
* that matches their host.
*/
user {
/*
* Users matching this host mask will be scanned with all the
* protocols in the scanner named.
*/
mask = "*!*@*";
scanner = "default";
};
user {
/*
* Connections without ident will match on a vast number of connections
* very few proxies run ident though
*/
# mask = "*!~*@*";
mask = "*!squid@*";
mask = "*!nobody@*";
mask = "*!www-data@*";
mask = "*!cache@*";
mask = "*!CacheFlowS@*";
mask = "*!*@*www*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
scanner = "extended";
};
/*
* Exempt hosts matching certain strings from any form of scanning or dnsbl.
* HOPM will check each string against both the hostname and the IP address of
* the user.
*
* There are very few valid reasons to actually use "exempt". HOPM should
* never get false positives, and we would like to know very much if it does.
* One possible scenario is that the machine HOPM runs from is specifically
* authorized to use certain hosts as proxies, and users from those hosts use
* your network. In this case, without exempt, HOPM will scan these hosts,
* find itself able to use them as proxies, and ban them.
*/
exempt {
mask = "*!*@127.0.0.1";
};