Blame
Date: Wed Feb 1 05:00:29 2023 UTC
Message: Daily backup
001
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0
author=forero
charset=UTF-8
csum=fix typo
ctime=1614679909
host=2800:484:117a:82d4:ff02:54e2:26f6:dd1f
name=Hopm.Install
rev=54
targets=Stopm.Stopm,Rcd.Configure
text=(:title Hopm Install Guide:)

In this guide, we'll set up and configure [[https://github.com/ircd-hybrid/hopm|hopm]], an open proxy monitor that kills spam bots.

Advantages:

# Pure C
# Compatible with every IRC server
# Fast scanning and DNSBL support.

Disadvantages:

# Occasionally bans innocent users because it cannot perform [[stopm/stopm|statistical analysis]]

Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README.md|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL.md|INSTALL]] docs.

!! Installation
Upgrades from older versions of hopm can also follow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log.

Let's create the user hopm:

[@
$ doas useradd -m -g =uid -c "hopm" -d /home/hopm -s /bin/ksh hopm
@]

Then we switch to the user hopm and change to its home folder:

[@
$ doas su hopm
$ cd
@]

We download [[https://github.com/ircd-hybrid/hopm/tags|the latest release]], extract it, then build it:

[@
$ ftp https://github.com/ircd-hybrid/hopm/archive/1.1.10.tar.gz
$ tar xvzf 1.1.10.tar.gz
$ cd hopm-1.1.10
$ ./configure
$ make
$ make install
@]

hopm will now be installed in ~/hopm.

[[https://github.com/ircd-hybrid/hopm/blob/master/doc/reference.conf|/home/hopm/hopm/etc/reference.conf]] contains a sample template.

We'll create a new /home/hopm/hopm/etc/hopm.conf from scratch to keep it short:

[@
options {
  pidfile = "var/run/hopm.pid";
  command_queue_size = 64;
  command_interval = 10 seconds;
  command_timeout = 180 seconds;
  negcache_rebuild = 12 hours;
  dns_fdlimit = 64;
  dns_timeout = 5 seconds;
  scanlog = "var/log/scan.log";
};
@]

The only change is that we uncomment scanlog, so that we have a record of all users that connect. It will be stored in @@/home/hopm/hopm/var/log/scan.log@@.

[@
irc {
  nick = "MyHopm";
  realname = "Hybrid Open Proxy Monitor";
  username = "hopm";
  server = "127.0.0.1";
  port = 16667;
  tls = no;
  readtimeout = 15 minutes;
  reconnectinterval = 30 seconds;
  nickserv = "SQUERY NickServ :IDENTIFY MyHopm PASSWORD";
  oper = "MyHopm PASSWORD";
  mode = "+BcFiIoqRsw";
  away = "I'm a bot. Your messages will be ignored.";
  channel {
    name = "#hopm";
    key = "somekey";
    invite = "SQUERY ChanServ :INVITE #hopm";
  };
@]
@@ connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";@@
[@
  kline = "KLINE *@%h 3600 :Open proxy found on your host. Please contact support@example.com if this is in error.";
  notice = "To prevent spam and abuse, we scan users for open proxies.";
};
@]

Change the @@nick@@, @@realname@@ and @@username@@. @@server@@, @@port@@ and @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS.

ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ with the real nick and @@PASSWORD@@ with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.

We change the [[https://github.com/ngircd/ngircd/blob/master/doc/Modes.txt|mode]] to @@+BcFiIoqRsw@@. I recommend you change the channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.

For @@kline@@, make sure to replace @@*@%i@@ with @@*@%h@@ (to allow hopm to work with old cloak hostmasks, which have been broken since April 2020. Note that '''hopm will not work with +x cloaking'''). You must also change the order for kline: in ngircd, kline expects the hostmask before the time. You will also want to replace @@support@example.com@@ with your actual support email.

'''WARNING''': You must change the order for kline for ngircd:

[@
kline = "KLINE *@%h 3600 :Open proxy found on your host. Please contact support@example.com if this is in error.";
@]

The hostmask must come before the time.

[@
opm {
@]

In our OPM block, we will define a few blacklists: dronebl, efnet, and ircbl.

[@
  blacklist {
    name = "dnsbl.dronebl.org";
    address_family = ipv4, ipv6;
    type = "A record reply";
    ban_unknown = no;
    reply {
      2 = "Sample data used for heuristical analysis";
      3 = "IRC spam drone (litmus/sdbot/fyle)";
      5 = "Bottler (experimental)";
      6 = "Unknown worm or spambot";
      7 = "DDoS drone";
      8 = "Open SOCKS proxy";
      9 = "Open HTTP proxy";
      10 = "ProxyChain";
      11 = "Web Page Proxy";
      12 = "Open DNS Resolver";
      13 = "Automated dictionary attacks";
      14 = "Open WINGATE proxy";
      15 = "Compromised router / gateway";
      16 = "Autorooting worms";
      17 = "Automatically determined botnet IPs (experimental)";
      18 = "Possibly compromised DNS/MX type hostname detected on IRC";
      19 = "Abused VPN Service";
      255 = "Uncategorized threat class";
    };
    kline = "KLINE *@%h 3600 :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%i&network=<your_network_name>";
  };
@]

The name of the first blacklist is [[https://dronebl.org/docs/howtouse|dnsbl.dronebl.org]]. It supports both IPv4 and IPv6 addresses. We use A record replies. We don't want to ban unknown types.

'''Note''': Replace <your_network_name> with a unique network name. The Network parameter set in ngircd.conf should suffice.

For the kline, we again make sure to put the hostmask before the time (as ngircd requires). We also use %h instead of %i to kline by hostmask instead of by IP, since ngircd may be cloaking user IPs.

[@
  blacklist {
    name = "rbl.efnetrbl.org";
    type = "A record reply";
    ban_unknown = no;
    reply {
      1 = "Open proxy";
      2 = "spamtrap666";
      3 = "spamtrap50";
      4 = "TOR";
      5 = "Drones / Flooding";
    };
    kline = "KLINE *@%h 3600 :Blacklisted proxy found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
  };
  blacklist {
    name = "tor.efnetrbl.org";
    type = "A record reply";
    ban_unknown = no;
    reply {
      1 = "TOR";
    };
    kline = "KLINE *@%h 3600 :TOR exit node found. For more information, visit https://rbl.efnetrbl.org/?i=%i";
  };
@]

The two blacklists from efnet are the same.

[@
  blacklist {
    name = "rbl.ircbl.org";
    type = "A record reply";
    reply {
      2 = "Open proxy (2)";
      6 = "Mail or NS server (6)";
      10 = "D regex pattern (10)";
      11 = "Drone / compromised (11)";
      13 = "Join/part flood (13)";
      14 = "Drone / compromised 2 (14)";
      16 = "Spam bot (16)";
      17 = "Drone (17)";
      18 = "Drone 2 (18)";
      19 = "Web abuse (19)";
      20 = "Drone/flood bot (20)";
      21 = "Compromised host (21)";
      22 = "Open Proxy (22)";
      23 = "Open Proxy (23)";
      24 = "Mass advertising (24)";
      30 = "Drone (30)";
      31 = "Drone 2 (31)";
      32 = "Open proxy (32)";
      42 = "Open proxy (42)";
    };
    ban_unknown = yes;
    kline = "KLINE *@%h 3600 :Compromised host on this IP. See https://ircbl.org/lookup?ip=%i&network=<your_network_name> for more information.";
  };
  blacklist {
    name = "tor-irc.dnsbl.oftc.net";
    type = "A record reply";
    reply {
      2 = "Tor exit server";
    };
    ban_unknown = yes;
    kline = "KLINE *@%h 3600 :Please use our tor onion addresses. If this is in error, please email support@ircnow.org";
  };
};
@]

'''Note''': Again, replace <your_network_name> with a unique network name. The Network parameter set in ngircd.conf should suffice.

This is another blacklist.

Next, we define a scanner block. hopm will try to get the user to connect to the target_ip:target_port using the listed port/protocol. A target_string will be sent through the proxy and then checked. If the data is found, the user is a proxy.

'''NOTE''': target_ip must be an actual IP address. Replace 127.0.0.1 with your public IPv4 address.

[@
scanner {
  name = "default";
  protocol = HTTP:80;
  protocol = HTTP:8080;
  protocol = HTTP:3128;
  protocol = HTTP:6588;
# protocol = HTTPS:443;
# protocol = HTTPS:8443;
  protocol = SOCKS4:1080;
  protocol = SOCKS5:1080;
  protocol = ROUTER:23;
  protocol = WINGATE:23;
  protocol = DREAMBOX:23;
  protocol = HTTPPOST:80;
# protocol = HTTPSPOST:443;
# protocol = HTTPSPOST:8443;
# bind = "127.0.0.1";
  fd = 512;
  max_read = 4 kbytes;
  timeout = 30 seconds;
  target_ip = "127.0.0.1";
  target_port = 6667;
  target_string = "NOTICE * :*** Looking up your hostname and checking ident";
};
@]

Two more scanner blocks:

[@
scanner {
  name = "extended";
  protocol = HTTP:81;
  protocol = HTTP:8000;
  protocol = HTTP:8001;
  protocol = HTTP:8081;
  protocol = HTTPPOST:81;
  protocol = HTTPPOST:6588;
  protocol = HTTPPOST:4480;
  protocol = HTTPPOST:8000;
  protocol = HTTPPOST:8001;
  protocol = HTTPPOST:8080;
  protocol = HTTPPOST:8081;
  protocol = SOCKS4:4914;
  protocol = SOCKS4:6826;
  protocol = SOCKS4:7198;
  protocol = SOCKS4:7366;
  protocol = SOCKS4:9036;
  protocol = SOCKS5:4438;
  protocol = SOCKS5:5104;
  protocol = SOCKS5:5113;
  protocol = SOCKS5:5262;
  protocol = SOCKS5:5634;
  protocol = SOCKS5:6552;
  protocol = SOCKS5:6561;
  protocol = SOCKS5:7464;
  protocol = SOCKS5:7810;
  protocol = SOCKS5:8130;
  protocol = SOCKS5:8148;
  protocol = SOCKS5:8520;
  protocol = SOCKS5:8814;
  protocol = SOCKS5:9100;
  protocol = SOCKS5:9186;
  protocol = SOCKS5:9447;
  protocol = SOCKS5:9578;
  protocol = SOCKS5:10000;
  protocol = SOCKS5:64101;
  protocol = SOCKS4:29992;
  protocol = SOCKS4:38884;
  protocol = SOCKS4:18844;
  protocol = SOCKS4:17771;
  protocol = SOCKS4:31121;
  fd = 400;
};
scanner {
  name = "ssh";
  protocol = SSH:22;
  target_string = "SSH-1.99-OpenSSH_5.1";
  target_string = "SSH-2.0-dropbear_0.51";
  target_string = "SSH-2.0-dropbear_0.52";
  target_string = "SSH-2.0-dropbear_0.53.1";
  target_string = "SSH-2.0-dropbear_2012.55";
  target_string = "SSH-2.0-dropbear_2013.62";
  target_string = "SSH-2.0-dropbear_2014.63";
  target_string = "SSH-2.0-OpenSSH_4.3";
  target_string = "SSH-2.0-OpenSSH_5.1";
  target_string = "SSH-2.0-OpenSSH_5.5p1";
  target_string = "SSH-2.0-ROSSSH";
  target_string = "SSH-2.0-SSH_Server";
};
@]

[@
user {
  mask = "*!*@*";
  scanner = "default";
};

user {
  mask = "*!~*@*";
  mask = "*!squid@*";
  mask = "*!nobody@*";
  mask = "*!www-data@*";
  mask = "*!cache@*";
  mask = "*!CacheFlowS@*";
  mask = "*!*@*www*";
  mask = "*!*@*proxy*";
  mask = "*!*@*cache*";
  scanner = "extended";
};

exempt {
  mask = "*!*@127.0.0.1";
};
@]

!! Run Hopm

[@
$ /home/hopm/hopm/bin/hopm -d
@]

!! Cronjob

Put this script in /home/hopm/hopm/bin/autohopm:

[@
#!/bin/sh
HOPMPATH=/home/hopm/hopm

# Exit quietly if the PID file points at a running process.
if test -r "$HOPMPATH/var/run/hopm.pid"; then
  HOPMPID=$(cat "$HOPMPATH/var/run/hopm.pid")
  if kill -0 "$HOPMPID" >/dev/null 2>&1
  then
    exit 0
  fi
fi
# Otherwise start hopm and discard its output.
"$HOPMPATH/bin/hopm" >/dev/null 2>&1
@]

Then make sure execute privileges are set:

[@
$ chmod 754 /home/hopm/hopm/bin/autohopm
@]

[@
$ crontab -e
*/5 * * * * /home/hopm/hopm/bin/autohopm
@]

!! Troubleshooting

If you see this error:

[@
[2021-01-23T09:59:14-0600] IRC -> connect(): error connecting to username.coconut.ircnow.org: Connection refused
[2021-01-23T09:59:14-0600] IRC -> Connection to (username.coconut.ircnow.org) failed, reconnecting.
[2021-01-23T09:59:14-0600] IRC -> connect(): error connecting to username.coconut.ircnow.org: Connection refused
@]

This may be due to a configuration issue with ngircd. In particular, if the hostname has an AAAA record, hopm may be trying to connect via IPv6 while ngircd is not listening for IPv6 connections.

[@
$ doas pkg_add torsocks
@]

[@
$ torsocks nc irc.example.com 6667
nick toruser
user toruser * * :toruser
@]

In the #hopm channel, you should see:

[@
23:16 <MyHopm> DNSBL -> toruser!~toruser@vps-16fb7987.vps.ovh.ca [51.79.69.241] appears in BL zone rbl.efnetrbl.org (TOR)
@]

!! Run Hopm as System Daemon

[[Rcd/Configure|For this refer to this page]]\\

After you've created the rc.d script, append to /etc/rc.conf.local:
[@ hopm_user=hopm @]

# Syntax errors when hopm is running in the foreground. These result either from brackets missing where the config file needs them, or from the file having DOS encodings. See [[https://github.com/ircd-hybrid/hopm/issues/22#issuecomment-301276082]]. The missing bracket may be in the section before the line(s) that hopm reports when executed.
# If the service fails to start, check and make sure /home/hopm/hopm/var/log/hopm.log is owned by hopm.
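How the guide's @@type = "A record reply"@@ blacklist blocks turn a connecting IP into a ban decision, as an added Python example (not hopm's code and not part of the original guide). The zone settings are transcribed from the guide (DroneBL table shortened); the IPv4-only default for blocks without @@address_family@@ and the 127.0.0.0/8 sanity check are assumptions of this example, and the function names are hypothetical.

```python
import ipaddress

# Zone settings transcribed from the guide's blacklist blocks. The DroneBL
# reply table is shortened. "families" is assumed to be IPv4-only when the
# block has no address_family line.
ZONES = {
    "dnsbl.dronebl.org": {
        "families": {4, 6},
        "ban_unknown": False,
        "reply": {8: "Open SOCKS proxy", 9: "Open HTTP proxy",
                  19: "Abused VPN Service"},
    },
    "rbl.efnetrbl.org": {
        "families": {4},
        "ban_unknown": False,
        "reply": {1: "Open proxy", 2: "spamtrap666", 3: "spamtrap50",
                  4: "TOR", 5: "Drones / Flooding"},
    },
    "tor-irc.dnsbl.oftc.net": {
        "families": {4},
        "ban_unknown": True,
        "reply": {2: "Tor exit server"},
    },
}


def query_name(ip, zone):
    """Return the DNS name to look up for ip in zone, or None when the
    zone is not consulted for this address family."""
    addr = ipaddress.ip_address(ip)
    if addr.version not in ZONES[zone]["families"]:
        return None
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # reversed nibbles
    return ".".join(labels) + "." + zone


def classify(zone, answer):
    """Map a DNSBL answer (A record as a string, or None for NXDOMAIN)
    to a (ban, reason) pair using the zone's reply table and ban_unknown."""
    if answer is None:
        return (False, "not listed")
    octets = ipaddress.IPv4Address(answer).packed
    # Check added by this example: DNSBL answers live in 127.0.0.0/8. A
    # resolver that rewrites NXDOMAIN to some other address must not ban.
    if octets[0] != 127:
        return (False, "answer outside 127.0.0.0/8")
    code = octets[3]  # "A record reply": the last octet is the reply number
    cfg = ZONES[zone]
    if code in cfg["reply"]:
        return (True, cfg["reply"][code])
    return (cfg["ban_unknown"], "unknown reply %d" % code)


def kline(template, host, ip):
    """Fill the %h (hostmask) and %i (IP) placeholders of a kline template."""
    return template.replace("%h", host).replace("%i", ip)


if __name__ == "__main__":
    # Constructed run based on the guide's troubleshooting log line; the
    # answer 127.0.0.4 is a constructed value, not a live lookup.
    ip, host = "51.79.69.241", "vps-16fb7987.vps.ovh.ca"
    zone = "rbl.efnetrbl.org"
    print(query_name(ip, zone))
    ban, reason = classify(zone, "127.0.0.4")
    if ban:
        print(reason)
        print(kline("KLINE *@%h 3600 :Blacklisted proxy found. For more "
                    "information, visit https://rbl.efnetrbl.org/?i=%i",
                    host, ip))
```

The unknown-reply case shows why @@ban_unknown = yes@@ deserves care: any code the zone operator adds later bans users immediately, before the reply table has been updated.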
time=1672068766
title=Hopm Install Guide
author:1672068766=forero
csum:1672068766=fix typo
diff:1672068766:1666012289:minor=18c18%0a%3c Upgrades from older versions of hopm can also follow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log. %0a---%0a> Upgrades from older versions of hopm can also fallow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log. %0a
host:1672068766=2800:484:117a:82d4:ff02:54e2:26f6:dd1f
author:1666012289=izzyb
diff:1666012289:1666012190:minor=18c18%0a%3c Upgrades from older versions of hopm can also fallow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log. %0a---%0a> Upgrades from older version of hopm can also fallow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log. %0a
host:1666012289=68.148.177.239
author:1666012190=izzyb
diff:1666012190:1664828580:=18d17%0a%3c Upgrades from older version of hopm can also fallow these instructions. You can see the version running in the log file /home/hopm/hopm/var/log/hopm.log. %0a
host:1666012190=68.148.177.239
author:1664828580=izzyb
csum:1664828580=correction to kline in first efnet blacklist block
diff:1664828580:1664808762:=202c202%0a%3c kline = "KLINE *@%25h 3600 :Compromised host on this IP. See https://ircbl.org/lookup?ip=%25i&network=%3cyour_network_name> for more information.";%0a---%0a> kline = "KLINE 180 *@%25h :Compromised host on this IP. See https://ircbl.org/lookup?ip=%25i&network=%3cyour_network_name> for more information.";%0a
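Review bot: the summary for this revision says the fix is in the first efnet blacklist block, but the changed kline carries the ircbl.org lookup URL, so the summary names the wrong block. The change also raises the duration from 180 to 3600 while moving it after the hostmask; if the longer ban is intended, say so in the summary.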
host:1664828580=68.148.177.239
author:1664808762=izzyb
diff:1664808762:1664808732:minor=15c15%0a%3c Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README.md|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL.md|INSTALL]] docs.%0a---%0a> Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README.md|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL|INSTALL.md]] docs.%0a
host:1664808762=68.148.177.239
author:1664808732=izzyb
csum:1664808732=fix broken links; files renamed to have a .md extension
diff:1664808732:1642881519:=15c15%0a%3c Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README.md|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL|INSTALL.md]] docs.%0a---%0a> Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL|INSTALL]] docs.%0a
host:1664808732=68.148.177.239
author:1642881519=jrmu
diff:1642881519:1638824319:=204,212d203%0a%3c blacklist {%0a%3c name = "tor-irc.dnsbl.oftc.net";%0a%3c type = "A record reply";%0a%3c reply {%0a%3c 2 = "Tor exit server";%0a%3c };%0a%3c ban_unknown = yes;%0a%3c kline = "KLINE *@%25h 3600 :Please use our tor onion addresses. If this is in error, please email support@ircnow.org";%0a%3c };%0a
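Review bot: the new tor-irc.dnsbl.oftc.net block sets ban_unknown = yes while defining only reply 2, so any other answer from that zone also triggers the KLINE; if only Tor exits are meant to be banned, ban_unknown = no is the safer setting. The kline text also hard-codes support@ircnow.org, which readers copying the block will need to replace; use a placeholder address or add a sentence saying so.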
host:1642881519=38.87.162.8
author:1638824319=xfnw
csum:1638824319=warn about +x
diff:1638824319:1637396578:=97c97%0a%3c For @@kline@@, make sure to replace @@*@%25i@@ with @@*@%25h@@ (to allow hopm to work with old cloak hostmasks, which have been broken since April 2020. Note that '''hopm will not work with +x cloaking'''). You must also change the order for kline: in ngircd, kline expects the hostmask before the time. You will also want to replace @@support@example.com@@ with your actual support email.%0a---%0a> For @@kline@@, make sure to replace @@*@%25i@@ with @@*@%25h@@ (to allow hopm to work when you cloak hostmasks). You must also change the order for kline: in ngircd, kline expects the hostmask before the time. You will also want to replace @@support@example.com@@ with your actual support email.%0a
host:1638824319=2001:470:8:651::4
author:1637396578=jrmu
diff:1637396578:1637391199:=202c202%0a%3c kline = "KLINE 180 *@%25h :Compromised host on this IP. See https://ircbl.org/lookup?ip=%25i&network=%3cyour_network_name> for more information.";%0a---%0a> kline = "KLINE 180 *@%25i :Compromised host on this IP. See https://ircbl.org/lookup?ip=%25i&network=%3cyour_network_name> for more information.";%0a
host:1637396578=38.87.162.8
author:1637391199=bugzbunny
diff:1637391199:1632726144:=111,112c111,112%0a%3c In our OPM block, we will define a few blacklists: dronbl, efnet, and ircbl. %0a%3c %0a---%0a> In our OPM block, we define two blacklists: one for dronbl, and another for efnet. %0a> %0a139c139%0a%3c kline = "KLINE *@%25h 3600 :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%25i&network=%3cyour_network_name>";%0a---%0a> kline = "KLINE *@%25h 3600 :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%25i&network=Network";%0a145,146d144%0a%3c '''Note''': Replace %3cyour_network_name> with a unique network name. The Network parameter set in ngircd.conf should suffice.%0a%3c %0a206,207d203%0a%3c %0a%3c '''Note''': Again, replace %3cyour_network_name> with a unique network name. The Network parameter set in ngircd.conf should suffice.%0a
host:1637391199=72.78.238.236
author:1632726144=Miniontoby
diff:1632726144:1631250603:=169a170%0a> };%0a175c176%0a%3c blacklist {%0a---%0a> blacklist {%0a202d202%0a%3c };%0a204,205c204%0a%3c %0a%3c This is another blacklist.%0a---%0a> This one is used as another blacklist, and blocks ircbots.%0a
host:1632726144=125.231.18.235
author:1631250603=jrmu
diff:1631250603:1626787053:=208c208%0a%3c '''NOTE''': target_ip must be an actual ip address. Replace 127.0.0.1 with your public IPv4 address.%0a---%0a> '''NOTE''': target_ip must be an actual ip address%0a
host:1631250603=38.87.162.8
author:1626787053=mkf
csum:1626787053=ircbl
diff:1626787053:1625542031:=174,204d173%0a%3c %0a%3c [@%0a%3c blacklist {%0a%3c name = "rbl.ircbl.org";%0a%3c type = "A record reply";%0a%3c reply {%0a%3c 2 = "Open proxy (2)";%0a%3c 6 = "Mail or NS server (6)";%0a%3c 10 = "D regex pattern (10)";%0a%3c 11 = "Drone / compromised (11)";%0a%3c 13 = "Join/part flood (13)";%0a%3c 14 = "Drone / compromised 2 (14)";%0a%3c 16 = "Spam bot (16)";%0a%3c 17 = "Drone (17)";%0a%3c 18 = "Drone 2 (18)";%0a%3c 19 = "Web abuse (19)";%0a%3c 20 = "Drone/flood bot (20)";%0a%3c 21 = "Compromised host (21)";%0a%3c 22 = "Open Proxy (22)";%0a%3c 23 = "Open Proxy (23)";%0a%3c 24 = "Mass advertising (24)";%0a%3c 30 = "Drone (30)";%0a%3c 31 = "Drone 2 (31)";%0a%3c 32 = "Open proxy (32)";%0a%3c 42 = "Open proxy (42)";%0a%3c };%0a%3c ban_unknown = yes;%0a%3c kline = "KLINE 180 *@%25i :Compromised host on this IP. See https://ircbl.org/lookup?ip=%25i&network=%3cyour_network_name> for more information.";%0a%3c };%0a%3c @]%0a%3c This one is used as another blacklist, and blocks ircbots.%0a
host:1626787053=198.251.81.133
author:1625542031=jrmu
diff:1625542031:1625214366:=278c278%0a%3c mask = "*!~*@*";%0a---%0a> # mask = "*!~*@*";%0a
host:1625542031=125.231.16.111
author:1625214366=jrmu
diff:1625214366:1624614137:=303,304c303%0a%3c Put this script in /home/hopm/hopm/bin/autohopm%0a%3c %0a---%0a> (:if false:)%0a306,327c305,306%0a%3c #!/bin/sh%0a%3c HOPMPATH=/home/hopm/hopm%0a%3c %0a%3c if test -r $HOPMPATH/var/run/hopm.pid; then%0a%3c HOPMPID=$(cat $HOPMPATH/var/run/hopm.pid)%0a%3c if $(kill -0 $HOPMPID >/dev/null 2>&1)%0a%3c then%0a%3c exit 0%0a%3c fi%0a%3c fi%0a%3c $HOPMPATH/bin/hopm &> /dev/null%0a%3c @]%0a%3c %0a%3c Then make sure execute privileges are set:%0a%3c %0a%3c [@%0a%3c $ chmod 754 /home/hopm/hopm/bin/autohopm%0a%3c @]%0a%3c %0a%3c [@%0a%3c $ crontab -e%0a%3c */5 * * * * /home/hopm/hopm/bin/autohopm%0a---%0a> $ doas crontab -e -u hopm%0a> */5 * * * * /home/hopm/hopm/bin/hopm -dv >> /home/hopm/hopm/hopm.log 2>&1 &%0a
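Review bot: the autohopm script introduced here runs under #!/bin/sh but ends with "$HOPMPATH/bin/hopm &> /dev/null"; "&>" is a bash extension, and a POSIX sh reads it as "&" followed by a separate redirection, so hopm's output is not discarded. Use ">/dev/null 2>&1" instead. The liveness test "if $(kill -0 $HOPMPID >/dev/null 2>&1)" only works because the command substitution expands to nothing; "if kill -0 "$HOPMPID" 2>/dev/null" states the intent directly, and the PID file path should be quoted as well.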
host:1625214366=38.81.163.143
author:1624614137=jrmu
diff:1624614137:1624202950:=202c202,203%0a%3c target_string = "NOTICE * :*** Looking up your hostname and checking ident";%0a---%0a> target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";%0a> target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";%0a
host:1624614137=38.81.163.143
author:1624202950=jrmu
diff:1624202950:1624196192:=304d303%0a%3c (:if false:)%0a309d307%0a%3c (:ifend:)%0a
host:1624202950=38.81.163.143
author:1624196192=jrmu
diff:1624196192:1624196139:=306c306%0a%3c */5 * * * * /home/hopm/hopm/bin/hopm -dv >> /home/hopm/hopm/hopm.log 2>&1 &%0a---%0a> */5 * * * * /home/hopm/hopm/bin/hopm >>/var/log/znc.log 2>&1 &%0a
host:1624196192=38.81.163.143
author:1624196139=jrmu
diff:1624196139:1622818981:=300,306d299%0a%3c @]%0a%3c %0a%3c !! Cronjob%0a%3c %0a%3c [@%0a%3c $ doas crontab -e -u hopm%0a%3c */5 * * * * /home/hopm/hopm/bin/hopm >>/var/log/znc.log 2>&1 &%0a
host:1624196139=38.81.163.143
author:1622818981=jrmu
diff:1622818981:1620176123:=331,333c331%0a%3c %0a%3c [[Rcd/Configure|For this refer to this page]]\\%0a%3c %0a---%0a> For this refer to this page https://ircnow.org/kb/doku.php?id=openbsd:rc.d\\%0a338c336%0a%3c # If the service fails to start, check and make sure /home/hopm/hopm/var/log/hopm.log is owned by hopm.%0a---%0a> # If the service fails to start, check and make sure /home/hopm/hopm/var/log/hopm.log is owned by hopm.%0a\ No newline at end of file%0a
host:1622818981=38.81.163.143
author:1620176123=sarah
diff:1620176123:1615099104:=331,336c331,333%0a%3c For this refer to this page https://ircnow.org/kb/doku.php?id=openbsd:rc.d\\%0a%3c After you've created the rc.d script, append to /etc/rc.conf.local:%0a%3c [@ hopm_user=hopm @]%0a%3c %0a%3c # Syntax errors when hopm is running in foreground. This is either the result of missing brackets where needed in config file, or that the file has DOS encodings. See [[https://github.com/ircd-hybrid/hopm/issues/22#issuecomment-301276082]] here. The missing brackets where it was needed may come from the previous section, compared to the line/s where it is indicated by hopm when executed.%0a%3c # If the service fails to start, check and make sure /home/hopm/hopm/var/log/hopm.log is owned by hopm. %0a\ No newline at end of file%0a---%0a> For this refer to this page https://ircnow.org/kb/doku.php?id=openbsd:rc.d%0a> %0a> # Syntax errors when hopm is running in foreground. This is either the result of missing brackets where needed in config file, or that the file has DOS encodings. See [[https://github.com/ircd-hybrid/hopm/issues/22#issuecomment-301276082]] here. The missing brackets where it was needed may come from the previous section, compared to the line/s where it is indicated by hopm when executed.%0a\ No newline at end of file%0a
host:1620176123=2001:470:ee05:0:80:893f:ae46:9e7f
author:1615099104=jrmu
diff:1615099104:1615098709:=175,178c175,176%0a%3c Next, we define a scanner block. hopm will try to get the user to connect to the target_ip:target_port using the listed port/protocol. A target_string will be sent through the proxy and then checked. If the data is found, the user is an proxy.%0a%3c %0a%3c '''NOTE''': target_ip must be an actual ip address%0a%3c %0a---%0a> Next, we define a scanner block:%0a> %0a207,208c205,206%0a%3c Two more scanner blocks:%0a%3c %0a---%0a> target_ip must be another IP%0a> %0a270,272c268%0a%3c @]%0a%3c %0a%3c [@%0a---%0a> %0a
host:1615099104=198.251.81.119
author:1615098709=jrmu
diff:1615098709:1615098501:=171,177d170%0a%3c @]%0a%3c %0a%3c The two blacklists from efnet are the same.%0a%3c %0a%3c Next, we define a scanner block:%0a%3c %0a%3c [@%0a
host:1615098709=198.251.81.119
author:1615098501=jrmu
diff:1615098501:1615098416:=
host:1615098501=198.251.81.119
author:1615098416=jrmu
diff:1615098416:1615097718:=109,113d108%0a%3c @]%0a%3c %0a%3c In our OPM block, we define two blacklists: one for dronbl, and another for efnet. %0a%3c %0a%3c [@%0a118a114,118%0a> @]%0a> %0a> In our OPM block, we define two blacklists: one for dronbl, and another for efnet. %0a> %0a> [@%0a141,147d140%0a%3c @]%0a%3c %0a%3c The name of the first blacklist is [[https://dronebl.org/docs/howtouse|dnsbl.dronebl.org]]. It supports both ipv4 and ipv6 addresses. We use A record replies. We don't want to ban unknown types.%0a%3c %0a%3c For the kline, we again make sure to put the hostmask before the time (as ngircd requires). We also use %25h instead of %25i to kline by hostmask instead of by IP, since ngircd may be cloaking user IPs.%0a%3c %0a%3c [@%0a
host:1615098416=198.251.81.119
author:1615097718=jrmu
diff:1615097718:1615094839:=114,118d113%0a%3c @]%0a%3c %0a%3c In our OPM block, we define two blacklists: one for dronbl, and another for efnet. %0a%3c %0a%3c [@%0a
host:1615097718=125.231.24.85
author:1615094839=jrmu
diff:1615094839:1615093451:=74c74%0a%3c nickserv = "SQUERY NickServ :IDENTIFY MyHopm PASSWORD";%0a---%0a> nickserv = "SQUERY NickServ :IDENTIFY PASSWORD";%0a93c93%0a%3c ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ with the real nick and @@PASSWORD@@ with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.%0a---%0a> ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY PASSWORD@@ -- you'll want to replace PASSWORD with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.%0a
host:1615094839=198.251.81.119
author:1615093451=jrmu
diff:1615093451:1615093364:=71a72%0a> tls_hostname_verification = yes;%0a91,95c92,95%0a%3c Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS.%0a%3c %0a%3c ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY PASSWORD@@ -- you'll want to replace PASSWORD with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.%0a%3c %0a%3c We change the [[https://github.com/ngircd/ngircd/blob/master/doc/Modes.txt|mode]] to @@+BcFiIoqRsw@@. I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a---%0a> %0a> Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password, and @@MyHopm@@ with the operator nick. Change [[https://github.com/ngircd/ngircd/blob/master/doc/Modes.txt|mode]] to @@+BcFiIoqRsw@@.%0a> %0a> I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a
host:1615093451=198.251.81.119
author:1615093364=jrmu
diff:1615093364:1615093294:=72d71%0a%3c tls_hostname_verification = yes;%0a92,95c91,95%0a%3c %0a%3c Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password, and @@MyHopm@@ with the operator nick. Change [[https://github.com/ngircd/ngircd/blob/master/doc/Modes.txt|mode]] to @@+BcFiIoqRsw@@.%0a%3c %0a%3c I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a---%0a> Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS.%0a> %0a> ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY PASSWORD@@ -- you'll want to replace PASSWORD with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.%0a> %0a> We change the mode to @@+BcFiIoqRsw@@. I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a
host:1615093364=198.251.81.119
author:1615093294=jrmu
diff:1615093294:1615087042:=71a72%0a> tls_hostname_verification = yes;%0a91,95c92,95%0a%3c Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS.%0a%3c %0a%3c ngircd uses @@SQUERY@@ for @@nickserv@@: @@SQUERY NickServ :IDENTIFY PASSWORD@@ -- you'll want to replace PASSWORD with the real password. For oper: @@MyHopm PASSWORD@@ -- you'll want to replace @@MyHopm@@ and @@PASSWORD@@ with the operator name and password.%0a%3c %0a%3c We change the mode to @@+BcFiIoqRsw@@. I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a---%0a> %0a> Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password, and @@MyHopm@@ with the operator nick. Change mode to @@+BcFiIoqRsw@@.%0a> %0a> I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a
108
2023-01-22
jrmu
host:1615093294=198.251.81.119
109
2023-01-22
jrmu
author:1615087042=jrmu
110
2023-01-22
jrmu
diff:1615087042:1615032429:=62c62%0a%3c The only thing we change is we uncomment scanlog so that we have a record of all users that connect. It will be stored in @@/home/hopm/hopm/var/log/scan.log@@.%0a---%0a> The only thing we change is we uncomment scanlog so that we have a record of all users that connect. It will be stored in @@/home/hopm/var/log/scan.log@@.%0a
111
2023-01-22
jrmu
host:1615087042=198.251.81.119
112
2023-01-22
jrmu
author:1615032429=jrmu
113
2023-01-22
jrmu
diff:1615032429:1615032333:=97,105c97,98%0a%3c For @@kline@@, make sure to replace @@*@%25i@@ with @@*@%25h@@ (to allow hopm to work when you cloak hostmasks). You must also change the order for kline: in ngircd, kline expects the hostmask before the time. You will also want to replace @@support@example.com@@ with your actual support email.%0a%3c %0a%3c '''WARNING''': You must change the order for kline for ngircd:%0a%3c %0a%3c [@%0a%3c kline = "KLINE *@%25h 3600 :Open proxy found on your host. Please contact support@example.com if this is in error.";%0a%3c @]%0a%3c %0a%3c The hostmask must come before the time.%0a---%0a> For @@kline@@, make sure to replace @@*@%25i@@ with @@*@%25h@@ (to allow hopm to work when you cloak hostmasks). You will also want to replace @@support@example.com@@ with your actual support email.%0a> %0a
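Review bot: the rule that the hostmask comes before the time in the ngircd `KLINE` is stated three times in the new lines 97-105: in the first paragraph, in the WARNING line, and again after the example. Keep the WARNING with its example and drop the other two so the guide has one authoritative statement. The example should also say what unit `3600` is in.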
114
2023-01-22
jrmu
host:1615032429=198.251.81.119
115
2023-01-22
jrmu
author:1615032333=jrmu
116
2023-01-22
jrmu
diff:1615032333:1614698507:=126c126,127%0a%3c kline = "KLINE *@%25h 3600 :You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%25i&network=Network";%0a---%0a> kline = "KLINE 3600 *@%25h :You have a host listed in the DroneBL. For mor%0a> e information, visit https://dronebl.org/lookup_branded?ip=%25i&network=Network";%0a139c140,141%0a%3c kline = "KLINE *@%25h 3600 :Blacklisted proxy found. For more information, visit https://rbl.efnetrbl.org/?i=%25i";%0a---%0a> kline = "KLINE 3600 *@%25h :Blacklisted proxy found. For more information,%0a> visit https://rbl.efnetrbl.org/?i=%25i";%0a148c150,151%0a%3c kline = "KLINE *@%25h 3600 :TOR exit node found. For more information, visit https://rbl.efnetrbl.org/?i=%25i";%0a---%0a> kline = "KLINE 3600 *@%25h :TOR exit node found. For more information, vis%0a> it https://rbl.efnetrbl.org/?i=%25i";%0a
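Review bot: the DroneBL ban message on line 126 still ends in `network=Network`, which reads as a template placeholder, and nothing in the changed lines tells the reader to substitute their own network name. Add a sentence saying to replace it, or drop the parameter from the URL.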
117
2023-01-22
jrmu
host:1615032333=198.251.81.119
118
2023-01-22
jrmu
author:1614698507=jrmu
119
2023-01-22
jrmu
diff:1614698507:1614697020:=285,300d284%0a%3c %0a%3c [@%0a%3c $ doas pkg_add torsocks%0a%3c @]%0a%3c %0a%3c [@%0a%3c $ torsocks nc irc.example.com 6667%0a%3c nick toruser%0a%3c user toruser * * :toruser%0a%3c @]%0a%3c %0a%3c In the #hopm channel, you should see:%0a%3c %0a%3c [@%0a%3c 23:16 %3cMyHopm> DNSBL -> toruser!~toruser@vps-16fb7987.vps.ovh.ca [51.79.69.241] appears in BL zone rbl.efnetrbl.org (TOR)%0a%3c @]%0a
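Review bot: the sample channel output in the added test block publishes what looks like a real client address (`51.79.69.241`, `vps-16fb7987.vps.ovh.ca`). A guide should show a documentation address such as `192.0.2.1` and an `example.net` hostname instead. The two new code blocks also have no sentence introducing them, so the reader is never told that `torsocks nc irc.example.com 6667` is meant as a check that the DNSBL lookup flags a Tor connection; one lead-in line before the first block would fix that.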
120
2023-01-22
jrmu
host:1614698507=198.251.81.119
121
2023-01-22
jrmu
author:1614697020=jrmu
122
2023-01-22
jrmu
diff:1614697020:1614696943:=179,183d178%0a%3c @]%0a%3c %0a%3c target_ip must be another IP%0a%3c %0a%3c [@%0a
123
2023-01-22
jrmu
host:1614697020=198.251.81.119
124
2023-01-22
jrmu
author:1614696943=jrmu
125
2023-01-22
jrmu
diff:1614696943:1614696284:=76c76%0a%3c oper = "MyHopm PASSWORD";%0a---%0a> oper = "hopm PASSWORD";%0a93c93%0a%3c Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password, and @@MyHopm@@ with the operator nick. Change mode to @@+BcFiIoqRsw@@.%0a---%0a> Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password. Change mode to @@+BcFiIoqRsw@@.%0a
126
2023-01-22
jrmu
host:1614696943=198.251.81.119
127
2023-01-22
jrmu
author:1614696284=jrmu
128
2023-01-22
jrmu
diff:1614696284:1614696250:=64c64%0a%3c [@%0a---%0a> [=%0a84,86c84%0a%3c @]%0a%3c @@ connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";@@%0a%3c [@%0a---%0a> connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";%0a90c88%0a%3c @]%0a---%0a> =]%0a
129
2023-01-22
jrmu
host:1614696284=198.251.81.119
130
2023-01-22
jrmu
author:1614696250=jrmu
131
2023-01-22
jrmu
diff:1614696250:1614696193:=64c64%0a%3c [=%0a---%0a> [@%0a84c84,85%0a%3c connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";%0a---%0a> connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]%0a> +)\\].*";%0a88,89c89%0a%3c =]%0a%3c %0a---%0a> @]%0a
132
2023-01-22
jrmu
host:1614696250=198.251.81.119
133
2023-01-22
jrmu
author:1614696193=jrmu
134
2023-01-22
jrmu
diff:1614696193:1614695833:=84,85c84%0a%3c connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]%0a%3c +)\\].*";%0a---%0a> connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";%0a89a89%0a> %0a
135
2023-01-22
jrmu
host:1614696193=198.251.81.119
136
2023-01-22
jrmu
author:1614695833=jrmu
137
2023-01-22
jrmu
diff:1614695833:1614695806:=64c64%0a%3c [@%0a---%0a> [=%0a88c88%0a%3c @]%0a---%0a> =]%0a
138
2023-01-22
jrmu
host:1614695833=198.251.81.119
139
2023-01-22
jrmu
author:1614695806=jrmu
140
2023-01-22
jrmu
diff:1614695806:1614695686:=64c64%0a%3c [=%0a---%0a> [@%0a88c88%0a%3c =]%0a---%0a> @]%0a
141
2023-01-22
jrmu
host:1614695806=198.251.81.119
142
2023-01-22
jrmu
author:1614695686=jrmu
143
2023-01-22
jrmu
diff:1614695686:1614695622:=84c84,87%0a%3c connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";%0a---%0a> @]%0a> @@ connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]@@%0a> [@%0a> +)\\].*";%0a
144
2023-01-22
jrmu
host:1614695686=198.251.81.119
145
2023-01-22
jrmu
author:1614695622=jrmu
146
2023-01-22
jrmu
diff:1614695622:1614695325:=84,86c84%0a%3c @]%0a%3c @@ connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]@@%0a%3c [@%0a---%0a> connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]%0a92d89%0a%3c %0a
147
2023-01-22
jrmu
host:1614695622=198.251.81.119
148
2023-01-22
jrmu
author:1614695325=jrmu
149
2023-01-22
jrmu
diff:1614695325:1614693600:=86c86%0a%3c kline = "KLINE *@%25h 3600 :Open proxy found on your host. Please contact support@example.com if this is in error.";%0a---%0a> kline = "KLINE *@%25h 10800 :Open proxy found on your host. Please contact support@example.com if this is in error.";%0a96,259d95%0a%3c %0a%3c [@%0a%3c opm {%0a%3c blacklist { %0a%3c name = "dnsbl.dronebl.org";%0a%3c address_family = ipv4, ipv6;%0a%3c type = "A record reply";%0a%3c ban_unknown = no;%0a%3c reply {%0a%3c 2 = "Sample data used for heuristical analysis";%0a%3c 3 = "IRC spam drone (litmus/sdbot/fyle)";%0a%3c 5 = "Bottler (experimental)";%0a%3c 6 = "Unknown worm or spambot";%0a%3c 7 = "DDoS drone";%0a%3c 8 = "Open SOCKS proxy";%0a%3c 9 = "Open HTTP proxy";%0a%3c 10 = "ProxyChain";%0a%3c 11 = "Web Page Proxy";%0a%3c 12 = "Open DNS Resolver";%0a%3c 13 = "Automated dictionary attacks";%0a%3c 14 = "Open WINGATE proxy";%0a%3c 15 = "Compromised router / gateway";%0a%3c 16 = "Autorooting worms";%0a%3c 17 = "Automatically determined botnet IPs (experimental)";%0a%3c 18 = "Possibly compromised DNS/MX type hostname detected on IRC";%0a%3c 19 = "Abused VPN Service";%0a%3c 255 = "Uncategorized threat class";%0a%3c };%0a%3c kline = "KLINE 3600 *@%25h :You have a host listed in the DroneBL. For mor%0a%3c e information, visit https://dronebl.org/lookup_branded?ip=%25i&network=Network";%0a%3c };%0a%3c blacklist {%0a%3c name = "rbl.efnetrbl.org";%0a%3c type = "A record reply";%0a%3c ban_unknown = no;%0a%3c reply {%0a%3c 1 = "Open proxy";%0a%3c 2 = "spamtrap666";%0a%3c 3 = "spamtrap50";%0a%3c 4 = "TOR";%0a%3c 5 = "Drones / Flooding";%0a%3c };%0a%3c kline = "KLINE 3600 *@%25h :Blacklisted proxy found. For more information,%0a%3c visit https://rbl.efnetrbl.org/?i=%25i";%0a%3c };%0a%3c blacklist {%0a%3c name = "tor.efnetrbl.org";%0a%3c type = "A record reply";%0a%3c ban_unknown = no;%0a%3c reply {%0a%3c 1 = "TOR";%0a%3c };%0a%3c kline = "KLINE 3600 *@%25h :TOR exit node found. 
For more information, vis%0a%3c it https://rbl.efnetrbl.org/?i=%25i";%0a%3c };%0a%3c };%0a%3c scanner {%0a%3c name = "default";%0a%3c protocol = HTTP:80;%0a%3c protocol = HTTP:8080;%0a%3c protocol = HTTP:3128;%0a%3c protocol = HTTP:6588;%0a%3c # protocol = HTTPS:443;%0a%3c # protocol = HTTPS:8443;%0a%3c protocol = SOCKS4:1080;%0a%3c protocol = SOCKS5:1080;%0a%3c protocol = ROUTER:23;%0a%3c protocol = WINGATE:23;%0a%3c protocol = DREAMBOX:23;%0a%3c protocol = HTTPPOST:80;%0a%3c # protocol = HTTPSPOST:443;%0a%3c # protocol = HTTPSPOST:8443;%0a%3c # bind = "127.0.0.1";%0a%3c fd = 512;%0a%3c max_read = 4 kbytes;%0a%3c timeout = 30 seconds;%0a%3c target_ip = "127.0.0.1";%0a%3c target_port = 6667;%0a%3c target_string = ":irc.example.org NOTICE * :*** Looking up your hostname";%0a%3c target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";%0a%3c };%0a%3c scanner {%0a%3c name = "extended";%0a%3c protocol = HTTP:81;%0a%3c protocol = HTTP:8000;%0a%3c protocol = HTTP:8001;%0a%3c protocol = HTTP:8081;%0a%3c protocol = HTTPPOST:81;%0a%3c protocol = HTTPPOST:6588;%0a%3c protocol = HTTPPOST:4480;%0a%3c protocol = HTTPPOST:8000;%0a%3c protocol = HTTPPOST:8001;%0a%3c protocol = HTTPPOST:8080;%0a%3c protocol = HTTPPOST:8081;%0a%3c protocol = SOCKS4:4914;%0a%3c protocol = SOCKS4:6826;%0a%3c protocol = SOCKS4:7198;%0a%3c protocol = SOCKS4:7366;%0a%3c protocol = SOCKS4:9036;%0a%3c protocol = SOCKS5:4438;%0a%3c protocol = SOCKS5:5104;%0a%3c protocol = SOCKS5:5113;%0a%3c protocol = SOCKS5:5262;%0a%3c protocol = SOCKS5:5634;%0a%3c protocol = SOCKS5:6552;%0a%3c protocol = SOCKS5:6561;%0a%3c protocol = SOCKS5:7464;%0a%3c protocol = SOCKS5:7810;%0a%3c protocol = SOCKS5:8130;%0a%3c protocol = SOCKS5:8148;%0a%3c protocol = SOCKS5:8520;%0a%3c protocol = SOCKS5:8814;%0a%3c protocol = SOCKS5:9100;%0a%3c protocol = SOCKS5:9186;%0a%3c protocol = SOCKS5:9447;%0a%3c protocol = SOCKS5:9578;%0a%3c protocol = SOCKS5:10000;%0a%3c protocol = SOCKS5:64101;%0a%3c protocol = 
SOCKS4:29992;%0a%3c protocol = SOCKS4:38884;%0a%3c protocol = SOCKS4:18844;%0a%3c protocol = SOCKS4:17771;%0a%3c protocol = SOCKS4:31121;%0a%3c fd = 400;%0a%3c };%0a%3c scanner {%0a%3c name = "ssh";%0a%3c protocol = SSH:22;%0a%3c target_string = "SSH-1.99-OpenSSH_5.1";%0a%3c target_string = "SSH-2.0-dropbear_0.51";%0a%3c target_string = "SSH-2.0-dropbear_0.52";%0a%3c target_string = "SSH-2.0-dropbear_0.53.1";%0a%3c target_string = "SSH-2.0-dropbear_2012.55";%0a%3c target_string = "SSH-2.0-dropbear_2013.62";%0a%3c target_string = "SSH-2.0-dropbear_2014.63";%0a%3c target_string = "SSH-2.0-OpenSSH_4.3";%0a%3c target_string = "SSH-2.0-OpenSSH_5.1";%0a%3c target_string = "SSH-2.0-OpenSSH_5.5p1";%0a%3c target_string = "SSH-2.0-ROSSSH";%0a%3c target_string = "SSH-2.0-SSH_Server";%0a%3c };%0a%3c %0a%3c user {%0a%3c mask = "*!*@*";%0a%3c scanner = "default";%0a%3c };%0a%3c %0a%3c user {%0a%3c # mask = "*!~*@*";%0a%3c mask = "*!squid@*";%0a%3c mask = "*!nobody@*";%0a%3c mask = "*!www-data@*";%0a%3c mask = "*!cache@*";%0a%3c mask = "*!CacheFlowS@*";%0a%3c mask = "*!*@*www*";%0a%3c mask = "*!*@*proxy*";%0a%3c mask = "*!*@*cache*";%0a%3c scanner = "extended";%0a%3c };%0a%3c %0a%3c exempt {%0a%3c mask = "*!*@127.0.0.1";%0a%3c };%0a%3c @]%0a
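Review bot: the `irc` block line changed at 86 uses `KLINE *@%25h 3600` (hostmask first), while the three `blacklist` blocks added in the same revision use `KLINE 3600 *@%25h`, so the two halves of the config disagree on argument order; make the blacklist entries match the `irc` block. Separately, the `default` scanner sets `target_ip = "127.0.0.1"`: a proxy on the scanned host that is asked to connect to 127.0.0.1 reaches itself rather than this IRC server, so the `target_string` lines can never match. The guide should tell the reader to put the server's externally reachable address there and to adjust the `irc.example.org` banner string to their own server name.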
150
2023-01-22
jrmu
host:1614695325=198.251.81.119
151
2023-01-22
jrmu
author:1614693600=jrmu
152
2023-01-22
jrmu
diff:1614693600:1614693431:=86,87c86,88%0a%3c kline = "KLINE *@%25h 10800 :Open proxy found on your host. Please contact support@example.com if this is in error.";%0a%3c notice = "To prevent spam and abuse, we scan users for open proxies.";%0a---%0a> kline = "KLINE *@%25i 10800 :Open proxy found on your host.";%0a> notice = "You are now being scanned for open proxies. If you have nothing to hid%0a> e, you have nothing to fear.";%0a94,95d94%0a%3c %0a%3c For @@kline@@, make sure to replace @@*@%25i@@ with @@*@%25h@@ (to allow hopm to work when you cloak hostmasks). You will also want to replace @@support@example.com@@ with your actual support email.%0a
153
2023-01-22
jrmu
host:1614693600=198.251.81.119
154
2023-01-22
jrmu
author:1614693431=jrmu
155
2023-01-22
jrmu
diff:1614693431:1614692395:=77c77%0a%3c mode = "+BcFiIoqRsw";%0a---%0a> mode = "+iC";%0a82c82%0a%3c invite = "SQUERY ChanServ :INVITE #hopm";%0a---%0a> invite = "CS INVITE #hopm";%0a92,95c92%0a%3c Change the @@nick@@, @@realname@@, @@username@@. @@server@@, @@port@@, @@tls@@ specify how to connect to your ircd. You will want to use 127.0.0.1 port 16667 with no TLS. @@nickserv@@ and @@oper@@ should be changed to match ngircd. You'll also want to replace @@PASSWORD@@ with the nickserv and oper password. Change mode to @@+BcFiIoqRsw@@.%0a%3c %0a%3c I recommend you change channel's @@name@@ from @@#hopm@@ to your team channel. @@invite@@ has been modified to match ngircd; replace @@#hopm@@ with your team channel.%0a%3c %0a---%0a> Change the @@nick@@, @@realname@@, @@username@@, @@server@@, @@port@@, @@tls@@. Replace @@PASSWORD@@ in @@nickserv@@ and @@PASSWORD@@ in @@oper@@ with the nickserv and oper password.%0a
156
2023-01-22
jrmu
host:1614693431=198.251.81.119
157
2023-01-22
jrmu
author:1614692395=jrmu
158
2023-01-22
jrmu
diff:1614692395:1614691856:=62,63c62,63%0a%3c The only thing we change is we uncomment scanlog so that we have a record of all users that connect. It will be stored in @@/home/hopm/var/log/scan.log@@.%0a%3c %0a---%0a> The only thing we change is we uncomment scanlog so that we have a record of all users that connect.%0a> %0a75,76c75,76%0a%3c nickserv = "SQUERY NickServ :IDENTIFY PASSWORD";%0a%3c oper = "hopm PASSWORD";%0a---%0a> nickserv = "NS IDENTIFY password";%0a> oper = "hopm operpass";%0a92d91%0a%3c Change the @@nick@@, @@realname@@, @@username@@, @@server@@, @@port@@, @@tls@@. Replace @@PASSWORD@@ in @@nickserv@@ and @@PASSWORD@@ in @@oper@@ with the nickserv and oper password.%0a
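Review bot: the new line 92 tells the reader to put the real NickServ and operator passwords into `nickserv` and `oper`, but no step restricts who can read the config file afterwards. Add a `chmod 600` on hopm.conf, owned by the hopm user, right after the edit. The new sentence on line 62 also gives the scan log as `/home/hopm/var/log/scan.log`, which does not match the `~/hopm` install prefix the guide states.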
159
2023-01-22
jrmu
host:1614692395=198.251.81.119
160
2023-01-22
jrmu
author:1614691856=jrmu
161
2023-01-22
jrmu
diff:1614691856:1614691431:=45,48c45,46%0a%3c [[https://github.com/ircd-hybrid/hopm/blob/master/doc/reference.conf|/home/hopm/hopm/etc/reference.conf]] contains a sample template.%0a%3c %0a%3c We'll create a new /home/hopm/hopm/etc/hopm.conf from scratch to keep it short:%0a%3c %0a---%0a> We'll copy the template conf file:%0a> %0a49a48,53%0a> $ cp /home/hopm/hopm/etc/reference.conf /home/hopm/hopm/etc/hopm.conf%0a> @]%0a> %0a> Then edit /home/hopm/hopm/etc/hopm.conf:%0a> %0a> [@%0a61,62d64%0a%3c %0a%3c The only thing we change is we uncomment scanlog so that we have a record of all users that connect.%0a
162
2023-01-22
jrmu
host:1614691856=198.251.81.119
163
2023-01-22
jrmu
author:1614691431=jrmu
164
2023-01-22
jrmu
diff:1614691431:1614681012:=52,92d51%0a%3c %0a%3c [@%0a%3c options {%0a%3c pidfile = "var/run/hopm.pid";%0a%3c command_queue_size = 64;%0a%3c command_interval = 10 seconds;%0a%3c command_timeout = 180 seconds;%0a%3c negcache_rebuild = 12 hours;%0a%3c dns_fdlimit = 64;%0a%3c dns_timeout = 5 seconds;%0a%3c scanlog = "var/log/scan.log";%0a%3c };%0a%3c @]%0a%3c %0a%3c [@%0a%3c irc {%0a%3c nick = "MyHopm";%0a%3c realname = "Hybrid Open Proxy Monitor";%0a%3c username = "hopm";%0a%3c server = "127.0.0.1";%0a%3c port = 16667;%0a%3c tls = no;%0a%3c tls_hostname_verification = yes;%0a%3c readtimeout = 15 minutes;%0a%3c reconnectinterval = 30 seconds;%0a%3c nickserv = "NS IDENTIFY password";%0a%3c oper = "hopm operpass";%0a%3c mode = "+iC";%0a%3c away = "I'm a bot. Your messages will be ignored.";%0a%3c channel {%0a%3c name = "#hopm";%0a%3c key = "somekey";%0a%3c invite = "CS INVITE #hopm";%0a%3c };%0a%3c connregex = "Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]%0a%3c +)\\].*";%0a%3c kline = "KLINE *@%25i 10800 :Open proxy found on your host.";%0a%3c notice = "You are now being scanned for open proxies. If you have nothing to hid%0a%3c e, you have nothing to fear.";%0a%3c };%0a%3c @]%0a
165
2023-01-22
jrmu
host:1614691431=198.251.81.119
166
2023-01-22
jrmu
author:1614681012=jrmu
167
2023-01-22
jrmu
diff:1614681012:1614680893:=39,40c39,40%0a%3c $ make%0a%3c $ make install%0a---%0a> $ gmake%0a> $ gmake install%0a
168
2023-01-22
jrmu
host:1614681012=198.251.81.119
169
2023-01-22
jrmu
author:1614680893=jrmu
170
2023-01-22
jrmu
diff:1614680893:1614680783:=
171
2023-01-22
jrmu
host:1614680893=198.251.81.119
172
2023-01-22
jrmu
author:1614680783=jrmu
173
2023-01-22
jrmu
diff:1614680783:1614680082:=36c36%0a%3c $ tar xvzf 1.1.10.tar.gz%0a---%0a> $ tar xvzf hopm-1.1.10.tar.gz%0a
174
2023-01-22
jrmu
host:1614680783=198.251.81.119
175
2023-01-22
jrmu
author:1614680082=jrmu
176
2023-01-22
jrmu
diff:1614680082:1614679909:=22c22%0a%3c $ doas useradd -m -g =uid -c "hopm" -d /home/hopm -s /bin/ksh hopm%0a---%0a> doas useradd -m -g =uid -c "hopm" -d /home/hopm -s /bin/ksh hopm%0a
177
2023-01-22
jrmu
host:1614680082=198.251.81.119
178
2023-01-22
jrmu
author:1614679909=jrmu
179
2023-01-22
jrmu
diff:1614679909:1614679909:=1,74d0%0a%3c (:title Hopm Install Guide:)%0a%3c %0a%3c In this guide, we'll setup and configure [[https://github.com/ircd-hybrid/hopm|hopm]], an open proxy monitor that kills spam bots.%0a%3c %0a%3c Advantages:%0a%3c %0a%3c # Pure C%0a%3c # Compatible with every IRC server%0a%3c # Fast scanning and DNSBL support.%0a%3c %0a%3c Disadvantages:%0a%3c %0a%3c # Occasionally bans innocent users because it cannot perform [[stopm/stopm|statistical analysis]]%0a%3c %0a%3c Before you begin, you must read the [[https://github.com/ircd-hybrid/hopm/blob/master/README|README]] and [[https://github.com/ircd-hybrid/hopm/blob/master/INSTALL|INSTALL]] docs.%0a%3c %0a%3c !! Installation%0a%3c %0a%3c Let's create the user hopm:%0a%3c %0a%3c [@%0a%3c doas useradd -m -g =uid -c "hopm" -d /home/hopm -s /bin/ksh hopm%0a%3c @]%0a%3c %0a%3c Then we switch to the user hopm and change to its home folder:%0a%3c %0a%3c [@%0a%3c $ doas su hopm%0a%3c $ cd%0a%3c @]%0a%3c %0a%3c We download [[https://github.com/ircd-hybrid/hopm/tags|the latest release]], extract it, then build it:%0a%3c %0a%3c [@%0a%3c $ ftp https://github.com/ircd-hybrid/hopm/archive/1.1.10.tar.gz%0a%3c $ tar xvzf hopm-1.1.10.tar.gz%0a%3c $ cd hopm-1.1.10%0a%3c $ ./configure%0a%3c $ gmake%0a%3c $ gmake install%0a%3c @]%0a%3c %0a%3c hopm will now be installed in ~/hopm.%0a%3c %0a%3c We'll copy the template conf file:%0a%3c %0a%3c [@%0a%3c $ cp /home/hopm/hopm/etc/reference.conf /home/hopm/hopm/etc/hopm.conf%0a%3c @]%0a%3c %0a%3c Then edit /home/hopm/hopm/etc/hopm.conf:%0a%3c %0a%3c !! Run Hopm%0a%3c %0a%3c [@%0a%3c $ /home/hopm/hopm/bin/hopm -d%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c If you see this error:%0a%3c %0a%3c [@%0a%3c [2021-01-23T09:59:14-0600] IRC -> connect(): error connecting to username.coconut.ircnow.org: Connection refused %0a%3c [2021-01-23T09:59:14-0600] IRC -> Connection to (username.coconut.ircnow.org) failed, reconnecting. 
%0a%3c [2021-01-23T09:59:14-0600] IRC -> connect(): error connecting to username.coconut.ircnow.org: Connection refused%0a%3c @]%0a%3c %0a%3c This may be due to a configuration issue with ngircd. In particular, if the hostname has an AAAA record, hopm may be trying to connect via IPv6 but ngircd does not listen to IPv6 connections.%0a%3c %0a%3c !! Run Hopm as System Daemon%0a%3c For this refer to this page https://ircnow.org/kb/doku.php?id=openbsd:rc.d%0a%3c %0a%3c # Syntax errors when hopm is running in foreground. This is either the result of missing brackets where needed in config file, or that the file has DOS encodings. See [[https://github.com/ircd-hybrid/hopm/issues/22#issuecomment-301276082]] here. The missing brackets where it was needed may come from the previous section, compared to the line/s where it is indicated by hopm when executed.%0a\ No newline at end of file%0a
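Review bot: the download step fetches `https://github.com/ircd-hybrid/hopm/archive/1.1.10.tar.gz` and goes straight to `./configure` and `gmake install` with no integrity check on the tarball. Add a step that computes its SHA-256 (`sha256` on OpenBSD) and compares it with a value the guide pins for that release. In the same block the file names disagree: `ftp` is given a URL ending in `1.1.10.tar.gz` but the next line runs `tar xvzf hopm-1.1.10.tar.gz`, so one of the two needs to change. The last list item about syntax errors also sits under the "Run Hopm as System Daemon" heading, where it reads as part of the wrong section; move it up into Troubleshooting.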
180
2023-01-22
jrmu
host:1614679909=198.251.81.119