
hopm's Introduction

HOPM

HOPM (Hybrid Open Proxy Monitor) is an open-proxy monitoring bot that watches a single IRC server: it connects with a local operator {} block and reads that server's connection notices. Unless the IRCd supports the "far connect" user mode (which delivers connection notices from remote servers as well), every server on the network has to run its own bot. When a client connects, HOPM scans the client's address for insecure proxies. A proxy counts as insecure when HOPM can instruct it to open a connection back to another host (usually the IRC server itself) and sees that host's response relayed back through the proxy.

HOPM is written from the ground up in C. It is an improved fork of BOPM (Blitzed Open Proxy Monitor), itself a concept derived from wgmon. It improves on wgmon with HTTP support, faster scanning (clients are scanned concurrently), a more scalable layout and DNSBL support.

Requirements

  • An IRCd that presents connection notices in a format HOPM recognizes;

  • A host with full connectivity on every port you wish to scan, i.e. one that is NOT transparently proxied. Many domestic internet connections have port 80 transparently proxied, which produces completely unpredictable results, sometimes as severe as 100% of clients being K-lined;

  • A UNIX OS with GNU make, a C99 compiler, etc.;

  • Permission from your users to portscan them for open proxies;

  • For HTTPS proxy detection, a working LibreSSL/OpenSSL library is required.

Compatibility

  • Bahamut 2.0.x
  • InspIRCd 3.5.x
  • ircd-hybrid 8.2.x
  • ircd-ratbox 3.0.x
  • ircu 2.10.x
  • ngIRCd 25
  • UnrealIRCd 5.0.x

HOPM can be adapted to any other IRCd with little effort: the connregex option in hopm.conf is the regular expression that extracts the client's details from the connection notice. However, if an IRCd does not include IP addresses in its connection notices, HOPM cannot work with it at all, because the IP is what gets scanned.
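Before pointing HOPM at a new IRCd it pays to test the connregex against a real notice line. The script below is an added example, not HOPM's code: it takes the InspIRCd-style connregex quoted in the "Syntax error with InspIRCd's connregex?" issue further down this page, undoes the backslash doubling hopm.conf requires, and runs it over a constructed notice. The server name, addresses and notice text are made up for the example, and the assumption that the four capture groups are nick, user, host and IP in that order follows the convention reference.conf uses.

```python
"""Added example (not HOPM code): check a hopm.conf connregex against a
sample connection notice.  The notice lines and server name below are
constructed, not captured from a real server."""
import re

# The value exactly as it is written inside the hopm.conf string: every
# backslash that belongs to the regex is doubled.
CONNREGEX_CONF = (r"\\*\\*\\* .*CONNECT: Client connecting.*: "
                  r"([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]")

# Constructed InspIRCd-like connect notice with the client's IP in it.
SAMPLE_NOTICE = (":irc.example.net NOTICE * :*** CONNECT: Client connecting on port 6667 "
                 "(class main): alice!~alice@203.0.113.7 (203.0.113.7) [Alice]")

# Constructed notice with no IP at all: HOPM cannot work from these.
NOTICE_WITHOUT_IP = (":irc.example.net NOTICE * :*** CONNECT: Client connecting on port 6667 "
                     "(class main): bob!~bob@example.org [Bob]")


def conf_to_regex(value):
    """hopm.conf writes one literal backslash as two; give back the bare regex."""
    return value.replace("\\\\", "\\")


def parse_connect_notice(connregex, line):
    """Return nick/user/host/ip when the notice matches, else None.

    Assumption (the reference.conf convention): the four capture groups are,
    in order, nick, user, host and IP.  Python's re is close enough to the
    POSIX extended regex HOPM compiles for a pattern like this one, but it is
    not identical; the final check is running hopm -d against the real ircd.
    """
    m = re.search(connregex, line)
    if m is None or m.lastindex is None or m.lastindex < 4:
        return None
    nick, user, host, ip = m.group(1, 2, 3, 4)
    return {"nick": nick, "user": user, "host": host, "ip": ip}


if __name__ == "__main__":
    regex = conf_to_regex(CONNREGEX_CONF)
    print(parse_connect_notice(regex, SAMPLE_NOTICE))      # the four fields
    print(parse_connect_notice(regex, NOTICE_WITHOUT_IP))  # None: no IP to scan
```

When the second line prints None, that is the situation described above: a notice format without an IP gives HOPM nothing to scan, and no connregex can fix that.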

Command-line options

-c <name> Configuration filename. By default HOPM reads hopm.conf; -c foo makes it read foo.conf instead. The primary use is running several HOPM instances from one directory, each with its own configuration.

-d Debug mode. HOPM will not fork and will write its log to stderr. Each additional -d raises the debug level.

Operator channel commands

<bot> check <host> [scanner] Manually scans host for insecure proxies and reports every error encountered. If scanner is not given, HOPM runs all configured scanners against the host. NOTE: a manual check never adds a K-line, even if it finds a proxy.

<bot> stats Outputs scan stats, uptime and connection count.

<bot> fdstat Outputs info about file descriptors in use.

Also, if several HOPM instances are present in one channel, they all respond to the !all prefix, for example !all stats.

Rehashing HOPM

A /quote KILL on HOPM causes the process to restart, rehashing the configuration file and abandoning all queued scans. The same can be achieved with kill -HUP from the command line.

Logging

Once started, HOPM logs all significant events to hopm.log, which by default lives at $HOME/hopm/var/log/hopm.log. The scanlog configuration option additionally records every proxy scan HOPM initiates in scan.log; keep it if you expect abuse reports about portscanning, because it is the record of what HOPM probed and when.

These log files, especially scan.log, can grow quite large, so arrange for them to be rotated periodically. After moving the files, send HOPM a USR1 signal; this makes it reopen its log files so that it does not keep writing to the rotated ones.

hopm's People

Contributors

dependabot[bot], miwob


hopm's Issues

Re-setting up hopm

Hi,

So I just recently set up hopm. Unfortunately, when starting hopm, I get the following error:

./hopm -ddd
[2017-05-13T21:20:38+0000] MAIN -> Debug level 3
[2017-05-13T21:20:38+0000] MAIN -> HOPM TRUNK started.
[2017-05-13T21:20:38+0000] MAIN -> Reading configuration file...
[2017-05-13T21:20:38+0000] CONFIG -> Loading /home/dm/hopm/etc/hopm.conf
[2017-05-13T21:20:38+0000] CONFIG -> "/home/dm/hopm/etc/hopm.conf", line 501: syntax error: scanner {

Which doesn't make sense to me, because I simply copied reference.conf over to hopm.conf in the etc directory and edited it. I left the scanner portion untouched, apart from changing default to defaults in this section and in the user section. Why would I be getting a syntax error if that's all I did?

Here's the scanner config section:

scanner {
	/*
	 * Unique name of this scanner. This is used further down in the
	 * user {} blocks to decide which users get affected by which
	 * scanners.
	 */
	name = "defaults";

	/*
	 * HTTP CONNECT - very common proxy protocol supported by widely known
	 * software such as Squid and Apache. The most common sort of
	 * insecure proxy and found on a multitude of weird ports too. Offers
	 * transparent two way TCP connections.
	 */
	protocol = HTTP:80;
	protocol = HTTP:8080;
	protocol = HTTP:3128;
	protocol = HTTP:6588;

	/*
	 * The SSL/TLS variant of HTTP
	 */
#	protocol = HTTPS:443;
#	protocol = HTTPS:8443;

	/*
	 * SOCKS4/5 - well known proxy protocols, probably the second most
	 * common for insecure proxies, also offers transparent two way TCP
	 * connections. Fortunately largely confined to port 1080.
	 */
	protocol = SOCKS4:1080;
	protocol = SOCKS5:1080;

	/*
	 * Cisco routers with a default password (yes, it really does happen).
	 * Also pretty much anything else that will let you telnet to anywhere
	 * else on the Internet. Fortunately these are always on port 23.
	 */
	protocol = ROUTER:23;

	/*
	 * WinGate is commercial windows proxy software which is now not so
	 * common, but still to be found, and helpfully presents an interface
	 * that can be used to telnet out, on port 23.
	 */
	protocol = WINGATE:23;

	/*
	 * Dreambox DVB receivers with a default password allowing
	 * full root access to telnet or install bouncers.
	 */
	protocol = DREAMBOX:23;

	/*
	 * The HTTP POST protocol, often dismissed when writing the access
	 * controls for proxies, but sadly can still be used to abused.
	 * Offers only the opportunity to send a single block of data, but
	 * enough of them at once can still make for a devastating flood.
	 * Found on the same ports that HTTP CONNECT proxies inhabit.
	 *
	 * Note that if your ircd has "ping cookies" then clients from HTTP
	 * POST proxies cannot actually ever get onto your network anyway. If
	 * you leave the checks in then you'll still find some (because some
	 * people IRC from boxes that run them), but if you use HOPM purely as
	 * a protective measure and you have ping cookies, you need not scan
	 * for HTTP POST.
	 */
	protocol = HTTPPOST:80;

	/*
	 * The SSL/TLS variant of HTTPPOST
	 */
#	protocol = HTTPSPOST:443;
#	protocol = HTTPSPOST:8443;

	/*
	 * IP address this scanner will bind to. Use this if you need your scans to
	 * come FROM a particular interface on the machine you run HOPM from.
	 * If you don't understand what this means, please leave this
	 * commented out, as this is a major source of support queries!
	 */
	vhost = "108.61.168.124";

	/*
	 * Maximum file descriptors this scanner can use. Remember that there
	 * will be one FD for each protocol listed above. As this example
	 * scanner has 8 protocols, it requires 8 FDs per user. With a 512 FD
	 * limit, this scanner can be used on 64 users _at the same time_.
	 * That should be adequate for most servers.
	 */
	fd = 512;

	/*
	 * Maximum data read from a proxy before considering it closed. Don't
	 * set this too high, some people have fun setting up lots of ports
	 * that send endless data to tie up your scanner. 4KB is plenty for
	 * any known proxy.
	 */
	max_read = 4 kbytes;

	/*
	 * Amount of time before a test is considered timed out.
	 * Again, all but the poorest slowest proxies will be detected within
	 * 30 seconds, and this helps keep resource usage low.
	 */
	timeout = 30 seconds;

	/*
	 * Target IP to tell the proxy to connect to
	 *
	 * !!! THIS MUST BE CHANGED !!!
	 *
	 * You cannot instruct the proxy to connect to itself! The easiest
	 * thing to do would be to set this to the IP address of your ircd
	 * and then keep the default target_strings.
	 *
	 * Please use an IP address that is publically reachable from anywhere
	 * on the Internet, because you have no way of knowing where the insecure
	 * proxies will be located. Just because you and your HOPM can
	 * connect to your ircd on some private IP address like 192.168.0.1,
	 * does not mean that the insecure proxies out there on the Internet will be
	 * able to. And if they never connect, you will never detect them.
	 *
	 * Remember to change this setting for every scanner you configure.
	 */
	target_ip = "108.61.168.124";

	/*
	 * Target port to tell the proxy to connect to. This is usually
	 * something like 6667. Basically any client-usable port.
	 */
	target_port = 6667;

	/*
	 * Target string we check for in the data read back by the scanner.
	 * This should be some string out of the data that your ircd usually
	 * sends on connect. Multiple target strings are allowed.
	 *
	 * NOTE: Try to keep the number of target strings to a minimum. Two
	 *       should be fine. One for normal connections and one for throttled
	 *       connections. Comment out any others for efficiency.
	 */

	/*
	 * Usually first line sent to client on connection to ircd.
	 * If your ircd supports a more specific line (see below),
	 * using it will reduce false positives.
	 */
	target_string = ":phoenix.nsw.au.darkmyst.org NOTICE * :*** Looking up your hostname";

	/*
	 * If you try to connect too fast, you'll be throttled by your own
	 * ircd. Here's what a hybrid throttle message looks like:
	 */
	target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
};


scanner {
	name = "extended";

	protocol = HTTP:81;
	protocol = HTTP:8000;
	protocol = HTTP:8001;
	protocol = HTTP:8081;

	protocol = HTTPPOST:81;
	protocol = HTTPPOST:6588;
	protocol = HTTPPOST:4480;
	protocol = HTTPPOST:8000;
	protocol = HTTPPOST:8001;
	protocol = HTTPPOST:8080;
	protocol = HTTPPOST:8081;

	/*
	 * IRCnet have seen many socks5 on these ports, more than on the
	 * standard ports even.
	 */
	protocol = SOCKS4:4914;
	protocol = SOCKS4:6826;
	protocol = SOCKS4:7198;
	protocol = SOCKS4:7366;
	protocol = SOCKS4:9036;

	protocol = SOCKS5:4438;
	protocol = SOCKS5:5104;
	protocol = SOCKS5:5113;
	protocol = SOCKS5:5262;
	protocol = SOCKS5:5634;
	protocol = SOCKS5:6552;
	protocol = SOCKS5:6561;
	protocol = SOCKS5:7464;
	protocol = SOCKS5:7810;
	protocol = SOCKS5:8130;
	protocol = SOCKS5:8148;
	protocol = SOCKS5:8520;
	protocol = SOCKS5:8814;
	protocol = SOCKS5:9100;
	protocol = SOCKS5:9186;
	protocol = SOCKS5:9447;
	protocol = SOCKS5:9578;
	protocol = SOCKS5:10000;
	protocol = SOCKS5:64101;

	/*
	 * These came courtsey of Keith Dunnett from a bunch of public open
	 * proxy lists.
	 */
	protocol = SOCKS4:29992;
	protocol = SOCKS4:38884;
	protocol = SOCKS4:18844;
	protocol = SOCKS4:17771;
	protocol = SOCKS4:31121;

	fd = 400;

	/*
	 * If required you can add settings such as target_ip here
	 * they will override the defaults set in the first scanner
	 * for this and subsequent scanners defined in the config file
	 * This affects the following options:
	 * fd, vhost, target_ip, target_port, target_string, timeout and
	 * max_read.
	 */
};
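The scanner {} block above spells out the parameters of a scan (the proxy protocols and ports to try, target_ip and target_port for the proxy to connect to, the target_string to look for in what comes back, max_read and timeout to bound the cost). The following is an added example, not HOPM or libopm code, that reconstructs the exchange those parameters drive for the HTTP CONNECT, SOCKS4 and SOCKS5 scanners, plus the verdict logic described in the README. The only request taken verbatim from libopm is the HTTP CONNECT line (it appears in the proxy.c hunk further down this page); the SOCKS reply checks go slightly beyond what HOPM needs, so that a failed negotiation can be told apart from a proxy that relayed nothing. The 203.0.113.x addresses, the target strings and every sample reply are constructed for the example.

```python
"""Added example (not HOPM/libopm code): the probe exchange a HOPM scanner
runs against one client, reconstructed from the scanner {} comments above.
All addresses, target strings and sample replies are constructed."""
import ipaddress
import socket
import struct

# What a scanner {} block supplies.  Assumed values, not from a real config.
TARGET_IP = "203.0.113.10"           # target_ip: the ircd the proxy is told to reach
TARGET_PORT = 6667                   # target_port
TARGET_STRINGS = [                   # target_string: text the ircd sends on connect
    b"NOTICE * :*** Looking up your hostname",
    b"ERROR :Your host is trying to (re)connect too fast -- throttled.",
]
MAX_READ = 4 * 1024                  # max_read = 4 kbytes


def http_connect_request(ip, port):
    """HTTP CONNECT, the request libopm sends for HTTP/HTTPS scans."""
    return f"CONNECT {ip}:{port} HTTP/1.0\r\n\r\n".encode()


def socks4_request(ip, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL terminator."""
    return struct.pack("!BBH4s", 4, 1, port, ipaddress.IPv4Address(ip).packed) + userid + b"\x00"


def socks5_greeting():
    """Version 5, one method offered: 0x00 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_request(ip, port):
    """SOCKS5 CONNECT (CMD=1) to an IPv4 address (ATYP=1)."""
    return b"\x05\x01\x00\x01" + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def socks4_granted(reply):
    """SOCKS4 reply is 8 bytes: VN=0 and CD=0x5A mean request granted."""
    return len(reply) >= 8 and reply[0] == 0x00 and reply[1] == 0x5A


def socks5_granted(method_reply, connect_reply):
    """Server must select method 0x00, then answer REP=0x00 (succeeded)."""
    return method_reply[:2] == b"\x05\x00" and connect_reply[:2] == b"\x05\x00"


def looks_open(relayed, target_strings=TARGET_STRINGS, max_read=MAX_READ):
    """HOPM's verdict: the bytes the proxy relayed back contain something the
    ircd would have said.  Only the first max_read bytes count, so a port that
    streams junk forever cannot pin the scanner down."""
    window = relayed[:max_read]
    return any(s in window for s in target_strings)


def _read_up_to(sock, limit):
    """Read until EOF, timeout or limit bytes, whichever comes first."""
    buf = b""
    while len(buf) < limit:
        try:
            chunk = sock.recv(limit - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def scan(host, protocol, port, timeout=30):
    """Live probe of host:port (not exercised offline).  Returns True when the
    proxy relayed the ircd's greeting back, which is what HOPM would act on."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if protocol == "HTTP":
            sock.sendall(http_connect_request(TARGET_IP, TARGET_PORT))
        elif protocol == "SOCKS4":
            sock.sendall(socks4_request(TARGET_IP, TARGET_PORT))
            if not socks4_granted(_read_up_to(sock, 8)):
                return False
        elif protocol == "SOCKS5":
            sock.sendall(socks5_greeting())
            method = _read_up_to(sock, 2)
            sock.sendall(socks5_request(TARGET_IP, TARGET_PORT))
            if not socks5_granted(method, _read_up_to(sock, 10)):
                return False
        else:
            raise ValueError("unsupported protocol: " + protocol)
        return looks_open(_read_up_to(sock, MAX_READ))
```

Two points from the config comments show up directly in the code: target_ip has to be reachable from wherever the proxy is (the proxy, not HOPM, makes that connection), and the max_read cap is what keeps a deliberately chatty port from tying up a scanner slot for the whole timeout.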

HOPM doesn't respect 'tls_hostname_verification' setting

On my IRCd (UnrealIRCd), I've tried to connect HOPM via localhost + ssl.

HOPM refuses to connect with the error below, even with tls_hostname_verification = no;.

[2021-02-01T22:49:10+0000] CONFIG -> Loading /home/unrealircd/hopm/etc/hopm.conf
[2021-02-01T22:49:10+0000] IRC -> Attempting to connect to 127.0.0.4[127.0.0.4]:6697
[2021-02-01T22:49:10+0000] IRC -> connect(): error performing TLS handshake with 127.0.0.4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[2021-02-01T22:49:10+0000] IRC -> Connection to (127.0.0.4) failed, reconnecting.
[2021-02-01T22:56:24+0000] MAIN -> HOPM TRUNK started.

Bug or some configuration setting that I'm overlooking?

Add support for SNI proxies

I've seen an increase in SNI proxies.

These proxies work by reading the domain indicated in the SNI of an incoming TLS connection and proxying that TLS connection to the domain through the proxy's IP. Most only handle port 443, but if your ircd listens on port 443, or you have any cgiirc blocks (for things like mibbit, kiwiirc, etc.), they can use them to connect.

On a positive DNSBL lookup, fetch the reason from the DNSBL and use that in the gline/zline reason.

Hello, a lot of DNSBLs, along with my own, publish TXT records alongside the A records indicating the reason the IP is listed. It would be nice if HOPM could, on a positive A record lookup in a DNSBL, then look up the TXT record, fetch the reason and substitute it for the reason in the gline/zline. If no TXT record is found, use the generic reason specified in the config.

[gtaxl@excession:dnsbl]./gnbl.sh chk 163.172.207.224
Listed in DNS: YES
Listed in API: YES, TTL: 1800 ID: 19885336
Date Listed: 2020-08-21T11:00:11Z
Reason: Bruteforcing Wordpress, TTL: 1800 ID: 19885337
[gtaxl@excession:dnsbl]host 224.207.172.163.bl.gtaxl.net
224.207.172.163.bl.gtaxl.net has address 127.0.0.2
[gtaxl@excession:dnsbl]host -t TXT 224.207.172.163.bl.gtaxl.net
224.207.172.163.bl.gtaxl.net descriptive text "Bruteforcing Wordpress"
[gtaxl@excession:dnsbl]./gnbl.sh chk 79.124.62.134
Listed in DNS: YES
Listed in API: YES, TTL: 60 ID: 21842972
Date Listed: 2021-01-10T19:56:39Z
Reason: Port Scanning, TTL: 60 ID: 21842973
[gtaxl@excession:dnsbl]host 134.62.124.79.bl.gtaxl.net
134.62.124.79.bl.gtaxl.net has address 127.0.0.2
[gtaxl@excession:dnsbl]host -t TXT 134.62.124.79.bl.gtaxl.net
134.62.124.79.bl.gtaxl.net descriptive text "Port Scanning"
[gtaxl@excession:dnsbl]

I think this would be smarter and more accurate than specifying each IP ending the old BOPM way. To save on queries and resources, the TXT lookups only should happen on a positive A record response...

Plenty of DNSBLs use multiple IPs, but mine currently just uses 127.0.0.2 and we specify the different reasons via the TXT record.

I think this would be a very useful feature.

Thanks!

IPv6 DNSBL Support

DroneBL has supported IPv6 addresses in its DNSBL for a while now; I would like to be able to take advantage of them in HOPM.

Please consider adding fallback to WolfSSL support for TLS

Howdy,

Since some consider OpenSSL incompatible with the GPL, it would be handy to utilize WolfSSL's compatibility layer in hopm.

A (poor, I'm not good with autoconf/m4/make) example follows:

diff --git a/m4/ax_arg_openssl.m4 b/m4/ax_arg_openssl.m4
index 972dfd0..115bdd0 100644
--- a/m4/ax_arg_openssl.m4
+++ b/m4/ax_arg_openssl.m4
@@ -15,7 +15,8 @@ if test "$cf_enable_openssl" != "no"; then
     dnl Do the auto-probe here.  Check some common directory paths.
     for dirs in /usr/local/ssl /usr/pkg /usr/local /usr/lib /usr/lib/ssl\
                 /opt /opt/openssl /usr/local/openssl; do
-      if test -f "${dirs}/include/openssl/opensslv.h"; then
+      if test -f "${dirs}/include/openssl/opensslv.h" ||
+         test -f "${dirs}/include/wolfssl/openssl/opensslv.h"; then
         cf_openssl_basedir="${dirs}"
         break
       fi
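Review bot: with this change the first prefix in the hard-coded list that holds either header wins, so a box with OpenSSL under /usr/local/ssl and wolfSSL under /usr/local builds against OpenSSL and the wolfSSL fallback never runs, while the reverse layout silently builds against wolfSSL even though OpenSSL is installed. An explicit switch (a --with-wolfssl option that sets its own flag) would make the choice deterministic instead of a function of directory order.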
@@ -28,6 +29,9 @@ if test "$cf_enable_openssl" != "no"; then
     if test -f "${cf_openssl_basedir}/include/openssl/opensslv.h"; then
       CPPFLAGS="-I${cf_openssl_basedir}/include $CPPFLAGS"
       LDFLAGS="-L${cf_openssl_basedir}/lib $LDFLAGS"
+    elif test -f "${cf_openssl_basedir}/include/wolfssl/openssl/opensslv.h"; then
+      CPPFLAGS="-I${cf_openssl_basedir}/include -I${cf_openssl_basedir}/include/wolfssl $CPPFLAGS"
+      LDFLAGS="-L${cf_openssl_basedir}/lib $LDFLAGS"
     else
       dnl OpenSSL wasn't found in the directory specified.  Naughty
       dnl administrator...
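Review bot: the new elif puts ${cf_openssl_basedir}/include/wolfssl on CPPFLAGS so that `#include <openssl/ssl.h>` resolves to wolfSSL's compatibility headers, but the else branch still reports "OpenSSL wasn't found in the directory specified"; reword it to name both libraries so a user who passed a wolfSSL prefix without the compat headers installed understands what is missing. Note that both branches add `-I${cf_openssl_basedir}/include`, which is what makes `<wolfssl/options.h>` reachable for the libopm.c and proxy.c hunks below.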
@@ -40,7 +44,8 @@ if test "$cf_enable_openssl" != "no"; then
     dnl We can't do this check above, because some people want two versions
     dnl of OpenSSL installed (stock FreeBSD 4.x/5.x and /usr/local/ssl)
     dnl and they want /usr/local/ssl to have preference.
-    if test -f "/usr/include/openssl/opensslv.h"; then
+    if test -f "/usr/include/openssl/opensslv.h" ||
+       test -f "/usr/include/wolfssl/openssl/opensslv.h"; then
       cf_openssl_basedir="/usr"
     fi
   fi
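Review bot: this is the third copy of the same "OpenSSL or wolfSSL header present" test (the probe loop and the explicit-directory branch above carry the other two); factor it into one m4 macro or shell function so the three sites cannot drift apart the next time a header location is added.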
@@ -78,5 +83,12 @@ AS_IF([test "$cf_enable_openssl" != "no"],
     AS_IF([test "$ac_cv_lib_crypto_RSA_free" = "yes"],
       [AC_CHECK_LIB(ssl, SSL_connect)])
     ],[AC_MSG_RESULT(no - LibreSSL/OpenSSL support disabled)
+    cf_enable_openssl="no"])
+  AC_CHECK_HEADERS([wolfssl/openssl/ssl.h],
+    [AC_SEARCH_LIBS([wolfSSL_CTX_new], [wolfssl])
+    AC_DEFINE([HAVE_LIBWOLFSSL], 1, [Define to 1 if you have libwolfssl.])
+    AC_MSG_NOTICE(Using fallback WolfSSL support)
+    cf_enable_openssl="yes"
+    ],[AC_MSG_RESULT(no - LibreSSL/OpenSSL support disabled)
     cf_enable_openssl="no"])])
 ])
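Review bot: as far as the visible bracket nesting shows, the added AC_CHECK_HEADERS([wolfssl/openssl/ssl.h]) runs after the OpenSSL probe regardless of whether that probe succeeded, and its not-found action sets cf_enable_openssl="no". On an ordinary LibreSSL/OpenSSL host without wolfSSL headers that branch fires and switches off TLS support that was just detected; on a host with both libraries, HAVE_LIBCRYPTO and HAVE_LIBWOLFSSL end up defined together. Wrap the fallback in `AS_IF([test "$cf_enable_openssl" = "no"], ...)` and make its not-found branch a no-op. The AC_SEARCH_LIBS result is also never tested, so HAVE_LIBWOLFSSL can be defined with no library to link against.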
diff --git a/src/libopm/src/libopm.c b/src/libopm/src/libopm.c
index 89b376f..48be381 100644
--- a/src/libopm/src/libopm.c
+++ b/src/libopm/src/libopm.c
@@ -32,6 +32,10 @@
 #include <poll.h>
 #ifdef HAVE_LIBCRYPTO
 #include <openssl/ssl.h>
+#elif HAVE_LIBWOLFSSL
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
+#include <wolfssl/openssl/ssl.h>
 #endif
 
 #include "config.h"
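Review bot: `#elif HAVE_LIBWOLFSSL` tests the macro's value rather than its presence; use `#elif defined(HAVE_LIBWOLFSSL)` to match the `defined(...)` form used everywhere else in this patch and to keep -Wundef quiet. The include order is right (wolfssl/options.h has to come before the other wolfSSL headers because it carries the build-time feature defines), and that constraint deserves a one-line comment so nobody reorders the includes later.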
@@ -546,7 +550,7 @@ libopm_scan_create(OPM_T *scanner, OPM_REMOTE_T *remote)
   OPM_SCAN_T *ret;
   OPM_CONNECTION_T *conn;
   OPM_NODE_T *node, *p;
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   static int tls_init = 0;
   static SSL_CTX *ctx_client;
 
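Review bot: `#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)` is now repeated at every TLS site in libopm.c and proxy.c; have configure define a single feature macro (HAVE_TLS, say) when either library is found and test that instead, so that adding a third backend is a one-line change and no site gets missed.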
@@ -572,7 +576,7 @@ libopm_scan_create(OPM_T *scanner, OPM_REMOTE_T *remote)
     conn->protocol = ((OPM_PROTOCOL_CONFIG_T *)p->data)->type;
     conn->port     = ((OPM_PROTOCOL_CONFIG_T *)p->data)->port;
 
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
     if (conn->protocol->use_tls)
       /* SSL_new does only fail if OOM in which case HOPM exits anyway */
       conn->tls_handle = SSL_new(ctx_client);
@@ -592,7 +596,7 @@ libopm_scan_create(OPM_T *scanner, OPM_REMOTE_T *remote)
     conn->protocol = ((OPM_PROTOCOL_CONFIG_T *)p->data)->type;
     conn->port     = ((OPM_PROTOCOL_CONFIG_T *)p->data)->port;
 
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
     if (conn->protocol->use_tls)
       /* SSL_new does only fail if OOM in which case HOPM exits anyway */
       conn->tls_handle = SSL_new(ctx_client);
@@ -820,7 +824,7 @@ libopm_check_closed(OPM_T *scanner)
 
       if (conn->state == OPM_STATE_CLOSED)
       {
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
         if (conn->protocol->use_tls)
         {
           SSL_set_shutdown(conn->tls_handle, SSL_RECEIVED_SHUTDOWN);
@@ -842,7 +846,7 @@ libopm_check_closed(OPM_T *scanner)
 
       if (((present - conn->creation) >= timeout) && conn->state != OPM_STATE_UNESTABLISHED)
       {
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
         if (conn->protocol->use_tls)
         {
           SSL_set_shutdown(conn->tls_handle, SSL_RECEIVED_SHUTDOWN);
@@ -932,7 +936,7 @@ libopm_do_connect(OPM_T * scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
 
   connect(conn->fd, (struct sockaddr *)addr, sizeof(*addr));
 
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   if (conn->protocol->use_tls)
     SSL_set_fd(conn->tls_handle, conn->fd);
 #endif
@@ -1049,7 +1053,7 @@ libopm_check_poll(OPM_T *scanner)
 static int
 libopm_do_readready_tls(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
 {
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   int max_read, length;
   char readbuf[LIBOPM_TLS_RECORD_SIZE];
 
@@ -1256,7 +1260,7 @@ libopm_do_writeready(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
 {
   OPM_PROTOCOL_T *protocol;
 
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   if (conn->protocol->use_tls)
   {
     if (!SSL_is_init_finished(conn->tls_handle))
diff --git a/src/libopm/src/proxy.c b/src/libopm/src/proxy.c
index 84baadf..d198d89 100644
--- a/src/libopm/src/proxy.c
+++ b/src/libopm/src/proxy.c
@@ -27,6 +27,10 @@
 #include <string.h>
 #ifdef HAVE_LIBCRYPTO
 #include <openssl/ssl.h>
+#elif HAVE_LIBWOLFSSL
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
+#include <wolfssl/openssl/ssl.h>
 #endif
 
 #include "config.h"
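Review bot: this include block is byte-for-byte the one added to libopm.c; move it into a shared header so the wolfSSL/OpenSSL switch lives in one place, and apply the same `#elif defined(HAVE_LIBWOLFSSL)` fix here.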
@@ -276,7 +280,7 @@ libopm_proxy_dreambox_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *
 int
 libopm_proxy_https_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
 {
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   size_t len = snprintf(SENDBUF, SENDBUFLEN, "CONNECT %s:%d HTTP/1.0\r\n\r\n",
                         (char *)libopm_config(scanner->config, OPM_CONFIG_SCAN_IP),
                         *(int *)libopm_config(scanner->config, OPM_CONFIG_SCAN_PORT));
@@ -296,7 +300,7 @@ libopm_proxy_https_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *con
 int
 libopm_proxy_httpspost_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
 {
-#ifdef HAVE_LIBCRYPTO
+#if defined(HAVE_LIBCRYPTO) || defined(HAVE_LIBWOLFSSL)
   size_t len;
   int scan_port;
   char *scan_ip;

setting up hopm

Hi,

So I just recently set up hopm. Unfortunately, when starting hopm, I get the following error:

dos2unix: converting file hopm.conf to Unix format ...
[hopm@vps-20bcb71e bin]$ ./hopm -d
[2020-04-29T23:41:29+0200] MAIN -> Debug level 1
[2020-04-29T23:41:29+0200] MAIN -> HOPM TRUNK started.
[2020-04-29T23:41:29+0200] MAIN -> Reading configuration file...
[2020-04-29T23:41:29+0200] CONFIG -> Loading /home/hopm/hopm/etc/hopm.conf
[2020-04-29T23:41:29+0200] CONFIG -> "/home/hopm/hopm/etc/hopm.conf", line 452: syntax error: scanner {

Support for using wildcards "*" to create masks in the "target_string" value when scanning ports

Good afternoon. Many values in a target_string directive can have the same beginning but completely different endings. To cover these, one has to create many lines in order to make the bot respond to the detected open port.

target_string = "SSH-2.0-dropbear_0.51";
target_string = "SSH-2.0-dropbear_0.52";
target_string = "SSH-2.0-dropbear_0.53.1";
target_string = "SSH-2.0-dropbear_2012.55";
target_string = "SSH-2.0-dropbear_2013.62";
target_string = "SSH-2.0-dropbear_2014.63";

But this method is not efficient enough, because it is impossible to know in advance all the possible answers given by open ports.

Can I use wildcard "*" data masks to combine all of these values into one string to find similarities in different responses during a port scan?

For example:
target_string = "*SSH-2.0*"; or target_string = "*SSH-*.0*";

There is probably some other way to combine similar answers into one search string, but I do not know it and did not find a description in the documentation for your bot. If I am wrong, please tell me the method.

If at the moment such symbols cannot be used to create masks, then please make this improvement in a future update, because it will be very useful.

No longer builds on OpenBSD

If you don't know, OpenBSD uses LibreSSL.

ld: error: undefined symbol: SSL_set_hostflags

Probably LibreSSL doesn't contain this function. Is this a recent OpenSSL function?

Do you know any workaround for doing the same without using this function?

2 small requests

Hello, I have 2 small requests:
1st is to add a variable %p for the port designation in the kline output,
and to add the realname in the #channel output:
DNSBL -> nick!~identn@host:realname appears in BL zone rbl.efnetrbl.org (Open proxy)
Thanks

Ability to run custom scripts

Would be great if a custom script could be run and, based on its exit code/stderr message, a defined action could be taken.
An example usage would be running custom API checks in other languages (Python for me).

compatibility with unrealircd v4.2.0 (?)

Hello,
UnrealIRCd v4.2.0 came out on 30 Sep.

Compatibility

  • ircd-hybrid 8.2.x
  • ircd-ratbox 3.0.x
  • ircu 2.10.x
  • InspIRCd 2.0.x
  • UnrealIRCd 3.2.x, 4.0.x
  • ngIRCd 22
  • Bahamut 2.0.x
  • Charybdis 3.4.x

I wonder if the new version is supported or not.
I will try of course; however, an update to the readme would be nice. :)

Sample working output?

Not really an issue, more of a request.

Can we get examples of a working setup? ie, let's say you have hopm working but you want to see sample output that hopm would make.

For example, now that I have my hopm working, I don't really have an easy way of testing to make sure that hopm actually scans for proxies and correctly gets rid of them. Maybe offer a way of doing limited testing?

I've obviously done a check on my own IP but, as this is an extremely small network, I don't exactly have a large enough sample to confirm for sure myself that hopm is working as it should be. I know the sample configs in reference.conf is a working sample but... as they say, seeing is believing, yeah?

Similar to other projects showing off screenshots of what you should expect when you get their project working.

Output automatic scan messages to specific channel.

HOPM currently is only outputting actions in a NOTICE to the connecting user when it scans automatically, a message to the set channel when a manual scan is run, when a blacklist is found, and possibly other things that I cannot test for.

BOPM would do all of that, but would also output automatic scan information to a channel, regardless if it resulted in a kline.

I am desiring a function to set a channel log to just show in the channel that it is scanning and who (nick, ip, or hostmask doesn't matter), and possibly a configurable log level for debug, informational, or full. This way I don't have to look in hopm log files.

not banning?

Hey, I didn't know where else I could contact you guys, didn't find anyone on #ircd-coders!

HOPM is running and some proxies are giving bits back once scanned, but HOPM doesn't ban them. Is there a way you can assist me? I can't find the problem.

[2018-02-28T23:17:29+0100] SCAN -> Negotiation failed 97.107.138.109:80 (HTTP) [default] (523 bytes read)

...but it's not doing anything?

Negotiation failed on verified and working proxy

I'm doing some tests using https://github.com/AnonProgrammers/IRC-Flooder and this free HTTP proxy list: https://awmproxy.net/freeproxy.php.
Most of the proxies are recognized by the DNSBL, but if I disable it (for test purposes) most of them are not recognized by the hopm scanner.
I've also tried a manual scan on a single IP (so without the flood), with the same result.
I've tried increasing the timeout but nothing changes.
I'm using inetd on port 6670 and this is my test scanner configuration:

scanner {
	name = "proxy";

	protocol = HTTP:8080;

	fd = 40000;

	max_read = 4 kbytes;

	timeout = 30 seconds;

	target_ip = "XXXXXXXXXXX";
	target_port = 6670;
	target_string = "Proxy Check";
};

Obviously I've tested with the configured port.

HOPM doesn't start.

I've compiled hopm successfully. Then I do "cd hopm; cd bin; ./hopm" and nothing happens. hopm doesn't start. Any clue?

On successful scan hit, execute custom command

Hello, I have another feature request. On a successful scanner hit, whether it be an open proxy, vulnerable SSH, etc., execute a command on the shell. This would be more useful than having to parse HOPM log files or send e-mails. We operate a DNSBL and would love to simplify this process. Allow, say, $ip and $reason variables to be passed as arguments to the command.

scan_command = "/home/gtaxl/dnsbl/gnbl.sh add $ip Open Proxy Found! $reason";

HOPM would execute via the command line as such,
/home/gtaxl/dnsbl/gnbl.sh add 1.2.3.4 Open Proxy Found! SOCKS5:1080
/home/gtaxl/dnsbl/gnbl.sh add 2.3.4.5 Open Proxy Found! HTTP:8080

Having it pass the proxy type and port for the reason would be very useful for the user to identify where the issue is, fix it, and request removal from our DNSBL.

Note! Don't reverse the IP order in the $ip variable, just pass the normal IP, our script, and other's scripts should be setup to reverse the IP order. :)

HOPM refuses to start

[2017-03-04T15:15:27+0000] CONFIG -> "/home/hopm/hopm/etc/hopm.conf", line 484: syntax error: scanner {
This is the error I'm getting; no clue why, since I didn't touch anything there.

Request: CTCP Version Reply.

To allow HOPM to send CTCP VERSION to users upon connection, and then
log the reply.

So admins could monitor it with something like the following:
tail -f bopm.log | grep "CTCP VERSION REPLY".

Different levels of action based on different match strings (for e.g. non-open proxies)

We've recently seen a few cases where users have been connecting from proxies that aren't open but appear to be poorly-secured, judging by the low-quality troll traffic that's passing through them. We can't go around trying common usernames and passwords, so it's difficult to programmatically distinguish between well-secured and poorly-secured proxies through hopm.

I'd like to be able to continue k-lining for open proxies while also being able to set up lesser actions for any user whose port 443/80/etc output contains "Proxy" or "squid", like sending a message to a staff channel containing the user's nick and IP. Running two instances of hopm with different parameters is an obvious solution, but less than ideal because it would scan each user twice.

send data to IRC server once connected

Some IRCd's can be configured with accept(2) filtering, as a synflood mitigation, such as Charybdis, InspIRCd and the upcoming UnrealIRCd 4.0.

It would be desirable for HOPM to send data to IRCd in order to ensure a response is received due to the accept(2) filtering. That way a special listener does not need to be configured without accept(2) filtering.

Typical nick auto-complete won't trigger a command after commit 1ecde47

I just updated to the master branch (latest commit 24a10c4) and noticed no response from the bot in channel using the format:
botnick: check blah.blah
botnick: stats
Tested two other formats:
botnick stats
!all stats
Both worked, so I realized that the ":" was causing it to fail.

Looks like this happened in commit 1ecde47.
Previously ",", ":", " " were all allowed at the end of the bot's nickname. These are typical suffixes of client auto-completes and would be nice to allow the "," and ":" again.

Syntax error with InspIRCd's connregex?

Hi there,

So today I was trying to run HOPM but it didn't start properly. Upon using ./hopm -d I got the following:

[2015-08-04T22:41:02-0400] MAIN -> Debug level 1
[2015-08-04T22:41:02-0400] MAIN -> HOPM TRUNK started.
[2015-08-04T22:41:02-0400] MAIN -> Reading configuration file...
[2015-08-04T22:41:02-0400] CONFIG -> Loading /home/ircd/HOPM/etc/hopm.conf
[2015-08-04T22:41:02-0400] CONFIG -> syntax error: line 217

Here is line 217 from the config file I'm using:

connregex = "\\*\\*\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\)]+) \\(([0-9\\.]+)\\) \\[.*\\]";

Any ideas?

Feature Request: Exempting users by private messaging the bot or in the channel !

Hi,
Although this is technically not an issue, it would be a nice feature to have and people would be happy to use it. Being able to exempt a user from scans, or add them to a list based on vhost, would be a great feature. I started facing this problem when I wanted to exempt some users and saw that I had to edit the hopm.conf file on all servers, which is a lot in my case.

Something like:
!all exempt add nickname

Maybe:
!all exempt vhost add testwebsite.com

And maybe even:
!all exempt ip 127.0.0.1

Thanks in advance ^_^

TLS certificate CN scanning

It'd be quite useful to have a scanner check and block based on the common name when checking defined TLS ports.

Support SSL Connections to IRC Servers

HOPM should have the option to connect over SSL to the IRC server in order to receive connect notices and send the Z/K/GLINE. The connect notices and kills contain sensitive data that should have the option to be encrypted and secure.

Due to port-scanning policies by many providers, running HOPM as localhost is not always possible and at times it needs to be run on a separate server that allows for port scanning without potentially affecting the rest of the network.

Hello, I have a problem with config

Hello, I have a problem: when I try to load the blacklist I get an error. Please, I want to know how I can fix the error.
[2017-10-08T05:55:02+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T05:55:02+0100] MAIN -> Reading configuration file...
[2017-10-08T05:55:02+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T05:55:02+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 463: syntax error: scanner {
[2017-10-08T05:57:41+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T05:57:41+0100] MAIN -> Reading configuration file...
[2017-10-08T05:57:41+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T05:57:41+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 430: syntax error: scanner {
[2017-10-08T10:27:41+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:27:41+0100] MAIN -> Reading configuration file...
[2017-10-08T10:27:41+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:27:41+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 464: syntax error: scanner {
[2017-10-08T10:33:12+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:33:12+0100] MAIN -> Reading configuration file...
[2017-10-08T10:33:12+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:33:12+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 491: syntax error: scanner {
[2017-10-08T10:34:35+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:34:35+0100] MAIN -> Reading configuration file...
[2017-10-08T10:34:35+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:34:36+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T10:36:00+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:36:00+0100] MAIN -> Reading configuration file...
[2017-10-08T10:36:00+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:36:01+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T10:37:50+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:37:50+0100] MAIN -> Reading configuration file...
[2017-10-08T10:37:50+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:37:51+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T10:43:04+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:43:04+0100] MAIN -> Reading configuration file...
[2017-10-08T10:43:04+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:43:05+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T10:44:28+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:44:28+0100] MAIN -> Reading configuration file...
[2017-10-08T10:44:28+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:44:29+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T10:49:28+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:49:28+0100] MAIN -> Reading configuration file...
[2017-10-08T10:49:28+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:49:28+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 418: syntax error: blacklist {
[2017-10-08T10:50:04+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T10:50:04+0100] MAIN -> Reading configuration file...
[2017-10-08T10:50:04+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T10:50:04+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 418: syntax error: blacklist {
[2017-10-08T13:38:28+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T13:38:28+0100] MAIN -> Reading configuration file...
[2017-10-08T13:38:28+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T13:38:28+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 429: syntax error: };
[2017-10-08T13:39:44+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T13:39:44+0100] MAIN -> Reading configuration file...
[2017-10-08T13:39:44+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T13:39:45+0100] IRC -> Connected to 192.168.1.219/6660
[2017-10-08T14:01:47+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:01:47+0100] MAIN -> Reading configuration file...
[2017-10-08T14:01:47+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:01:47+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 319: syntax error: connregex = "\\\* .CONNECT: Client connecting.: ([^ ]+)!([^@]+)@([^\\)]+) \(([0-9a-f\.:]+)\) \[.\]";
[2017-10-08T14:02:05+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:02:05+0100] MAIN -> Reading configuration file...
[2017-10-08T14:02:05+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:02:05+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 319: syntax error: connregex = "\
\\ .CONNECT: Client connecting.: ([^ ]+)!([^@]+)@([^\\)]+) \(([0-9a-f\.:]+)\) \[.\]";
[2017-10-08T14:02:49+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:02:49+0100] MAIN -> Reading configuration file...
[2017-10-08T14:02:49+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:02:49+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 319: syntax error: connregex = "\
\\ .CONNECT: Client connecting.: ([^ ]+)!([^@]+)@([^\\)]+) \(([0-9a-f\.:]+)\) \[.*\]";
[2017-10-08T14:04:03+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:04:03+0100] MAIN -> Reading configuration file...
[2017-10-08T14:04:03+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:04:03+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 501: syntax error: scanner {
[2017-10-08T14:04:58+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:04:58+0100] MAIN -> Reading configuration file...
[2017-10-08T14:04:58+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:04:58+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 501: syntax error: scanner {
[2017-10-08T14:06:30+0100] MAIN -> HOPM TRUNK started.
[2017-10-08T14:06:30+0100] MAIN -> Reading configuration file...
[2017-10-08T14:06:30+0100] CONFIG -> Loading /home/asher/hopm/etc/hopm.conf
[2017-10-08T14:06:30+0100] CONFIG -> "/home/asher/hopm/etc/hopm.conf", line 501: syntax error: scanner {

HOPM scan ports

Hi, below is how I added the protocols in hopm.conf; however, people are still able to connect to my server with a proxy. Question: is there any way that I can stop all proxies from connecting to the IRC server?

 * HTTP CONNECT - very common proxy protocol supported by widely known
 * software such as Squid and Apache. The most common sort of
 * insecure proxy and found on a multitude of weird ports too. Offers
 * transparent two way TCP connections.
 */
	protocol = ROUTER:23;
    protocol = SOCKS4:559;
    protocol = HTTPPOST:3128;
    protocol = SOCKS4:1080;
    protocol = SOCKS5:60088;
    protocol = HTTP:8080;
    protocol = SOCKS5:1182;
    protocol = HTTP:3128;
    protocol = HTTPPOST:8080;
    protocol = SOCKS4:9999;
	protocol = SOCKS4:36073;
    protocol = HTTPPOST:80;
    protocol = SOCKS5:1080;
    protocol = HTTP:63000;
    protocol = HTTP:8000;
    protocol = HTTPPOST:808;
    protocol = HTTP:80;
    protocol = HTTPPOST:6588;
    protocol = HTTP:6588;
    protocol = SOCKS5:3128;
    protocol = SOCKS5:10080;
    protocol = HTTPPOST:4480;
    protocol = SOCKS4:6664;
    protocol = SOCKS4:63808;
    protocol = HTTP:6667;
    protocol = SOCKS4:19991;
    protocol = SOCKS4:1098;
    protocol = SOCKS4:10000;
    protocol = SOCKS4:4471;
    protocol = HTTP:65506;
    protocol = HTTP:63809;
    protocol = SOCKS5:9090;
    protocol = HTTP:9090;
    protocol = HTTP:6668;
    protocol = SOCKS4:58;
    protocol = SOCKS5:58;
    protocol = SOCKS4:6969;
    protocol = WINGATE:23;
    protocol = SOCKS5:3380;
    protocol = SOCKS4:40;
    protocol = SOCKS5:443;
    protocol = SOCKS4:8888;
    protocol = HTTPPOST:9090;
    protocol = HTTP:5490;
    protocol = SOCKS4:8080;
    protocol = SOCKS5:6969;
    protocol = SOCKS4:1026;
    protocol = SOCKS4:1025;
    protocol = HTTP:8888;
    protocol = HTTP:6669;
    protocol = HTTP:8090;
    protocol = HTTP:808;
    protocol = SOCKS5:1029;
    protocol = SOCKS4:41080;
    protocol = SOCKS5:8020;
    protocol = SOCKS5:6000;
    protocol = HTTPPOST:8081;
    protocol = HTTP:4480;
    protocol = SOCKS5:1027;
    protocol = SOCKS4:1028;
    protocol = HTTP:3332;
    protocol = SOCKS5:8888;
    protocol = SOCKS5:1028;
    protocol = SOCKS4:3330;
    protocol = SOCKS4:29992;
    protocol = SOCKS4:1234;
    protocol = SOCKS4:1029;
    protocol = HTTP:5000;
    protocol = HTTP:443;
    protocol = SOCKS5:1813;
    protocol = SOCKS5:1081;
    protocol = SOCKS5:1026;
    protocol = SOCKS4:1337;
    protocol = SOCKS4:1050;
    protocol = HTTP:1080;
    protocol = SOCKS5:9999;
    protocol = SOCKS5:9100;
    protocol = SOCKS5:19991;
    protocol = SOCKS5:1098;
    protocol = SOCKS4:9100;
    protocol = SOCKS4:7080;
    protocol = SOCKS4:1033;
    protocol = HTTP:9000;
    protocol = HTTP:5800;
    protocol = HTTP:5634;
    protocol = HTTP:4471;
    protocol = HTTP:3382;
    protocol = SOCKS5:1200;
    protocol = SOCKS5:1039;
    protocol = SOCKS5:1025;
    protocol = SOCKS4:8002;
    protocol = SOCKS4:6748;
    protocol = SOCKS4:44548;
    protocol = SOCKS4:3380;
    protocol = SOCKS4:32167;
    protocol = SOCKS4:2000;
    protocol = SOCKS4:1979;
    protocol = SOCKS4:12654;
    protocol = SOCKS4:11225;
    protocol = SOCKS4:1066;
    protocol = SOCKS4:1030;
    protocol = SOCKS4:1027;
    protocol = SOCKS4:10099;
    protocol = HTTP:81;
    protocol = HTTP:6665;
    protocol = HTTP:6664;
    protocol = HTTP:6663;
    protocol = SOCKS5:8278;
    protocol = SOCKS5:6748;
    protocol = SOCKS5:4914;
    protocol = SOCKS5:4471;
    protocol = SOCKS5:29992;
    protocol = SOCKS5:17235;
    protocol = SOCKS5:1234;
    protocol = SOCKS5:1202;
    protocol = SOCKS5:1180;
    protocol = SOCKS5:1075;
    protocol = SOCKS5:1033;
    protocol = SOCKS5:10000;
    protocol = SOCKS4:8020;
    protocol = SOCKS4:4044;
    protocol = SOCKS4:3128;
    protocol = SOCKS4:3127;
    protocol = SOCKS4:28882;
    protocol = SOCKS4:24973;
    protocol = SOCKS4:21421;
    protocol = SOCKS4:1182;
    protocol = SOCKS4:1032;
    protocol = SOCKS4:10242;
    protocol = HTTPPOST:8089;
    protocol = HTTP:8082;
    protocol = HTTP:6661;
    protocol = HTTP:35233;
    protocol = HTTP:19991;
    protocol = HTTP:1098;
    protocol = HTTP:1050;
    protocol = SOCKS5:9988;
    protocol = SOCKS5:8080;
    protocol = SOCKS5:8009;
    protocol = SOCKS5:6561;
    protocol = SOCKS5:24971;
    protocol = SOCKS5:18844;
    protocol = SOCKS5:1122;
    protocol = SOCKS5:10777;
    protocol = SOCKS5:1030;
    protocol = SOCKS5:10130;
    protocol = SOCKS5:10099;
    protocol = SOCKS4:8751;
    protocol = SOCKS4:8278;
    protocol = SOCKS4:8111;
    protocol = SOCKS4:7007;
    protocol = SOCKS4:6551;
    protocol = SOCKS4:5353;
    protocol = SOCKS4:443;
    protocol = SOCKS4:43341;
    protocol = SOCKS4:3801;
    protocol = SOCKS4:2280;
    protocol = SOCKS4:1978;
    protocol = SOCKS4:1212;
    protocol = SOCKS4:1039;
    protocol = SOCKS4:1031;
    protocol = HTTPPOST:81;
    protocol = HTTP:9988;
    protocol = HTTP:7868;
    protocol = HTTP:7070;
    protocol = HTTP:444;
    protocol = HTTP:1200;
    protocol = HTTP:1039;

/*

Hopm Help

Hi, I'm wondering if you can add the muaf port in the latest version of the HOPM bot. I would like to move the web users out of the muaf port if any type of attack takes place. Thank you.

Includes, either Local or Remote

Basically, the ability to define something like the following in the main hopm.conf file: .include extra.conf

Use case: When multiple servers are used with one HOPM instance per server (scanning only local connections), it would be nice if I were able to say, have something like ".include blacklist.conf" or ".include opm.conf". When utilized with rsync, it would make it very easy to keep blacklist settings synchronized between servers.

Ben

Add new protocol names "FTP" and "SMTP"

Is there a need to add some new protocol names "FTP" and "SMTP" in the next update to define them correctly? Or can they be defined as "HTTP"?

For example:
protocol = FTP:21;
protocol = SMTP:25;

unrealircd + Hopm

Hi, I'm running an IRCd based on UnrealIRCd and tried to install HOPM as well; up to here everything is fine.

HOPM connects to my IRC server, but it does not support the SSL port +6697; it works on 6667, but then the IRCd won't give oper, with the following error:

Failed OPER attempt by nickname (usernam@IP) [not using SSL/TLS]

/*
 * Port of the above server to connect to. This is what HOPM uses to
 * get onto IRC itself, it is nothing to do with what ports/protocols
 * are scanned, nor do you need to list every port your ircd listens
 * on.
 */
port = +6697;

I appreciate your kind reply.

Thanks

Doesn't seem to be catching definitely known open proxies?

For example, these IPs:

178.162.222.100
46.48.134.74
186.1.180.70
118.174.170.38
119.28.129.49

A quick Google search returns proxy lists with these in them, and the ports seem to be common ports that HOPM should be checking, yet HOPM returns nothing for them?

HOPM fails on blacklist checks

I'm having the current issue:
15:28:46 DNSBL -> Lookup error on 106.95.129.145.tor.efnetrbl.org: Server failure

Any idea of what's happening?

Best regards.
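As an added example (not HOPM's dnsbl code), here is how the name in that log line is formed and how an answer should be read: the IPv4 octets are reversed and the blacklist zone appended, so 145.129.95.106 queried against tor.efnetrbl.org becomes 106.95.129.145.tor.efnetrbl.org. A "Server failure" answer is the resolver's SERVFAIL, which carries no data at all, so it is neither a listing nor a clean result and a monitor should record it as inconclusive rather than act on it. The function names, and the assumption that a listing answers with an address in 127.0.0.0/8 whose last octet is the reason code, are this example's, not the project's.

```c
#include <stdio.h>
#include <string.h>

/*
 * Build the DNSBL query name for an IPv4 address: reverse the octets and
 * append the zone, so 145.129.95.106 + tor.efnetrbl.org becomes
 * 106.95.129.145.tor.efnetrbl.org, the name in the log line above.
 * Returns 0 on success, -1 if ip is not a valid dotted quad or out is too small.
 */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    unsigned a, b, c, d;
    char tail;

    /* %3u caps each field at three digits; a trailing %c catches junk after the quad */
    if (sscanf(ip, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", d, c, b, a, zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Test helper: does ip queried against zone yield exactly the expected name? */
int dnsbl_query_name_is(const char *ip, const char *zone, const char *expected)
{
    char buf[256];
    if (dnsbl_query_name(ip, zone, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/*
 * Read the A record a DNSBL answers with. A listing is conventionally an
 * address in 127.0.0.0/8 whose last octet is the reason code (assumed here
 * to be the value a blacklist {} reply map in hopm.conf is keyed on). Any
 * other address is not a listing: a wildcarded or hijacked zone answers with
 * real addresses, so it returns -1 rather than flagging the client. A lookup
 * error such as "Server failure" (SERVFAIL) produces no answer at all and
 * never reaches this function; it is inconclusive, neither listed nor clean.
 */
int dnsbl_reply_code(const char *answer)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(answer, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a != 127 || b > 255 || c > 255 || d > 255)
        return -1;
    return (int)d;
}

int main(void)
{
    char name[256];
    if (dnsbl_query_name("145.129.95.106", "tor.efnetrbl.org", name, sizeof name) == 0)
        printf("query: %s\n", name);
    printf("127.0.0.2 -> code %d, 198.51.100.7 -> code %d\n",
           dnsbl_reply_code("127.0.0.2"), dnsbl_reply_code("198.51.100.7"));
    return 0;
}
```

Rejecting answers outside 127.0.0.0/8 matters in practice: when a blacklist zone expires and is picked up by a domain parker, every query starts answering with the parker's web server address, and a monitor that treats any answer as a listing would then ban every client.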

connregex, IPv6 and UnrealIRCd

UnrealIRCd has a new way of displaying connect notices to opers, that looks like this:

  • Locally:
    connect.LOCAL_CLIENT_CONNECT [info] Client connecting: Guest-62142 ([email protected]) [67.228.26.34] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: FR] [reputation: 10000] [security-groups: known-users,tls-and-known-users,tls-users]
  • Remotely:
    connect.REMOTE_CLIENT_CONNECT [info] Client connecting: Guest-62142 ([email protected]) [67.228.26.34] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: FR] [reputation: 10000] [security-groups: known-users,tls-and-known-users,tls-users]

My current connregex is:
connregex = ".*Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9a-f\\.:]+)\\].*";

When a user connects using IPv4, all seems to work properly:

[2023-01-29T13:15:24+0100] IRC READ -> :irc3.ptirc.org NOTICE HOPM :14connect.REMOTE_CLIENT_CONNECT 03[info] Client connecting: vitor ([email protected]) [67.228.26.34] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: FR] [reputation: 10000] [security-groups: known-users,tls-and-known-users,tls-users]
[2023-01-29T13:15:24+0100] IRC REGEX -> Regular expression caught connection notice. Parsing.
[2023-01-29T13:15:24+0100] IRC REGEX -> Parsed [email protected] [67.228.26.34] from connection notice.
[2023-01-29T13:15:24+0100] IRC SEND -> NOTICE vitor :You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.
[2023-01-29T13:15:24+0100] SCAN -> Passing [email protected] to scanner [default]
[2023-01-29T13:15:24+0100] SCAN -> Passing [email protected] to scanner [extended]
[2023-01-29T13:15:24+0100] SCAN -> Passing [email protected] to scanner [ssh]
[2023-01-29T13:15:24+0100] IRC READ -> :irc3.ptirc.org PRIVMSG #Control :03[info] Client connecting: vitor ([email protected]) [67.228.26.34] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: FR] [reputation: 10000] [security-groups: known-users,tls-and-known-users,tls-users]
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:80 (HTTPPOST) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:23 (DREAMBOX) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:23 (WINGATE) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:23 (ROUTER) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:1080 (SOCKS5) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:1080 (SOCKS4) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:6588 (HTTP) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:3128 (HTTP) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8080 (HTTP) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:80 (HTTP) [default] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Scan 67.228.26.34 [default] completed
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:31121 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:17771 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:18844 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:38884 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:29992 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:64101 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:10000 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:9578 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:9447 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:9186 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:9100 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8814 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8520 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8148 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8130 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:7810 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:7464 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:6561 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:6552 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:5634 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:5262 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:5113 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:5104 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:4438 (SOCKS5) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:9036 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:7366 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:7198 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:6826 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:4914 (SOCKS4) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8081 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8080 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8001 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8000 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:4480 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:6588 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:81 (HTTPPOST) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8081 (HTTP) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8001 (HTTP) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:8000 (HTTP) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:81 (HTTP) [extended] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Scan 67.228.26.34 [extended] completed
[2023-01-29T13:15:53+0100] SCAN -> Negotiation timed out 67.228.26.34:22 (SSH) [ssh] (0 bytes read)
[2023-01-29T13:15:53+0100] SCAN -> Scan 67.228.26.34 [ssh] completed
[2023-01-29T13:15:53+0100] SCAN -> All tests on [email protected] [67.228.26.34] complete.

But when a user connects via IPv6 (now, I'm unsure if the issue is related to revdns), HOPM just hangs after Passing ... to scanner ...:

[2023-01-29T13:13:55+0100] IRC READ -> :irc1.ptirc.org NOTICE HOPM :14connect.LOCAL_CLIENT_CONNECT 03[info] Client connecting: Raiden ([email protected]) [2a01:2a02:2a03:2a04:2a05:2a06:2a07:2a08] [vhost: 5ECFF1A:C50BABED:3432A6B5:IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [account: Raiden] [country: DE] [reputation: 10000] [security-groups: known-users,tls-and-known-users,tls-users]
[2023-01-29T13:13:55+0100] IRC REGEX -> Regular expression caught connection notice. Parsing.
[2023-01-29T13:13:55+0100] IRC REGEX -> Parsed [email protected] [2a01:2a02:2a03:2a04:2a05:2a06:2a07:2a08] from connection notice.
[2023-01-29T13:13:55+0100] IRC SEND -> NOTICE Raiden :You are now being scanned for open proxies. If you have nothing to hide, you have nothing to fear.
[2023-01-29T13:13:55+0100] SCAN -> Passing [email protected] to scanner [default]
[2023-01-29T13:13:55+0100] SCAN -> Passing [email protected] to scanner [extended]
[2023-01-29T13:13:55+0100] SCAN -> Passing [email protected] to scanner [ssh]

Any help/ideas are greatly appreciated.
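A check of both connregex lines on this page (the InspIRCd one from the earlier "Syntax error with InspIRCd's connregex?" issue and the UnrealIRCd one above), as an added example that is not HOPM's code: it undoes the `\\` doubling that hopm.conf strings require, compiles the result with the POSIX regex(3) API as an extended regex (the engine a C bot would use; that choice is this example's assumption), and checks that exactly four captures come back as nick, user, host and IP. The sample notices are constructed for this example with documentation addresses rather than taken from a live server, and the C literals double the backslashes once more on top of what hopm.conf shows. The IPv6 notice parses exactly like the IPv4 one, which agrees with the IRC REGEX lines in the log above.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * The two connregex values from the issues, as written in hopm.conf. C string
 * literals double every backslash once more, so "\\*" in hopm.conf appears
 * here as "\\\\*".
 */
const char *const INSPIRCD_CONNREGEX =
    "\\\\*\\\\*\\\\* .*CONNECT: Client connecting.*: ([^ ]+)!([^@]+)@([^\\\\)]+) "
    "\\\\(([0-9\\\\.]+)\\\\) \\\\[.*\\\\]";
const char *const UNREAL_CONNREGEX =
    ".*Client connecting: ([^ ]+) \\\\(([^@]+)@([^\\\\)]+)\\\\) \\\\[([0-9a-f\\\\.:]+)\\\\].*";

/* Constructed sample notices (documentation addresses, not live clients). */
const char *const INSPIRCD_NOTICE =
    "*** CONNECT: Client connecting on port 6667 (class default): "
    "alice!~ali@example.net (192.0.2.5) [Alice Example]";
const char *const UNREAL_NOTICE_V4 =
    "connect.LOCAL_CLIENT_CONNECT [info] Client connecting: Guest-62142 "
    "(guest@host.example) [192.0.2.44] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [class: clients]";
const char *const UNREAL_NOTICE_V6 =
    "connect.LOCAL_CLIENT_CONNECT [info] Client connecting: Guest-62142 "
    "(guest@host.example) [2001:db8::1] [vhost: C6C1711B.8056F8D2.AE032BD3.IP] [class: clients]";

struct conn_notice { char nick[64], user[64], host[256], ip[64]; };

/* Undo the hopm.conf string escapes: "\\" -> "\" and "\"" -> "\"". */
static void unescape_conf_string(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '\\' && (in[i + 1] == '\\' || in[i + 1] == '"'))
            i++;                     /* drop the escaping backslash */
        out[o++] = in[i];
    }
    out[o] = '\0';
}

static void copy_match(const char *s, const regmatch_t *m, char *dst, size_t dstlen)
{
    size_t len = (size_t)(m->rm_eo - m->rm_so);
    if (len >= dstlen)
        len = dstlen - 1;
    memcpy(dst, s + m->rm_so, len);
    dst[len] = '\0';
}

/*
 * Compile a connregex as it stands in hopm.conf and run it over one notice.
 * Returns 1 and fills *out (if non-NULL) when the notice matches with the four
 * captures nick, user, host, IP; 0 when it does not match; -1 when the pattern
 * fails to compile or does not have exactly four groups.
 */
int parse_connect_notice(const char *connregex_conf, const char *notice,
                         struct conn_notice *out)
{
    char pattern[512];
    regex_t re;
    regmatch_t m[5];
    struct conn_notice tmp;

    unescape_conf_string(connregex_conf, pattern, sizeof pattern);
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (re.re_nsub != 4) {
        regfree(&re);
        return -1;
    }
    int rc = regexec(&re, notice, 5, m, 0);
    regfree(&re);
    if (rc != 0)
        return 0;
    copy_match(notice, &m[1], tmp.nick, sizeof tmp.nick);
    copy_match(notice, &m[2], tmp.user, sizeof tmp.user);
    copy_match(notice, &m[3], tmp.host, sizeof tmp.host);
    copy_match(notice, &m[4], tmp.ip, sizeof tmp.ip);
    if (out)
        *out = tmp;
    return 1;
}

/* Convenience check: does the named capture of a parsed notice equal expected? */
int field_is(const char *connregex_conf, const char *notice,
             const char *field, const char *expected)
{
    struct conn_notice c;
    if (parse_connect_notice(connregex_conf, notice, &c) != 1)
        return 0;
    const char *v = strcmp(field, "nick") == 0 ? c.nick
                  : strcmp(field, "user") == 0 ? c.user
                  : strcmp(field, "host") == 0 ? c.host : c.ip;
    return strcmp(v, expected) == 0;
}

int main(void)
{
    struct conn_notice c;
    if (parse_connect_notice(UNREAL_CONNREGEX, UNREAL_NOTICE_V6, &c) == 1)
        printf("nick=%s user=%s host=%s ip=%s\n", c.nick, c.user, c.host, c.ip);
    return 0;
}
```

Running a connregex through this kind of harness before putting it in hopm.conf separates two failure modes that look alike in the log: a pattern that does not compile or lacks the four groups (rejected here with -1) and a pattern that compiles but simply does not match the notice format the IRCd actually emits (0).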

Permission denied on creating log file causes hopm to exit silently

On my system with Debian 9/stretch, I'm experiencing an odd issue where hopm is only usable with the -d option. Without it, instead of forking, hopm exits silently with code 0. A gdb analysis tells me that it's "failing" the check in main.c:147

If it's of any use, I configured hopm commit de41d9f using CFLAGS=-g ./configure --enable-assert --prefix=/usr/local. Let me know if any other details can be useful.

edit: running strace -f hopm gave more useful output https://gist.github.com/jlu5/0697f858f50144841a9e1e04227672c7

-snip-
close(0)                                = 0
close(1)                                = 0
close(2)                                = 0
open("/usr/local/var/log/hopm.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
dup(2)                                  = -1 EBADF (Bad file descriptor)
write(2, "Cannot open log file. Aborting.:"..., 51) = -1 EBADF (Bad file descriptor)
exit_group(1)                           = ?
+++ exited with 1 +++

It appears that hopm tries to log the "cannot open log file" error to stderr, but it already closed stderr.
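The startup ordering that avoids exactly this silent exit, as an added example rather than HOPM's own main.c: open the log file while stderr is still attached, so the operator sees why it failed, and detach by pointing fds 0 to 2 at /dev/null instead of closing them, so a later error write fails quietly rather than with EBADF. The function names and the /tmp path used by the self-check are this example's assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Open the log file for appending. Returns the fd, or -1 with errno set.
 * Called while fd 2 is still the terminal, so the message below actually
 * reaches the operator instead of dying with EBADF as in the strace above.
 */
int open_log_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
    if (fd < 0)
        fprintf(stderr, "Cannot open log file %s: %s\n", path, strerror(errno));
    return fd;
}

/*
 * Detach stdio from the terminal by pointing fds 0-2 at /dev/null rather than
 * closing them: later writes to stderr then fail quietly instead of hitting
 * EBADF, and the next open() cannot land on fd 0-2 by accident.
 * Returns 0 on success, -1 on failure.
 */
int detach_stdio(void)
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++) {
        if (dup2(nullfd, fd) < 0) {
            close(nullfd);
            return -1;
        }
    }
    if (nullfd > 2)
        close(nullfd);
    return 0;
}

/*
 * Startup order that keeps the failure visible: open the log first, only then
 * detach (and, in a real daemon, fork). Returns the log fd or -1.
 */
int start_logging(const char *path, int detach)
{
    int logfd = open_log_file(path);
    if (logfd < 0)
        return -1;                /* operator has already seen the reason on stderr */
    if (detach && detach_stdio() < 0) {
        close(logfd);
        return -1;
    }
    return logfd;
}

/*
 * Self-check: open a throwaway log under /tmp (constructed path), write one
 * line, and report 1 on success. Does not detach, so test output survives.
 */
int log_roundtrip_check(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/hopm-log-example-%ld.log", (long)getpid());
    int fd = start_logging(path, 0);
    if (fd < 0)
        return 0;
    const char line[] = "MAIN -> HOPM started.\n";
    ssize_t n = write(fd, line, sizeof line - 1);
    close(fd);
    unlink(path);
    return n == (ssize_t)(sizeof line - 1);
}

int main(void)
{
    /* Stand-alone demo: a path the operator can see fail, then the self-check. */
    if (start_logging("/nonexistent-dir-for-hopm-example/hopm.log", 1) < 0)
        fprintf(stderr, "startup aborted before detaching, as intended\n");
    printf("round trip under /tmp: %s\n", log_roundtrip_check() ? "ok" : "failed");
    return 0;
}
```

Because the failing open happens before any fork or detach, a bad log path also leaves a non-zero exit status in the caller's shell, which is what a systemd unit or init script needs to notice that the bot never came up.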
