# This is an example configuration file for ACOPM.
# It will be installed to your configuration directory under the same name.
# Rename the installed example to acopm.conf and edit that copy. The syntax
# is libconfig (values end with ';', lists use ( ), groups use { }; '#',
# '//' and '/* */' comments are all accepted). Because the finished file
# holds several passwords, make it readable only by the user the program
# runs as.
/*
* File inclusion is supported by using the following syntax on its own line:
*
* @include "other-file.conf"
*
* This can occur at *any* point in the file. For example:
*
* server: {
* // ...
* @include "password.conf"
* }
*
* With the "password.conf" file containing:
* password = "secret";
*
* This is the recommended way to keep credentials (server password,
* oper password, services password, DroneBL RPC key) out of the main
* configuration file. Make the included file readable only by the user
* the program runs as (e.g. mode 0600), and keep it out of any copy of
* the configuration you share or commit.
*/
/*
* This section is entirely optional.
*/
options: {
/*
* Daemonise after connecting to the IRC server. Optional.
* Default: Don't.
*/
# daemonise = false;
/*
* Whether the server::conn_fmt setting (below) is a simple sscanf(3)
* format string, or an (extended) regular expression. If not given,
* it is assumed to be a simple sscanf(3) format string. Optional.
*/
# conn_regexp = false;
/*
* Logging mask. This is a bitmask (addition in this case because of
* no overlapping bits). Optional.
*
* Values:
* 0 - Nothing
* 1 - Show critical conditions
* 2 - Show error messages
* 4 - Show warning messages
* 8 - Show notice messages
* 16 - Show informational messages
* 32 - Show IRC traffic
* 64 - Show debugging messages
*
* For example, a value of 96 will show debugging messages and IRC
* traffic, while a value of 7 will show only critical conditions,
* error messages, and warning messages.
*
* If not given, the default for debug-enabled builds is to log
* everything, and the default otherwise is to show everything except
* IRC traffic and debug messages.
*
* Be careful with the IRC traffic bit (32): it logs every line
* exchanged with the server, so expect the credentials configured
* below (server password, oper password, SASL or NickServ password)
* to appear in the log while it is enabled. Do not leave it on
* against a log file that other users can read.
*
* This is also the value you would pass to the -l/--logmask command-
* line option, to affect the messages printed before parsing this
* option.
*/
# logmask = 15;
/*
* Logfile. If not given, messages go to stderr; otherwise give the
* full path to a file. Optional.
*
* The log contains client nicknames and IP addresses and, with
* logmask bit 32 set, the credentials sent to the server, so keep it
* in a directory that is not world-readable.
*/
# logfile = "/var/log/acopm.log";
};
/*
* These values control the connection to the IRC server.
* Some of them are optional, and commented out to demonstrate this.
*/
server: {
/*
* Hostnames and port to connect to IRCd. Required.
*
* Hostname entries can be literal IP addresses, DNS names, or names
* in /etc/hosts. The lookup order is each entry in the list in the
* order they appear here, but the order of the lookup results for
* each entry are wholly dependent on your system configuration.
*
* Most systems will prefer IPv6 addresses first if the name resolves
* to addresses of both types, and they will prefer entries in the
* /etc/hosts file before trying DNS, but consult /etc/nsswitch.conf
* ('hosts' entry) and /etc/gai.conf for the order if you are unsure.
* Note that these 2 files only affect the results if you use glibc.
*
* Port 6697 is the conventional TLS port. TLS is only used when
* use_tls (below) is enabled, so with this example as shipped the
* connection to 6697 would be attempted in the clear; either enable
* use_tls or point this at your IRCd's plaintext port.
*/
hostnames = ( "localhost", "irc.example.net" );
port = 6697;
/*
* IP addresses to bind connections from. Optional.
*
* These do not usually need to be given, as the operating system
* will choose a suitable source address for the connection when it
* is being made. However, if your system has many global-scope IP
* addresses and you want the program to use a particular non-default
* address when making a connection to the IRCd, specify that address
* here. If the machine does not have this address, or the address
* cannot be used as a source address on the interface that would be
* used by the connection based upon its destination address, then
* the connection will fail.
*
* These can each be given as hostnames; however, only the first
* lookup result will be used, as opposed to the hostnames to connect
* to above. When these are given as hostnames, a small startup delay
* may be incurred while the system resolves the names. If the names
* cannot be resolved, startup will fail.
*/
# bind4_addr = "192.0.2.80";
# bind6_addr = "2001:db8::c0:0:2:50";
/*
* If use_tls is enabled, certfp_method and certfp_values also have
* to be specified: the fingerprint list is what authenticates the
* server (see below), so there is no TLS without pinning. Otherwise,
* all 3 are optional. However, the program must have been built with
* TLS support for these 3 options to have any effect;
* `./configure --enable-mbedtls' is the default.
*
* You can check the output of the program with the '--version'
* argument to see if TLS has been enabled at compile-time.
*
* Valid values for certfp_method are combinations of the following,
* joined with hyphens (-):
*
* Digested data:
* CERT For the whole certificate (the most common method)
* SPKI For the public key within the certificate only
*
* Digest algorithm:
* SHA1 The most common method, not recommended (collisions are
* practical; do not create new pins with it)
* SHA256 Recommended
* SHA512 Paranoid (SHA256 is already sufficient, but this is harmless)
*
* Digest representation:
* HEX For hexadecimal output (the most common method)
* B64 For Base64-encoded output (smaller)
*
* Example: CERT-SHA1-HEX or SPKI-SHA256-B64
*
* The acopm-mkfingerprint.sh utility included with this program can
* be used to compute fingerprints with any of these methods, given a
* certificate file as input.
*
* The certfp values are provided as a list. If you only have one
* value, use a list with one value, like: certfp_values = ( "foo" )
*
* There is no (program-imposed) limit to the number of values that
* you can provide.
*
* All values must be computed with the same method. For this reason,
* the SPKI digest types are highly recommended (see below).
*
* The program will compute the server certificate's fingerprint with
* the same method, and compare it to the list given here. One of
* them must match, or the connection will not be made: without a
* matching fingerprint there is no way to tell the real server from
* an active man-in-the-middle. Because several values are accepted,
* you can add the fingerprint of a new certificate or key here before
* the server switches to it, and remove the old one afterwards.
*
* The SPKI digests are useful if your server certificates change
* frequently (for example, with Let's Encrypt certificates which
* are only valid for 3 months at a time). If the public key in your
* certificate does not change when you renew it, the SPKI finger-
* prints will not change either, easing configuration management.
* The flip side is that an SPKI pin keeps matching for as long as
* the key is reused: if the server's private key is ever compromised,
* the key itself (and this pin) must be replaced, not just the
* certificate.
*/
# use_tls = true;
# certfp_method = "SPKI-SHA256-B64";
# certfp_values = (
# "cnqredviWVt2Vo4Ww0CgwFog0KWP7gubF7E8IC0LjuQ=",
# "pcky/MCUI+Wfm+Pftedhs7yzjaYvpysWO9cst4K/07Q="
# );
/*
* TLS client certificate and private key. Optional. This is the
* certificate presented to the server, which SASL EXTERNAL (see
* acctuser below) normally relies on. The key file must be readable
* only by the user the program runs as. Prefer absolute paths so the
* files are found regardless of the working directory the program
* is started from.
*/
#cc_file = "acopm.ccrt";
#ck_file = "acopm.ckey";
/*
* The following 3 values are required: the nickname and username
* the client registers with, and the server password. "supersecret"
* is a placeholder and must be replaced. Like the other passwords in
* this file, consider moving it to a separate @include'd file with
* restricted permissions (see the top of this file).
*/
nickname = "ACOPM";
username = "ACOPM";
password = "supersecret";
/*
* Set the realname for the client. Optional.
* Default: AlphaChat Open Proxy Monitor
*/
#realname = "AlphaChat Open Proxy Monitor"
/*
* acctuser and acctpass control identification to services accounts.
* If the username is set, but the password is not (or it is empty),
* SASL EXTERNAL authentication will be attempted. If both username
* and password are set, SASL PLAIN authentication will be attempted.
*
* SASL EXTERNAL normally authenticates with the TLS client
* certificate (cc_file/ck_file above), so it needs use_tls. SASL
* PLAIN sends the password base64-encoded, which is as good as
* cleartext, so only use it over a use_tls connection.
*
* Both values are optional. If neither are set (or the username is
* empty), IRCv3 will not be enabled, and SASL will not be used.
*/
# acctuser = "ACOPM";
# acctpass = "supersecret";
/*
* operuser and operpass control obtaining of IRC Operator status.
* Both are required. The password is sent to the server on every
* connection (in the clear unless use_tls is enabled), so replace
* the placeholder and keep it in a restricted @include'd file.
*/
operuser = "ACOPM";
operpass = "supersecret";
/*
* Raw IRC line to send after connecting to the server, identifying,
* and opering up, but before joining the log channel. Optional.
*
* If your server is too ancient to support SASL, this is a good
* place to put "PRIVMSG NickServ :IDENTIFY yourpassword" or such.
* Prefer acctuser/acctpass where SASL is available: a password sent
* this way is an ordinary message (in the clear unless use_tls is
* enabled) and is written to the log when logmask bit 32 is set.
*/
#command = "PRIVMSG NickServ :IDENTIFY ACOPM supersecret";
/*
* Away string to apply after oper (and command) above. Optional.
*/
#away = "I am a robot. Your messages will be ignored.";
/*
* User mode string to apply after oper (and command, away) above.
* Optional.
*/
#mode = "+Qg-ix";
/*
* Log channel to join, its key, and the delay before joining.
* Optional.
*/
#logchan_name = "#opers";
#logchan_key = "";
#logchan_delay = 0;
/*
* Format string to use in parsing server notices, to determine when
* clients connect to the network, and from where. Required.
*
* If the options::conn_regexp setting (above) is false (or missing),
* this is a simple sscanf(3) format string. Otherwise, it is an
* (extended) regular expression (slower).
*
* If this is a regular expression, special characters like * must be
* escaped, using \ (e.g. "... \*\*\* ..."). Note, however, that
* because this program uses libconfig to parse strings instead of
* writing its own configuration file parser, the strings only need
* to be escaped once, unlike in HOPM where one would write "\\*".
*
* The format string or expression must match 2 elements in a client
* connection notice: the nickname, followed by their IP address. If
* your server prints them in the other order, you will need to use
* positional matching parameters (see the manpage references below).
*
* Keep the IP address capture restricted to address characters, as
* the %[0-9A-Fa-f.:] class in the value below does: the captured
* text is substituted into dnsbl_hit_cmd and proxy_hit_cmd (below)
* and is what gets looked up and scanned, so a looser pattern could
* let other parts of the notice end up there.
*
* Consult your IRCd documentation or developers, and the sscanf(3)
* or regex(7) manpages for the value to use here. The value below is
* given for the Charybdis IRCd with the +c snomask; and it is NOT a
* regular expression. You may need to adjust this value if you are
* using different IRCd software.
*/
conn_fmt = "*** Notice -- Client connecting: %s %*s [%[0-9A-Fa-f.:]] {%*s} [%*s]";
/*
* Notice to send to each client if they are going to be checked
* against DNSBLs or scanned for open proxies. Optional.
*/
#client_notice = "Your host is being checked against DNS blacklists, and scanned for open proxies.";
/*
* IRC command (raw) to execute if a host is listed on a DNSBL.
*
* It should have 3 "%s" tokens (printf(3)) which are replaced by
* the IP address, the DNSBL domain name, and the result description
* (the "desc" of the matching entry in the blacklist section below,
* if any).
*
* The line is sent to the server as-is. In the example below, 4320
* is the K-line duration (in minutes on Charybdis, i.e. 3 days);
* adjust it and the message to your IRCd's KLINE syntax.
*
* Optional. If not given, matching clients will only be logged.
*/
dnsbl_hit_cmd = "KLINE 4320 *@%s :Your host is listed on DNSBL %s (%s)";
/*
* IRC command (raw) to execute if a host is an open proxy, as
* detected by the proxyscan section (below).
*
* It should have 1 "%s" token (printf(3)) which is replaced by the
* IP address. As with dnsbl_hit_cmd, the line is sent as-is, so
* match it to your IRCd's KLINE syntax and duration units.
*
* Optional. If not given, matching clients will only be logged.
* (However, if you set proxy_hit_exe below, it will still run)
*/
proxy_hit_cmd = "KLINE 4320 *@%s :Open proxy detected on your host";
};
/*
* This section controls DNSBL lookups. Optional.
*/
blacklist: {
/*
* A timeout for lookups. Optional.
*/
#dns_timeout = 5;
/*
* List of nameservers to perform lookups against. Required.
*
* Whatever these resolvers answer decides whether dnsbl_hit_cmd
* runs, so point this at resolvers you control (a local caching
* resolver is ideal) rather than arbitrary public ones.
*
* Supports the following address formats:
*
* "192.0.2.88"
* "192.0.2.88:53"
* "2001:db8:ee:3::5"
* "[2001:db8:ee:3::5]"
* "[2001:db8:ee:3::5]:53"
*/
nameservers: (
"192.0.2.88",
"[2001:db8:ee:3::5]:53"
);
/*
* List of DNSBL domain names to perform lookups against. Required.
*/
domains: (
{
/*
* Host name and address families supported.
*
* Valid values for family: 4 (IPv4), 6 (IPv6), or
* 10 (Both).
*
* Required.
*/
hostname = "dnsbl.dronebl.org";
family = 10;
/*
* Match constraints. The DNSBL is only considered a hit if the
* result (the address returned by the lookup) equals one of these
* addresses; "desc" is what fills the third "%s" of dnsbl_hit_cmd.
*
* If not specified, the DNSBL is considered a hit whenever the
* result falls within 127.0.0.0/24. Listing explicit matches, as
* here, is safer: DNSBLs typically use distinct return codes for
* different listing reasons, and you probably do not want every one
* of them to trigger a K-line.
*
* Optional.
*/
matches: (
{ addr = "127.0.0.3"; desc = "IRC Drone"; },
{ addr = "127.0.0.5"; desc = "Bottler"; },
{ addr = "127.0.0.7"; desc = "DDoS Drone"; },
{ addr = "127.0.0.8"; desc = "Open SOCKS Proxy"; },
{ addr = "127.0.0.9"; desc = "Open HTTP Proxy"; },
{ addr = "127.0.0.14"; desc = "Open WinGate Proxy"; }
);
}
);
};
/*
* This section controls proxy scanning. Optional.
*
* It is commented out by default because scanning means making
* outbound connections to connecting clients' hosts, and not all
* server providers permit you to run port scans on remote machines!
* It may also be prohibited by your provider's acceptable use policy
* or by local law.
*
* Please consult your provider before enabling this feature.
*/
# proxyscan: {
/*
* Timeout for completing non-blocking connections (in seconds).
*
* Minimum value: 3
* Default value: 10
* Maximum value: 60
*/
#connect_timeout = 10;
/*
* Timeout for determining whether a port is a proxy (in seconds).
*
* Minimum value: 3
* Default value: 10
* Maximum value: 60
*/
#data_timeout = 10;
/*
* Size of recv and send buffers (in bytes).
*
* Only consider adjusting these values if you are running into
* memory allocation problems when scanning a large number of ports.
*
* recvbuf min/def/max 256/2048/262144
* sendbuf min/def/max 128/256/4096
*/
#recvbuf_sz = 2048;
#sendbuf_sz = 256;
/*
* Username to indicate in SOCKSv4 and SOCKSv5 negotiation. If you
* are running an identd, set this to the username you run the
* program as.
*
* Default: "acopm"
*/
#username = "acopm";
/*
* The following lists are supported:
* port, socks4, socks5, http, https
*
* Each list is of port numbers to scan for proxies of that type.
* For example:
* socks4 = ( 1080, 8080 );
* socks5 = ( 1080, 8080 );
* http = ( 80, 3128, 8080, 8088 );
*
* The "port" proxy type is special: consider the machine abusable if
* the port is open, regardless of what's running behind it (we don't
* check or send any data/request). An open port alone is not proof
* of anything, and a hit here triggers proxy_hit_cmd/proxy_hit_exe
* like any other, so this will act against legitimate users unless
* the port is one that is never open on an innocent client host.
* USE WITH CAUTION!
*/
#socks4 = ( 1080, 8080 );
#socks5 = ( 1080, 8080 );
#http = ( 80, 3128, 8080, 8088 );
/*
* Program to execute if a host is an open proxy. Optional.
*
* You can use this to, for example, report a host to DroneBL by
* giving the path to the DroneBL submission script included with
* the sourcecode of this program and installed into the bin/ sub-
* directory.
*
* Give an absolute path to a file that only a trusted user can
* modify: whatever is at this path runs with the privileges of the
* monitor on every hit. If you write your own program, remember that
* ADDRESS originates from text parsed out of a server notice; treat
* it and PORT as data and never splice them into a shell command
* unquoted.
*
* Standard input (stdin) will be /dev/null. Standard output
* (stdout) and standard error (stderr) will be /dev/null too
* unless a log file is given below. There will be no other file
* descriptors. The main program will log a warning if a child
* process terminates with a non-zero exit code or dies due to a
* signal, but without the child's output, investigating why this
* occurred is difficult, so set proxy_hit_log while testing.
*/
*
* The program will be started with the following environment
* variables (only):
*
* HOME <unchanged>
* PATH <unchanged>
* SHELL <unchanged>
* USER <unchanged>
*
* ADDRESS The IP address the proxy was detected on
* PORT The port the proxy was detected on
* TYPE "HTTP", "HTTPS", "SOCKS4", or "SOCKS5"
*
* CONFIG1 The configuration variable(s) below (if given)
* CONFIG2 The configuration variable(s) below (if given)
* CONFIG3 The configuration variable(s) below (if given)
* CONFIG4 The configuration variable(s) below (if given)
* CONFIG5 The configuration variable(s) below (if given)
*/
#proxy_hit_exe = "/path/to/bin/acopm-dronebl-submit.py";
/*
* File to direct output of the proxy hit program above.
* Both stdout and stderr will go here. Optional.
*/
#proxy_hit_log = "/var/log/acopm-proxy.log";
/*
* Special environment variables to pass to the program above.
*
* The provided DroneBL submission script obtains its DroneBL RPC KEY
* and "From:" HTTP header (optional) from the first 2 of these
* variables. Max 256 characters each. A total of 5 variables are
* supported.
*
* proxy_hit_var1 therefore holds a credential: treat it like the
* passwords above and keep it in a restricted @include'd file rather
* than in the main configuration.
*
* Change these if you will be using your own program. Optional.
*/
#proxy_hit_var1 = "..."; /* <-- RPC KEY */
#proxy_hit_var2 = "FooNet IRC Network <admin@foo.net>"; // Optional
#proxy_hit_var3 = "";
#proxy_hit_var4 = "";
#proxy_hit_var5 = "";
# };
/*
* This list controls which IP addresses are exempt from scanning.
*
* The list is optional, but it is recommended to leave the entries
* below as they are unless you really want to scan (some of) these
* ranges: they are private, link-local, documentation, multicast and
* otherwise non-routable space where a scan is pointless at best.
* Do add the addresses of your own servers and services so the
* monitor never scans its own infrastructure.
*/
exempt: (
"0.0.0.0/8", // RFC 1700 (Only used as a source address)
"10.0.0.0/8", // RFC 1918 (Private Network)
"100.64.0.0/10", // RFC 6598 (Carrier-Grade NAT)
"127.0.0.0/8", // RFC 990 (Localhost)
"169.254.0.0/16", // RFC 3927 (IPv4 Link-Local Addresses)
"172.16.0.0/12", // RFC 1918 (Private Network)
"192.0.0.0/24", // RFC 5736 (IANA Special Purpose Registry)
"192.0.2.0/24", // RFC 5737 (Reserved For Documentation)
"192.168.0.0/16", // RFC 1918 (Private Network)
"198.18.0.0/15", // RFC 2544 (Reserved For Benchmarking)
"198.51.100.0/24", // RFC 5737 (Reserved For Documentation)
"203.0.113.0/24", // RFC 5737 (Reserved For Documentation)
"224.0.0.0/4", // RFC 1112 (Reserved For Multicast)
"240.0.0.0/4", // RFC 6890 (Reserved For Future Use)
"::1", // Localhost
"100::/64", // RFC 6666 (Traffic Discard Prefix)
"2001:db8::/32", // Reserved For Documentation
"fc00::/7", // Unique Local Addresses
"fe80::/10", // Link-Local Addresses
"ff00::/8" // Multicast Addresses
);