OPSB Manual
_________________________________________________________________

1. Prerequisites and Installation

     1.1. Compiling and Installation

2. Basic Configuration

     2.1. Exclusion Lists
     2.2. TARGET IP and TARGET PORT
     2.3. BanTime

3. Detailed Configuration

     3.1. CACHETIME Setting
     3.2. SCAN Setting
     3.3. AKILL Setting
     3.4. OPMDOMAIN Setting
     3.5. MAXBYTES Setting
     3.6. TIMEOUT
     3.7. OPENSTRING
     3.8. SPLITTIME
     3.9. SCANMSG Setting
     3.10. PORTS Setting

          3.10.1. Listing Ports/Protocols
          3.10.2. Adding Ports
          3.10.3. Deleting Ports

4. Operational Commands

     4.1. LOOKUP Command
     4.2. INFO Command
     4.3. CHECK Command
     4.4. STATUS Command

Welcome to the Open Proxy Scanning Bot (OPSB) Manual. This document will aid you in setting up and running OPSB on your IRC network.

OPSB is a proxy scanning service that scans connecting clients for open proxies. These open proxies are often used by malicious users and trojans to connect to your network and attack the network, users, or channels that you host. It bases its scanning engine on the BOPM proxy scanning library available at http://www.blitzed.org, but unlike the BOPM software, it has native support to scan all clients network wide, rather than via individual servers. This means that you only need one OPSB service running on your network to protect your entire IRC network.

Additionally, OPSB makes use of open proxy lists. These lists often contain IP addresses of verified open proxies, and OPSB can ban these users without even scanning. By default, OPSB uses the blitzed open proxy list (more details available at http://opm.blitzed.org).

OPSB is flexible in that it has many advanced configuration options available to IRC administrators, including the ability to easily modify the protocols and ports scanned on connecting users, as well as to exclude certain users or servers from scanning. This allows you maximum flexibility without the overhead of running multiple copies of proxy scanning software.
In addition, it has the ability to queue up scans, so during periods of peak usage, OPSB will not consume all bandwidth or file descriptors, but will still scan users in a timely manner.

Proxy scanning is only one defence against trojans and malicious users, and cannot detect all types of open proxies. We therefore recommend that IRC administrators run other software such as SecureServ, and familiarize themselves with the OperServ functionality found in most traditional IRC services packages.

By default, OPSB scans the following protocols and ports (but this can be easily customized):

  * HTTP Proxies on Port 80, 3128, 8000, 8080
  * HTTP Post Proxies on Port 80, 3128, 8000, 8080
  * Wingate Servers on Port 23
  * Insecure Cisco Routers on port 23
  * SOCKS4 Servers on 1080
  * SOCKS5 Servers on 1080

These ports are some of the more common ports, but administrators might find other ports that are often associated with open proxies. In these cases, the administrator can simply add the new port to be scanned without restarting OPSB.

Warning

     When picking a host to run OPSB from, make sure you check with your shell or ISP provider to ensure that there are no transparent HTTP proxies enabled on that network. Transparent proxies are often used to speed up HTTP downloads for users without requiring the user to update their browser configuration. If you often get false positive scans on users on port 80, then most likely your hosting provider has implemented a transparent proxy. See if they can disable this transparent proxy for you, or alternatively, find a new hosting provider that does not run a transparent proxy. THERE IS NO WAY FOR OPSB TO DETECT IT IS BEHIND A TRANSPARENT PROXY.

OPSB is written and maintained by Justin Hammond. It requires the NeoStats software. More information about OPSB, or NeoStats, can be found at http://www.neostats.net/

OPSB is Copyright, 2004 by Justin Hammond.

1. Prerequisites and Installation

OPSB is designed to run on top of NeoStats.
At the time of writing, NeoStats has the following requirements:

  * A Linux or BSD based server or shell.
  * A supported IRCd. Currently, Hybrid7, Unreal, Ultimate2.x, Ultimate3.x, NeoIRCd, Bahamut
  * Some basic Unix administration skill
  * Of course, an IRC network to connect it all together.

Please refer to the NeoStats website for more information on the requirements.

OPSB itself requires the following:

  * NeoStats 2.5.8 or higher correctly installed and running
  * The time to read this entire document.

Warning

     OPSB has the potential to Akill/Gline your entire network. It's strongly suggested that you read this entire document before even attempting to compile OPSB, as I'm just going to laugh if you didn't read it and it AKILLs your entire network. This is Beta Software, there are BUGS. Beware.

1.1. Compiling and Installation

As long as you have successfully set up NeoStats, and installed it correctly, compiling OPSB is very simple and straightforward. First you must extract the files from the download package. This is as simple as:

     bash$ tar -xzf OPSB-.tar.gz

This should then create a directory called OPSB- where is the Version of OPSB. Then change into the OPSB directory, and run configure as follows:

     bash$ ./configure [--enable-debug | --with-neostats=]

--enable-debug
     Only useful for diagnostic purposes when used in conjunction with debugging tools. There should be no need to use this option on a day to day basis.

--with-neostats=
     Should be used if your NeoStats directory is not in a standard location (~/NeoStats/). Replace with the full path to your NeoStats installation directory (NOT SOURCE DIRECTORY).

Configuring OPSB will look something like the following screen:

     [Fish@fish-dt]$ ./configure
     checking for gcc... gcc
     checking for C compiler default output... a.out
     checking whether the C compiler works... yes
     checking whether we are cross compiling... no
     checking for suffix of executables...
     checking for suffix of object files... o
     checking whether we are using the GNU C compiler... yes
     checking whether gcc accepts -g... yes
     checking for gcc option to accept ANSI C... none needed
     checking for a BSD-compatible install... /usr/bin/install -c
     checking for pcre_compile in -lpcre... yes
     checking Location of NeoStats...... /home/fish/NeoStats/
     checking for /home/fish/NeoStats//include/dl.h... yes
     checking Version of NeoStats...... Compatible Version
     checking Whether to Enable Debuging...... no
     configure: creating ./config.status
     config.status: creating Makefile
     (*----------------------------------------------------------*)
     (| To compile your module, please type 'make'               |)
     (| If make completes without errors, then you               |)
     (| Must 'make install', but please be sure that NeoStats    |)
     (| Is not currently running with a module of the same name  |)
     (| Running, otherwise Make install will not work            |)
     (| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |)
     (| If you are running a BSD, make install may produce a     |)
     (| Error, if that is the case, then please manually copy    |)
     (| opsb.so to the NeoStats/dl directory                     |)
     (| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |)
     (*----------------------------------------------------------*)
     (| For Support please visit:                                |)
     (| IRC: /server irc.irc-chat.org                            |)
     (|      #neostats channel                                   |)
     (| WWW: http://www.neostats.net/boards/                     |)
     (*----------------------------------------------------------*)
     (|This Module was written by:                               |)
     (| fish (fish@dynam.ac)                                     |)
     (*----------------------------------------------------------*)

If the configuration did not produce an error, you may then move on to compiling OPSB. Compiling is simply a matter of issuing the "make" command (or "gmake" if you are running BSD):

     [Fish@fish-dt]$ make
     (cd libopm; make libopm.a)
     make[1]: Entering directory `/home/fish/opsb/libopm'
     gcc -c -O2 -Wall -I. -I.. compat.c
     gcc -c -O2 -Wall -I. -I.. config.c
     gcc -c -O2 -Wall -I. -I.. inet.c
     gcc -c -O2 -Wall -I. -I.. libopm.c
     gcc -c -O2 -Wall -I. -I.. list.c
     gcc -c -O2 -Wall -I. -I.. malloc.c
     gcc -c -O2 -Wall -I. -I.. proxy.c
     ar cru libopm.a compat.o config.o inet.o libopm.o list.o malloc.o proxy.o
     ranlib libopm.a
     make[1]: Leaving directory `/home/fish/opsb/libopm'
     gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm opsb.c
     gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm proxy.c
     gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm opsb_help.c
     ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libopm.a
     [1005|/home/fish/opsb]
     [Fish@fish-dt]$

Again, check for error messages. As long as there are no error messages, "make install" will install OPSB, this README file, and any auxiliary files needed into your NeoStats directory:

     [Fish@fish-dt]$ make install
     (cd libopm; make libopm.a)
     make[1]: Entering directory `/home/fish/opsb/libopm'
     make[1]: `libopm.a' is up to date.
     make[1]: Leaving directory `/home/fish/opsb/libopm'
     ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libopm.a
     /usr/bin/install -c -m 644 opsb.so /home/fish/NeoStats//dl/
     /usr/bin/install -c -m 644 README.opsb opsb.Settings /home/fish/NeoStats//dl/../doc/
     [1006|/home/fish/opsb]

If you receive *ANY* errors at all during this process, please post them on our Support boards, at http://www.neostats.net/boards/

Once installation is complete, you can either configure NeoStats to load OPSB when it starts, or load OPSB via IRC.

To configure NeoStats to automatically load OPSB when it boots, add the following line to your "neostats.cfg" file in the NeoStats directory:

     LOAD_MODULE OPSB

To load OPSB via IRC, you must make sure you have the appropriate permissions and issue the following command:

     /msg neostats load OPSB

That's it. OPSB is now loaded and ready for use (in fact, it will already be running now, but read on for further information).

2. Basic Configuration

OPSB is completely configured online via IRC.
When you first start up OPSB, it attempts some "sane" defaults for you to get started with, but you should always review these settings as soon as you install. Additionally, while it's in this "default" state, it will warn you every so often via a global message, as well as messages to the services channel, that it is still "unconfigured". Some of the settings that you may want to review right away are:

  * Exclusion Lists - You should set up an Exclude list for your IRC Services server (NickServ etc)
  * Target IP address and Ports that OPSB tries to get the proxies to connect to.
  * Default Ban Time when OPSB finds an open proxy.

These are outlined below:

2.1. Exclusion Lists

Exclusion lists allow you to specify certain hostmasks or servers that should be excluded from monitoring by OPSB. This exclusion list would allow an administrator to, say, allow users on that are matched against an open proxy, when the administrator has verified that the trojan does not in fact exist on the user's host.

Caution

     Exclusions should be set up for your Services server, so that OPSB does not try to scan ChanServ, or NickServ, or any of the bots relating to nickname protection.

Adding an Entry

To add an entry to the Exclusion list, use the following format:

     /msg OPSB exclude add <1/0>

Where:

     = The HostName/Server or Channel name. WildCards ? and * are permitted.
     = The type of exclusion. 0 is for HostNames, 1 is for Servers
     = a short description of the exclusion, for operator reference only.

The output is as follows:

     >OPSB< exclude add services.irc-chat.net 1 Blah is my reason
     -OPSB- Added services.irc-chat.net (Server) exception to list

Listing an Entry

To list the Exclusions simply type:

     /msg OPSB exclude list

All the current exclusions are then listed. Additionally, a position number is provided for use with the delete command.
The output is as follows:

     >OPSB< exclude list
     -OPSB- Exception List:
     -OPSB- 1) *.blah.com (Server) Added by Fish for Blah is my reason
     -OPSB- 2) is.blah.com (HostName) Added by Fish for can by high
     -OPSB- End of List.

Deleting an Entry

To delete an entry, you should first look up the position of the entry that you wish to delete. The format of the command is as follows:

     /msg OPSB exclude del

Where:

     is the position of the entry you wish to delete in the list

The output of the command is as follows:

     >OPSB< exclude del 1
     -OPSB- Deleted services.irc-chat.net server out of exception list

2.2. TARGET IP and TARGET PORT

By default, OPSB sets up each proxy scan to attempt to connect back to the IP address and port of the server that NeoStats connects to. This may not always be what you wish, as it can help an attacker map out how your network is structured. Ideally, you should pick the IP address of an IRC server you host that is stable and on a fast connection, and enter its IP address and port numbers into OPSB.

Changing the TargetIP

To change the target IP, use the following format:

     /msg OPSB set targetip

Where:

     = The IP address to attempt to get proxies to connect to

The output is as follows:

     -> *opsb* set targetip 203.208.228.144
     =opsb= Target IP set to 203.208.228.144

Changing the Target Port

To change the target port, type:

     /msg OPSB set targetport

Where:

     = the new port to attempt to get proxies to connect to

The output is as follows:

     -> *opsb* set targetport 6667
     =opsb= Target PORT set to 6667

2.3. BanTime

OPSB by default bans the IP/Hostname of an open proxy for 1 day (86400 seconds). Some networks may wish to increase or decrease this time value.

Changing the Ban Time

To change the akilltime, type:

     -> *opsb* set akilltime 86400
     =opsb= Ban time changed to 86400

3. Detailed Configuration

OPSB attempts to be as configurable as possible in order to cater for each individual network's requirements. This in turn, though, makes the configuration very complex.
There are many settings within OPSB that affect how it operates, how it responds, and even how it affects the performance of NeoStats overall. Out of the box, OPSB provides sensible defaults for these settings, but you may wish to read this section for details on exactly what each option does, and its effect on how OPSB operates.

The following list summarises the available options you can set in OPSB:

  * CACHETIME
  * SCAN
  * AKILL
  * OPMDOMAIN
  * MAXBYTES
  * TIMEOUT
  * OPENSTRING
  * SPLITTIME
  * SCANMSG
  * PORTS

To change any of these settings, you use the Set interface in OPSB. Eg:

     /msg OPSB set
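
The exclusion matching described in section 2.1, as an added example that is not part of OPSB or NeoStats: a type 1 entry is compared against the client's server and a type 0 entry against its hostname, using the ? and * wildcards. Case-insensitive comparison, first-match order, and the names mask_match, excluded and sample are assumptions of this example; the sample list reuses the masks shown in section 2.1.

```c
/* Added example, not OPSB source: exclusion-list matching as section 2.1
 * describes it. Case-insensitive compare and first-match order are assumed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
enum { EXCL_HOST = 0, EXCL_SERVER = 1 };   /* the manual's types 0 and 1 */

struct exclusion { const char *mask; int type; const char *reason; };
/* Constructed list, reusing the masks from the manual's sample output. */
static const struct exclusion sample[] = {
    { "services.irc-chat.net", EXCL_SERVER, "services server" },
    { "*.blah.com",            EXCL_SERVER, "Blah is my reason" },
    { "is.blah.com",           EXCL_HOST,   "verified clean host" },
};

/* '?' matches exactly one character, '*' any run including none.
 * Iterative backtracking keeps the cost at O(mask * string). */
static int mask_match(const char *m, const char *s)
{
    const char *star = NULL, *retry = NULL;
    while (*s) {
        if (*m == '*') { star = m++; retry = s; }
        else if (*m == '?' ||
                 tolower((unsigned char)*m) == tolower((unsigned char)*s)) { m++; s++; }
        else if (star) { m = star + 1; s = ++retry; }
        else return 0;
    }
    while (*m == '*') m++;
    return *m == '\0';
}

/* Returns the 1-based list position of the first entry that exempts the
 * client (the number "exclude del" takes), or 0 if it must be scanned. */
static int excluded(const struct exclusion *l, size_t n,
                    const char *host, const char *server)
{
    for (size_t i = 0; i < n; i++)
        if (mask_match(l[i].mask, l[i].type == EXCL_SERVER ? server : host))
            return (int)i + 1;
    return 0;
}

int main(void)
{
    /* A Server mask exempts every client behind a matching server, but
     * not a client elsewhere whose own hostname happens to match it. */
    printf("%d\n", excluded(sample, 3, "dialup-1.example.org", "hub.blah.com"));
    printf("%d\n", excluded(sample, 3, "www.blah.com", "irc.example.net"));
    return 0;
}
```

Because a type 1 mask is tested against the server name, a wildcard such as "*.blah.com" exempts every client connected through any matching server, so server entries are safest when they name the services server exactly.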