diff --git a/.gitattributes b/.gitattributes index 7fddf1f..13e8f39 100644 --- a/.gitattributes +++ b/.gitattributes @@ -2,10 +2,13 @@ /ChangeLog -text /LICENSE -text /Makefile.in -text +/OPSB.xml -text /README.opsb -text +/README.opsb.html -text /aclocal.m4 -text /configure -text /configure.in -text +/html.css -text /install-sh -text libopm/.cvsignore -text libopm/LICENSE -text diff --git a/OPSB.xml b/OPSB.xml new file mode 100644 index 0000000..ce14c87 --- /dev/null +++ b/OPSB.xml @@ -0,0 +1,735 @@ + + +
+ OPSB Manual + + Welcome to the Open Proxy Scanning Bot (OPSB) Manual. This document + will aid you in setting up and running OPSB on your IRC network. + + OPSB is a Proxy Scanning Service that scans connecting clients for + Open Proxies. These Open Proxies are often used by malicious users and + trojans to connect to your network and attack the network, users, or + channels that you host. It bases its scanning engine on the BOPM proxy + scanning library available at http://www.blitzed.org, but unlike the BOPM + software, it has native support to scan all clients network wide, rather + than via individual servers. This means that you only need one OPSB service + running on your network to protect your entire IRC network. + + Additionally, OPSB makes use of Open Proxy lists. These lists often + contain IP addresses of verified Open Proxies, and OPSB can ban these users + without even scanning. By default, OPSB uses the blitzed open proxy list + (More details available at http://opm.blitzed.org) + + OPSB is flexible in that it has many advanced configuration options + available to IRC administrators, including the ability to easily modify the + protocols and ports to scan of connecting users, as well as exclude certian + users or servers from scanning. This allows you maxium flexibility without + the overhead of running multiple copies of proxy scanning software. In + addition, it has the ability to Queue up scans, so during periods of peak + usage, OPSB will not consume all bandwidth or file descriptors, but still + scan users in a timely manor. + + Proxy Scanning is only one defence against Trojans and Malicious + users, and can not detect all types of open Proxies. We therefore recomend + that the IRC administrators run other software such as SecureServ, and + familiarize themselves with the OperServ functionality found in most + traditional IRC services packages. 
+ + By Default, OPSB scans the following protocols and ports (But this can + be easily customized) + + + + HTTP Proxies on Port 80, 3128, 8000, 8080 + + + + HTTP Post Proxies on Port 80, 3128, 8000, 8080 + + + + Wingate Servers on Port 23 + + + + Insecure Cisco Routers on port 23 + + + + SOCKS4 Servers on 1080 + + + + SOCKS5 Servers on 1080 + + + + These ports are some of the more common ports, but administrators + might find other ports that are often associated with open proxies. In these + cases, the administrator can simple add the new port to be scanning without + restarting OPSB. + + + When picking a host to run OPSB from, make sure you check with your + Shell or ISP provider to ensure that there are no Transparent HTTP proxies + enabled on that network. Transparent proxies are often used to speed up + HTTP downloads for users without requiring the user to update their + browser configuration. If you often get false positive scans on users on + port 80, then most likely your hosting provider has implemented a + Transparent Proxy. See if they can disable this transparent proxy for you, + or alternativly, find a new hosting provider that does not run a + transparent proxy. THERE IS NO WAY FOR OPSB TO DETECT IT IS BEHIND A + TRANSPARENT PROXY. + + + + As of writting, this software is BETA quality. Not all functionality + has been implemented, and additionally, there might be some "BAD" + bugs in OPSB that cause it to AKILL your entire network. Our testing and + Development of OPSB was run on a large network, and so far, has proved + stable, and effective in protecting our network, BUT every users + enviroment is different. While we have taken all precautions and conducted + a extensive QA cycle before the release of OPSB, its a "Use at your + Own Risk" Module. Of Course, if you do have bad experiences with OPSB, + please let us know at http://www.neostats.net/boards/ + + + OPSB is written and maintained by Justin Hammond. It requires the + NeoStats software. 
More information about OPSB, or NeoStats, can be found at + http://www.neostats.net/ + + OPSB is Copyright, 2003 by Justin Hammond. + + + Prerequisites and Installation. + + OPSB is designed to run on Top of NeoStats. The Following + requirements at the time of writting are required for NeoStats:A + Linux or BSD based Server or Shell.A + supported IRCd. Currently, Hybrid7, Unreal, Ultimate2.x, Ultimate3.x, + NeoIRCd, BahumatSome basic Unix + administration SkillOf Course, a IRC + network to connect it all together. + + Please refer to the NeoStats website for more information on the + requirements + + OPSB itself requires the following:NeoStats + 2.5.8 or Higher correctly installed and RunningThe + time to read this entire document. OPSB has the potential + to Akill/Gline your entire network. Its strongly suggested that you read + this entire document before even attempting to compile OPSB, as I'm + just going to laugh, if you didn't read, and it AKILL's your + entire network. This is Beta Software, there are BUGS. beware. + + + Compiling and Installation + + As long as you have successfully setup NeoStats, and installed it + correctly, Compiling OPSB is very simple and straight forward. First you + must extract the files from the download package. This is as simple as: + + bash$ tar -xzf OPSB-<ver>.tar.gz + + This should then create a directory called OPSB-<version> + where <version> is the Version of OPSB. Then Proceed to Change + into the OPSB directory, and run Configure as follows:bash$./configure [--enable-debug | --with-neostats=<dir>] + + --enable-debug is only usefull for diagnostics purposes when used + in conjuction with debugging tools. There should be no need to use this + option on a day to day basis + + --with-neostats=<dir> should be used if your neostats + directory is not in a standard location (~/NeoStats/). 
Replace + <dir> with the full path to your NeoStats installation directory + (NOT SOURCE DIRECTORY) + + Configuring OPSB will look something like the following screen: + + [Fish@fish-dt]$ ./configure +checking for gcc... gcc +checking for C compiler default output... a.out +checking whether the C compiler works... yes +checking whether we are cross compiling... no +checking for suffix of executables... +checking for suffix of object files... o +checking whether we are using the GNU C compiler... yes +checking whether gcc accepts -g... yes +checking for gcc option to accept ANSI C... none needed +checking for a BSD-compatible install... /usr/bin/install -c +checking for pcre_compile in -lpcre... yes +checking Location of NeoStats...... /home/fish/NeoStats/ +checking for /home/fish/NeoStats//include/dl.h... yes +checking Version of NeoStats...... Compatible Version +checking Whether to Enable Debuging...... no +configure: creating ./config.status +config.status: creating Makefile + +(*----------------------------------------------------------*) +(| To compile your module, please type 'make' |) +(| If make completes without errors, then you |) +(| Must 'make install', but please be sure that NeoStats |) +(| Is not currently running with a module of the same name |) +(| Running, otherwise Make install will not work |) +(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |) +(| If you are running a BSD, make install may produce a |) +(| Error, if that is the case, then please manually copy |) +(| opsb.so to the NeoStats/dl directory |) +(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
|) +(*----------------------------------------------------------*) +(| For Support please visit: |) +(| IRC: /server irc.irc-chat.org |) +(| #neostats channel |) +(| WWW: http://www.neostats.net/boards/ |) +(*----------------------------------------------------------*) +(|This Module was written by: |) +(| fish (fish@dynam.ac) |) +(*----------------------------------------------------------*) + + + If the configuration did not produce a error, you may then move + onto Compiling OPSB. Compiling is simply just issuing the "make" + command (or "gmake" if you are running BSD): + + [Fish@fish-dt]$ make +(cd libopm; make libopm.a) +make[1]: Entering directory `/home/fish/opsb/libopm' +gcc -c -O2 -Wall -I. -I.. compat.c +gcc -c -O2 -Wall -I. -I.. config.c +gcc -c -O2 -Wall -I. -I.. inet.c +gcc -c -O2 -Wall -I. -I.. libopm.c +gcc -c -O2 -Wall -I. -I.. list.c +gcc -c -O2 -Wall -I. -I.. malloc.c +gcc -c -O2 -Wall -I. -I.. proxy.c +ar cru libopm.a compat.o config.o inet.o libopm.o list.o malloc.o proxy.o +ranlib libopm.a +make[1]: Leaving directory `/home/fish/opsb/libopm' +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm opsb.c +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm proxy.c +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm opsb_help.c +ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libopm.a +[1005|/home/fish/opsb] +[Fish@fish-dt]$ + + Again, check for Error messages. As long as there are not error + messages, "make install" will install OPSB, this README file, + and any auxiluary files needed into your NeoStats directory: + + [Fish@fish-dt]$ make install +(cd libopm; make libopm.a) +make[1]: Entering directory `/home/fish/opsb/libopm' +make[1]: `libopm.a' is up to date. 
+make[1]: Leaving directory `/home/fish/opsb/libopm' +ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libopm.a +/usr/bin/install -c -m 644 opsb.so /home/fish/NeoStats//dl/ +/usr/bin/install -c -m 644 README.opsb opsb.Settings /home/fish/NeoStats//dl/../doc/ +[1006|/home/fish/opsb] + + If you recieve *ANY* errors at all during the this process, please + post them on our Support boards, at http//www.neostats.net/boards/ + + Once Installation is complete, you can either configure NeoStats + to load OPSB when it starts, or load OPSB via IRC. + + To Configure NeoStats to automatically load OPSB when it boots, + add the following line to your "neostats.cfg" file in the + NeoStats directory: + + LOAD_MODULE OPSB + + To load OPSB via IRC, you must make sure you have the appropriate + permissions and issue the following command: + + /msg neostats load OPSB + + Thats it. OPSB is now loaded and ready for use (in fact, it will + already be running now, but read on for futher information. + + + + + Basic Configuration + + OPSB is completly configured online via IRC. When you first start up + OPSB, it attempts some "Sane" defaults for you to get started + with, but you should always review these settings as soon as you install. + Additionally, while its in this "Default" state, it will warn you + every so often via a global message as well as messages to the services + channel that it is still "unconfigured". Some of the settings that + you may want to review right away are: + + + + Exclusion Lists - You should setup a Exclude list for your IRC + Services server (NickServ etc) + + + + Target IP address and Ports that OPSB tries to get the proxies + to connect to. + + + + Default Ban Time when OPSB finds a open Proxy. + + + + These are outlined below: + + + Exclusion Lists + + Exclusion lists allow you to specify certian Hostmasks or Servers + that should be excluded from monitoring by OPSB. 
This exclusion list + would allow a administrator to say, allow users on that are matched + against a open proxy, when the administrator has verified that the + trojan does not in fact exist on the users host. + + + Exclusions should be setup for your Services Server, so that + OPSB does not try to scan ChanServ, or NickServ, or any of the bots + relating to Nickname protection. + + + Adding a Entry + + To add a entry to the Exclusion list, use the following format: + + /msg OPSB exclude add <1/0> <type> <reason> + + Where: + + <host> = The HostName/Server or Channel name. WildCards ? + and * are permitted. + + <type> = The type of exclusion. 0 is for HostNames, 1 is + for Servers + + <reason> = a short description of the exclusion, for + operator reference only. + + The output is as follows: + + >OPSB< exclude add services.irc-chat.net 1 Blah is my reason +-OPSB- Added services.irc-chat.net (Server) exception to list + + Listing an Entry + + To list the Exclusions simple type: + + /msg OPSB exclude list + + And all the current exclusions are listed. Additionaly, a Position + number is provided for use with the delete command. The output is as + follows: + + >OPSB< exclude list +-OPSB- Exception List: +-OPSB- 1) *.blah.com (Server) Added by Fish for Blah is my reason +-OPSB- 2) is.blah.com (HostName) Added by Fish for can by high +-OPSB- End of List. + + Deleting an Entry + + To delete a entry, you should first lookup the Position of the + entry that you wish to delete. The format of the command is as follows: + + /msg OPSB exclude del <num> + + Where: + + <num> is the position of the entry you wish to delete in + the list + + The output of the command is as follows: + + >OPSB< exclude del 1 +-OPSB- Deleted services.irc-chat.net server out of exception list + + + + TARGET IP and TARGET PORT + + By default, OPSB sets up each proxy scan to attempt to connect + back to the IP address and port of the server that NeoStats connects to. 
+ This may not always be what you wish, as it can help a attacker map our + how your network is structured. Ideally, you should pick the IP address + of a IRC server you host that is stable and on a fast connection, and + enter its IP address and port numbers into OPSB. + + Changing the TargetIP + + To add a entry to the Helper list, use the following format: + + /msg OPSB set targetip <newipaddress> + + Where: + + <newipaddress> = The ip address to attempt to get proxies + to connect to + + The output is as follows: + + -> *opsb* set targetip 203.208.228.144 +=opsb= Target IP set to 203.208.228.144 + + Changing the Target Port + + To list the helpers simple type: + + /msg OPSB set targetport <newport> + + Where: + + <newport> = the new port to attempt to get proxies to + connect to + + The output is as follows: + + -> *opsb* set targetport 6667 +=opsb= Target PORT set to 6667 + + + + BanTime + + OPSB by default bans the IP/Hostname of a Open Proxy for 1 day + (86400 seconds). Some networks may wish to increase or decrease this + time value. + + Changing the Ban Time + + To change the bantime, type: + + -> *opsb* set bantime 86400 +=opsb= Ban time changed to 86400 + + + + + Detailed Configuration + + OPSB attempts to be as configurable as possible in order to cater + for each individual networks requirements. This in turn though makes the + configuration very complex. There are many many settings with OPSB that + affect how it operates, how it responds and even, how affects the + performance of NeoStats Overall. Out of the box, OPSB provides sensible + defaults for these settings, but you may wish to read this section for + details on exactly what each option does, and its affect on how OPSB + operates. 
+ + The following list summaries the available Options you can set in + OPSB + + + + CACHETIME + + + + DISABLESCAN + + + + DOBAN + + + + OPMDOMAIN + + + + MAXBYTES + + + + TIMEOUT + + + + OPENSTRING + + + + SPLITTIME + + + + SCANMSG + + + + To change any of these settings, you use the Set Interface in OPSB. + Eg: + + /msg OPSB set <option> <params> + + To view the current settings, issue the following command: + + /msg OPSB set list + + The following Sections describes the different options, their + params, and the effect on OPSB in detail. + + + CACHETIME Setting + + In order to improve performance, OPSB caches the results of scans + it has performed so if a user disconnects and reconnects, they are not + scanned again, and thus this saves bandwidth and improves the + performance of OPSB. By default, OPSB saves previous scans for 1 hour. + Smaller IRC networks may wish to increase this value, while larger IRC + networks that are concerned about performance or memory usage of OPSB + may with to leave this setting as it is. Setting the cache time to 0 + disables the use of caching, and forces OPSB to scan every user + connecting every time. + + To Change the setting, issue the following Command: + + /msg OPSB set CACHETIME <seconds> + + + + DISABLESCAN Setting + + Sometimes a IRC administrator may wish to only make use of the + Open Proxy list lookup, and not actually perform a scan on users. + DISABLESCAN forces OPSB to only perform a lookup of the IP address in + the configured OPMDOMAIN. + + If you wish to turn off Proxy checks, issue the following command + + /msg OPSB set DISABLESCAN <ON/OFF> + + + + DOBAN Setting + + Often, when setting up OPSB for the first time, or making changes + to the ports that are to be scanning, you may wish to test OPSB without + it actually performing a AKILL. Turning DOBAN off disables the placement + of a AKILL on open Proxy hosts. 
+ + To Change the setting, issue the following Command: + + /msg OPSB set DOBAN <ON/OFF> + + + + OPMDOMAIN Setting + + This setting changes with domain OPSB should consult for a + positive match on a particular IP address. By Default, OPSB checks + opm.blizted.org. Another list may be substituted instead of the default + on. At this time, we have not tested any other open proxy list, although + most lists should work with no problems. Please report success/failure + to our boards + + To Change this Setting, issue the following Command: + + /msg OPSB set OPMDOMAIN <newdomain> + + + + MAXBYTES Setting + + Maxbytes controls how much data to read from a open connection + before determining that the host in question does not contain a Open + Proxy. As we check ports that are common with legitimate applications + such as webservers, we don't need to download the entire webpage to + determine that it is not a open proxy. By default, we only read 500 + bytes which should be sufficient for most networks. + + To Change this Setting, issue the following Command: + + /msg OPSB set MAXBYTES <bytelimit> + + + + TIMEOUT + + It is very common for users to now use personal firewall software + on their PC. This often leads to probes the the users ip address that + never actually get rejected or are successfull, but just hang trying to + connect. the Timeout value controls how long to wait before assuming + that the host is not operating a proxy. By default, we wait 30 seconds + + To Change this setting, issue the following command: + + /msg OPSB set TIMEOUT <seconds> + + + + OPENSTRING + + This setting controls what strings to look for that indicate a + Open Proxy. By default, we look for the standard string "*** Looking + up your hostname..." which is one of the first messages sent to + connecting IRC clients. There should be no need to change this setting. + Internally, OPSB also scans for common Trottle or akill messages. 
+ + To Change this setting, issue the following command: + + /msg OPSB set OPENSTRING <newstring> + + + + SPLITTIME + + OPSB is very sensitive to timedrifts on the IRC network. In order + to not scan users that might be part of a Netjoin (When two IRC servers + reconnect after a Netsplit) we only scan users who's signon time is + less than this setting. If your IRC network times are not in sync, you + might experience issues where users connecting to one "lagged" + out server are not scanning. In this case, you should fix the time on + the affected server. A last resort is to increase this time value. By + default, we only scan users that connected in the last 300 seconds + + To Change this setting, issue the following command: + + /msg OPSB set SPLITTIME <seconds> + + + + SCANMSG Setting + + This setting changes the default message that is sent to users + when they sign on the IRC network. You can customise this message to + point to a webpage giving more details, or customize to your local + language. + + To Change the setting, issue the following Command: + + /msg OPSB set SCANMSG <msg> + + + + + Operational Commands + + OPSB has a number of commands that you can issue it in order to + perform checks or operations on your IRC network. These commands aid + Administrators in keeping their network secure, and keeping OPSB upto + date. + + The following list summerizes these commands: + + + + LOOKUP + + + + INFO + + + + CHECK + + + + STATUS + + + + REMOVE + + + + The following Sections Describe these commands in detail + + + LOOKUP Command + + The lookup comand can perform DNS lookups for you. You can specify + what information you wish to retrive. This command is open to all users + by default. + + The format of the command is as follows: + + /msg OPSB lookup <ip|hostname> <flag> + + Where: + + <ip|hostname> is the item you wish to lookup. + + <flag> is optional, and specified what type of data you + wish to lookup. 
Available options include: + + txt - Lookup Text Records rp - Lookup the Responsible Person for + this record ns - Lookup the Name Servers for this record soa - Lookup + the SOA for this Record + + If no flag is given, we attempt to lookup the A record. + + The output of the command is as follows: + + -> *opsb* lookup irc.irc-chat.net +=opsb= irc.irc-chat.net resolves to 202.181.4.129 +=opsb= irc.irc-chat.net resolves to 203.208.228.144 +=opsb= irc.irc-chat.net resolves to 216.218.235.254 +=opsb= irc.irc-chat.net resolves to 66.227.101.55 + + + + INFO Command + + This command provides users with information about what functions + OPSB performs. Its intended to just provide directions to users for more + information + + The format of the command is as follows: + + /msg OPSB info + + + + CHECK Command + + This command forces OPSB to perform a full scan on the specified + nickname, ip adress or hostname. + + The format of the command is as follows: + + /msg OPSB check <nick|host> + + The output is as follows: + + =opsb= Checking fish for open Proxies +<opsb> Starting proxy scan on Fish (XXXX.singnet.com.sg) by Request of Fish +=opsb= Negitiation failed for protocol HTTP(80) +=opsb= Negitiation failed for protocol HTTP(8000) +=opsb= Negitiation failed for protocol HTTP(3128) +=opsb= Negitiation failed for protocol SOCKS4(1080) +=opsb= Negitiation failed for protocol SOCKS5(1080) +=opsb= Negitiation failed for protocol WINGATE(23) +=opsb= Negitiation failed for protocol ROUTER(23) +=opsb= Negitiation failed for protocol HTTPPOST(80) +=opsb= Negitiation failed for protocol HTTPPOST(8000) +=opsb= Negitiation failed for protocol HTTPPOST(3128) +=opsb= Closed Proxy on Protocol HTTP (8080) +=opsb= Closed Proxy on Protocol HTTPPOST (8080) +=opsb= scan finished on Fish +=opsb= XXXX.singnet.com.sg does not appear in DNS black list + + + + STATUS Command + + This command gives the Administrator statistics on the how OPSB is + performing, how many checks it has conducted, and 
other information + relating to the performance of OPSB. + + The format of the command is as follows: + + -> *opsb* status +=opsb= Proxy Results: +=opsb= Hosts Scanned: 5831 Hosts found Open: 1 Exceptions 0 +=opsb= Cache Entries: 128 +=opsb= Cache Hits: 5523 +=opsb= Blacklist Hits: 4 +=opsb= Currently Scanning 0 Proxies (0 in queue): + + +
\ No newline at end of file diff --git a/README.opsb b/README.opsb index ae6a69d..1239803 100644 --- a/README.opsb +++ b/README.opsb 
@@ -1,149 +1,617 @@ -Open Proxy Scanning Bot Version 1.0 Release Canidate 1 - fish@dynam.ac -+++++++++++++++++++++++++++++++++++++++++ -Thanks for Downloading opsb. opsb is a bot for the NeoStats IRC services -package (www.neostats.net) that allows you to check and ban users -connecting to your network using In-Secure proxy servers. +OPSB Manual + _________________________________________________________________ -Insecure proxy servers are often used to -launch attacks against IRC networks, or users, and are difficult to detect -by regular irc means. + 1. Prerequisites and Installation. -Opsb actually scans each user as they connect to the network, and attempts -to determine if the user is coming from a open proxy. + 1.1. Compiling and Installation -Currently the open proxies that we scan for are: -HTTP proxies on ports 80, 8080, 3128 -Socks4 and Socks5 proxies on ports 1080 -wingate or cisco routers on ports 23 + 2. Basic Configuration -opsb also checks the Blitzed DNS blacklist for proxies that have already -been reported as open. More information on the blitzed DNS blacklist can -be found at http://www.blitzed.org/opm/. This means that you can ban users -that come from known proxies. + 2.1. Exclusion Lists + 2.2. TARGET IP and TARGET PORT + 2.3. BanTime -opsb is ideal for larger networks where you want one server to -do all the scanning instead of -individual servers running their own proxy scanner. + 3. Detailed Configuration -============================================================================== -Requirements -============================================================================== -1) NeoStats 2.5.0 RC1 or Higher installed -2) A shell to run from -3) CN lines to a server on your network -4) Knowledge of unices + 3.1. CACHETIME Setting + 3.2. DISABLESCAN Setting + 3.3. DOBAN Setting + 3.4. OPMDOMAIN Setting + 3.5. MAXBYTES Setting + 3.6. TIMEOUT + 3.7. OPENSTRING + 3.8. SPLITTIME + 3.9. 
SCANMSG Setting -============================================================================== -Installation -============================================================================== -Installation is faily straight forward. + 4. Operational Commands -1) Make sure you have a working copy of NeoStats installed. - You can obtain Neostats from www.neostats.net - Please make sure that you have it configured correctly and installed - and it links to your network correctly. + 4.1. LOOKUP Command + 4.2. INFO Command + 4.3. CHECK Command + 4.4. STATUS Command - *NOTE* - You must have done "make install" in the neostats directory. This - will install NeoStats, by default to ~/NeoStats/ - *BSD USERS* - neostats has a bug with make install. Please refer to the forums - on the neostats site for more information + Welcome to the Open Proxy Scanning Bot (OPSB) Manual. This document + will aid you in setting up and running OPSB on your IRC network. -2) Configure opsb. - to configure opsb, run ./configure <--with-neostats=> - from the directory where you untared opsb (typically ~/opsb-1.0-beta1/) - You must specify the --with-neostats option if the configure - script can not find the NeoStats directory + OPSB is a Proxy Scanning Service that scans connecting clients for + Open Proxies. These Open Proxies are often used by malicious users and + trojans to connect to your network and attack the network, users, or + channels that you host. It bases its scanning engine on the BOPM proxy + scanning library available at http://www.blitzed.org, but unlike the + BOPM software, it has native support to scan all clients network wide, + rather than via individual servers. This means that you only need one + OPSB service running on your network to protect your entire IRC + network. -3) Make - Run "make" (or gmake if you use bsd) in the opsb directory. This - should compile opsb for you. + Additionally, OPSB makes use of Open Proxy lists. 
These lists often + contain IP addresses of verified Open Proxies, and OPSB can ban these + users without even scanning. By default, OPSB uses the blitzed open + proxy list (More details available at http://opm.blitzed.org) -4) Make install - run "make install" or "gmake install" if you use bsd to install - opsb into the NeoStats Directory. + OPSB is flexible in that it has many advanced configuration options + available to IRC administrators, including the ability to easily + modify the protocols and ports to scan of connecting users, as well as + exclude certian users or servers from scanning. This allows you maxium + flexibility without the overhead of running multiple copies of proxy + scanning software. In addition, it has the ability to Queue up scans, + so during periods of peak usage, OPSB will not consume all bandwidth + or file descriptors, but still scan users in a timely manor. -5) (optionally) Configure Neostats to load opsb on startup - This is done by adding the line "LOAD_MODULE opsb" - to the neostats.cfg file -****************************************************************************** -NOTE: -if you had used OPSB previously, then the previous database is incompatible -with this version. You *MUST* delete data/opsb.db out of the NeoStats -directory -****************************************************************************** + Proxy Scanning is only one defence against Trojans and Malicious + users, and can not detect all types of open Proxies. We therefore + recomend that the IRC administrators run other software such as + SecureServ, and familiarize themselves with the OperServ functionality + found in most traditional IRC services packages. -6) Load and Configure opsb. - Start up NeoStats, or load the module via IRC. - All configuration of opsb is done via IRC, there is no config file - as such. - Read Below for more Information. -7) You done! 
+ By Default, OPSB scans the following protocols and ports (But this can + be easily customized) + * HTTP Proxies on Port 80, 3128, 8000, 8080 + * HTTP Post Proxies on Port 80, 3128, 8000, 8080 + * Wingate Servers on Port 23 + * Insecure Cisco Routers on port 23 + * SOCKS4 Servers on 1080 + * SOCKS5 Servers on 1080 -============================================================================== -Configuration -============================================================================== -All of opsb configurable options are set via IRC. The defaults will -probably not be correct for your network, hence, opsb will broadcast a -message warning you of this till you configure it. + These ports are some of the more common ports, but administrators + might find other ports that are often associated with open proxies. In + these cases, the administrator can simple add the new port to be + scanning without restarting OPSB. -What you should change from defaults: +Warning -/msg opsb set targetip - this sets the IP address that opsb tries to - make proxies connect to. By default it is set to the server that NeoStats - is linked to. This might not always be a good idea, so you should set the - IP address to a server on your network. + When picking a host to run OPSB from, make sure you check with your + Shell or ISP provider to ensure that there are no Transparent HTTP + proxies enabled on that network. Transparent proxies are often used to + speed up HTTP downloads for users without requiring the user to update + their browser configuration. If you often get false positive scans on + users on port 80, then most likely your hosting provider has + implemented a Transparent Proxy. See if they can disable this + transparent proxy for you, or alternativly, find a new hosting + provider that does not run a transparent proxy. THERE IS NO WAY FOR + OPSB TO DETECT IT IS BEHIND A TRANSPARENT PROXY. 
-/msg opsb set targetport - This is the port number that opsb tries to - make proxies connect to. You should set this to a Common IRC port such - as 6667. Defaults to the port that NeoStats connects to. +Warning -/msg opsb set bantime - By Default, opsb will akill a host that is a open proxy for 1 day. - You may wish to change this option + As of writting, this software is BETA quality. Not all functionality + has been implemented, and additionally, there might be some "BAD" bugs + in OPSB that cause it to AKILL your entire network. Our testing and + Development of OPSB was run on a large network, and so far, has proved + stable, and effective in protecting our network, BUT every users + enviroment is different. While we have taken all precautions and + conducted a extensive QA cycle before the release of OPSB, its a "Use + at your Own Risk" Module. Of Course, if you do have bad experiences + with OPSB, please let us know at http://www.neostats.net/boards/ -/msg opsb set cachetime - opsb will cache the results of the scans that were not successfull - (ie, IP addresses that are *NOT* open proxies) so that if a - user re-connects within the cache time, they will not be scanned again. it - is default to 1 hour. + OPSB is written and maintained by Justin Hammond. It requires the + NeoStats software. More information about OPSB, or NeoStats, can be + found at http://www.neostats.net/ -/msg opsb exclude add 1 - opsb scans every user that joins the network, including users that - come from your services host. (such as ChanServ or - Reserved Nicks). You *SHOULD* add a exclusion, so that users from your - services server are not scanned. servershostname is the name of your - services as seen on IRC. (eg, in /map or /links) - The "1" specifies a IRC server, a 0 specifies a true internet hostname. - The reason field allows you to add a comment to the exclusion for reference. + OPSB is Copyright, 2003 by Justin Hammond. 
-There are many other options that you configure, though you should consult -the help interface to what they do (/msg opsb help set and /msg opsb -help exclude). In 99% of the cases, it is not necessary to -change these settings, unless you are absolutly sure of what you are -doing, or one of the NeoStats helpers advises you to. +1. Prerequisites and Installation. -============================================================================== -More Information and Support -============================================================================== -You can get more help with opsb by visiting -http://www.neostats.net/forums/ -If your question is *NOT* answered there, then you can visit us at -irc://irc.irc-chat.org/#neostats. We will *NOT* answer questions that have -already been answered in this file, or on the forums, so make sure you -read both carefully. -opsb is written and maintained by fish + OPSB is designed to run on Top of NeoStats. The Following requirements + at the time of writting are required for NeoStats: + * A Linux or BSD based Server or Shell. + * A supported IRCd. Currently, Hybrid7, Unreal, Ultimate2.x, + Ultimate3.x, NeoIRCd, Bahumat + * Some basic Unix administration Skill + * Of Course, a IRC network to connect it all together. -============================================================================== -Credits -============================================================================== -Credit for some of this code must go to the BOPM team, and in particular -Erik Fears. -Also, thanks to all our Beta Testers and People that hasle us to release -code quicker :) + Please refer to the NeoStats website for more information on the + requirements + OPSB itself requires the following: + * NeoStats 2.5.8 or Higher correctly installed and Running + * The time to read this entire document. +Warning + OPSB has the potential to Akill/Gline your entire network. 
Its + strongly suggested that you read this entire document before even + attempting to compile OPSB, as I'm just going to laugh, if you + didn't read, and it AKILL's your entire network. This is Beta + Software, there are BUGS. beware. + +1.1. Compiling and Installation + + As long as you have successfully setup NeoStats, and installed it + correctly, Compiling OPSB is very simple and straight forward. First + you must extract the files from the download package. This is as + simple as: +bash$ tar -xzf OPSB-.tar.gz + + This should then create a directory called OPSB- where + is the Version of OPSB. Then Proceed to Change into the OPSB + directory, and run Configure as follows: +bash$./configure [--enable-debug | --with-neostats=] + + --enable-debug is only usefull for diagnostics purposes when used in + conjuction with debugging tools. There should be no need to use this + option on a day to day basis + + --with-neostats= should be used if your neostats directory is not + in a standard location (~/NeoStats/). Replace with the full path + to your NeoStats installation directory (NOT SOURCE DIRECTORY) + + Configuring OPSB will look something like the following screen: +[Fish@fish-dt]$ ./configure +checking for gcc... gcc +checking for C compiler default output... a.out +checking whether the C compiler works... yes +checking whether we are cross compiling... no +checking for suffix of executables... +checking for suffix of object files... o +checking whether we are using the GNU C compiler... yes +checking whether gcc accepts -g... yes +checking for gcc option to accept ANSI C... none needed +checking for a BSD-compatible install... /usr/bin/install -c +checking for pcre_compile in -lpcre... yes +checking Location of NeoStats...... /home/fish/NeoStats/ +checking for /home/fish/NeoStats//include/dl.h... yes +checking Version of NeoStats...... Compatible Version +checking Whether to Enable Debuging...... 
no +configure: creating ./config.status +config.status: creating Makefile + +(*----------------------------------------------------------*) +(| To compile your module, please type 'make' |) +(| If make completes without errors, then you |) +(| Must 'make install', but please be sure that NeoStats |) +(| Is not currently running with a module of the same name |) +(| Running, otherwise Make install will not work |) +(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |) +(| If you are running a BSD, make install may produce a |) +(| Error, if that is the case, then please manually copy |) +(| opsb.so to the NeoStats/dl directory |) +(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |) +(*----------------------------------------------------------*) +(| For Support please visit: |) +(| IRC: /server irc.irc-chat.org |) +(| #neostats channel |) +(| WWW: http://www.neostats.net/boards/ |) +(*----------------------------------------------------------*) +(|This Module was written by: |) +(| fish (fish@dynam.ac) |) +(*----------------------------------------------------------*) + + If the configuration did not produce a error, you may then move onto + Compiling OPSB. Compiling is simply just issuing the "make" command + (or "gmake" if you are running BSD): +[Fish@fish-dt]$ make +(cd libopm; make libopm.a) +make[1]: Entering directory `/home/fish/opsb/libopm' +gcc -c -O2 -Wall -I. -I.. compat.c +gcc -c -O2 -Wall -I. -I.. config.c +gcc -c -O2 -Wall -I. -I.. inet.c +gcc -c -O2 -Wall -I. -I.. libopm.c +gcc -c -O2 -Wall -I. -I.. list.c +gcc -c -O2 -Wall -I. -I.. malloc.c +gcc -c -O2 -Wall -I. -I.. proxy.c +ar cru libopm.a compat.o config.o inet.o libopm.o list.o malloc.o proxy.o +ranlib libopm.a +make[1]: Leaving directory `/home/fish/opsb/libopm' +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm opsb.c +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. -Ilibopm proxy.c +gcc -c -O2 -Wall -I/home/fish/NeoStats//include/ -I. 
-Ilibopm opsb_help.c +ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libop +m.a +[1005|/home/fish/opsb] +[Fish@fish-dt]$ + + Again, check for Error messages. As long as there are not error + messages, "make install" will install OPSB, this README file, and any + auxiluary files needed into your NeoStats directory: +[Fish@fish-dt]$ make install +(cd libopm; make libopm.a) +make[1]: Entering directory `/home/fish/opsb/libopm' +make[1]: `libopm.a' is up to date. +make[1]: Leaving directory `/home/fish/opsb/libopm' +ld -shared -o opsb.so opsb.o proxy.o opsb_help.o libopm/libop +m.a +/usr/bin/install -c + -m 644 opsb.so + /home/fish/NeoStats//dl/ +/usr/bin/install -c + -m 644 README.opsb opsb.S +ettings /home/fish/NeoStats//dl/../doc/ +[1006|/home/fish/opsb] + + If you recieve *ANY* errors at all during the this process, please + post them on our Support boards, at http//www.neostats.net/boards/ + + Once Installation is complete, you can either configure NeoStats to + load OPSB when it starts, or load OPSB via IRC. + + To Configure NeoStats to automatically load OPSB when it boots, add + the following line to your "neostats.cfg" file in the NeoStats + directory: + + LOAD_MODULE OPSB + + To load OPSB via IRC, you must make sure you have the appropriate + permissions and issue the following command: + + /msg neostats load OPSB + + Thats it. OPSB is now loaded and ready for use (in fact, it will + already be running now, but read on for futher information. + +2. Basic Configuration + + OPSB is completly configured online via IRC. When you first start up + OPSB, it attempts some "Sane" defaults for you to get started with, + but you should always review these settings as soon as you install. + Additionally, while its in this "Default" state, it will warn you + every so often via a global message as well as messages to the + services channel that it is still "unconfigured". 
Some of the settings + that you may want to review right away are: + * Exclusion Lists - You should setup a Exclude list for your IRC + Services server (NickServ etc) + * Target IP address and Ports that OPSB tries to get the proxies to + connect to. + * Default Ban Time when OPSB finds a open Proxy. + + These are outlined below: + +2.1. Exclusion Lists + + Exclusion lists allow you to specify certian Hostmasks or Servers that + should be excluded from monitoring by OPSB. This exclusion list would + allow a administrator to say, allow users on that are matched against + a open proxy, when the administrator has verified that the trojan does + not in fact exist on the users host. + +Caution + + Exclusions should be setup for your Services Server, so that OPSB does + not try to scan ChanServ, or NickServ, or any of the bots relating to + Nickname protection. + + Adding a Entry + + To add a entry to the Exclusion list, use the following format: +/msg OPSB exclude add <1/0> + + Where: + + = The HostName/Server or Channel name. WildCards ? and * are + permitted. + + = The type of exclusion. 0 is for HostNames, 1 is for Servers + + = a short description of the exclusion, for operator + reference only. + + The output is as follows: +>OPSB< exclude add services.irc-chat.net 1 Blah is my reason +-OPSB- Added services.irc-chat.net (Server) exception to list + + Listing an Entry + + To list the Exclusions simple type: +/msg OPSB exclude list + + And all the current exclusions are listed. Additionaly, a Position + number is provided for use with the delete command. The output is as + follows: +>OPSB< exclude list +-OPSB- Exception List: +-OPSB- 1) *.blah.com (Server) Added by Fish for Blah is my reason +-OPSB- 2) is.blah.com (HostName) Added by Fish for can by high +-OPSB- End of List. + + Deleting an Entry + + To delete a entry, you should first lookup the Position of the entry + that you wish to delete. 
The format of the command is as follows: +/msg OPSB exclude del + + Where: + + is the position of the entry you wish to delete in the list + + The output of the command is as follows: +>OPSB< exclude del 1 +-OPSB- Deleted services.irc-chat.net server out of exception list + +2.2. TARGET IP and TARGET PORT + + By default, OPSB sets up each proxy scan to attempt to connect back to + the IP address and port of the server that NeoStats connects to. This + may not always be what you wish, as it can help a attacker map our how + your network is structured. Ideally, you should pick the IP address of + a IRC server you host that is stable and on a fast connection, and + enter its IP address and port numbers into OPSB. + + Changing the TargetIP + + To add a entry to the Helper list, use the following format: +/msg OPSB set targetip + + Where: + + = The ip address to attempt to get proxies to connect + to + + The output is as follows: + -> *opsb* set targetip 203.208.228.144 +=opsb= Target IP set to 203.208.228.144 + + Changing the Target Port + + To list the helpers simple type: +/msg OPSB set targetport + + Where: + + = the new port to attempt to get proxies to connect to + + The output is as follows: + -> *opsb* set targetport 6667 +=opsb= Target PORT set to 6667 + +2.3. BanTime + + OPSB by default bans the IP/Hostname of a Open Proxy for 1 day (86400 + seconds). Some networks may wish to increase or decrease this time + value. + + Changing the Ban Time + + To change the bantime, type: + -> *opsb* set bantime 86400 +=opsb= Ban time changed to 86400 + +3. Detailed Configuration + + OPSB attempts to be as configurable as possible in order to cater for + each individual networks requirements. This in turn though makes the + configuration very complex. There are many many settings with OPSB + that affect how it operates, how it responds and even, how affects the + performance of NeoStats Overall. 
Out of the box, OPSB provides + sensible defaults for these settings, but you may wish to read this + section for details on exactly what each option does, and its affect + on how OPSB operates. + + The following list summaries the available Options you can set in OPSB + * CACHETIME + * DISABLESCAN + * DOBAN + * OPMDOMAIN + * MAXBYTES + * TIMEOUT + * OPENSTRING + * SPLITTIME + * SCANMSG + + To change any of these settings, you use the Set Interface in OPSB. + Eg: +/msg OPSB set
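Review bot: In section 2.2 the lead-in sentences under "Changing the TargetIP" and "Changing the Target Port" do not describe the commands that follow them: "To add a entry to the Helper list, use the following format:" precedes /msg OPSB set targetip, and "To list the helpers simple type:" precedes /msg OPSB set targetport. They read as carried over from another manual; suggest "To change the target IP, type:" and "To change the target port, type:", matching the wording section 2.3 already uses for bantime. In section 2.1 the sample output is inconsistent: the list example shows entry 1 as *.blah.com, yet "exclude del 1" reports "Deleted services.irc-chat.net server out of exception list". Because the Caution in 2.1 tells operators to keep an exclusion for the services server, the delete example should remove the entry the list actually shows at that position, so readers do not copy a command that drops the services exclusion. Smaller points in the added text: the support URL in 1.1 is written "http//www.neostats.net/boards/" without the colon, the parenthesis opened at "(in fact, it will already be running now" is never closed, and "map our how your network is structured" should read "map out". The removed README also carried a Credits section naming the BOPM team and Erik Fears; nothing in the added lines shown here replaces it, so check that the attribution survives elsewhere in the new manual.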