HOPM and your IRCd - demu.red

Intro

I am making this post because it seems like HOPM is poorly advertised as a successor to BOPM on the internet. As it took me more time to find HOPM than it could have, I feel talking about it here may contribute to its search ranking (there are plenty of crawlers on my tiny site already). The inspiration for this post is a recent botnet attack on my server, which seems to have now petered out. Searching for a solution that didn't completely block tor access took longer than it could have.

IRC

IRCd

I use UnrealIRCd. I like it, and it happens to be the flavor I first administered... back when that network still existed. Anyway, I like it, and I think it works well.

IRC Services

I realize it's taking me a while to get to the main topic, HOPM, but I might as well finish describing the setup at this point. Anope is crap... And they happen to have some childish developers... When researching other IRC Services, Atheme was highly recommended in many places. Unfortunately its development ceased. But I did find two current forks, Shalture being the one I chose. Among the many things it does better, it has CertFP support. NOTE 11DEC2016: Atheme is alive again, and Shalture's changes incorporated.

CertFP

CertFP is a nifty feature where, after teaching NickServ your SSL certificate fingerprint, it automatically identifies you on connection. No commands needed. You do have to be connecting via SSL, of course.

Botnet

Ok, now to the point. A few weeks ago, some Russian-looking botnet decided to attack my VPS, and got on my IRCd. It wasn't really doing much aside from having random-seeming names and making random channels... aside from spamming my console window with all the connections/exits. But who wants to keep someone else's botnet on their server?

BOPM

In my research to combat the botnet without completely blocking tor access, I again found a discontinued piece of software that everyone recommended... BOPM. Unfortunately, not only has BOPM gone four years without an update, its documentation site has dropped off the face of the internet. While I did take a shot at running BOPM, it did not want to compile for me...

HOPM

Well, after another few days of research, I dug up HOPM, an ongoing project that picks up the reins.

What is HOPM

HOPM (Hybrid Open Proxy Monitor) is an open-proxy monitoring bot designed to monitor an individual server (all servers on the network have to run their own bot if the IRCD does not support `farconnect` user mode) with a local operator {} block and monitor connections. When a client connects to a server, HOPM will scan the connection for insecure proxies. Insecure proxies are determined by attempting to connect the proxy back to another host (usually the IRC server in question).

HOPM is written from the ground up in C and is an improved fork of BOPM (Blitzed Open Proxy Monitor), which is itself a concept derived from wgmon. It improves on wgmon with HTTP support, faster scanning (it can scan clients simultaneously), better layout (scalability) and DNSBL support.

Use

It works very well, and configuration is pretty simple. I'm going to skip the basic settings, as they are self-explanatory. Do note that there are a few clearly marked options that apply to specific IRCds. I will briefly talk about enabling the blacklists, as this is the meat of HOPM, and it took me a moment to grok it correctly. Looking at the sample conf under the 'opm' section, you will see that there are four blacklists to choose from, and settings for reporting bots if you choose. I chose to use DroneBL and EFnet RBL, as DroneBL didn't catch everything on its own, and EFnet has survived for 25 years.

Conf

### OPM ### {{{
/*
 * OPM Block defines blacklists and information required to report new proxies
 * to a dns blacklist. DNS-based blacklists store IP addresses in a DNS zone
 * file. There are several blacklist that list IP addresses known to be open
 * proxies or other forms of IRC abuse. By checking against these blacklists,
 * HOPMs are able to ban known sources of abuse without completely scanning them.
 */
opm {
        /*
         * Blacklist zones to check IPs against. If you would rather not
         * trust a remotely managed blacklist, you could set up your own, or
         * leave these commented out in which case every user will be
         * scanned. The use of at least one open proxy DNSBL is recommended
         * however.
         *
         * Please check the policies of each blacklist you use to check you
         * are comfortable with using them to block access to your server
         * (and that you are allowed to use them).
         */

        /* dnsbl.dronebl.org - http://dronebl.org */
        blacklist {
                /* The DNS name of the blacklist */
                name = "dnsbl.dronebl.org";

                /*
                 * There are only two values that are valid for this
                 * "A record bitmask" and "A record reply"
                 * These options affect how the values specified to reply
                 * below will be interpreted, a bitmask is where the reply
                 * values are 2^n and more than one is added up, a reply is
                 * simply where the last octet of the IP address is that number.
                 * If you are not sure then the values set for dnsbl.dronebl.org
                 * will work without any changes.
                 */
#               type = "A record reply";

                /*
                 * Kline types not listed in the reply list below.
                 *
                 * For DNSBLs that are not IRC specific and you just wish to kline
                 * certain types this can be enabled/disabled.
                 */
#               ban_unknown = no;

                /*
                 * The actual values returned by the dnsbl.dronebl.org blacklist as
                 * documented at http://dronebl.org/docs/howtouse
                 */
                reply {
                        2 = "Sample";
                        3 = "IRC Drone";
                        5 = "Bottler";
                        6 = "Unknown spambot or drone";
                        7 = "DDOS Drone";
                        8 = "SOCKS Proxy";
                        9 = "HTTP Proxy";
                        10 = "ProxyChain";
                        13 = "Brute force attackers";
                        14 = "Open Wingate Proxy";
                        15 = "Compromised router / gateway";
                        17 = "Automatically determined botnet IPs (experimental)";
                        255 = "Unknown";
                };

                /*
                 * The kline message sent for this specific blacklist, remember to put
                 * the removal method in this.
                 */
                kline = "KLINE *@%h 3d You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
        };

        /* rbl.efnetrbl.org - http://rbl.efnetrbl.org/ */
        blacklist {
                name = "rbl.efnetrbl.org";
                type = "A record reply";
                ban_unknown = no;

                reply {
                        1 = "Open proxy";
                        2 = "spamtrap666";
                        3 = "spamtrap50";
                        4 = "TOR";
                        5 = "Drones / Flooding";
                };

                kline = "KLINE *@%h 3d Blacklisted proxy found. For more information, visit http://rbl.efnetrbl.org/?i=%i";
        };

};
### End OPM ### }}}

So, it's not super complicated, uncommenting the parts you want to use and all. It did take me a few minutes to realize the GLines were in the wrong format for UnrealIRCd though, and needed to be changed in three places (once for scan, and once for each enabled blacklist).

Instead of the default `kline = "KLINE 180 *@%h :Open proxy found on your host.";`, UnrealIRCd wants `kline = "KLINE *@%h 3d Open proxy found on your host.";` (host, then the duration, and no ':').
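To make the blacklist section and the kline format concrete, here is an added Python example (not HOPM's code) that does what the `opm {}` block above configures: it builds the reversed-octet DNSBL query name, decodes a `127.0.0.x` answer against the `reply {}` table in either "A record reply" or "A record bitmask" mode, honours `ban_unknown`, and expands `%h`/`%i` in the UnrealIRCd-style kline string. The resolver is injected so the check runs offline; `fake_resolve`, the TEST-NET-2 address and the hostname are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Reply tables and kline strings copied from the opm {} block above.
DRONEBL = {"name": "dnsbl.dronebl.org", "type": "A record reply", "ban_unknown": False,
           "reply": {2: "Sample", 3: "IRC Drone", 5: "Bottler", 6: "Unknown spambot or drone",
                     7: "DDOS Drone", 8: "SOCKS Proxy", 9: "HTTP Proxy", 10: "ProxyChain",
                     13: "Brute force attackers", 14: "Open Wingate Proxy",
                     15: "Compromised router / gateway",
                     17: "Automatically determined botnet IPs (experimental)", 255: "Unknown"},
           "kline": "KLINE *@%h 3d You have a host listed in the DroneBL. For more information, "
                    "visit http://dronebl.org/lookup_branded?ip=%i&network=Network"}
EFNETRBL = {"name": "rbl.efnetrbl.org", "type": "A record reply", "ban_unknown": False,
            "reply": {1: "Open proxy", 2: "spamtrap666", 3: "spamtrap50", 4: "TOR",
                      5: "Drones / Flooding"},
            "kline": "KLINE *@%h 3d Blacklisted proxy found. For more information, "
                     "visit http://rbl.efnetrbl.org/?i=%i"}

def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: IPv4 octets reversed, under the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def decode_replies(answers: List[str], bl: Dict) -> List[str]:
    """Map the last octet of each 127.0.0.x answer to the reasons in the reply {} table."""
    reasons = []
    for a in answers:
        code = int(a.rsplit(".", 1)[1])
        if bl["type"] == "A record bitmask":        # reply values are 2^n and may be OR'd
            reasons += [d for bit, d in bl["reply"].items() if code & bit]
        elif code in bl["reply"]:                   # "A record reply": exact last-octet match
            reasons.append(bl["reply"][code])
        elif bl["ban_unknown"]:                     # listed, but with a code we have no entry for
            reasons.append("unknown listing type %d" % code)
    return reasons

def expand_kline(template: str, host: str, ip: str) -> str:
    """Fill HOPM's %h (hostname) and %i (IP) placeholders in the configured kline string."""
    return template.replace("%h", host).replace("%i", ip)

def check_client(ip: str, host: str, blacklists: List[Dict],
                 resolve: Callable[[str], List[str]]) -> Optional[Dict]:
    """Return the first blacklist hit for a connecting client, or None if it is not listed."""
    for bl in blacklists:
        reasons = decode_replies(resolve(dnsbl_name(ip, bl["name"])), bl)
        if reasons:
            return {"zone": bl["name"], "reasons": reasons,
                    "kline": expand_kline(bl["kline"], host, ip)}
    return None

def fake_resolve(name: str) -> List[str]:
    """Constructed answers: 198.51.100.23 (TEST-NET-2) is 'listed' as a SOCKS proxy in DroneBL."""
    return {"23.100.51.198.dnsbl.dronebl.org": ["127.0.0.8"]}.get(name, [])
```

For a live check, swap `fake_resolve` for a function that resolves the name with your DNS library and returns an empty list on NXDOMAIN, which is how a DNSBL says "not listed".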

Conclusion

Once you set HOPM up with your ban lists, it works very nicely. Sure, your opers get connect, kline, and exit spam; but now you have that warm, satisfied feeling from ban hammering. In my limited use, it also does not appear to block legitimate tor users.


- demure