BOPM - Tricks 'n tips on how to configure the BOPM.

- Keep an eye on the FD limit.
  A BOPM nowadays needs to scan on quite a few ports. Say you scan on 100 ports; then one connecting client takes up 100 file descriptors. If you keep the default BOPM setting of 512, you can only scan 5 clients concurrently, and any further scans are queued. One might say that you never get 5 connects at once, but remember that the BOPM holds FDs open during a scan that is waiting for a timeout, which can take up to 30 seconds with the default config. Therefore, keep the FD limit high enough. Especially during a dronerun from open proxies you do want to catch them all. Recommended are values above 8k.

- Check the FD limit not only in the BOPM config, but also on your system.
  Setting the FD limit high in the conf is good, but keep in mind that you also need to set your system's ulimits accordingly. If the ulimits are below the FD limit in the conf, then the scans the BOPM wants to perform once all the system FDs are in use are simply discarded, so proxies risk getting through.

- Scan source port limitation on FreeBSD.
  FreeBSD (and maybe other BSD/UNIX flavours) has a built-in limit on the range of local ports available to the sockets the scanning connections use. By default the lower limit is 1024 and the upper limit 5000. As with the FDs, you want to make sure there are plenty of these. Recommended is setting net.inet.ip.portrange.last to 1024 + fdlimit + buffer. The buffer is for the other programs running on the box, such as the BOPM's own connection to the IRC server. There is no such thing as setting this too high, so don't be cheap on it.

- Keep up to date with the latest port lists.
  It won't come as a surprise that the default port list of the sample BOPM config is quite inadequate and fairly skinny. New trojans and worms appear in the field on a daily basis, and new ports are opened on infected machines. Some people actively maintain lists of popular open proxy ports; do keep up to date with those. The lists are compiled from proxy hosts that were actually found, so the ports listed are certainly being abused on a large scale.

- Put the ports in the right order of popularity.
  It is recommended to put the ports you scan on in order of popularity, because some servers out there run a portscan prevention system. This means that if you connect to, say, 10 ports, the server blocks your IP for some time. If the proxy is actually on a port which you scan later on, the IP of your scanning server may already be blocked and the proxy will not be found. The sooner you scan the most popular ports, the higher the chance of finding the proxy before you get blocked.

- Use a manually set target string.
  The default is to use the ircd welcome banner as the target string. The target string, for those unfamiliar with how a BOPM scan works, is the string it listens for when trying to get the connection proxied. For instance, if I have a target string "foo bar baz", a target host 190.191.192.193 and a target port 6667, then upon a client connection the BOPM connects to the ports defined, tries to get the connection relayed to 190.191.192.193:6667, and when the string "foo bar baz" is encountered it knows the connection was relayed. The problem with the default string being the ircd welcome banner is that when somebody runs an ircd of their own on a port you scan, the BOPM sees that string and concludes it is an open proxy, which it is not. Making the target string something non-default limits the possibility of false positives. Remember, the target host/port do not need to be the host/port of the IRC server; they can be anything. It's easy to set up manually, just use inetd. Put this in inetd.conf:

    ircd stream tcp nowait nobody /bin/echo echo Proxy Check

  The "Proxy Check" can be changed to your personal target string, and 'ircd' is the port reference from /etc/services.

- Use target port 6667.
  This target port is the default, and for once it's a good default. Some trojans in the wild are programmed in such a way that they only relay connections to port 6667; any other port is not relayed to. So to statistically keep the highest detection rate, keep this set to 6667.

- Use an extra BOPM for DNSBL lookups only.
  When a dronerun is hitting your server, the BOPM will not always keep up. It queues the connections, but it can take a while before all of them are scanned, and in some cases it can even cause the BOPM to ping timeout. Running an extra BOPM that does DNSBL lookups only will at least keep the listed proxies out, even during droneruns, because a DNS lookup takes very little time, so it won't fall behind on that.

## Last modified Mon Mar 7 20:18:20 CET 2005 ##
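The FD and port-range arithmetic from the first three tips (FD budget per client, system ulimit versus the configured limit, and the recommended net.inet.ip.portrange.last value), as an added shell example that is not part of the original page and not BOPM's own tooling. It assumes the scanner block of bopm.conf carries a line of the form `fd = N;` (a constructed sample is embedded below), takes 1024 as the lower end of the FreeBSD port range as stated above, and reads the process limit with `ulimit -n`:

```shell
#!/bin/sh
# BOPM resource budget checks (added example; assumptions are noted inline).

# Constructed sample of the relevant lines from a bopm.conf scanner block.
# Assumption: the scanner block carries an "fd = N;" line.
SAMPLE_CONF='scanner {
    name = "default";
    fd = 512;
    timeout = 30 seconds;
};'

# Extract the configured fd limit from config text passed on stdin.
conf_fdlimit() {
    sed -n 's/^[[:space:]]*fd[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' | head -n 1
}

# File descriptors needed to scan $2 concurrent clients on $1 ports.
fds_needed() {
    echo $(( $1 * $2 ))
}

# Clients scanned concurrently with fd limit $1 on $2 ports before queueing starts.
max_concurrent() {
    echo $(( $1 / $2 ))
}

# Recommended net.inet.ip.portrange.last: 1024 (range base) + fd limit $1 + buffer $2.
portrange_last() {
    echo $(( 1024 + $1 + $2 ))
}

# Return 0 when the process fd limit (ulimit -n) covers the BOPM fd limit $1,
# 1 otherwise; "unlimited" always passes.
ulimit_covers() {
    sys=$(ulimit -n)
    [ "$sys" = "unlimited" ] && return 0
    [ "$sys" -ge "$1" ]
}

# Worked run with the constructed config and the numbers from the text.
main() {
    fdlimit=$(printf '%s\n' "$SAMPLE_CONF" | conf_fdlimit)
    echo "configured fd limit: $fdlimit"
    echo "100 ports x 5 clients need $(fds_needed 100 5) fds"
    echo "fd=$fdlimit on 100 ports allows $(max_concurrent "$fdlimit" 100) concurrent clients"
    echo "net.inet.ip.portrange.last for fd=8192, buffer=512: $(portrange_last 8192 512)"
    if ulimit_covers "$fdlimit"; then
        echo "ulimit -n ($(ulimit -n)) covers fd=$fdlimit"
    else
        echo "WARNING: ulimit -n ($(ulimit -n)) is below fd=$fdlimit; raise it or scans get discarded"
    fi
}

main
```

Run it on the BOPM host after raising the limit in the conf; pipe the real bopm.conf through `conf_fdlimit` instead of the sample, and feed the result to `portrange_last` when choosing the sysctl value on FreeBSD.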