1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
|
/*
* [OPTIONAL] Non-Core Modules
*
* The following blocks are used to load all non-core modules, including 3rd-party modules.
* Modules can be prevented from loading by commenting out the line, other modules can be added by
* adding a module block. These modules will be loaded prior to Services connecting to your network.
*/
/*
* help
*
* Provides commands generic/help
*
* Is a generic help command that can be used with any client.
*/
module { name = "help" }
/*
* m_dnsbl
*
* Allows configurable DNS blacklists to check connecting users against. If a user
* is found on the blacklist they will be immediately banned. This is a crucial module
* to prevent bot attacks.
*/
module { name = "m_dnsbl" }
m_dnsbl
{
/*
* If set, Services will check clients against the DNSBLs when services connect to its uplink.
* This is not recommended, and on large networks will open a very large amount of DNS queries.
* Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
*/
check_on_connect = no
/*
* If set, Services will check clients when coming back from a netsplit. This can cause a large number
* of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
* might care.
*/
check_on_netburst = no
/*
* If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
*/
add_to_akill = yes
}
blacklist
{
/* Name of the blacklist */
name = "rbl.efnetrbl.org"
/* How long to set the ban for */
time = 4h
/* Reason for akill.
* %n is the nick of the user
* %u is the ident/username of the user
* %g is the realname of the user
* %h is the hostname of the user
* %i is the IP of the user
* %r is the reason (configured below). Will be nothing if not configured.
* %N is the network name set in networkinfo:networkname
*/
reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info"
/* Replies to ban and their reason. If this is totally ommited all replies get banned */
1 = "Open Proxy"
/* Don't ban for result 2 or 3 */
#2 = "spamtrap666"
#3 = "spamtrap50"
4 = "TOR"
5 = "Drones / Flooding"
}
blacklist
{
name = "dnsbl.dronebl.org"
time = 4h
reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=%N"
}
/*
* m_helpchan
*
* Gives users who are op in the specified help channel usermode +h (helpop).
*/
#module { name = "m_helpchan" }
m_helpchan
{
helpchannel = "#help"
}
/*
* m_httpd
*
* Allows services to serve web pages. By itself, this module does nothing useful.
*
* Note that using this will allow users to get the IP of your services.
* To prevent this we recommend using a reverse proxy or a tunnel.
*/
#module { name = "m_httpd" }
httpd
{
/* Name of this service */
name = "httpd/main"
/* IP to listen on */
ip = "0.0.0.0"
/* Port to listen on */
port = 8080
/* Time before connections to this server are timed out */
timeout = 30
/* If you are using a reverse proxy that sends one of the
* extforward_headers set below, set this to its IP.
* This allows services to obtain the real IP of users by
* reading the forwarded-for HTTP header.
*/
#extforward_ip = "192.168.0.255"
/* The header to look for. These probably work as is. */
extforward_header = "X-Forwarded-For Forwarded-For"
}
/*
* m_ldap
*
* This module allows other modules to use LDAP. By itself, this module does nothing useful.
*/
#module { name = "m_ldap" }
ldap
{
server = "ldap://127.0.0.1"
port = 389
/*
* Admin credentials used for performing searches and adding users.
*/
admin_binddn = "cn=Manager,dc=anope,dc=org"
admin_password = "secret"
}
/*
* m_ldap_authentication
*
* This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
* LDAP to authenticate users. Requires m_ldap.
*/
#module { name = "m_ldap_authentication" }
m_ldap_authentication
{
/*
* The distinguished name used for searching for users's accounts.
*/
basedn = "ou=users,dc=anope,dc=org"
/*
* The search filter used to look up users's accounts.
* %account is replaced with the user's account
* %object_class is replaced with the object_class configured below.
*/
search_filter = "(&(uid=%account)(objectClass=%object_class))"
/*
* The object class used by LDAP to store user account information.
* Used for adding new users to LDAP if disable_ns_register is false
*/
object_class = "anopeUser"
/*
* The attribute value used for account names.
*/
username_attribute = "uid"
/*
* The attribute value used for email addresses.
* This directive is optional.
*/
email_attribute = "email"
/*
* The attribute value used for passwords.
* Used when registering new accounts in LDAP.
*/
password_attribute = "userPassword"
/*
* Enable to have this module disable /nickserv register.
*/
disable_ns_register = false
/*
* The reason to give the users who try to /ns register if
* disable_ns_register is enabled.
*/
#disable_reason = "To register on this network visit http://some.misconfigured.site/register"
}
/*
* m_ldap_oper
*
* This module dynamically ties users to Anope opertypes when they identify
* via LDAP group membership. Requires m_ldap.
*
* Note that this doesn't give the user privileges on the IRCd, only in Services.
*/
#module { name = "m_ldap_oper" }
m_ldap_oper
{
/*
* An optional binddn to use when searching for groups.
* %a is replaced with the account name of the user.
*/
#binddn = "cn=Manager,dc=anope,dc=org"
/*
* An optional password to bind with.
*/
#password = "secret"
/*
* The base DN where the groups are.
*/
basedn = "ou=groups,dc=anope,dc=org"
/*
* The filter to use when searching for users.
* %a is replaced with the account name of the user.
*/
filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"
/*
* The attribute of the group that is the name of the opertype.
* The cn attribute should match a known opertype in the config.
*/
opertype_attribute = "cn"
}
/*
* m_mysql
*
* This module allows other modules to use MySQL.
*/
#module { name = "m_mysql" }
mysql
{
/* The name of this service */
name = "mysql/main"
database = "anope"
server = "127.0.0.1"
username = "anope"
password = "mypassword"
port = 3306
}
/*
* m_proxyscan
*
* This module allows you to scan connecting clients for open proxies.
* Note that using this will allow users to get the IP of your services.
*
* Currently the two supported proxy types are HTTP and SOCKS5.
*
* The proxy scanner works by attempting to connect to clients when they
* connect to the network, and if they have a proxy running instruct it to connect
* back to services. If services are able to connect through the proxy to itself
* then it knows it is an insecure proxy, and will ban it.
*/
#module { name = "m_proxyscan" }
m_proxyscan
{
/*
* The target IP services tells the proxy to connect back to. This must be a publicly
* avaiable IP that remote proxies can connect to.
*/
#target_ip = "127.0.0.1"
/*
* The port services tells the proxy to connect to.
*/
target_port = 7226
/*
* The listen IP services listen on for incoming connections from suspected proxies.
* This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
*/
#listen_ip = "127.0.0.1"
/*
* The port services should listen on for incoming connections from suspected proxies.
* This most likely will be the same as target_port.
*/
listen_port = 7226
/*
* An optional notice sent to clients upon connect.
*/
#connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately"
/*
* Who the notice should be sent from.
*/
#connect_source = "OperServ"
/*
* If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
*/
add_to_akill = yes
/*
* How long before connections should be timed out.
*/
timeout = 5
}
/*
* A proxyscan block (must have m_proxyscan loaded).
* You may have multiple proxyscan blocks.
*/
proxyscan
{
/* The type of proxy to check for. A comma separated list is allowed */
type = "HTTP"
/* The ports to check */
port = "80,8080"
/* How long to set the ban for */
time = 4h
/*
* The reason to ban the user for.
* %h is replaced with the type of proxy found.
* %i is replaced with the IP of proxy found.
* %p is replaced with the port.
*/
reason = "You have an open proxy running on your host (%t:%i:%p)"
}
/*
* m_sqlite
*
* This module allows other modules to use SQLite.
*/
#module { name = "m_sqlite" }
sqlite
{
/* The name of this service */
name = "sqlite/main"
/* The database name, it will be created if it does not exist. */
database = "anope.db"
}
/*
* m_regex_pcre
*
* Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library.
*/
module { name = "m_regex_pcre" }
/*
* m_regex_posix
*
* Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
* This is likely the only regex module you will not need extra libraries for.
*/
#module { name = "m_regex_posix" }
/*
* m_regex_tre
*
* Provides the regex engine regex/tre, which uses the TRE regex library.
*/
#module { name = "m_regex_tre" }
/*
* m_rewrite
*
* Allows rewriting commands sent to clients.
*/
#module { name = "m_rewrite" }
rewrite
{
/* The client to apply this rewrite to. */
client = "ChanServ"
/* Source message to match. A $ can be used to match anything. */
source_message = "CLEAR $ USERS"
/*
* Message to rewrite the source message to. A $ followed by a number, eg $0, gets
* replaced by the number-th word from the source_message, starting from 0.
*/
target_message = "CLEARUSERS $1"
}
/*
* m_ssl
*
* This module uses SSL to connect to the uplink server(s)
*/
module { name = "m_ssl" }
ssl
{
/*
* An optional certificate and key for m_ssl to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* openssl genrsa -out anope.key 2048
* openssl req -new -x509 -key anope.key -out anope.crt -days 1095
*/
cert = "data/anope.crt"
key = "data/anope.key"
}
/*
* m_statusupdate
*
* This module automatically updates users status on channels when the
* channel's access list is modified.
*/
module { name = "m_statusupdate" }
/*
* m_xmlrpc
*
* Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
* By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries.
*/
#module { name = "m_xmlrpc" }
m_xmlrpc
{
/* IP to listen on */
bindip = "127.0.0.1"
/* Port to listen on */
port = 26673
/* Enable for IPv6 */
ipv6 = no
/* If enabled, requires m_ssl to be loaded */
ssl = no
/* IPs allowed to connect (separate with spaces), this should be secured. We also recommend you firewall this
* with an outside program to increase security.
*/
allowed = "127.0.0.0/24"
}
/*
* m_xmlrpc_main
*
* Adds the main XMLRPC core functions.
* Requires m_xmlrpc.
*/
#module { name = "m_xmlrpc_main" }
/*
* ns_maxemail
*
* Limits how many times the same email address may be used in Anope
* to register accounts.
*/
module { name = "ns_maxemail" }
ns_maxemail
{
/*
* The limit to how many registered nicks can use the same e-mail address. If set to 0 or left
* commented, there will be no limit enforced when registering new accounts or using
* /msg NickServ SET EMAIL.
*/
#maxemails = 1
}
/*
* webcpanel
*
* This module creates a web configuration panel that allows users and operators to perform any task
* as they could over IRC. If you are using the default configuration you should be able to access
* this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
*
* This module requires m_httpd.
*/
#module { name = "webcpanel" }
webcpanel
{
/* Web server to use */
server = "httpd/main";
/* Template to use */
template = "default";
/* Page title */
title = "Anope IRC Services";
}
|
