OP
Nutrimatic drinks dispenser
Joined: Dec 2020
Posts: 9
Hello,
I am an official chanop/helperop on a network and currently we are facing a surge in abusers/flooders with open proxies. Also, the network has been following dnsbl.org to scan the users while they connect (but most of the time it just lets in flooders/abusers without any issue). I have searched a few IPs on dnsbl.info but found they were not listed as defaulters, whereas ircbl.org does mark the same IPs as blacklisted (hence, I trust ircbl.org over dnsbl.info).
I am looking for code which would scan for open proxies when an incoming nick joins a specific channel (TCL code or normal IRC-based code will do). The switch could be auto (on join) or manual (where I would trigger the scan manually). Also, I should be able to kick/ban the user once I find them using an open proxy. Here are a few websites where I can search for an open proxy:
1. ircbl.org (I find the results displayed on this website to be more comprehensive)
2. dnsbl.info
3. dronebl.org
P.S. It would be great if someone could help me with a proxy scanner with a dialog (it will scan for open proxies on the above websites and, if found on these websites, it should be able to kick/ban the user). Also, I am not into coding, so I might need further help/support from the coding community with the issue.
Thanks & Regards,
SH

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
So, I finally finished writing the first version of the script for you, so that you can use a connection scan to protect your server from massive penetration by users coming from proxy addresses. This may not be everything you would like to see to protect your server, but it is better than nothing. In my opinion, it is more efficient to catch proxies when they connect to the server than when they are already entering channels, since their addresses can be encrypted or be a virtual host, and you will be flooded with constant messages about joins with probable spam. Of course, this code is still raw and may not be perfect, so I suggest you test it for several weeks to collect a report on the errors found and suggestions for improving this code.

Description of v1.0:

1. Scans all incoming connections to the server and checks users by "IP4" (the address must be in the form of numbers). For this, the bot where this script is installed must have IRCop privileges with snomask (+cC).

2. You can use the command with the syntax "!ps <start/stop/reload>". (All nicknames for which this command is available are recorded in the "%ps_admins" variable.)

3. In the "ps_gettype" alias you can, if you wish, write your own signatures for those DNSBL servers, which describe the proxy type in case of detection.

4. You can create your own DNSBL server lists in the "proxyscanner_list" alias, against which the IP of every connecting user is checked. (Use the provided list as an example; it includes the server name and a comma-separated list of response numbers to act on if they match.)
Warning: This requires very fine tuning so that there are no false positives and innocent netizens are not banned. Therefore, it is recommended to first check through similar websites which reply number the script was correctly triggered on.
For example, if the "dnsbl.dronebl.org" server answered "9" when checking through the DNSBL, then this is correct in most cases and you will ban a real proxy. And if in the same place the answer is "3" or "14", then this may be a false positive. My advice while testing is to turn off the bans for a while and set the variable to "%ps_btype = off", so that you can just watch what is happening and debug accurately, using the numbers in the responses to recheck where the truth is and where the lie is.

5. Through the alias "proxyscanner_set" you can customize the configuration parameters of the script:
%ps_servers – Contains a comma-separated list of the servers ("irc.server1.com,irc.server2.com") on which the script should work. (You can specify "all" for all servers.)
%ps_snomask – All "snomask" modes that must be enabled for the bot to work correctly are indicated here.
%ps_btype – The type of server ban is indicated here. (Possible options: "ZLINE/KLINE/GLINE", or to disable bans set the value to "off".)
%ps_btime – Contains the time for which the ban will be set for the user.
%ps_breason – The reason for the ban is indicated here, which will be visible to the banned user.
%ps_blogo – The logo prefix, which will be present in all messages of the script.
%ps_mchan – Here you specify the channel to which a message should be written when a detected proxy is banned.
%ps_admins – A comma-separated list of aliases for which script control will be available.

I am attaching a screenshot of how the script, after the user is banned, reports in the specified channel about the proxy found in the DNSBL list.

This code must be inserted into the scripts editor. To do this, press the key combination "ALT+R" and save this code as a new ("File/New") script called "AntiProxyScan.mrc":
#####################################################################
# Name: AntiProxyScan v1.0
# Author: Epic (epicnet@mail.ru, http://epicnet.ru)
# Description: Automatically scans all incoming connections to the server for proxy addresses and sets a server ban if found.
#####################################################################
alias -l proxyscanner_set {
%ps_servers = all
%ps_snomask = +cC
%ps_btype = ZLINE
%ps_btime = 3d
%ps_breason = Your IP was found in DNSBL and it is suspected that is (VPN/Tor/Proxy). To unlock contact the chat administration.
%ps_blogo = DNSBL: 01,04 BAN
%ps_mchan = #Services
%ps_admins = Epic,Sleepyhead,Admin
}
alias -l proxyscanner_list {
if ($hget(ps-dnsbl,0).item) .hfree -sw ps-dnsbl
.hadd -m ps-dnsbl dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255
.hadd -m ps-dnsbl rbl.efnetrbl.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl rbl.efnet.org 1,4,5
.hadd -m ps-dnsbl tor.efnet.org 1
.hadd -m ps-dnsbl cbl.abuseat.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl sbl.spamhaus.org 1,5,6,7,8,9,10,12,13,14,15,255
.hadd -m ps-dnsbl abuse-contacts.abusix.org 2,3,4
.hadd -m ps-dnsbl safe.dnsbl.sorbs.net 1,3
.hadd -m ps-dnsbl all.s5h.net 1,3
.hadd -m ps-dnsbl bl-h1.rbl.polspam.pl 1
.hadd -m ps-dnsbl postmaster.rfc-clueless.org 3
}
====================================================
on *:LOAD:{ proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on }
on *:CONNECT: proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on | if ($istok(%ps_servers,$server,44)) || (%ps_servers == all) { /mode $me +s %ps_snomask }
on *:TEXT:!ps*:#:{
if ($1 == !ps && $istok(%ps_admins,$nick,44)) {
if (!$2) { .notice $nick Syntax: !ps <start/stop/reload> | halt }
if ($2 == start) { %ps_work = on | .notice $nick ProxyScanner on } | if ($2 == stop) { %ps_work = off | .notice $nick ProxyScanner off }
if ($2 == reload) { proxyscanner_set | proxyscanner_list | .notice $nick ProxyScanner reload }
}
}
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || ($hget(ps,servers) == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok(%ps_mask,1,33) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok($gettok(%ps_mask,1,64),2,33)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
====================================================
alias -l proxyscanner_check {
var %ps_reverse $ps_revip($1) | .hadd -mu60 ps-oip %ps_reverse $1 | .hadd -mu60 ps-oid %ps_reverse $2 | .hadd -mu60 ps-onick %ps_reverse $3
var %ps_all $hget(ps-dnsbl,0).item | var %ps_q 1 | while (%ps_q <= %ps_all) {
var %ps_name $hget(ps-dnsbl,%ps_q).item | var %ps_check $+(%ps_reverse,.,%ps_name)
.dns %ps_check | inc %ps_q
}
}
on *:DNS:{
var %ps_i $dns(0) | while (%ps_i > 0) {
var %ps_dnsname $dns(%ps_i) | var %ps_dnsip $dns(%ps_i).ip | var %ps_dnsnum $gettok(%ps_dnsip,4,46) | var %ps_dnsrip $gettok(%ps_dnsname,1-4,46) | var %ps_dnsrname $gettok(%ps_dnsname,5-,46)
if (!$hget(ps-banip,%ps_dnsrip) && $istok($hget(ps-dnsbl,%ps_dnsrname),%ps_dnsnum,44)) {
;------------------------------------
if ($me ison %ps_mchan) /msg %ps_mchan %ps_blogo $+(07,$hget(ps-onick,%ps_dnsrip),) => $+(04,$hget(ps-oid,%ps_dnsrip),@,$hget(ps-oip,%ps_dnsrip),) => $+(06,%ps_dnsrname,) $+($chr(40),07,%ps_dnsnum,,$chr(41)) - $ps_gettype(%ps_dnsname,%ps_dnsnum)
if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
if (%ps_btype == KLINE) .KLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
if (%ps_btype == GLINE) .GLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
;------------------------------------
.hadd -mu30 ps-banip %ps_dnsrip 1 | .break
} | dec %ps_i
}
}
alias -l ps_revip { tokenize 46 $1 | return $+($4,.,$3,.,$2,.,$1) }
alias -l ps_detectip { tokenize 46 $1 | if ($0 == 4 && $1 isnum 0-255 && $2 isnum 0-255 && $3 isnum 0-255 && $4 isnum 0-255) { return 1 } }
alias -l ps_gettype {
if (dronebl isin $1) {
if ($2 == 2) { return Sample }
if ($2 == 3) { return IRC Drone }
if ($2 == 5) { return Bottler }
if ($2 == 6) { return Unknown Spambot/Drone }
if ($2 == 7) { return DDOS Drone }
if ($2 == 8) { return SOCKS Proxy }
if ($2 == 9) { return HTTP Proxy }
if ($2 == 10) { return Proxy Chain }
if ($2 == 11) { return Web Page Proxy }
if ($2 == 12) { return Open DNS Resolver }
if ($2 == 13) { return Brute Force Attackers }
if ($2 == 14) { return Open Wingate Proxy }
if ($2 == 15) { return Compromised Router/Gateway }
if ($2 == 16) { return Autorooting worms }
if ($2 == 17) { return Automatically determined botnet IPs (experimental) }
if ($2 == 18) { return DNS/MX type hostname detected on IRC }
}
if (rbl.efnet isin $1) {
if ($2 == 1) { return Open Proxy }
if ($2 == 2) { return Spamtrap666 }
if ($2 == 3) { return Spamtrap50 }
if ($2 == 4) { return TOR }
if ($2 == 5) { return Drones/Flooding }
}
if (tor.efnet isin $1) { return Tor Server }
if ($2 == 255) { return 10Unknown }
else { return Unknown Proxy }
}
The script was tested on InspIRCd v3 + mIRC v7.63. Remember that if something goes wrong, or you accidentally erase something, you can always reinstall this script again. If you find any errors in the code or in its work, or maybe you have new ideas, or if you think that this script needs to be improved, then be sure to write to me here about it, and together we will think about what we can do.

Pikka bird
Joined: Nov 2020
Posts: 16
auto-scan join nick in channel "SCANNER" Nice script good job

OP
Nutrimatic drinks dispenser
Joined: Dec 2020
Posts: 9
Hello Epic, Thank you so much for the code. I really appreciate the efforts you have taken into building this code and helping me out. I will go ahead and test this code and will get you the much necessary feedback on it. I just have one more question to ask.. Is it possible to add http://ircbl.org into the list of scanning websites? Most of the VPN proxies which the abusers may use can be found on ircbl.org and it would be of great help. Nonetheless, thank you for helping us out, Thanks & Regards, SH

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
As far as I could find information about "http://ircbl.org", it is most likely closed to general remote use and works only by invitation or after registering on their resource. (I could be wrong.) But I was unable to find their DNSBL servers that check for bad IP addresses. The only option would be to add an additional piece of code to this script that could check the addresses of attackers through this web page. But this would already be a workaround and not entirely reliable, because the resource owners can block access to the site due to frequent requests from the bot to this page.
Fortunately, I think this is not really necessary, because you can create your own large list of free DNSBL servers to protect your chat. And this will work no less efficiently than that site. The main thing is to keep your list compact, so that the check happens quickly enough (within 1 second), and it is important to minimize the false positives of the script by fine tuning.
The lists themselves can be found through search engines, and thus you can collect a working and reliable list of DNSBL servers in this script. The main thing is to test them thoroughly, because not all of them may be working, or they can give false responses to both normal and bad IP addresses. Therefore, to detect real proxies, it is necessary to work only with those numerical answers that give 99.9% correct results.
For example: "dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255" - during my testing with this DNSBL server, false positives occurred with numeric responses "1,2,3,11,12,14,16", therefore they are absent from the numeric comma-separated list. The numeric response "255" catches unknown and unsigned (without a signature) addresses as proxies found through this server, which can also be a false positive, but I included it in the list just in case.

OP
Nutrimatic drinks dispenser
Joined: Dec 2020
Posts: 9
Hello Epic,
The code which you posted earlier works well. I have been using it since yesterday and I haven't seen any false positives as yet. I have cross-checked it on different websites. Talking about IRCbl.org, even I am trying to find a way to subscribe to them, but with no luck so far. I will keep you posted if I get any valuable information on it.
Thank you again for your valuable response on the issue.
Thanks & Regards, SH

Pikka bird
Joined: Dec 2020
Posts: 10
I have tried it myself and the script doesn't work for me. I don't know where the problem is.
I have the latest version of mIRC and I have done it step by step as you wrote, but it does not work.
Can you make an mIRC with just this script, make a rar file and send it to me?
On my server I can't set mode +cC on myself because the server says unknown modes.
Thanks for the help.
Last edited by Bes; 30/12/20 11:43 PM.

Bowl of petunias
Joined: Apr 2021
Posts: 2
Hi Sleepyhead,
I am the owner, developer and maintainer of ircbl.org. The public DNS server you can use for your RBL requests is rbl.ircbl.org. I have now updated the ircbl.org website with an 'about' page, which has more information about the ircbl RBL and who can use it. There are no restrictions in place, unless you have to do dozens of requests/second, in which case I may need to whitelist your server's IP on my DNS server. Visit https://ircbl.org/about for more info. Let me know if you have any questions.
Hidden
Undernet and DALnet admin
Quakenet irc operator
ircbl.org owner

Pikka bird
Joined: Jul 2020
Posts: 14
Hi Hidden, regards. How can I create requests? I can't find a manual. Please correct me if I configured it wrong:
<dnsbl name="ircbl"
type="record"
domain="dnsbl.ircbl.org"
action="GLINE"
reason="[K-banned:[exp/comp] Compromised host on this IP. See http://ircbl.org/lookup?ip=%ip% for more information."
duration="1d"
records="2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,253,255"
>
Is this correct???? For inspircd ...
Last edited by druino; 13/04/21 03:40 AM.

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
As far as I understood from the instructions at the link https://ircbl.org/about the correct values to check in your case would be like this:
<dnsbl name="ircbl"
type="record"
domain="rbl.ircbl.org"
action="GLINE"
reason="[K-banned:[exp/comp] Compromised host on this IP. See http://ircbl.org/lookup?ip=%ip% for more information."
duration="1d"
records="21"
>
This is the same as if you manually checked each proxy address using the command. For example, an IP address such as "103.241.227.110" is written in reverse order:
/dns 110.227.241.103.rbl.ircbl.org
If an answer is received in the form "127.0.0.21", this means that the IP address was found in the database lists of this DNSBL server as a (bad) address that is being used by attackers. Those using my script, which is presented in the post #Post268254, need to add a line inside the alias "proxyscanner_list":
.hadd -m ps-dnsbl rbl.ircbl.org 21
P.S. This method will require additional rechecking of how well it works at catching user connections through proxy addresses. You can report your observations here.
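
The lookup described in the post above (reverse the octets, append the DNSBL zone, act on the last octet of the 127.0.0.x answer), written out as an added Python example that is not part of the thread or of Epic's script. The two zone lists are copied from the thread; the resolver stub and its answers are constructed so the example runs offline.

```python
import ipaddress
import socket

# Zone -> reply codes (last octet of the 127.0.0.x answer) that trigger a ban.
# Copied from the thread: Epic's dronebl list and "21" for rbl.ircbl.org.
ZONES = {
    "dnsbl.dronebl.org": {4, 5, 6, 7, 8, 9, 10, 13, 15, 17, 255},
    "rbl.ircbl.org": {21},
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for hostnames, IPv6, junk
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A records for name via the OS resolver; [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check(ip, resolver=system_resolver, zones=ZONES):
    """Return [(zone, code)] for each answer whose code is in that zone's list."""
    hits = []
    for zone, ban_codes in zones.items():
        for answer in resolver(query_name(ip, zone)):
            reply = ipaddress.IPv4Address(answer)
            # Listings are answered inside 127.0.0.0/8. Any other address
            # (for example a resolver that rewrites "no such name" to a
            # landing page) is not a listing and must not cause a ban.
            if reply not in LOOPBACK:
                continue
            code = reply.packed[3]
            if code in ban_codes:
                hits.append((zone, code))
    return hits


# Constructed answers for an offline run; they say nothing about real listings.
SAMPLE_ANSWERS = {
    "110.227.241.103.rbl.ircbl.org": ["127.0.0.21"],
    "110.227.241.103.dnsbl.dronebl.org": ["127.0.0.3"],  # 3 is not in the list
    "1.2.0.192.rbl.ircbl.org": ["203.0.113.80"],         # rewritten NXDOMAIN
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("103.241.227.110", "192.0.2.1"):
        print(ip, check(ip, sample_resolver))
```

Calling check(ip) without a resolver argument sends real queries through the operating system's resolver.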

Bowl of petunias
Joined: Apr 2021
Posts: 2
Hi druino,
The configuration Epic gave you is correct, except for one thing: I highly recommend that you set bans on all records if possible, or at least on the following records at a minimum:
<dnsbl name="ircbl"
type="record"
domain="rbl.ircbl.org"
action="GLINE"
reason="[K-banned:[exp/comp] Compromised host on this IP. See http://ircbl.org/lookup?ip=%ip%&network=<your_network_name> for more information."
duration="1d"
records="2,6,10,11,13,14,16,17,18,19,20,21,22,23,24,30,31,32,42"
>
My configuration for a bopm bot would look like this:
OPM {
blacklist {
name = "rbl.ircbl.org";
type = "A record reply";
reply {
2 = "Open proxy (2)";
6 = "Mail or NS server (6)";
10 = "D regex pattern (10)";
11 = "Drone / compromised (11)";
13 = "Join/part flood (13)";
14 = "Drone / compromised 2 (14)";
16 = "Spam bot (16)";
17 = "Drone (17)";
18 = "Drone 2 (18)";
19 = "Web abuse (19)";
20 = "Drone/flood bot (20)";
21 = "Compromised host (21)";
22 = "Open Proxy (22)";
23 = "Open Proxy (23)";
24 = "Mass advertising (24)";
30 = "Drone (30)";
31 = "Drone 2 (31)";
32 = "Open proxy (32)";
42 = "Open proxy (42)";
};
ban_unknown = yes;
kline = "KLINE 180 *@%i :Compromised host on this IP. See https://ircbl.org/lookup?ip=%i&network=<your_network_name> for more information.";
};
};
Depending on the ircd version you use, you may have adjustments to make on the kline command for the bopm config above. On Undernet ircu, it would look like:
kline = "GLINE +*@%i 180 :Compromised host on this IP. See https://ircbl.org/lookup?ip=%i&network=<your_network_name> for more information.";
If you have other questions, let me know.
Hidden
Undernet and DALnet admin
Quakenet irc operator
ircbl.org owner

OP
Nutrimatic drinks dispenser
Joined: Dec 2020
Posts: 9
Hey Hidden & Epic,
Firstly, I apologize for not responding to your messages. It is very tough during covid times and my country (India) is the worst hit in recent times. Hope you all are doing well, and please take care.
I will forward this post to my colleagues and ask them to make all the necessary changes as you have guided me. Hope to get back to you in some time.
Thanks & Regards,
Sleepyhead

Pikka bird
Joined: Jul 2020
Posts: 14
thanks for your help friends Hidden & Epic
very kind both for your help thank you

Pikka bird
Joined: Mar 2010
Posts: 17
Hi, I just tried this and it doesn't appear to work on my own IRC server, which is UnrealIRCd. I have been getting bots posting on it since yesterday, and trying to manually ban all these IP addresses isn't doing me any good, since two to three more come in while I'm in the process of banning one.

Pikka bird
Joined: Jan 2021
Posts: 17
I have tested this code on UnrealIRCd and it doesn't work. Maybe it is the snomask +cC; I changed that to +sS and it still doesn't work and doesn't show any error ... Can you help to find where the problem is that makes it not work?

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
Good evening ErikMouse and New_One. I read both of your messages.

Can you please tell me whether the bot using this script has "IRCop" rights on the network in which it works? Your bot should get the appropriate server notification modes (snomasks) in order to see all lines about new user connections to your server. According to the manual for UnrealIRCd https://www.unrealircd.org/docs/Snomasks – probably these 2 modes will be correct to set on your bot: "/MODE BotNick +s +cF". I am using a different IRCd – InspIRCd https://docs.inspircd.org/3/snomasks – so I cannot know for sure how this will work on yours. Check, please.

Can you please tell me what server notification lines (SNOTICE) you see when new users connect? Copy a few lines for me in full. It should be something like: "CONNECT: Client connecting on port 6667: Nickname!ident@36.66.36.252 (36.66.36.252) [Realname] ..." The line should show the pure IP address, not the host. My script works on the basis of receiving data from these lines, which your bot must see. In addition, your bot must have the rights to set bans: "GLINE/KLINE/ZLINE".

Pikka bird
Joined: Jan 2021
Posts: 17
Hello Epic, thanks for your help. I made a copy of a client connection and the snomask modes from the bot:
[19:44] -irc.mychat.com- *** Client connecting: Guest-User (Mibbit@000.000.000.000) [000.000.000.000] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [class: clients] [reputation: 9]
The bot has Root access with superadmin on and snomask, using modes +iowrsxztDTB +FNekcfvGqSsob

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
This will only need to be done by those who use UnrealIRCd and other IRCds with an analogous server notice line. I made some changes to the code based on the string you receive from the server. Hopefully you actually see the real IP address of each connecting user in IPv4 format, and not "000.000.000.000".

In addition, I found one error in the line:
if ($istok(%ps_servers,$nick,44)) || ($hget(ps,servers) == all) {
It should be like this:
if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {

Find this piece of code in the script:
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || ($hget(ps,servers) == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok(%ps_mask,1,33) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok($gettok(%ps_mask,1,64),2,33)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
And try replacing it with this piece of code:
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok($gettok($1-,2,58),1,32) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok(%ps_mask,1,64)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
Also, if you will be using ZLINE in " %ps_btype = ZLINE", then find this line:
if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
And replace with this line:
if (%ps_btype == ZLINE) .ZLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
Try to run the script with the command "!ps start", provided that your nickname is in the list of script admins "%ps_admins = YourNick". Remember that the script will only react to IP addresses found in the DNSBL databases from the list in the alias "proxyscanner_list". It will not react to pure connecting IP addresses.
P.S. I am already thinking of starting to update the script to a new version. There are plans to create a full-fledged dialog box for controlling the script, so that you no longer need to get into the script code, in order to avoid breakage. I will probably have to rewrite most of the code to improve its quality, taking into account its use on different IRCds.

Pikka bird
Joined: Jan 2021
Posts: 17
Yes, I see the real IP in IPv4 format:
*** Client connecting: guest (6d767dfd@mob-109-118-125-253.net.vodafone.it) [109.118.125.253] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [class: clients] [reputation: 1]
*** Client connecting: guest32 (4f6af442@78.109.244.66) [78.109.244.66] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [class: clients] [reputation: 399]
I made the change that you said, and I'm waiting to see the difference, and I will post if it works or not. Thanks a lot for your help.

Pan-dimensional mouse
Joined: Jan 2012
Posts: 322
To test the Anti Proxy Scan script, you can independently try to connect to your network through a second client program using an open proxy address. In most cases, if configured correctly, the script should react to such addresses.

I noticed that in one of the lines you have the host displayed: "*** Client connecting: guest (6d767dfd@mob-109-118-125-253.net.vodafone.it) [109.118.125.253]". For verification, the script takes the IP address from this part of the line, because it uses the @ symbol in the mask as a landmark. If you refer to the IRCd setup help documentation, you may find a configuration item that needs to be changed so that you always get a pure IP address instead of a host at this location.

I can, of course, make it easier and rewrite part of the code so that it takes the IP address from the place in the line where it is displayed in square brackets. I just want you to understand the possible reason why the script might not work. This is due to the fact that it may not receive a clean IP address for verification, which should consist of 4 numbers separated by dots. If you are uncomfortable with changing something in the IRCd configuration, then you can try replacing your code snippet with this one:
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok($gettok($1-,2,58),1,32) | var %ps_id $gettok(%ps_mask,1,64) | var %ps_ip $gettok($gettok($1-,2,91),1,93)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
In this case the script will take the IP address from this part of the line, where it is in square brackets: "*** Client connecting: guest (6d767dfd@mob-109-118-125-253.net.vodafone.it) [109.118.125.253]". These changes should only help those using UnrealIRCd.
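
Both connect-notice layouts quoted in this thread, parsed in one place, as an added Python example (not part of Epic's script). The regular expressions are an assumption built from the sample lines quoted above; the last two sample lines are constructed to cover a nickname containing brackets and a non-IPv4 address.

```python
import ipaddress
import re

# InspIRCd layout quoted in the thread:
#   CONNECT: Client connecting on port 6667: Nickname!ident@36.66.36.252 (36.66.36.252) [Realname]
INSPIRCD = re.compile(
    r"Client connecting on port \d+[^:]*: "
    r"(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+) \((?P<ip>[^)\s]+)\)"
)
# UnrealIRCd layout quoted in the thread:
#   *** Client connecting: guest (6d767dfd@mob-...vodafone.it) [109.118.125.253] [secure: ...]
# IRC nicknames may contain "[" and "]", so the pattern anchors on the
# "(ident@host) [ip]" pair instead of on the first bracket in the line.
UNREAL = re.compile(
    r"Client connecting: (?P<nick>\S+) "
    r"\((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\) \[(?P<ip>[^\]\s]+)\]"
)


def parse_connect(line):
    """Return nick, ident, host and a validated IPv4 address, or None."""
    for pattern in (INSPIRCD, UNREAL):
        m = pattern.search(line)
        if not m:
            continue
        try:
            # The DNSBL check in this thread is IPv4-only, so anything that
            # is not a dotted IPv4 address is rejected here, never guessed.
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            return None
        return {"nick": m["nick"], "ident": m["ident"],
                "host": m["host"], "ip": str(ip)}
    return None


SAMPLES = [
    # The first two lines are quoted from the thread.
    "CONNECT: Client connecting on port 6667: Nickname!ident@36.66.36.252 "
    "(36.66.36.252) [Realname]",
    "*** Client connecting: guest (6d767dfd@mob-109-118-125-253.net.vodafone.it) "
    "[109.118.125.253] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] "
    "[class: clients] [reputation: 1]",
    # Constructed lines: bracketed nickname, then an IPv6 client.
    "*** Client connecting: [away]guest (id@host.example) [192.0.2.7] [class: clients]",
    "*** Client connecting: v6user (id@host.example) [2001:db8::1] [class: clients]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_connect(sample))
```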