http://wiki.darenet.org/index.php?action=history&feed=atom&title=Development_Team%2Fservices-darenet%2Fsockcheck_example_configDevelopment Team/services-darenet/sockcheck example config - Revision history2026-05-06T06:15:46ZRevision history for this page on the wikiMediaWiki 1.15.1http://wiki.darenet.org/index.php?title=Development_Team/services-darenet/sockcheck_example_config&diff=2978&oldid=prevAdmin: New page: This is an example configuration of services-darenet sockcheck module. <pre> /* sockcheck.conf * * This file describes what proxy scans to run: what ports to connect * to, what to send ...2008-09-28T00:38:13Z<p>New page: This is an example configuration of services-darenet sockcheck module. <pre> /* sockcheck.conf * * This file describes what proxy scans to run: what ports to connect * to, what to send ...</p>
<p><b>New page</b></p><div>This is an example configuration of services-darenet sockcheck module.<br />
<pre><br />
/* sockcheck.conf<br />
*<br />
* This file describes what proxy scans to run: what ports to connect<br />
* to, what to send to them, to look for, and what to do if that is<br />
* found.<br />
*/<br />
<br />
/* Connect on port 1080, sending "\5\1\0" as challenge.<br />
* If we get "\5\0" as a response, it's an unsecured socks5.<br />
*/<br />
<br />
"1080:050100" {<br />
"0500" "reject:Unsecured socks5";<br />
};<br />
<br />
/* Connect on port 1080, sending "\4\1" followed by the port<br />
* and IP of the client, followed by the (NUL-terminated) ident to<br />
* use. If we get a four byte response with '\x5a' as the second<br />
* byte, it's an unsecured socks4 proxy.<br />
*<br />
* It would be generally wise to replace the $p$i with a hard-coded<br />
* one; many insecure proxies refuse to connect to themselves.<br />
*/<br />
<br />
"1080:0401$p$i=p=r=o=x=y00" {<br />
"..5a...." "reject:Unsecured socks4";<br />
};<br />
<br />
"23:" {<br />
// This first test is interesting: multi-stage, and a default action is reject<br />
// this crap at the front is the router trying to negotiate telnet options<br />
<br />
"fffb01fffb03fffd18fffd1f0d0a0d0a=U=s=e=r= =A=c=c=e=s=s= <br />
=V=e=r=i=f=i=c=a=t=i=o=n0d0a0d0a=P=a=s=s=w=o=r=d3a= :=c=i=s=c=o0d0a" {<br />
"0d0a=P=a=s=s=w=o=r=d3a= " "accept";<br />
"other" "reject:[1 hour] Cisco router with default password";<br />
<br />
};<br />
<br />
"=W=i=n=G=a=t=e=>" "reject:Unsecured wingate";<br />
"=T=o=o= =m=a=n=y" "reject:Unsecured wingate";<br />
"=E=n=t=e=r= =h=o=s=t= =n=a=m=e" "reject:Unsecured wingate";<br />
// the 3a is ':'; due to a parser glitch, =: isn't parsed like you might expect<br />
"=E=n=t=e=r= 3a= =<=h=o=s=t=>" "reject:Unsecured wingate";<br />
};<br />
<br />
/* Connect on port 3128 (squid), trying to use a HTTP CONNECT<br />
* proxy. If we get a 200 response, it worked and should be<br />
* booted.<br />
*<br />
* If you do this check on port 80, you might check for "200<br />
* Connection" instead to reduce false positives; many servers<br />
* send 200 OK responses for custom 404 Error pages.<br />
*<br />
* As with the SOCKS4 check, you may want to replace the $c:3128<br />
* (client hostname and port) with a hard-coded one.<br />
*/<br />
<br />
"3128:=C=O=N=N=E=C=T= $c=:=3=1=2=8= =H=T=T=P=/=1=.=00d0a0d0a" {<br />
"=H=T=T=P=/=1=.=0= =2=0=0" "reject:Unsecured proxy";<br />
};<br />
<br />
"27374:" {<br />
"" "reject:Subseven detected";<br />
};<br />
</pre></div>Admin