scan ip from a proxy scanner site

[TimeRider]

Hello all!

Finally, I found this proxy detection site very effective against proxies or even VPN. "proxyscan.io"

So, my idea is to make eggdrop scan proxy IP in IRC through its free API key which offers 1000 queries per day.

If it is possible to make scan option;
1. On connect as eggdrop being IRCop scanning every IPs connecting.
2. On channel join scanning IPs who join the particular channel. (to save the queries as it is limited to 1000 per day)

If the IP is found proxy in the scanning result;
1. gline the user if it is on mode: On connect
2. kick/ban the user from channel if it is on mode: On channel

Also, If it could be enabled on channel as, !proxyscan on and !proxyscan off to turn it off. (Just to save proxy scan queries )

Since, I am no tcl coder, I would like someone (tcl coder) to please help me out.

It would much appreciate it.

Thank you!

[CrazyCat]

Might be possible, I'll have an eye on the api

Edit: the API is not a proxy checker, it just returns random proxy based on some criterias.
You'd better use ip-api.com which can return this kind of info

[TimeRider]

Hello CrazyCat!

Thanks for the reply. Yes, It does return random proxies and mainly VPN. It is actually beneficial for IRC network because VPN have been used to evade ban and generally abuse. VPNs are indeed glorified proxies.

It would be handy for some IRC lovers to run this service from eggdrop to keep out proxy and VPN to keep their IRC channel/network spam and abuse free.

Both IP-API.com and Proxyscan.io look similar so having a tcl script made for any one for now would be nice and appreciable.

[CrazyCat]

No, proxyscan and ip-api are not the same services.

proxyscan returns you a random proxy IP, it can not say you if an IP is proxied or not.
ip-api returns, for a given IP, the proxy information (true/false).

Here is a small tool I did to get ip-api informations:

Code: Select all

bind raw - NOTICE ipcheck
proc ipcheck {frm key text} {
	if {[string match *!*@* $frm] || ![string match -nocase "*client connecting*" $text]} { return }
	regexp {:\ ([^ ]+)\s\(([^@]+)@([^\)])+\)\s\[([^\]]+)} $text - unick ident host ip
	set data [getipdatas $ip]
	if {[dict get $data status] eq "success"} {
		logip $data
	}
}
proc json2dict {JSONtext} {
	string range [string trim [string trimleft [string map {\t {} \n {} \r {} , { } : { } \[ \{ \] \}} $JSONtext] {\uFEFF}]] 1 end-1
}
proc getipdatas { ip } {
	::http::config -useragent "lynx"
	set ipq [http::geturl http://ip-api.com/json/$ip?fields=status,proxy,query&lang=fr]
	set data [json2dict [http::data $ipq]]
	::http::cleanup $ipq
	return $data
}
proc logip { data } {
	set ip [dict get $data query]
	if { [dict get $data proxy] eq "true"} {
		putlog "$ip is a proxy"
	}
}

[TimeRider]

CrazyCat, The correct site is proxycheck.io and they have the API and it works same as ip-api.com, Sorry I got confused over the name.

Also, I forgot to tell you my IRC server is inspIRCD. And How do I gline the IP if the proxy is true?

[CrazyCat]

Ok, I'll look at the API and adapt the script.

BTW, I don't know inspIRCd, I'll peharps need examples of connections notices.

[TimeRider]

Hello again CrazyCat, the connection notice of the inspIRCD would be;

*** CONNECT: Client connecting on port 6697 (class main): nick!ident@host (IP) [gecos]

Thanks!

[Gulio]

the proxycheck.io have free api 1000 request per day
and for connect is not fast during attack mass connect
can connect 100000 proxy to finish ur api
need to buy api and is spensive api also depend for how many request in day u want to check , what traffic user u have in day 3k 5k 10k + proxy attacker to think
and u need exempt ip to add del for that when is match real ip as abuse server like blacklist

better work with ircd blacklist like drone.dnsbl.org, efnet
also u can add more other blacklist in ur ircd adding and comon ports of sock 4 5 to be more strong to match sock 4 5 and vpn

Code: Select all

blacklist dronebl {
        dns {
                name dnsbl.dronebl.org;
                type record;
                reply { 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; 17; 18; 19; 20; 21; 22; 23; 24; 25; 100; 213; 255; };
        };
        action gzline;
        ban-time 30d;
        reason " 4Proxy14/4VPN ";
};
blacklist efnetrbl {
        dns {
                name rbl.efnetrbl.org;
                type record;
                reply { 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; };
        };
        action gzline;
        ban-time 30d;
        reason " 4Proxy14/4VPN ";
};

[TimeRider]

Most of the IRCD have those blacklists in them and even Anope. Also there is HOPM for it. These all blacklists won't work.

We are targeting proxies which are not detectable by these and also VPNs.

[Gulio]

The first code crazycat make is good

but u need a code for exemp ip add del first
after for add del asn blacklist file asn.txt
to check on connect asn vpn from asn.txt list provider
and code when proxy is yes to gzline remote if u have linked serv hub
i u have only 1 server local need zline action ip

and also if u use Mibbit website and Mibbit is down the ip of user is on gecos realname so need to make dns ip gecos to check on join or on connect to make snline the ip

[CrazyCat]

This is a short script I did:

Code: Select all

package require http
package require json

namespace eval pchecker {

	# proxycheck.io api key
	variable pckey "xxxxxx-xxxxxx-xxxxxx-xxxxxxxx"
	
	# min score to ban
	variable score 10
	
	# gzline message
	variable gmsg "Sorry, VPN are not allowed"
	
	# List of IP not checked
	# they are regexp style
	variable whitelist {"192\.168\.0\.1" "10\.0\.0\.*"}
	
	# List of blacklisted IP
	# regexp too :)
	variable blacklist {}
	
	bind raw - NOTICE ::pchecker::ipcheck
	
	proc ipcheck {frm key text} {
		if {[string match *!*@* $frm] || ![string match -nocase "*client connecting*" $text]} { return }
		regexp {:\ ([^ ]+)\s\(([^@]+)@([^\)])+\)\s\[([^\]]+)} $text - unick ident host ip
		if {[lsearch -regexp $::pchecker::whitelist $ip] ne -1} { return }
		if {[lsearch -regexp $::pchecker::blacklist $ip] ne -1} {
			putquick "GLINE *@$ip +7d :$::pchecker::gmsg"
			return
		}
		::pchecker::isvpn $ip
	}
	
	proc json2dict {JSONtext} {
		string range [string trim [string trimleft [string map {\t {} \n {} \r {} , { } : { } \[ \{ \] \}} $JSONtext] {\uFEFF}]] 1 end-1
	}
	
	proc isvpn {ip} {
		::http::config -useragent "lynx"
		set pcheck [::http::geturl http://proxycheck.io/v2/${ip}?key=$::pchecker::pckey&vpn=1&risk=1]
		set data [json2dict [::http::data $pcheck]]
		if {[dict get $data status] == "ok"} {
			set proxy [dict get [dict get $data $ip] proxy]
			set risk [dict get [dict get $data $ip] risk]
			if {[expr $risk - $::pchecker::score] >= 0 } {
				lappend $::pchecker::blacklist [string map {\. \\\.} $ip]
				putquick "GLINE *@$ip +7d :$::pchecker::gmsg"
			}
		}
		::http::cleanup $pcheck
	}
	
}

It could be enhanced by adding a blacklist file to not loose already banned IP when restarting the eggdrop

[TimeRider]

Thanks CrazyCat for working on it.

But on eggdrop's party line, I get this error;

Tcl error [ipcheck]: invalid command name "ipcheck"

Am I missing something?

Also, Is it possible to set query limit to 1000 queries?

Thank you!

[CrazyCat]

My bad, I forget the namespace in ne bind, I corrected my source.

It's possible to set a query limit, with a reset based on the hour, but its work might depend on proxycheck timezone and how they count.

Do you really have 1000 unique VPN connecting your network a day ?

[TimeRider]

Hello again CrazyCat, it still has some error that I get in my eggdrop's partyline;

Tcl error [::pchecker::ipcheck]: can't read "ip": no such variable

Do you really have 1000 unique VPN connecting your network a day ?

May be not 1000 unique VPN connections but yeah, 1000 connections per day (with/without proxies connecting). Since the other eggdrop's proxy scanner tcl I used had 500 to 1000 queries limit regardless of if they scan VPN/Proxy connection or not. Since, Eggdrop as IRCop scans every connection.

[CrazyCat]

Well, I guess the error come from the regexp, it works with unrealircd notices but I can't verify it with inspIRCd.

Next time you get the error, do .set errorInfo in party-line to get more datas about the error.