HeXHub is an IOCP-based file-sharing hub and web server with anti-flood protection, built-in firewall designed to filter DDoS and to prevent most common forms of DoS currently used against hubs, anti-spam protection, content filtering and more. HeXHub is licensed under the open source license.
You can download HeXHub from nemesis.te-home.net/HeXHub or from SourceForge.
The contents of this manual were written by Albu Christian (the HeXHub developer); for your convenience I've 'ported' RTFM_en.txt to a format doxygen understands.
Index:
GUI Options
-
Hub Name: specifies the hub name, this will be sent to users, pingers and registration servers. Changes are updated automatically, every change to this edit will generate a $HubName that will be sent to all users.
-
Description: specifies hub description that will be sent to registration servers and to hublist pingers.
-
Address: hub address (IP or DNS) that will be listed in public hublists. If you don't use port 411 as default you must also specify the default port (address:port). To verify the DNS you have entered click the "Resolve" button and if your address is correct, its IP will be shown.
-
Owner's e-mail: e-mail address of hub owner, this address will be sent to pingers in $HubINFO. This address will also be shown to users that cannot enter the hub because of some restrictions you set.
-
Local address: use this option to restrict the hub to a specific address, leave blank to use all available ones.
-
Ports: here you specify which ports will be opened by hub.
-
URL for icon: here you can specify a URL to an icon that will be sent to pingers and eventually added by hublists on hub's page.
-
Hub program starts with windows: if you check this button, a value will be added in registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for hexhub to ensure that if you restart your computer the hub program will also start. To delete that entry from registry uncheck this button.
-
Hide / Unhide window HotKey: you can define a hotkey that if pressed will show or hide the GUI. If you change this hotkey, use "Apply" button to activate your changes. Default HotKey is Win+H.
-
Hide at startup: if you have the hub program in startup and don't want to see its window popping up at every system startup, check this button and the window will not be shown. To invoke this window, press the HotKey combination you defined as "Hide / Unhide HotKey".
-
Start server: to start or stop the server check / uncheck this button. Server started / stopped state is saved on program exit.
-
Save all settings: press this button to save all hub settings at any moment. Hub settings are automatically saved anyway when hub program is closed. You can also use "!flush" command to save all settings, for this you will need to log in with an account that has adm5 (Can see deleted accounts) right. By default, hub owners have this right.
All commands listed here have 3 parameter groups:
-
The "Command parameters" group contains command-specific options.
-
The "Flood detection" group has flood detection parameters. Some commands may have additional flood detection parameters, which may or may not be listed in the "Command parameters" group. The "Allow only" "from one" parameter is used to check if a user tries to use the specified command to flood the hub. The "Allow only" "from all" parameter is used to check if more than one flooder tries to use the specified command to flood the hub (IP doesn't matter).
-
The "If flood detected" group has 4 action types that can be taken if a user is trying to flood the hub. Uncheck the "Notify" button if you don't want notifications for flood attempts using the specified command to be sent to opchat.
-
Maximum number of clones: this value will be used as default for newly registered users.
-
Seconds of runtime until connection flood check is enabled: if hub has many users and restrictive connection flood check settings, when you start the hub and many users join at once, connection flood from multiple IPs may be detected. To prevent this from happening, set this value to minimum time needed for most users to join the hub.
-
Max attempts / minute allowed from same IP: to prevent users reconnecting too often, after this maximum is reached the user will be delayed. A notification message of "user reconnects too fast" will be generated. A value of 0 will disable this verification.
-
Seconds to refuse connection on flood attempts: if connection flood is detected, the user / users that cause this will not be able to connect to hub for a number of seconds you specify here. This value is also used for reconnect period detection, this will be minimum interval to check for periodic reconnects from bots / fakers.
-
Flood bots connection delta: if 2 or more similar commands or messages are sent by different users and the difference (absolute value) between times when users connected is lower than this value, flood "allow" parameters will be divided by 2 for these users on every new attempt. Also if x-bot/OpZone-like bots are detected, they will be muted. Set this value to 0 to disable this check.
-
Extended protocol required: use this option to prevent users with older versions of DC++ (older than 0.306) or clients that are obtained from those versions of DC++ (usually Stealth DC++) from joining the hub.
-
Key required: if you set this option, clients / bots that don't send $Key will not be able to join the hub.
-
Key must be valid: this will cause users that send invalid key to hub to not be able to join. If you have a client that doesn't send a valid key you must disable this option or make an account for your IP in a profile that has the fake0 right.
-
Use randomized $Lock: this combined with "Key required", "Key must be valid" and a "Validation timeout" (see $ValidateNick) will protect the hub from users that will try to use telnet or a similar program to join. If you set this option, the $Lock data will contain random characters.
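The check behind "Key required", "Key must be valid" and "Use randomized $Lock", as an added example that is not HeXHub's own code: it applies the standard NMDC lock-to-key transform to a fresh random lock and compares the result with what the client sent. The function names, the lock alphabet and the lock length are assumptions.

```python
import hmac
import secrets

# Key bytes that NMDC cannot carry raw, mapped to their escaped form,
# e.g. 0 -> b"/%DCN000%/" and 124 ("|") -> b"/%DCN124%/".
ESCAPES = {b: b"/%%DCN%03d%%/" % b for b in (0, 5, 36, 96, 124, 126)}

# Assumption: letters and digits only, so the lock never contains
# protocol delimiters such as "$", "|" or a space.
LOCK_ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 b"abcdefghijklmnopqrstuvwxyz0123456789")


def new_random_lock(length=80):
    """Build the random part of a $Lock for one connection."""
    return bytes(secrets.choice(LOCK_ALPHABET) for _ in range(length))


def lock_to_key(lock):
    """Standard NMDC transform from the $Lock data to the $Key data."""
    if len(lock) < 2:
        raise ValueError("lock must be at least 2 bytes long")
    raw = bytearray(len(lock))
    # The first byte mixes in the last two lock bytes and the constant 5.
    raw[0] = lock[0] ^ lock[-1] ^ lock[-2] ^ 5
    # Every other byte is the XOR of a lock byte with its predecessor.
    for i in range(1, len(lock)):
        raw[i] = lock[i] ^ lock[i - 1]
    out = bytearray()
    for b in raw:
        b = ((b << 4) | (b >> 4)) & 0xFF      # swap the two nibbles
        out += ESCAPES.get(b, bytes([b]))     # escape reserved bytes
    return bytes(out)


def check_key(lock, command, key_required=True, key_must_be_valid=True):
    """Decide whether a connection may continue to $ValidateNick.

    `command` is the first command received after $Lock, without the
    trailing "|". Returns (allowed, reason).
    """
    prefix = b"$Key "
    if not command.startswith(prefix):
        if key_required:
            return (False, "no $Key sent")
        return (True, "ok")
    if not key_must_be_valid:
        return (True, "ok")
    received = command[len(prefix):]
    # Constant-time comparison against the key for *this* lock.
    if hmac.compare_digest(received, lock_to_key(lock)):
        return (True, "ok")
    return (False, "invalid $Key")


if __name__ == "__main__":
    lock = new_random_lock()
    # A client that implements the transform passes.
    print(check_key(lock, b"$Key " + lock_to_key(lock)))
    # A key computed for some other lock fails, which is why a fixed
    # $Lock lets a hard-coded $Key through and a random one does not.
    print(check_key(lock, b"$Key " + lock_to_key(b"CD")))
    # A hand-typed session that skips $Key is stopped by "Key required".
    print(check_key(lock, b"$ValidateNick someone"))
```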
-
NoGetINFO enabled, NoHello enabled, UserCommand enabled: this allows you to enable / disable some protocol-specific features.
-
NoGetINFO required, NoHello required, UserCommand required, TTHSearch required, Get[Test]ZBlock required: this allows you to restrict some clients that don't support or don't send in $Supports string one or more of these features.
-
Version is required: this option will restrict clients and bots that don't send $Version.
-
Version must be 1,0091: version is 1.0091 by default in most clients. However, some weird clients send other version number to hub. Use this to restrict them from entering the hub.
-
Validation timeout: use this option to set maximum accepted login time in seconds.
-
Send $LogedIn: enabling this option determines hub to send to all successfully logged in users $LogedIn nickname.
-
Allow nick changes: use this option to enable / disable nickname changes with !nick or !rename command, $ValidateNick sent twice, "Force correct prefix" option or nickname adjustments. If this option is enabled and a user wants to join the hub with the nick of a connected user or with an address in his nick, he will be renamed by hub. The hub also adds a "clone" that will be seen only by the renamed user for compatibility with some clients.
-
Reconnect time: depending on number of users, bandwidth, etc. you can specify here the median time in seconds needed by any user to reconnect to hub. If the user disconnects and this option is set, his nickname will be kept on nicklist until this time limit expires. This is an optimization to prevent unnecessary $Quit / $Hello / $MyINFO from being sent on reconnects. If user is fully logged in during this time, other users connected to hub won't see Joins / Parts from this user.
-
Max concurrent logins: maximum number of users that can wait for / get nicklist. If too many users join at once, setting a limit here will prevent too many nicklists from being sent in a small period of time.
-
Hub password: enable this to make a private hub. Characters "@" can be replaced by any other character. To prevent leaking, you may want to give to all users a different password with these characters replaced.
-
Do not allow unregistered users: if hub has a password, users must have an account to be able to join. If hub does not have a password, this option is ignored.
-
On [...] passwords ban for [...][...]: to prevent password guessing, use this option to add temp ban for a number of wrong passwords. Users that have pwd3 (can see passwords) and info1 (can use opchat) rights will see these attempts in opchat including the passwords that are tried.
-
If wrong password is entered ask for password again: if a user enters an invalid password, the hub can send $GetPass again. Not all clients support this feature. If this option is enabled some clients might automatically send that incorrect password again.
-
Require strong passwords: if this option is enabled, the hub will no longer allow weak passwords for all accounts and the password will no longer be saved as plain text in users.dat. Also a minimum access level can be specified to prevent normal users being asked for strong passwords.
-
Users must get nicklist to be able to speak: usually hub flooder programs don't get nicklist to be able to reconnect fast and send messages in mainchat or as private to some users. Enabling this option will mute those bots.
-
OpList before nicklist: if this option is enabled, operators that will join will be added in oplist first and never seen as normal users by those who have many cache blocks to be transmitted.
-
Calculate in advance for registered users: some clients send 2 $MyINFOs if tag information is changed because of registration. To prevent sending $MyINFO twice, the hub can estimate Hubs information from tag that would be after sending nicklist. However, the client will get back the $MyINFO it sends.
-
Cache MyINFOs: to prevent spamming with useless MyINFOs, the hub will wait for a needed broadcast event (like $Quit, a new login or cache full) until sending newly changed MyINFOs. When a broadcast event occurs, the hub will send from a user only the last MyINFO that he sent (if needed). Default cache size is 10 MyINFOs.
-
Ignore for Hubs changes: some older clients send a MyINFO for every new connection to a hub. Enable this option to prevent users that join many hubs at once to spam the hub with useless MyINFOs.
-
Ignore for share size changes less than [...]: when adding files to filelist, some clients may send many MyINFOs too fast. Enabling this option will prevent the hub from sending useless MyINFO updates.
-
Show BotINFO contents in OpChat: some hublist pingers send in $BotINFO useful information about the hublist server. Enable this option to see what pingers send.
-
Pingers cannot connect to users: enable this option to prevent bots from trying to connect to users and users from trying to connect to bots.
-
Pingers cannot search: enable this option to prevent search bots making useless traffic. Usually search bots are detected by hub as pingers.
-
Pingers cannot speak: this will restrict some chat bots from sending messages in mainchat or to some users. Some Trivia bots are also detected by hub as pingers.
-
Send $OpList to pingers: to prevent hublist admins banning hubs for their oplist, recommended value is OFF.
-
User restrictions apply to pingers: use this option to restrict pingers from entering the hub if they have a bad myinfo / the hub is full / etc.
-
Allow void $BotINFO's: disable this option to restrict fake clients that try to identify themselves as pingers to bypass fake share check.
-
Kick misconfigured clients: some users may send fake MyINFOs to hub, specifying active mode but using commands for passive mode or passive mode in tag and sending active mode commands. Enabling this option will kick those users on first attempt.
-
Notify on incorrect IPs: by default, the hub ignores the IP sent in ConnectToMe or Search commands and replaces it with the IP detected from accepted connection. Enabling this option will send a notification message to those users to tell them how to configure the client correctly.
-
Send to a maximum of [...] users: to reduce traffic made by searches (some clients search automatically at a given interval), you can restrict the number of users that will receive the search request.
-
Minimum search string length: search string with less characters than the value you specify here will be ignored.
-
Maximum search string length: search strings for words or expressions with more characters than the value you specify here will be ignored.
-
Disable auto-searches made by multi-source clients: some clients search for alternative locations for files that are in queue at regular intervals or when a download is finished. Enable this option to ignore those searches.
-
Auto-search every [...] minutes for bad words: if this option is enabled and bad words scanner is enabled then the hub will send search requests to users for "forbidden files". Those who send forbidden filenames in search results will be kicked.
-
Do not forward passive searches to passive users: if this option is disabled the hub may send passive search requests / passive search results to all users. The hub may combine more searches in one packet in cache so if the hub is set to use cache this is an optimization (for more searches only one packet will be sent).
-
Ignore results from passive users: enable this to prevent passive search results being sent to passive users.
-
Enable bad words scanner: if this option is enabled, all users that will search for forbidden files or send search results with forbidden files will be kicked or a notification message will be sent in opchat.
-
Bad words: here you can define lists with bad words and actions that can be taken. Enter every definition on a new line. A valid definition is bad_word=action. Supported actions are Notify (send notification message in opchat) and Kick (kick the user).
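A sketch of the bad words scanner described above, as an added example that is not HeXHub's own code: it parses `bad_word=action` definitions and applies them to the search string of a `$Search` and to the path of a `$SR` result. Case-insensitive substring matching, "Kick" taking precedence over "Notify", and all function names and sample lines are assumptions.

```python
ACTIONS = {"notify": "Notify", "kick": "Kick"}


def parse_bad_words(text):
    """Parse one bad_word=action definition per line.

    Returns (rules, errors): rules maps the lowercased word to "Notify"
    or "Kick"; errors lists (line_number, line) for rejected lines.
    """
    rules, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Split on the last "=" so a word may itself contain "=".
        word, sep, action = line.rpartition("=")
        word = word.strip().lower()
        action = ACTIONS.get(action.strip().lower())
        if not sep or not word or action is None:
            errors.append((lineno, line))
            continue
        # If a word is defined twice, keep the stricter action.
        if rules.get(word) != "Kick":
            rules[word] = action
    return rules, errors


def search_pattern(command):
    """Return the search text of an NMDC $Search command, or None.

    Layout: $Search <ip:port | Hub:nick> <F|T>?<F|T>?<size>?<type>?<text>
    with spaces in <text> sent as "$".
    """
    parts = command.split(" ", 2)
    if len(parts) != 3 or parts[0] != "$Search":
        return None
    fields = parts[2].split("?", 4)
    if len(fields) != 5:
        return None
    if fields[3] == "9":          # type 9 is a TTH hash, not a filename
        return None
    return fields[4].replace("$", " ")


def result_path(command):
    """Return the file or directory path of an NMDC $SR result, or None."""
    parts = command.split(" ", 2)
    if len(parts) != 3 or parts[0] != "$SR":
        return None
    # The path ends at the first 0x05 separator.
    return parts[2].split("\x05", 1)[0]


def scan(command, rules):
    """Return (action, matched_word) for a command, or None if clean."""
    text = search_pattern(command) or result_path(command)
    if not text:
        return None
    text = text.lower()
    hits = [(word, action) for word, action in rules.items() if word in text]
    if not hits:
        return None
    for word, action in hits:
        if action == "Kick":
            return ("Kick", word)
    return ("Notify", hits[0][0])


# Constructed definitions: two valid lines, one without "=", and one
# with an action the manual does not list.
SAMPLE_RULES = """\
forbiddenword=Kick
leakedbuild = notify
brokenline
oddword=Ban
"""

if __name__ == "__main__":
    rules, errors = parse_bad_words(SAMPLE_RULES)
    print(rules, errors)
    print(scan("$Search 10.0.0.5:412 F?T?0?1?some$ForbiddenWord$file", rules))
    print(scan("$Search Hub:bob F?T?0?1?holiday$photos", rules))
```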
-
Automatically bans for [...]: a kick automatically adds a temp ban. Use this option to specify its value.
-
Kick automatically redirects user: if a user is kicked and this option is enabled then the user will be redirected, otherwise the hub just disconnects him.
-
Permanently ban if kicked [...] times: if this option is enabled, and the user is kicked the number of times specified here, the hub no longer adds a temp ban but a permanent ban.
-
Filter "is kicking because" messages in main chat: use this option to restrict users from sending fake kick messages.
-
Move "you are being kicked" message in mainchat: if a user is kicked, some clients also send him a private message to him "You are being kicked because: ...". If this option is enabled, that message will no longer be sent as a $To: command, but as a mainchat message "Private message from ...".
-
Enable "stealth" kick messages: if this option is enabled and a user that doesn't have the right to kick others, or doesn't have enough access level, tries to kick somebody, a notification message will be sent in mainchat to everyone else. However, that user will see that his attempt succeeded.
-
Allow redirect only to hubs from hublist: if this option is enabled, redirect address is checked against addresses declared in hublist. If no match is found, redirect command will be ignored. Cannot be combined with "Add redirect hub to hublist".
-
Redirect address must exist: enabling this option will prevent operators from redirecting to a reason string. If there is an error resolving the redirect address, the command will be ignored.
-
Notify in opchat about redirects: if this option is enabled, a notification message will be sent in opchat about all redirect attempts (successful or failed).
-
Add redirect hub to hublist: if somebody redirects a user, the hub will be added to hublist if it was not there already. Cannot be combined with "Allow redirect only to hubs from hublist".
-
Allow "stealth" redirect messages: if this option is enabled and a user that doesn't have the right to redirect others, or doesn't have enough access level, tries to redirect somebody, a notification message will be sent in mainchat to everyone else. However, that user or operator will see that his attempt succeeded.
-
Default redirect address: here you can specify what redirect address will be used by default. If you choose "random hub from hublist", you must declare at least one hub in hublist; you can change the redirect address by changing the contents of hublist (2.1).
-
Notify about attempts of talking with Hub-Security: enable this option to send in opchat mistyped commands / away messages or chat messages sent in PM to Hub-Security and its responses.
-
Max. number of reconn/say before mute: to prevent spam bots that reconnect / send chat messages / reconnect, specify here the accepted value of consecutive reconnect/say events before muting user.
-
Min. message length to scan for PM spam: specify here the minimum length of a spam message that can be sent in PM to users. If a user or a bot sends a shorter message, it won't be checked for spam.
-
Max. number of different users to send: if a user wants to spam a hub by sending a PM to all connected users, after he sends to this maximum of users, he will be kicked.
-
Max. number of seconds between spam messages: if a user wants to spam a hub by sending a PM to all connected users, he will probably try to send messages fast to all of them. If delay between two consecutive private messages is greater than the value you specify here, his messages will not be detected as PM spam.
-
Max. number of cached opchat messages: flood events are cached to prevent opchat flooding operators. If too many messages are cached, new events will be ignored until cached messages are shown to all operators.
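How the three PM spam limits above combine, as an added example that is not HeXHub's own code: a per-sender chain of consecutive `$To:` messages is tracked and the sender is kicked once the chain reaches the recipient limit. The class and function names, the limit values, the sample traffic, and the rule that a chain only continues while the message text stays the same are assumptions.

```python
import re
from dataclasses import dataclass, field

# $To: <recipient> From: <sender> $<sender> <message>  ("|" already stripped)
TO_RE = re.compile(r"^\$To: (\S+) From: (\S+) \$<[^>]*> (.*)$", re.S)


@dataclass
class Chain:
    """Run of consecutive private messages from one sender."""
    text: str
    last_seen: float
    recipients: set = field(default_factory=set)


class PmSpamDetector:
    def __init__(self, min_length, max_recipients, max_gap):
        self.min_length = min_length          # "Min. message length to scan"
        self.max_recipients = max_recipients  # "Max. number of different users"
        self.max_gap = max_gap                # "Max. number of seconds between"
        self.chains = {}

    def feed(self, now, conn_nick, command):
        """Return "kick", "pass" or "not-pm" for one received command.

        conn_nick is the nick bound to the connection; the From: field
        inside the command is client-supplied and is not trusted here.
        """
        m = TO_RE.match(command)
        if m is None:
            return "not-pm"
        recipient, _claimed_sender, text = m.groups()
        # Messages below the minimum length are not checked at all.
        if len(text) < self.min_length:
            return "pass"
        chain = self.chains.get(conn_nick)
        # Start a new chain when the sender paused longer than the
        # allowed gap or switched to a different text (assumption).
        if (chain is None or chain.text != text
                or now - chain.last_seen > self.max_gap):
            chain = self.chains[conn_nick] = Chain(text, now)
        chain.last_seen = now
        chain.recipients.add(recipient)
        if len(chain.recipients) >= self.max_recipients:
            del self.chains[conn_nick]
            return "kick"
        return "pass"


def pm(to, sender, text):
    """Build a $To: command as a client would send it."""
    return f"$To: {to} From: {sender} $<{sender}> {text}"


# Constructed traffic: (seconds, connection nick, command).
AD = "Join the best hub at hub.example.invalid:411 today"
SAMPLE = [
    (0.0, "bot", pm("alice", "bot", AD)),     # fast, same text,
    (0.4, "bot", pm("bob", "bot", AD)),       # three different users
    (0.8, "bot", pm("carol", "bot", AD)),
    (1.0, "dave", pm("alice", "dave", "hi")),   # too short to be scanned
    (2.0, "dave", pm("bob", "dave", "hi")),
    (3.0, "dave", pm("carol", "dave", "hi")),
    (10.0, "erin", pm("alice", "erin", AD)),  # same text, but the gaps
    (30.0, "erin", pm("bob", "erin", AD)),    # exceed max_gap
    (50.0, "erin", pm("carol", "erin", AD)),
]


def replay(events, min_length=20, max_recipients=3, max_gap=5.0):
    """Run events through a fresh detector and collect the verdicts."""
    detector = PmSpamDetector(min_length, max_recipients, max_gap)
    return [detector.feed(t, nick, cmd) for t, nick, cmd in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"{event[0]:5.1f} {event[1]:5} {verdict}")
```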
-
Limit text to [...]: this option allows you to restrict messages sent in mainchat to the specified number of characters.
-
Maximum number of text lines [...]: this option allows you to restrict messages sent in mainchat so they won't exceed specified number of lines.
-
Do not allow users to repeat last message: use this to restrict users from repeating last message in mainchat. Users who will try to repeat last message will see on first attempt a private message "Repetitio mater studiorum est". If users try for a second time to repeat, more messages like this will be sent to him. For the third attempt the user is muted.
-
Do not allow users to repeat themselves: use this to restrict users from repeating their last message in mainchat. Users who will try to repeat themselves will see on first attempt a private message "Repetitio mater studiorum est". If users try for a second time to repeat, more messages like this will be sent to him. For the third attempt the user is muted.
-
Repeat checks are for messages greater than [...]: use this option to set a limit on repetition checks to avoid checking small messages.
-
Compress lines: use this option to restrict users from pasting a big number of empty lines ("mainchat cleaner" messages).
-
Convert CAPS: if this option is enabled and a user has caps lock key stuck, his messages will be converted to lowercase.
-
Disable RTF: enabling this option improves security, RTF exploits will be seen as text by all clients.
-
Flood detection: Do not combine messages: if this option is disabled, hub will combine messages like "<nick> msg1|<nick> msg2|<nick> msg3|" to a single message "<nick> msg1 msg2 msg3|"
-
Maximum $MyNick rate allowed: if for a reason some users try to connect to hub like they connect with another user, use this option to specify maximum tolerable connections of this kind. If more connections will be detected, the hub will start filtering these invalid connections and a filter will be made from the IPs. If connection filtering is started, it will be active for at least one minute.
-
Search for source using a hublist server: if the hub detects DDoS, it will try to locate the source attacker using specified hublist server(s) that support this feature (currently there are 2 hublist servers that offer this service, hublist.org and dchublist.com).
-
Minimum nicks to check: minimum nicks that will be checked for a common hub.
-
Force correct syntax: if this option is disabled the hub will kick bots that don't follow strict DC protocol syntax. Otherwise the hub will re-build all commands.
-
Dump unknown/unrecognized data: enabling this option will show in opchat non-DC clients that connect to one of the hub ports that is usually assigned to another service.
-
Notify about HTTP requests: enabling this option will show in opchat all users that try to connect to hub with a web browser.
-
Notify about Hub registration attempts: enabling this option will show in opchat notifications about misconfigured hubs / hublist servers that use one of the hub ports to send registration requests.
-
Notify about Socks5 requests: enabling this option will show in opchat users that have set the hub address as socks5 address in their connection settings, and what hub they try to connect to using it as proxy.
-
Enable Socks5 emulation: users who add hub address and one of its ports as Socks5 address in their clients will actually connect to this hub no matter what hub they try to connect to using this hub as proxy.
-
Welcome message file: here you can specify a text file that will be shown to all users who connect to hub (except banned users). You can use variables in welcome text file. To choose a file that is not in Welcome directory, select "<< Other (browse) >>".
-
Refresh: re-scan Welcome directory for file changes.
-
Send on reconnect: if this option is disabled, welcome message and MOTD are not sent to user if he reconnects.
-
Send !help hint: enable / disable showing "Type !help to see the commands you have" message to users who connect to hub.
-
Send !language hint: enable / disable showing "To see hub messages in ..., write !language ..." message to users who connect to hub.
-
Hub topic: here you can restrict topic size and set the hub topic. Changes are updated automatically. Use "Locked" option to prevent users from changing the topic. If "Check for IP / addresses" is enabled, and a user who doesn't have spam1 right tries to set a topic with an address, his right to set topic will be removed.
-
MOTD: here you can restrict MOTD size and set the MOTD text file location. To prevent users from changing MOTD you can enable the "Locked" option. If "Check for IP / addresses" is enabled, and a user who doesn't have spam1 right tries to set a MOTD with an address, his right to set MOTD will be removed. If "MOTD is reset at 00:00" is enabled then MOTD will be deleted daily. To enable / disable showing MOTD to users who join use "Show MOTD on join" option.
-
User information shown to all users: to prevent MyINFO spamming the hub with irrelevant information, you can disable showing tags, descriptions or e-mail addresses in nicklist.
-
Show in !whois: here you can enable / disable showing some information in whois information. Enabling "Show DNS" or "Search Internet Registry" options might slow down the hub.
-
Maximum results: maximum results shown in !seen and !who information.
-
Default language: specifies default language for users that didn't choose any.
-
Enable cyrillic character set: if this option is enabled, the hub will no longer convert Russian messages written with cyrillic letters to normal text.
-
Apply all: reloads MOTD and welcome files.
Some hubs may require users to join with a specific prefix other than country or an existing ISP. To do this, you have to declare an ISP with that prefix and IP range 0.0.0.0-255.255.255.255. (example: [TEST]=*) and enable "Prefix required for ISP" option.
-
Restrict to the following countries: to restrict to the countries you want, you need to select those countries from the dropdown list and insert them into the listbox (>>). To remove an item from the listbox press the button "<<".
-
ISP: here you can declare the ISPs you want. Anything can be declared as ISP, each definition will be in one line. A valid definition is a line containing [prefix]=IP or [prefix]=IPrange. Multi-prefix definitions ([pref1][pref2][pref3]=IP/range) are also valid, any reference to one of the prefixes includes that definition too. Some hubs may need to restrict to one or more of the declared ISPs. To restrict to only a few of the declared ones, you need to add the "forbidden" ones to "Bad ISPs" list separated by spaces.
-
Prefix required for country: this restriction will check user's prefix against geoIP list. If user has no prefix or has prefix for wrong country, he will be disconnected or redirected (except when "Force correct prefix" is enabled).
-
Prefix required for ISP: this restriction will check the prefix against those declared as ISPs. If user has no prefix or has only prefix for country he will be disconnected (except when "Force correct prefix" is enabled).
-
Do not allow irrelevant prefixes: this restriction depends on "Prefix required for country" and "Prefix required for ISP" options. If none of them is selected, no prefix will be accepted. If user has more prefixes than the required ones, those will not be accepted.
-
Force correct prefix: if "Allow nick changes" option is enabled (see 1.1.1.5), and the user that connects does not respect prefix restrictions / requirements, the hub will rename him and allow him to join.
-
Hublist servers: here you can declare hublist registration servers. Enter each address on one line. If no port is specified, the hub will use the default one (2501). To enable registering to hublists, you have to specify a period value for registrations (default is to register every 6 hours to one registration server). To register at any moment to the next registration server you can press the "Register now" button.
-
User search: use this option to change hublist configuration used by the !seen command.
-
Network hubs: the hubs you add in this list will be shown by !hublist command and may be used by hub as redirect addresses (see 1.1.1.19 - Default redirect address). Use Add / Delete buttons to modify the list.
-
Ping hubs: use this option to enable checking periodically the availability of hubs from hublist. If a hub is offline, users will not be redirected to it. If this option is disabled, users will be redirected to all hubs.
-
Get login restrictions (full ping): use this option to get minimum share size restriction for hubs from hublist. Users will be redirected according to share size restrictions.
-
TCPMaxConnections: this is a registry patch for Windows 98 only. By default Windows 98 does not accept more than 70 connections (maximum of 70 users). After changing this value click "Set" and restart your computer.
-
SynAttackProtect: this is a registry patch, by default its value is set to 0 (disabled). Recommended value to protect from SYN flood attacks is 2. Click "Set" to apply this patch and restart your computer.
-
Send buffer size: use this option to set the maximum data the hub sends to a user in one transfer cycle. If "Auto" option is selected and send buffer size is greater than 1536, the hub will adjust this size if it gets a WSAENOBUFS (Out of buffer space) error.
-
Auto-restart computer after [...] hours: enabling this option will cause the hub program to restart the computer after specified number of hours of runtime.
-
SO_SNDBUF: here you can specify the buffer size for sends that system will use (0 = the system will use the buffer sent by hub program).
-
Send Keep-Alive packets: if this option is enabled, periodic keep-alive packets will be sent on all connections opened by hub.
-
TCP_NODELAY: the TCP_NODELAY option is specific to TCP/IP service providers. Enabling the TCP_NODELAY option disables the TCP Nagle Algorithm.
-
IOCP worker threads: if this option is enabled, the hub will use I/O Completion Ports for sending and receiving data. Otherwise the hub will create a thread for every user. Minimum accepted value is 4. If "Sends through IOCP" option is not selected, the hub will use a sending thread that will send data and worker threads are responsible for received data only.
-
Enable QoS: this option and QoS settings are only for Windows XP SP1 or higher, rsvp service must be started. You can set bandwidth usage parameters from advanced options.
-
Max. send buffers: use this option to limit the number of buffers allocated for send operations. If a thread needs a sending buffer and maximum number is reached, it will wait until one of the buffers is no longer in use. Use 0 to disable this limitation.
-
Send timeout: specify the maximum number of seconds the hub can wait for data to be sent. If timeout is reached, the user is disconnected.
-
Connection timeout: this option is valid only if IOCP is disabled. If a full connection is not established during the time you specify here, the connection is aborted.
-
TIME_WAIT interval: timeout value for unsent data when closing connections.
-
Max send retries: specify maximum number of accepted failed sending attempts. If this maximum is reached the user is disconnected.
-
Max cache level: this option is available only for broadcast blocks from cache. Blocks in cache are sent one block after another to all users. Some blocks may be sent to some users faster than to others. If first block from cache is sent to all users, that buffer will be removed, and buffer 2 becomes new buffer 1. If a user will reach maximum cache level, he will wait for his current level to be decreased.
-
Cache level timeout: if a user has reached maximum cache level, he will wait cache_timeout seconds until moving to next block. A block that was not fully sent to any user is writeable. If a buffer was fully sent to at least one user, it is marked as read-only and for new writes a new buffer will be allocated. Setting level timeout to a lower value might increase RAM usage but transfers will be faster.
-
Send / bc cycles: if this option is disabled and IOCP sends are enabled, sends are fully handled by worker threads. Otherwise a sending thread will schedule sends. A value of 0 for broadcasts will determine a broadcast cycle after finishing a cycle for private buffers.
-
Distribution factor: use this option to normalize bandwidth. A sending cycle is divided into distribution_factor parts, and each part covers total_number_of_users divided by distribution_factor users. For example, in a hub with 200 users, a distribution factor of 8 and broadcast cycles every 200 ms, a message for all users is sent to the next 25 users every 200/8=25 milliseconds, so the message is fully sent to all users 200 milliseconds after the send cycle started.
-
Redirect server: if hub will be closing some ports or just redirect to another hub, open the ports you expect users to connect to and those who will connect to hub using those ports will be redirected to the address you specify.
-
Auto-refresh: if this option is enabled, nicklist from GUI will be automatically refreshed. 3 login states will be shown - 0K (waiting for $Key), 1V ($ValidateNick sent) and 2L (fully logged in).
-
Refresh now: if auto-refresh is disabled, use this to refresh nicklist from GUI at any moment.
-
User limit: use this option to set user limit. This won't affect those who have connect6 right (can always join the hub).
-
Send MyINFO: after selecting a nick from nicklist, detailed information about it will be shown. If you make changes to that information, click "Send MyINFO" to apply them. Changes to Hub-Security and OpChat can be made from here.
-
Op / Deop: use this to change somebody's state in oplist. You can also change state for Hub-Security and Opchat bots.
-
Disconnect: use this to drop selected user.
The Profiles page allows you to manage user accounts and the banlist. Root items are profile names; accounts / users that belong to the same profile are listed as its child nodes. Selecting a profile name or an account allows you to edit its properties. To register a new user select his profile and click "New user". By default, an account for Owner profile is created for the IP 127.0.0.1.
-
Profile properties -> Name: here you can change the name of an existing profile or of the profile you want to create.
-
Profile properties -> Rights: available rights / rights mask for selected profile in hexadecimal. Click Advanced to see them.
-
Profile properties -> Access level: here you can change the access level range for the selected profile. If somebody tries to change the access level of an account created for this profile to a value outside this range, the access level is adjusted to the min / max value of this range (except for profiles that have the adm0 "nearest profile match" right, in which case the account is moved to a profile whose range contains the new access level value).
-
Profile properties -> Access level -> Increase by [...] every [...] hours online: to motivate users to stay connected to hub, they can get access level points for a specific period of time they stay connected to hub. If their access level becomes greater than the maximum allowed for their profile and adm0 "nearest profile match" right is set, they are moved to the matching profile.
-
Profile properties -> Raw sent to user: here you can write some raw commands that will be sent to user. The profile must have spam3 "Send raw commands and user menus on join" right. If you enter more commands, you should separate them with "|".
-
Profile properties -> Raw sent to everyone else: if the profile has spam3 right, when a registered user will join the hub, the commands you will enter here will be sent to all other users from the hub except the user who joined. You can use this option to add on-join welcome messages.
-
Profile properties -> Availability: here you can set the default number of days until an account for this profile expires.
-
Profile properties -> Availability applies only to unused accounts: if this option is set, account expires only if the user doesn't join the hub in the specified period of time.
-
Profile properties -> Minimum share required: this option allows restricting profiles by share size. Registrations of users who remove enough files from their share are automatically deleted, and if that profile has a reserved prefix the user is dropped. Also, a user who has the adm0 right cannot be advanced to a profile that requires a higher share than he has. For a profile to be matched by share size, the intermediary profiles need to complete the access level range from the maximum access of the current profile to the minimum access of the profile that has the highest access level and share requirements respected by the user; all intermediary profiles must be restricted by share size and must have the adm0 right. Among several profiles with the same access level range and share restriction, the profile that doesn't have "#" in its name is chosen (usually "#N" profiles are created when the rights of the original profile are changed).
-
Profile properties -> Reserved prefix: this option affects automatic registration and nick changes. A user cannot be renamed to a new nick that has a reserved tag, a user that is registered with a reserved tag cannot remove it when changing nickname.
example:
Default access range: 2000-3000 min. share: 1073741824 adm0
Reg#1 access range: 2010-3999 min. share: 5368709120 adm0
Reg access range: 2010-3999 min. share: 5368709120 adm0
Vip access range: 4000-4999 min. share: 10737418240 adm0
KVip access range: 5000-9999 min. share: 0 adm0
In this case if a user joins as Default with a share of 38459235367 bytes, he has enough share to be Reg and Reg#1,
the choice between Reg and Reg#1 would be Reg. From Default to Reg the range is completed and both have share
requirements and adm0 right. Next access range that can complete a higher range has the Vip profile,
also restricted by share with adm0 and the user has enough share for it. Next would be KVip, it has adm0 but it's not
restricted by share so profile matching stops at Vip with minimum access level for Vip.
If possible, the user is automatically registered or his registration is changed.
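The matching rule and the example above, modelled as an added Python sketch (it is not part of the original manual or of HeXHub's source). It assumes that a profile "completes the range" when its minimum access is at most one above the current profile's maximum, and that the lowest continuing range is tried first; both are readings of the text, not documented behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    min_access: int
    max_access: int
    min_share: int       # bytes; 0 = profile is not restricted by share size
    adm0: bool = True    # "nearest profile match" right

# Profiles and values copied from the manual's example.
PROFILES = [
    Profile("Default", 2000, 3000, 1073741824),
    Profile("Reg#1", 2010, 3999, 5368709120),
    Profile("Reg", 2010, 3999, 5368709120),
    Profile("Vip", 4000, 4999, 10737418240),
    Profile("KVip", 5000, 9999, 0),
]

def continues_range(current, candidate):
    """Assumption: the candidate starts no later than one level above the
    current maximum and reaches higher than it (no gap in access levels)."""
    return (candidate.min_access <= current.max_access + 1
            and candidate.max_access > current.max_access)

def match_profile(start_name, share, profiles=PROFILES):
    """Return (profile_name, new_access_level); access is None if nothing changes."""
    current = next(p for p in profiles if p.name == start_name)
    if not current.adm0:
        return current.name, None
    matched = None
    while True:
        # Only share-restricted adm0 profiles whose requirement the user meets
        # can extend the chain; anything else stops the matching.
        step = [p for p in profiles if continues_range(current, p)
                and p.adm0 and p.min_share > 0 and share >= p.min_share]
        if not step:
            break
        # Lowest continuing range first (assumption), then the name without "#".
        current = matched = min(step, key=lambda p: (p.max_access, "#" in p.name, p.name))
    if matched is None:
        return start_name, None
    return matched.name, matched.min_access
```

Removing the Reg profiles from the list leaves a gap between 3000 and 4000, and the same user then stays in Default.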
-
User properties -> Name: allows you to change the nickname used by registration. Leave blank for accounts created for an IP or ISP.
-
User properties -> Password: allows you to change the password that protects the account. Leave blank for accounts that do not require a password.
-
User properties -> IP range / ISP: allows you to create a registration for an IP, IP range or an ISP. For ISP-based accounts, enter the prefix that users from that ISP would use. Registrations that have nickname and IP range or ISP are also valid.
-
User properties -> Access level: allows you to change access level. The access you set here will be adjusted to fit the profile access range.
-
User properties -> Reason / comment: usually the reason why the user is banned (if profile is Banned).
-
User properties -> Current profile: to move the account to a different profile, choose another profile from the dropdown list and click "Update".
-
User properties -> Resets to: here you can specify what profile the user had before moving to this profile. The commands !reset and !unban will move the account to its previous profile.
-
User properties -> Created by: read only information
-
User properties -> Changed by: read only information
-
User properties -> Maximum number of clones: this is valid for IP-based accounts, usually maximum number of connections from same IP (or IP range).
-
User properties -> Time left: here you can set remaining time until account/ban expires.
In this page you can set some requirements a user needs to join this hub (excepting sharing requirements with the option "users can join but can't download" enabled).
-
Auto-refresh: enables / disables showing messages sent in mainchat. If this option is enabled, you can send messages to mainchat with Hub-Security nickname from GUI (write the message then press Enter key).
-
Robot nickname, Opchat nickname: here you can change nickname of Hub-Security and Opchat bots. To apply changes click "Set".
-
Register/Unregister firewall driver: this option allows you to install or uninstall the firewall as a system driver in Windows registry. Before updating the driver to a newer version you need to unregister the old version first. You need to be logged in as Administrator to be able to change driver's registration.
-
Load/Unload: use this option to enable or disable using the firewall in your hub. If the firewall is not already registered as a system driver, the hub will try to register it when you try to load it. Check "Status:" for errors. If the firewall is loaded, disabling WinPCap is recommended (the hub will ignore WinPCap reports anyway).
-
Max. SYN/sec. on Hub's ports: if this option is enabled the hub will try to register all hub's ports with specified rate in the firewall (including those used by the redirect server). By doing so, the firewall will monitor all these ports to restrict maximum number of allowed TCP/SYN packets.
-
Max. SYN/sec. on other ports: use this option to restrict maximum number of SYN packets allowed to be sent to all other ports that are not being used by any hub or did not register its ports in firewall. Use this option to restrict all SYN packets that are not sent to any hubs (the firewall checks port numbers only to detect SYN flood from a specific user).
-
Don't send TCP/RST: use this option to restrict sending a TCP/RST packet to those who try to connect to a port that is closed (those users will get "Connection timeout" instead of "Connection refused").
-
Detect port scans: if this option is enabled, hub will try to detect port scans and report them in opchat.
-
Detect SYN flood: if this option is enabled, hub will try to detect SYN flood attacks and report them in opchat. You can specify maximum SYN packets / second from one IP that is not considered a SYN flood.
-
Detect UDP flood: if this option is enabled, hub will try to detect UDP flood attacks and report them in opchat. You can specify maximum UDP packets / second from one IP that is not considered a UDP flood.
-
Detect ICMP flood: if this option is enabled, hub will try to detect ICMP flood attacks and report them in opchat. You can specify maximum ICMP packets / second from one IP that is not considered an ICMP flood.
-
Block ICMP traffic: use this option to filter all incoming ICMP packets
-
Disable !stats IP: use this option to disable access !stats IP command
-
Automatically set _ban0_ if flood is detected: this option will work only if the firewall is loaded and will ban all IPs that were detected as portscanning, SYN flooding, UDP flooding or ICMP flooding the hub. This option needs the firewall to be loaded.
-
Notify in opchat about detected flood types: with this option enabled, the hub sends a notification message each time a flood or portscan is detected. Exception: if the firewall is loaded and the sender IP is banned[0], all incoming traffic from that IP is filtered. This option needs the firewall to be loaded or WinPCap to be enabled.
-
Rescan: if you installed new plugins, use this option to refresh the list with installed plugins. Plugins that are not in the list will not be used.
-
Remove: disables selected plugin and removes it from list.
-
Re-init: saves all settings related to selected plugin, unloads it from memory then re-initializes it (if plugin was disabled, this option will enable it again).
-
Unload: unloads a plugin from memory and disables it.
-
Configure: calls plugin's configuration dialog (plugin must be loaded).
-
Settings: use this option to set some restrictions on selected plugin's usage.
-
Move UP/Move down: changes selected plugin's position in list. First plugin has the highest priority.
On this page you can configure lists of forbidden words for searches, search results, mainchat messages, user descriptions, command parameters and private messages. Each line of a list holds one definition. Valid definitions have the form <word|expression>=action.
Expression can have the following escape sequences:
-
\\: backslash.
-
\xNN: character specified by its hexadecimal code NN.
-
\w: word separator or start/end of message.
-
\i: 4 numbers (0-255) separated by dots, combination that is detected as being an IP.
Valid actions:
-
notify: can be used alone or can precede another action, if forbidden word or expression is found, a notification message is sent in opchat.
-
kick [reason]: kicks user and adds a temp ban, if reason is not specified the hub will add a default reason in ban registration.
-
ekick [reason]: same as kick, and an "is kicking ... because:" message will be sent in mainchat from hub-security bot.
-
back: sends back the message / command, this works only with mainchat messages and written commands.
-
replace [string]: replaces word or expression with specified string, you can use an empty string to remove the expression.
-
replaceall [string]: replaces entire message with string.
Actions may contain _ban_[time] to specify a ban; for more information see the Operator commands section.
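To test a forbidden-words list offline before loading it into the hub, the definition syntax above can be translated into regular expressions. This is an added Python example, not HeXHub's own matcher; it assumes the escapes are written with a single backslash (\w, \i, \xNN, \\), that matching ignores case, that any non-alphanumeric character is a word separator, and that the first "=" ends the expression. The sample definitions are constructed.

```python
import re
from typing import NamedTuple, Optional

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = rf"(?<!\d){OCTET}(?:\.{OCTET}){{3}}(?!\d)"   # \i: four 0-255 numbers with dots
SEPARATOR = r"(?:\A|\Z|\W)"   # \w; assumption: any non-alphanumeric char separates words
ACTIONS = ("kick", "ekick", "back", "replace", "replaceall")

class Rule(NamedTuple):
    expression: str
    regex: re.Pattern
    notify: bool
    action: Optional[str]
    argument: str

def compile_expression(expr):
    """Translate the manual's escape sequences into a Python regular expression."""
    out, i = [], 0
    while i < len(expr):
        if expr[i] != "\\":
            out.append(re.escape(expr[i]))
            i += 1
            continue
        code = expr[i + 1:i + 2]
        hexpair = expr[i + 2:i + 4]
        if code == "\\":
            out.append(re.escape("\\"))
        elif code == "w":
            out.append(SEPARATOR)
        elif code == "i":
            out.append(IPV4)
        elif code == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
            out.append(re.escape(chr(int(hexpair, 16))))
            i += 2
        else:
            raise ValueError(f"unknown escape at offset {i} in {expr!r}")
        i += 2
    # Assumption: matching ignores case; the manual does not say either way.
    return re.compile("".join(out), re.IGNORECASE)

def parse_definition(line):
    """Parse one '<word|expression>=action' line into a Rule."""
    expr, sep, rest = line.partition("=")   # assumption: first "=" ends the expression
    if not sep or not expr:
        raise ValueError(f"not a definition: {line!r}")
    rest = rest.strip()
    notify = rest.split(" ", 1)[0] == "notify"   # notify may stand alone or lead
    if notify:
        rest = rest[len("notify"):].lstrip()
    action, _, argument = rest.partition(" ")
    if action and action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if not action and not notify:
        raise ValueError(f"missing action in {line!r}")
    return Rule(expr, compile_expression(expr), notify, action or None, argument)

def check(message, rules):
    """Return the expressions of every rule that matches the message."""
    return [r.expression for r in rules if r.regex.search(message)]

# Constructed sample list, one definition per line as on the page.
DEFINITIONS = [
    r"\wspamhub\w=notify kick advertising",
    r"\i:411=notify",
    r"free\x20stuff=replace ***",
    r"C:\\secret=back",
]
RULES = [parse_definition(d) for d in DEFINITIONS]
```

Running check() over a sample of ordinary chat lines shows which definitions are too broad before users get kicked by them.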
On this page can be configured the commands hub sends to users and/or operators. Menu structure can be seen as a treeview.
-
Display name: specifies a string that will be shown as an option or popup in user menu.
-
Command: Hub command, Raw command, Chat message etc.
-
To: destination nick for private messages. You can use %[bot] to specify hub-security bot.
-
Command type: here you can choose between Separator, Raw command, Mainchat message and Private message.
-
Show in: here you can specify in which menu the command will be shown. If you don't select any menu, the command will not be sent to user. Popup menus should not be sent by themselves, send their associated options instead.
-
Rights needed: if the command is valid only if one or more rights is present, enable this option and specify which those rights are.
-
Access range: if the command is valid only for a specific profile, enable this option and specify its access range.
-
New item: adds a new item.
-
New sub-item: converts current item to a popup and creates a sub-item.
-
Update: updates changes.
-
Delete: deletes an item or a popup with all its sub-items.
On this page you can define your web shares. To be able to share something, you need to declare at least one host.
-
Enable/Disable: this is a checkbox on upper left corner, use this to enable or disable web support.
-
Default HTTP port: usually this port is 80. You also need to open this port (see Hub\Ports). On the default HTTP port, sending $Lock can be disabled or delayed.
-
Don't send $Lock to this port: if this option is enabled, hub users will not be able to use their DC clients to connect to hub's HTTP port. If this option is disabled, sending $Lock will be delayed.
-
Hosts: here you can see the list with all defined hosts, click on an item to change its settings.
-
Hostname (DNS): here you can specify a DNS name that is set to hub's IP and can be entered by users in their web browser to see hub's website. You can add a host named "*"; it will be the default host called if someone tries to open an address with a host that is not in your list.
-
Client IP or range: you can restrict some hosts to an IP or IP range, others who will try to open this host's name will get the default host (if defined). To restrict a host for more ranges you need to Add it once for each range.
-
Web -> Web redirect: if you enable this option, the host will be a web redirect.
-
Web -> Send this index to all requests: if this option is enabled, the hub will send specified index file to all GET / POST / HEAD requests except hexhub's default pages for insecure settings, banned user, etc.
-
Web -> Share this directory: if this option is enabled you can share a local directory. The hub does not make directory listings, so you must have an index.html file in your shared directory. This directory will be your website's root path.
-
404 file: here you can specify which file should be sent if the user enters a link to a file that cannot be found. If no 404 file is specified, the user will receive a web redirect to website's root path.
-
Enable comments: if you enable this option, the users who have chat0 right will be able to post comments on your pages that have support for them.
-
Forbid: here you can specify a list with forbidden words entered in comments. Supported actions are: kick, notify, replace and replaceall.
-
Only registered users can comment: if this option is enabled, the users must have accounts on hub and must login with those accounts to be able to post comments.
-
Do not allow HTTP proxies: use this option to disable all HTTP proxies unless they send real IP - if this option is enabled, transparent proxies are allowed unless they are detected as sending a fake "real IP".
-
Limit uploads per user: this option allows upload limit per user connection.
-
Notify in opchat about requests to this Hostname: if this option is enabled the hub will send notification messages with nick history, IP and headers to opchat for every HTTP request sent to selected hostname.
-
Save all requests to log: if this option is enabled, the hub will save all requests to log files. Log files are saved in a subdirectory of hexhub's install directory called Logs. Each host that has logging enabled will have its own subdirectory and log files are named by system's date.
-
Dump full headers: if logging is enabled you can use this option to enable saving full HTTP headers that are sent by clients.
-
Plugins cannot intercept this host: use this option to prevent plugin functions from being called on events generated for this hostname. This does not affect %[plugin] enumerations.
-
Add / Update / Delete: use these to add, update changes or delete a host.
Raw commands, welcome message file and MOTD
These are the accepted variables that can be used in raw commands, welcome message file and MOTD:
-
%[nick]: current user's nickname
-
%[hubbot]: nickname of Hub-Security bot
-
%[bot]: nickname of Hub-Security bot
-
%[ip]: current user's IP
-
%[isp]: current user's ISP
-
%[country]: current user's country (from geoIP)
-
%[users]: total number of logged in users
-
%[profile]: current user's profile
-
%[hname]: hub name
-
%[addr]: hub address
-
%[hdesc]: hub description
-
%[topic]: hub topic
-
%[reason]: ban reason or comment
-
%[uptime]: time since last startup
For example:
Hi %[nick] welcome to my hub, your IP is %[ip]
Hub commands (triggers and commandline parameters)
-
!help: information about hub commands
-
!about: information about this program
-
!language <lng>: change the language preferences - available options: ro en pl it
-
!hex <msg>: convert ASCII - Hex
-
!asc <msg>: convert Hex - ASCII
-
!hublist: network hubs, redirect statistics
-
!hublist add <address> <name+description>: add a new hub to the hub list (a user can add a single hub); there is no limit on the number of hubs that can be added
-
!hublist delete: delete your hub address (no extra parameter needed)
-
!hublist delete <index>: delete hub that is in hublist at <index> position (right needed: hublist1)
-
!motd: display the MOTD (message of the day)
-
!motd <msg>: change the Message Of The Day
-
!motd .: delete MOTD
-
!topic <msg>: change the topic
-
!stats: view hub statistics, right needed: info2
-
!stats cache: cache usage, right needed: info2
-
!stats ip: IP protocol information, rights needed: info2 and adm6, access level needed to see last IPs: 49999
-
!whois <nick>: information about the connected user
-
!who <IP/IP range>: user list
-
!seen <nick/IP/IP range>: history information about a user
-
+hexhub: comment about HeXHub (comments are written by Starwind and Ne0)
Example:
<Bluebear> !seen Hublink
<Bluebear> [command] !seen Hublink
*** Showing information on user Hublink:
x.x.x.x, connected: 2008-05-24 06:24:36 still online
*** The following users were found at www.qsdchublist.com
DCHublink vanersborg.nobodys-network.se:411
Hublink sky-net.te-home.net:411
DCHublink MegaStar.no-ip.info:411
DCHublink typiskt.no-ip.info:411
[-TE-]-Hublink wwbhangra.te-home.net:411
DCHublink troligen.no-ip.info:411
Hublink Roma.Rome-Empire.Org:666
Hublink megahex.te-home.net:411
[-TE-]-Hublink nemesis.te-home.net:411
The !say and !write commands can't be used with the nickname of an already connected user (except the robot).
-
!say <nick> <msg>: post a message with another nick
-
!write <msg>: post a message without a nick
-
!mc <msg>: message from the robot
-
!me <msg>: message
-
!report <nick> <reason>: sends a report to all operators
-
!mode <nick> 0: mod 0 = normal
-
!mode <nick> 1: mod 1 = lunarize (YHub © Yoshi)
-
!mode <nick> *1: mod 1 = "extended" lunarize
-
!mode <nick> 2: mod 2 = hex
-
!mode <nick> 3: mod 3 = kennylize (YHub © Yoshi)
-
!mode <nick> 4: mod 4 = mute
-
!mode <nick> x: mod x = swear generator v1.00 (romanian: Lord_Zero, polish: Flesz, italian: DjSpider, Ma+rØXT)
-
!mode <nick> *x: mod x = swear generator, append
-
!mode <nick> y: mod y = Religious Texts (thanx to: elohimmet, godless)
-
!mode <nick> *y: mod y = Religious Texts, append
-
!mode <nick> z: mod z = Publicly Announces (copyright © by elohimmet :)
-
!mode <nick> s: mod s = Satanic texts (copyright © by Daosadi :)
-
!nick <nick>: change nick
-
!rename <nick> <newnick>: change nickname of a connected user
Example:
<Bluebear> !rename nick1 nick2
<Bluebear> [command] !rename nick1 nick2
*** Bluebear is renaming nick1 to nick2
-
!deop: become a regular user
-
!op: become operator
-
!hideshare: hide or unhide share from users, rights needed: fake0
-
!drop <nick|IP>: disconnects a user
-
!kick <nick> <reason>: disconnects and adds a temporary ban
-
!ban <target> <reason>: bans <target> from the hub (target can be: nick, prefix, IP, IP range, ISP)
-
!banlist: lists all bans
-
!unban <target>: unbans the target if found among banned users; a manual unban also resets the kick counter for a specific IP
You can add the _ban[level]_[count][unit] keyword to a !kick or !ban reason to specify a temporary ban or a permanent ban. Default is ban level 2. A nick prefix ends with "*".
-
Ban level 0: _ban0_: IP / range / ISP ban. Filtered
-
Ban level 1: _ban1_: IP / range / ISP ban. User can connect to hub to see the reason. If a nick is given the user will be banned by his IP
-
Ban level 2: _ban2_: nick / IP / range / ISP ban. Default is only nickban but restricting with IP/range is supported
-
Count: a decimal number
-
Unit: time unit - can be: m (minutes), h (hours), d (days), M (months), Y (years)
Example:
<Bluebear> !kick test _ban1_3d
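When reviewing operator activity from saved chat lines, the ban keyword can be pulled out of each !kick / !ban command to see which level and duration was applied. This is an added Python example, not code from HeXHub; counting a month as 30 days and a year as 365 days is an assumption, and a reason without a count is reported with no duration rather than interpreted.

```python
import re
from datetime import timedelta

UNIT_SECONDS = {
    "m": 60, "h": 3600, "d": 86400,
    "M": 30 * 86400,    # assumption: a month is counted as 30 days
    "Y": 365 * 86400,   # assumption: a year is counted as 365 days
}
# _ban[level]_[count][unit]; level and count/unit are both optional.
KEYWORD = re.compile(r"_ban([0-2])?_(?:(\d+)([mhdMY]))?")
COMMAND = re.compile(
    r"^<(?P<op>[^>]+)> !(?P<cmd>kick|ban) (?P<target>\S+)(?: (?P<reason>.*))?$")

def parse_ban_keyword(reason):
    """Return (level, duration, reason_without_keyword) for a kick/ban reason."""
    m = KEYWORD.search(reason)
    if not m:
        return 2, None, reason.strip()          # the manual's default is level 2
    level = int(m.group(1)) if m.group(1) else 2
    duration = None
    if m.group(2):
        duration = timedelta(seconds=int(m.group(2)) * UNIT_SECONDS[m.group(3)])
    cleaned = (reason[:m.start()] + reason[m.end():]).strip()
    return level, duration, cleaned

def parse_command(line):
    """Parse '<operator> !kick|!ban target reason'; return None for other lines."""
    m = COMMAND.match(line)
    if not m:
        return None
    level, duration, reason = parse_ban_keyword(m.group("reason") or "")
    return {
        "operator": m.group("op"),
        "command": m.group("cmd"),
        "target": m.group("target"),
        "level": level,
        "duration": duration,
        "reason": reason,
        # Level 0 bans are filtered instead of letting the user see the reason.
        "filtered": level == 0,
    }
```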
For commands that have an output limited by maximum results you can append the starting index to command name (eg.: !reg10 vip). <Target> can be nick / IP / IP range / ISP / registration ID.
-
!password <newpass>: changes the password needed to login to hub or sends a request for registration to all operators
-
!rights: lists the rights you can set / reset
-
!rights <target>: lists the common rights you and <target> have
-
!rights <target> [+/-]right1 [[+/-]right2] ...: use "-" to reset a right, "+" to set a right.
-
!access: view your access level
-
!access <target>: view the access level the target has
-
!access <target> <value>: changes access level. You can set access only to a value that is lower than yours.
-
!reg: lists all defined user profiles
-
!reg <profile>: lists all users in specified profile with a lower access level than yours
-
!reg <profile> <nick>: add / change / delete a registration
-
!reg <profile> <nick> <IP/range/ISP> <password>: changes a registration entry. To leave a value unchanged use "*". To remove a value use "-".
-
!reset <target>: resets target to its previous profile
-
!flush: saves hub settings to harddisk. Rights needed: adm5
-
!set: view / change hub settings, for more information write: !set
Command line parameters are given at start up. e.g. c:\> hexhub.exe /NOSEH
-
/NOSEH: disables HeXHub's exception handler.
Updating the GeoIP database
To update the GeoIP database you must do the following steps.
-
Download GeoIPCountryCSV.zip from http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
-
Extract GeoIPCountryWhois.CSV from GeoIPCountryCSV.zip in the IPTest directory
-
If you want to edit the IP ranges from GeoIPCountryWhois.CSV be sure all ranges remain sorted.
-
Execute csv2dat.exe and it will do the following:
- generates GeoIP.dat
- displays a messagebox with number of different IP ranges detected
-
Stop HeXHub and close the program
-
Overwrite GeoIP.dat located in HeXHub's directory with the new one from IPTest
-
If you have HeXHub 3.22 or later, no changes are needed to hexhub's sourcecode.
If you have HeXHub older than 3.22 you need to do the following:
- update maximum number of countries and ranges in settings.h and tzari.h
- compile HeXHub using masm32
- overwrite HeXHub.exe with the new one
-
Delete ips.dat from HeXHub's directory
-
Restart HeXHub
-
All country-related settings may be changed so you need to update them (!set isp)
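The requirement that all ranges in an edited GeoIPCountryWhois.CSV remain sorted can be checked before running csv2dat.exe. This is an added Python example, not a tool shipped with HeXHub; it assumes the legacy MaxMind column layout (start IP, end IP, start integer, end integer, country code, country name), and the sample rows are constructed.

```python
import csv
import ipaddress

def check_ranges(lines):
    """Return [(line_number, problem)] for rows that are malformed, unsorted or overlapping."""
    problems, prev_end = [], -1
    for lineno, row in enumerate(csv.reader(lines), start=1):
        if not row:
            continue
        if len(row) != 6:
            problems.append((lineno, "expected 6 columns"))
            continue
        try:
            start = int(ipaddress.IPv4Address(row[0]))
            end = int(ipaddress.IPv4Address(row[1]))
            start_num, end_num = int(row[2]), int(row[3])
        except ValueError as exc:   # AddressValueError is a ValueError subclass
            problems.append((lineno, f"unparsable value: {exc}"))
            continue
        if (start, end) != (start_num, end_num):
            problems.append((lineno, "integer columns do not match dotted addresses"))
        if start > end:
            problems.append((lineno, "range start is after range end"))
        if start <= prev_end:
            problems.append((lineno, "range out of order or overlapping an earlier one"))
        prev_end = max(prev_end, end)
    return problems

# Constructed sample: the fourth row was moved below a higher range.
SAMPLE = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
'''

if __name__ == "__main__":
    import sys
    # Usage: python check_ranges.py GeoIPCountryWhois.CSV
    with open(sys.argv[1], newline="", encoding="latin-1") as handle:
        for lineno, message in check_ranges(handle):
            print(f"line {lineno}: {message}")
```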
Generated on Thu Aug 21 09:21:43 2008 for HeXHub/HexScript by doxygen 1.5.4