View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002673 | unreal | ircd | public | 2005-11-04 01:37 | 2007-04-27 04:50 |
| Reporter | Un1x | Assigned To | | | |
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Product Version | 3.2.3 | | | | |
| Summary | 0002673: hide (remote) hub ip in snotes, /stats c, etc... | | | | |
| Description | Hi, I was wondering if Unreal ever plans on releasing a new module/option so that netadmins can give certain opers a flag that will let them see the following type of snotices.. [12:39am] [Atomic-irc] (link) Link Beast.Atomic-IRC.net -> NakedHub.Atomic-IRC.net[@87.*.*.*.0] established [12:39am] [Atomic-irc] (sync) Link Beast.Atomic-IRC.net -> NakedHub.Atomic-IRC.net is now synced [secs: 10 recv: 370.221 sent: 402.924] This is very important due to the fact that these days a lot of users are linking on networks just so they can get hub IPs and such. If this was taken care of, so let's say an oper had to have flag B to see them, something similar to that would really help a lot of network admins out there.. | | | | |
| 3rd party modules | | | | | |

This can only be effective in some limited cases:

1) When the oper is not the owner of a server
2) When we also close the other holes to get the hubip (one of them is, hiding the IP in '/stats c <server>', but there's more)

Is that what you mean? Like for early opers in training or something. Or opers that generally do not deal with network routing.

No, well, I'd like it so that an ircop without a certain flag cannot see //stats c server.name.net or do any other command I'm unaware of.. and also stop ircops without certain flags from seeing: [3:31pm] [Atomic-IRC] (link) ZIPLink Wild.Atomic-IRC.net -> Hub4.Atomic-IRC.net[@66.*.*.*.0] established [3:31pm] [Atomic-irc] (sync) Link Wild.Atomic-IRC.net -> Hub4.Atomic-IRC.net is now synced [secs: 62 recv: 0.382 sent: 15.152] I want to stop opers from seeing those types of notices.. and any other command to get hub IPs other than the hub they're linked to.

Syzop: I could be wrong but an ircop that does do routing wouldn't need to know IPs anyway. Unless I'm mistaken the routing commands deal with server names and not IP addresses.

(aqua: sure, for /connect it doesn't need to know, I just mean for tracing problems [ping/traceroute/etc], so basically what I meant is if someone is really doing the routing, then he has to know, then again, these people probably already know the IPs anyway ;p).

Un1x: right, the "to get hub ips other than the hub they're linked to" is what I was after. I partially understand the problem, but I'm not exactly sure if I'll implement that. Would this be useful in enough setups? Like: if you link up a server, wouldn't you need like 2 link blocks to hub, a primary and a backup, perhaps even more if you are paranoid. Wouldn't it therefore be completely useless to hide the msg for a serveradmin while the same serveradmin can read the link blocks from the conf? Oh and yeah, sure, for non-serveradmin opers I agree it can be useful.

Could you describe the particular setup you tend to use where it would be useful (for hiding "far hubs" for serveradmins)... Like.. do you only hook up new links to 1 hub? Or do you also intend to use it once servers are "trusted" and are linked to like 2 hubs? If so, if they know 2 hub ips, is that a significantly better situation than if they would know 4 hub ips?

Most networks I've seen have 2 hubs and a client server has link blocks for both. This is logical, because one day, the "hub 1" will fail for whatever reason and the server would need to be linked to "hub 2". In this case, the hiding of "far hubs" for servadmins is not useful, because they are already in the conf. For new servers, I guess it can be useful, because you can stick them to 1 hub at first, to see how they go.. And later on, after a few months, provide them a backup link or something.

Those are questions I'm wondering about ;) Just typing a bit, to get a bit more "real world scenario stories" out of you ;).

No, well, see, as you see a lot of nets these days have what's called a trial link period once approved for a link.. well, they may have access to the box and be able to read configs, which will only give him/her the IPs of the hubs it's linked to. But the matter of fact is they can still get the IPs of the hubs they're not linked to, like the other main hubs etc., which I would like to stop, so only netadmins or admins that are doing the routing have access to these snotices for link and sync etc. and not be able to use the //stats c server.name.here command etc. BTW most trial links are usually 1 hub it's linked to or sometimes 2, but I'd like to, if possible, make it so no one can get hub IPs, even after the trial link period is done. Like even after the trial link period the ircd will only be linked to one or 2 hubs, which they'd get the IPs of, but at least make it possible so they don't get the IPs of the other hubs via any commands or any snotices etc.

*pst* shouldn't this be flagged as feature instead of major?

To be honest, if an oper is only after the server IPs / addresses, why should they be opers at all? I mean, mIRC allows you to do //echo -a $serverip on every server you're on, so even if you do block off all the ways for them to see it, they simply do that and wayhey, IP at their disposal.. sure, if they aren't on the hub it doesn't help them, but someone on the hub could easily be fooled into doing //say $serverip .. for a reason like "I wanna connect to the hub for x y z reasons".

Some networks you'll find don't let people connect to the hubs, or if they do, have restricted access, and no DNS address. You will also find that no matter how vigilant you are, problems still arise. Ala, the recent freenode security compromise.

Only oper those you trust, it is as simple as that...

No, it's not "as simple as that". I don't suppose you heard what happened to freenode recently? Bad things happen, systems are fallible -- so we should have systems in place that minimize the damage that can occur. I'm not a fan of security through obscurity, least, not to extremes like disabling /map [just plain idiotic] -- but this does seem a good idea.

Oper trust

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2005-11-04 01:37 | Un1x | New Issue | |
| 2005-11-04 19:29 | syzop | Note Added: 0010640 | |
| 2005-11-04 21:57 | Un1x | Note Added: 0010641 | |
| 2005-11-05 01:15 | aquanight | Note Added: 0010642 | |
| 2005-11-05 10:48 | syzop | Note Added: 0010647 | |
| 2005-11-05 17:53 | Un1x | Note Added: 0010655 | |
| 2005-11-07 21:22 | Nazzy | Note Added: 0010662 | |
| 2005-12-10 17:20 | syzop | Severity | major => feature |
| 2005-12-10 17:20 | syzop | Summary | snotices => hide (remote) hub ip in snotes, /stats c, etc... |
| 2005-12-12 16:36 | White_Magic | Note Added: 0010860 | |
| 2005-12-12 21:03 | w00t | Note Added: 0010863 | |
| 2005-12-13 21:42 | Stealth | Note Added: 0010866 | |
| 2005-12-18 23:44 | w00t | Note Added: 0010877 | |
| 2007-04-27 04:50 | | Status | new => closed |
| 2007-04-27 04:50 | | Note Added: 0013797 | |
| 2007-04-27 04:50 | | Resolution | open => fixed |