View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002152 | unreal | ircd | public | 2004-11-01 20:36 | 2013-05-20 04:34 |
Reporter | aquanight | Assigned To | |||
Priority | normal | Severity | tweak | Reproducibility | always |
Status | resolved | Resolution | no change required | ||
Platform | X86 | OS | Windows | OS Version | XP Pro SP2 |
Summary | 0002152: NOSPOOF for servers? | ||||
Description | This was recently brought up in the forums here: http://www.phpmemx.net/~unrealir/forums/viewtopic.php?p=6090#6090 Servers are not checked when NOSPOOF is enabled. I can confirm this with Anope logs if you want. The easiest way to deal with this is just send an appropriate PING (with cookie, preferably) prior to sending the server's pass/protoctl/server back. If the PONG is not correctly (exactly) replied before the class::pingfreq hits, ERROR :Closing link (Ping timeout) :P . You could, of course, also go as far as bahamut does, and do PING/PONG exchanges between each stage of the synchronization. | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
child of | 0003111 | closed | 3.2.7 Release |
|
Perhaps, but... IMO one should really rely on the password (and preferably use SSL), that's far more secure than IP-based authentication. |
|
Yes that's probably true... but IP-based certainly helps to augment the password and/or SSL, and applying NOSPOOF to servers would make it even more true :) . *edit* And it doesn't even have to be IP-based authentication done by Unreal :) . I could make 6667 clientonly and have a serveronly port somewhere obscure like 15372. Then use firewall/iptable/whatever to ensure that my server IPs can't connect to the 6667, and are the only IPs allowed to connect to 15372. Of course, NOSPOOF isn't as important when the OS's TCP stack is secure (eg, not Win32), but still... edited on: 2004-11-02 12:41 |
|
Well I guess the issue is, people use passwords like "link" or "password" so if someone knows the IP, and guesses the password, they can connect. |
|
It doesn't even have to be a simple password. It could be someone (accidentally?) left his unrealircd.conf or recent backup thereof readable by everyone, and some bad person gets the password-connect... which can be pretty significant depending on the server he managed to get, eg if he got a hold of a server that's hub *;'d, he could do quite some damage with that... and then it sometimes happens that password-connect and password-receive are the same... (Usually, though when that happens you're gonna have bigger problems than just an IP spoof attack or the like :P ) edited on: 2004-11-02 17:34 |
|
I don't believe we need to change this, reopen if you disagree. |
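
The PING-cookie gate proposed in the description, as an added example that is not part of the original report and not UnrealIRCd's own code. The type and function names, the `PING :<8 hex digits>` wire form and the `/dev/urandom` cookie source are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Hypothetical per-link state; names are illustrative, not UnrealIRCd's. */
enum link_state { LINK_WAIT_PONG, LINK_VERIFIED, LINK_CLOSED };
struct link { enum link_state state; uint32_t cookie; time_t deadline; };
/* Unpredictable cookie from the OS CSPRNG (POSIX path assumed). 0 on success. */
int new_cookie(uint32_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t ok = fread(out, sizeof *out, 1, f);
    fclose(f);
    return ok == 1 ? 0 : -1;
}

/* Arm the challenge and format the PING; our own PASS/PROTOCTL/SERVER stay
 * unsent until link_input() reports LINK_VERIFIED. Returns bytes written. */
int link_challenge(struct link *l, uint32_t cookie, time_t now, int pingfreq,
                   char *out, size_t outlen)
{
    l->state = LINK_WAIT_PONG;
    l->cookie = cookie;
    l->deadline = now + pingfreq;
    return snprintf(out, outlen, "PING :%08X\r\n", (unsigned)cookie);
}

/* Feed one received line. Only an exact PONG before the deadline verifies. */
enum link_state link_input(struct link *l, const char *line, time_t now)
{
    char expect[32];
    if (l->state != LINK_WAIT_PONG) return l->state;
    if (now > l->deadline) return l->state = LINK_CLOSED; /* Ping timeout */
    snprintf(expect, sizeof expect, "PONG :%08X", (unsigned)l->cookie);
    size_t n = strcspn(line, "\r\n");                 /* strip line ending */
    if (n == strlen(expect) && memcmp(line, expect, n) == 0)
        return l->state = LINK_VERIFIED;
    return l->state;       /* anything else: still unverified, keep waiting */
}

int main(void)
{
    struct link l; uint32_t c; char buf[64];
    if (new_cookie(&c) != 0) return 1;
    link_challenge(&l, c, time(NULL), 90, buf, sizeof buf);
    fputs(buf, stdout);                    /* what the peer would be sent */
    return 0;
}
```

A peer that cannot read the return traffic never sees the cookie, so it cannot produce the matching PONG and the link closes at the deadline without the local link credentials having been sent.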
Date Modified | Username | Field | Change |
---|---|---|---|
2004-11-01 20:36 | aquanight | New Issue | |
2004-11-02 08:28 | syzop | Note Added: 0008214 | |
2004-11-02 12:36 | aquanight | Note Added: 0008222 | |
2004-11-02 12:41 | aquanight | Note Edited: 0008222 | |
2004-11-02 17:17 | | Note Added: 0008224 | |
2004-11-02 17:32 | aquanight | Note Added: 0008226 | |
2004-11-02 17:33 | aquanight | Note Edited: 0008226 | |
2004-11-02 17:33 | aquanight | Note Edited: 0008226 | |
2004-11-02 17:34 | aquanight | Note Edited: 0008226 | |
2006-11-12 14:37 | syzop | Status | new => confirmed |
2006-11-12 14:37 | syzop | Relationship added | child of 0003111 |
2007-09-06 10:10 | syzop | Relationship added | child of 0003454 |
2008-12-23 16:40 | syzop | Relationship deleted | child of 0003454 |
2013-05-20 04:34 | | Note Added: 0017615 | |
2013-05-20 04:34 | | Status | confirmed => resolved |
2013-05-20 04:34 | | Resolution | open => no change required |
2013-05-20 04:34 | | Assigned To | => nenolod |