View Issue Details

IDProjectCategoryView StatusLast Update
0005002unrealircdpublic2018-09-05 10:02
ReporterHeXiLeDAssigned Tosyzop 
PrioritynormalSeverityfeatureReproducibilityN/A
Status closedResolutionno change required 
PlatformLinuxOSAny:OS VersionLatest stable
Product Version4.0.13 
Target VersionFixed in Version 
Summary0005002: /gline on SSL certfp
DescriptionIn regards to the following feature which is greatly appreciated and useful to control bot attacks and much more.

An additional enhancement should be made to give more control to the admins when several clones are connected.

The best example of such clone situation is the use of tor hidden service to run the ircd, which will cause all clients to have *@127.0.0.1.

Another example would be users doing ssh to remote box and connect to to localhost ircd.

Other examples include places with several machines but that have only one exit gateway wan ip address.

Using the best case described above and in other to allow tor users to connect and prevent almost all abuses from it's usage, the use of a client certificate is excellent but still leaves some gaps such as how to discipline that one specific abuser without causing issues to the rest *@127.0.0.1

For example in a case of a bot attack which although is already severely mitigated by the fail-if-no-clientcert, one could still load all the bots with the same certificate.

The proposed enhancement is to allow channel operators and admins to apply bans, kicks, shuns, glines, zlines, klines and so on, based on client fingerprint.

Such functionality will allow everyone to have the same ip, but still allow traditional (old) disciplinary actions to work based on the client cryptography certificate fingerprint
Steps To ReproduceATM N/A
Additional Informationhttps://www.unrealircd.org/docs/Set_block#set::ssl::options::fail-if-no-clientcert

set::ssl::options::fail-if-no-clientcert
Syntax: set::ssl::options::fail-if-no-clientcert

Forces clients that do not have a certificate to be denied.
Tagsaccess control, certfp, conf, security
3rd party modules

Activities

syzop

2017-09-08 20:10

administrator   ~0019844

Certificates are easy to generate, though. It takes only a second or two. I have my doubts about how useful it will be for banning.

For that reason in the https://www.unrealircd.org/docs/Extended_bans documentation regarding ~S:certfp.. it only shows +e and +I as examples since +b ~S:xxxx would have limited use (but you CAN set it).

Since I have my doubts how useful this will be for the general public I was just thinking of an alternative for you. Everyone is coming from localhost so the host field is useless right now, correct? Perhaps a new module could be made that sets the host to the SSL client certificate fingerprint. That may even look neater.

syzop

2018-09-05 10:02

administrator   ~0020262

I think 0005002 and 0005042 are really 'niche' features that are not big enough to be in UnrealIRCd core (or having me spend time on).
Best would be what I mentioned earlier: have some module change the hostname to the certfp. Perhaps ask Gottem ;)

Issue History

Date Modified Username Field Change
2017-09-08 16:34 HeXiLeD New Issue
2017-09-08 16:34 HeXiLeD Tag Attached: certfp
2017-09-08 16:34 HeXiLeD Tag Attached: conf
2017-09-08 16:34 HeXiLeD Tag Attached: access control
2017-09-08 16:34 HeXiLeD Tag Attached: security
2017-09-08 20:10 syzop Note Added: 0019844
2017-09-09 17:19 syzop View Status private => public
2017-09-16 18:24 syzop Summary ssl::options::fail-if-no-clientcert complementary feature => /gline on SSL certfp
2018-09-05 10:02 syzop Assigned To => syzop
2018-09-05 10:02 syzop Status new => closed
2018-09-05 10:02 syzop Resolution open => no change required
2018-09-05 10:02 syzop Note Added: 0020262