View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005007 | unreal | ircd | public | 2017-09-12 21:14 | 2019-12-28 09:43 |
Reporter | marco500 | Assigned To | syzop | ||
Priority | normal | Severity | feature | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Platform | Linux | OS | Linux Bitches | OS Version | Ubuntu linux |
Product Version | 4.0.13 | ||||
Target Version | 4.2.0 | Fixed in Version | 4.2.0 | ||
Summary | 0005007: antirandom: exclude webirc option | ||||
Description | *** [antirandom] denied access to user with score 5: lysAHGpUtybX!lysAHGpUty@localhost:lysAHGpUtybX This nick is only getting a score of 5 and there are some random looking nicks that are getting less of a score and I realize that it would be extremely difficult to catch all of them but I was curious if there could not be a way to improve the algorithm that detects antirandom nicks... seems like there is a better way :). | ||||
Steps To Reproduce | ... | ||||
Additional Information | .... | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
|
It would also be useful if it could have some way to detect if the user is connecting from a valid webirc block and then not act. In my case that would be helpful as I have the web client set up to send the 'ident' part as the user IP in hex format, it could be something like [email protected], which will trigger the antirandom protection. |
|
Antirandom uses a table of 3 letter combinations that are "uncommon" in English. I don't remember where they come from, but they are not mine. I believe they call them "triples", it may be from spamassassin. So if there's some kind of new table then I can update it, but I'm not going to do my own research on them :D Other than that, sure, adding exemptions for webirc blocks is easy to add. |
|
That would be very nice indeed. Maybe an option like 'set::antirandom::exclude-webirc yes|no'. I could perhaps set a fixed ident to the user, but there are a few bots that need the "hex2ip" ident in order to voice users in case the channel is moderated. |
|
Oh, I misunderstood, this is not for a trusted WEBIRC gateway[*] but for a random client that may be using an untrusted gateway? [*] One you have a webirc { } block for |
|
No, it's for trusted webirc blocks. But for example, all my KiwiIRC webirc instances are sending the ident as hexip. |
|
Oh, okay. Yeah sure I'll add it. That being said - and completely off-topic - I think from a user's POV it would be nicer not to include their IP to be shown to everyone :D |
|
I must agree, but it was used that way when UnrealIRCd had no blacklist support, so I had an eggdrop converting hexip into a real IP and then checking ports which allowed me to ban users using proxies. But now, maybe I should set a fixed ident. |
|
0005027 was about the same thing, which an exempt webirc option could help with. I don't understand why people (not just him, not just you, nothing personal) would configure their webirc software/gateway like that. Revealing the IP addresses of users is really a bad idea IMO. Anyway, this bug will be used to track this feature. It will not be in 4.0.16. |
|
Dear syzop, Perhaps it was not clear the way I formulated it, but using the hashed IP of users as ident was a default in the webirc which is an insensible default indeed. Thus I changed for that reason on my network. Also it says on the UnrealIRCd docs website for antirandom that the webirc IP is to be specifically entered if one uses webirc/cgi:irc as stated here: https://www.unrealircd.org/docs/Set_block#set::antirandom |
|
> Perhaps it was not clear the way I formulated it, but using the hashed IP of users as ident was a default in the webirc which is an insensible default indeed. Thus I changed for that reason on my network.

Ah ok, I missed that. Good :D

> Also it says on the UnrealIRCd docs website for antirandom that the webirc IP is to be specifically entered if one uses webirc/cgi:irc as stated here: https://www.unrealircd.org/docs/Set_block#set::antirandom

I see. That is incorrect indeed, I'll fix the docs and config.

EDIT: Ah I understand where this is coming from, this is from before the hostname spoofing I think ;). Anyway I'll just remove the phrase(s), they are confusing. |
|
Side note on the improvement: I've just re-enabled the antirandom module yesterday and while setting it up, I've found that CIDR masks aren't accepted. This module should support it, as a way to exempt some ISPs and other service providers, such as IRCCloud that have their own /64 and /48 IPv6 address blocks. Best regards. |
|
commit 0a9306ca5bb7720938e8ee9fc10c7eda56744502
Author: Bram Matthys <[email protected]>
Date: Sun Dec 17 10:06:39 2017 +0100

    CIDR support in set::antirandom::except-hosts

    Or, to be more precise: converted code to use match_user() framework.
    This also means the preferred style is now:
    except-hosts {
        mask 192.168.*;
        mask 127.*;
        mask 1.2.3.0/24;
    };
    But the old style (without 'mask') still works. |
|
Sorry for putting some pressure on this, but we really need a way for WEBIRC blocks to bypass this restriction. I've added the WEBIRC blocks for KiwiIRC but users can't connect using the kiwiirc.com web client, because this happens:

*** [antirandom] denied access to user with score 5: [email protected]:[https://kiwiirc.com] Development release

Looking forward to seeing this solved soon. Cheers |
|
Side note: Worth mentioning that my antirandom setup has the threshold set to 4 |
|
Ok, understood. I'll see what I can do. This is a rather general bugreport by the way. It started with some scoring talk. With regards to that: I looked for other sets of "triples" (which would update the scoring algorithm so to say) and couldn't find one. I'm now going to use this bug report for the exclude webirc option only. Once that's done, I intend to close it. |
|
bugreport renamed and set as target for UnrealIRCd 4.0.19. |
|
https://github.com/unrealircd/unrealircd/commit/d3dba63f564a87b6e2e35425cc4130b00e10a20e

commit d3dba63f564a87b6e2e35425cc4130b00e10a20e (HEAD -> unreal40, origin/unreal40, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sun Sep 2 12:34:03 2018 +0200

    AntiRandom: The module will now (by default) exempt WEBIRC gateways from
    antirandom checking because they frequently cause false positives.
    This new behavior can be disabled via:
    set { antirandom { except-webirc no; }; };

    Suggested by The_Myth in https://bugs.unrealircd.org/view.php?id=5007 |
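
A model of the exemption decision that the two commits in this thread describe (except-webirc, then except-hosts with glob or CIDR masks), added here as an illustration and not UnrealIRCd's own code. The function names, the `via_webirc` field, the dict layout and the sample users are assumptions; the first three masks are the ones from the commit message, and the IPv6 /48 is a constructed documentation prefix.

```python
import fnmatch
import ipaddress
from typing import Optional

def mask_matches(mask: str, ip: str, host: str) -> bool:
    """One except-hosts mask: CIDR is tested against the IP, anything else is a glob."""
    if "/" in mask:
        try:
            net = ipaddress.ip_network(mask, strict=False)
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # a malformed mask or address never exempts anyone
        return addr.version == net.version and addr in net
    mask = mask.lower()
    return (fnmatch.fnmatchcase(ip.lower(), mask)
            or fnmatch.fnmatchcase(host.lower(), mask))

def antirandom_exempt(user: dict, cfg: dict) -> Optional[str]:
    """Return why this user skips antirandom scoring, or None if it is scored."""
    # via_webirc (assumed field) must only be set once the gateway has
    # authenticated against a webirc { } block, never on the client's say-so.
    if cfg.get("except-webirc", True) and user.get("via_webirc", False):
        return "except-webirc"
    for mask in cfg.get("except-hosts", []):
        if mask_matches(mask, user["ip"], user.get("host", user["ip"])):
            return "except-hosts " + mask
    return None

# Constructed sample configuration and connections (not taken from the report).
CFG = {
    "except-webirc": True,  # the default described in the 2018 commit
    "except-hosts": ["192.168.*", "127.*", "1.2.3.0/24", "2001:db8:1234::/48"],
}
USERS = [
    {"nick": "webuser", "ip": "203.0.113.7", "host": "gw.example.net", "via_webirc": True},
    {"nick": "lanuser", "ip": "192.168.4.20"},
    {"nick": "v6user", "ip": "2001:db8:1234:5::1"},
    {"nick": "other", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["nick"], "->", antirandom_exempt(u, CFG) or "scored by antirandom")
```

With `except-webirc` set to no, the first sample user is scored like any other client unless one of the except-hosts masks covers its address.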
Date Modified | Username | Field | Change |
---|---|---|---|
2017-09-12 21:14 | marco500 | New Issue | |
2017-09-16 18:21 | syzop | Summary | I was wondering if improvments can be made with antirandom? => improve antirandom? |
2017-09-16 20:08 | syzop | Priority | high => normal |
2017-10-09 22:49 | PeGaSuS | Note Added: 0019912 | |
2017-10-11 10:17 | syzop | Note Added: 0019918 | |
2017-10-11 11:08 | PeGaSuS | Note Added: 0019920 | |
2017-10-11 13:02 | syzop | Note Added: 0019921 | |
2017-10-11 13:06 | PeGaSuS | Note Added: 0019922 | |
2017-10-11 13:08 | syzop | Note Added: 0019923 | |
2017-10-11 13:35 | PeGaSuS | Note Added: 0019924 | |
2017-11-10 17:14 | syzop | Relationship added | has duplicate 0005027 |
2017-11-10 17:19 | syzop | Note Added: 0019957 | |
2017-11-10 17:20 | syzop | Status | new => acknowledged |
2017-11-15 10:05 | Koragg | Note Added: 0019967 | |
2017-11-15 11:44 | syzop | Note Added: 0019968 | |
2017-11-15 11:48 | syzop | Note Edited: 0019968 | |
2017-11-25 14:36 | PeGaSuS | Note Added: 0019976 | |
2017-12-17 10:08 | syzop | Note Added: 0019989 | |
2017-12-17 16:13 | syzop | Note Edited: 0019989 | |
2018-07-08 01:09 | PeGaSuS | Note Added: 0020186 | |
2018-07-08 01:18 | PeGaSuS | Note Added: 0020187 | |
2018-07-14 16:19 | syzop | Note Added: 0020192 | |
2018-07-14 16:19 | syzop | Target Version | => 4.2.0 |
2018-07-14 16:19 | syzop | Summary | improve antirandom? => antirandom: exclude webirc option |
2018-07-14 16:19 | syzop | Note Added: 0020193 | |
2018-07-14 16:21 | syzop | Note Edited: 0020193 | |
2018-07-14 16:35 | syzop | Sticky Issue | No => Yes |
2018-09-02 12:35 | syzop | Assigned To | => syzop |
2018-09-02 12:35 | syzop | Status | acknowledged => resolved |
2018-09-02 12:35 | syzop | Resolution | open => fixed |
2018-09-02 12:35 | syzop | Fixed in Version | => 4.2.0 |
2018-09-02 12:35 | syzop | Note Added: 0020251 | |
2019-12-28 09:43 | syzop | Sticky Issue | Yes => No |