View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005027 | unreal | ircd | public | 2017-11-06 01:06 | 2017-11-10 17:16 |
Reporter | Koragg | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Product Version | 4.0.15 | ||||
Summary | 0005027: m_antirandom except-hosts does not except hosts from randomness checks | ||||
Description | The m_antirandom module's except hosts does not prevent hosts from being caught and disallowed connecting to the server/network. This can become an issue with webirc, in particular with the latest (as of the point of this post not fully completed) version of the KiwiIRC client, kiwiirc.com/nextclient. Even though it uses the same IP addresses as kiwiirc.com/client and ALL of those IP addresses were in set::antirandom except-hosts, they still were incapable of connecting. The issue has been temporarily circumvented by making all KiwiIRC users have a fixed Ident, yet except-hosts of m_antirandom should be operating effectively. | ||||
Steps To Reproduce | Add in a webirc block (tested with KiwiIRC) with setting up a webirc client to authenticate with the password and have it connect to the network when its nick!user@host:gecos would most likely achieve a score that would cause m_antirandom to disallow it access to the network. | ||||
Additional Information | The configuration of m_antirandom is added as an attachment to further view the details and see if these might be specific to the utilized webirc client and to speed up resolving the issue. The webirc block is omitted as it is not relevant and contains the password, and the set { } block lacks the last } as it continues after the antirandom setting and the config is loaded without issues. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
3rd party modules | |||||
|
If you use webirc then you shouldn't add the IP of the webirc gateway but of the end-user. After all, the hostname and IP are spoofed. There is another request at 0005007 to have an option to exempt all webirc users from antirandom. That user and possibly you (?) have the IP address encoded in the ident. In my opinion this is really bad practice: you are already using webirc spoofing so there's no reason to reveal the IP to other users, they can already ban by (cloaked) host/ip. |
|
Dear syzop, Adding in every single end user who would use a webirc client is not just impractical but impossible to a degree when the network might grow and attract many new people. The kiwiirc.com/nextclient is still set up so that it uses the hashed IP of the user as their Ident by default; I changed this to a fixed Ident as a temporary fix. As the above mentioned is a prefixed standard, we had to change it by hand, which should not have been necessary. Perhaps the interpretation of the documentation is then unclear, and not just to me then maybe. Thank you for clarifying things and could the except-hosts also take the webirc gateway? If security is a concern, the password is (usually) well stored away within the config, yet I am not sure if it can be technically implemented. Regards, Koragg |
|
But, on the topic of security, why do you (and they) expose the IP in the ident when you use WEBIRC? I can only think of downsides: you expose the IP of a user, making him/her vulnerable to various kinds of attacks by fellow users. The only legit reason for doing this would be if you _do not_ use WEBIRC and everyone is coming from the same ip. Don't you agree? |
|
Will use 0005007 to track the set::antirandom::exempt-webirc suggestion :) |
Date Modified | Username | Field | Change |
---|---|---|---|
2017-11-06 01:06 | Koragg | New Issue | |
2017-11-06 01:06 | Koragg | File Added: m_antirandom_config.txt | |
2017-11-08 11:32 | syzop | Note Added: 0019951 | |
2017-11-08 23:31 | Koragg | Note Added: 0019954 | |
2017-11-09 17:49 | syzop | Note Added: 0019955 | |
2017-11-10 17:14 | syzop | Relationship added | duplicate of 0005007 |
2017-11-10 17:16 | syzop | Assigned To | => syzop |
2017-11-10 17:16 | syzop | Status | new => closed |
2017-11-10 17:16 | syzop | Resolution | open => duplicate |
2017-11-10 17:16 | syzop | Note Added: 0019956 |