View Issue Details

ID: 0005027
Project: unrealircd
View Status: public
Last Update: 2017-11-10 17:16
Reporter: Koragg
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 4.0.15
Target Version: (none)
Fixed in Version: (none)
Summary: 0005027: m_antirandom except-hosts does not except hosts from randomness checks

Description: The m_antirandom module's except-hosts does not prevent hosts from being caught and disallowed from connecting to the server/network. This can become an issue with webirc, in particular with the latest (as of the point of this post not fully completed) version of the KiwiIRC client, kiwiirc.com/nextclient. Even though it uses the same IP addresses as kiwiirc.com/client and ALL of those IP addresses were in set::antirandom except-hosts, they still were incapable of connecting. The issue has been temporarily circumvented by making all KiwiIRC users have a fixed Ident, yet except-hosts of m_antirandom should be operating effectively.

Steps To Reproduce: Add in a webirc block (tested with KiwiIRC) with setting up a webirc client to authenticate with the password and have it connect to the network when its nick!user@host:gecos would most likely achieve a score that would cause m_antirandom to disallow it access to the network.

Additional Information: The configuration of m_antirandom is added as an attachment to further view the details and see if these might be specific to the utilized webirc client and to speed up resolving the issue. The webirc block is omitted as it is not relevant and contains the password, and the set { } block lacks the last } as it continues after the antirandom setting and the config is loaded without issues.

Tags: No tags attached.
3rd party modules

Relationships

duplicate of 0005007 (resolved, syzop): antirandom: exclude webirc option

Activities

Koragg

2017-11-06 01:06

reporter  

m_antirandom_config.txt (430 bytes)

syzop

2017-11-08 11:32

administrator   ~0019951

If you use webirc then you shouldn't add the IP of the webirc gateway but of the end-user. After all, the hostname and IP are spoofed.

There is another request at 0005007 to have an option to exempt all webirc users from antirandom. That user and possibly you (?) have the IP address encoded in the ident. In my opinion this is really bad practice: you are already using webirc spoofing so there's no reason to reveal the IP to other users, they can already ban by (cloaked) host/ip.
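
As an added illustration (not UnrealIRCd's own code), the following Python model shows why excepting the gateway address does nothing once WEBIRC has replaced the client's host and IP with the end user's, and how an exempt-webirc option like the one tracked in 0005007 would behave. The addresses, hostnames and the mask matching are constructed simplifications, not the module's real logic.

```python
import fnmatch
from dataclasses import dataclass

# Hypothetical model (not UnrealIRCd code) of how a WEBIRC-spoofed client is
# matched against set::antirandom::except-hosts. All addresses and hostnames
# below are constructed sample values.

@dataclass
class Client:
    nick: str
    ident: str
    host: str
    ip: str
    webirc: bool = False   # set once a trusted gateway has spoofed the client

def apply_webirc(client: Client, user_host: str, user_ip: str) -> Client:
    """Model a successful WEBIRC command: the TCP connection still comes from
    the gateway, but the client's visible host and IP become the end user's."""
    client.host = user_host
    client.ip = user_ip
    client.webirc = True
    return client

def is_excepted(client: Client, except_hosts: list[str],
                exempt_webirc: bool = False) -> bool:
    """True if the randomness check must be skipped: one of the except-hosts
    masks matches the client's *current* host or IP, or (hypothetical
    exempt-webirc option from 0005007) the client came in through WEBIRC."""
    if exempt_webirc and client.webirc:
        return True
    return any(fnmatch.fnmatchcase(client.host, mask)
               or fnmatch.fnmatchcase(client.ip, mask)
               for mask in except_hosts)

GATEWAY_IP = "198.51.100.10"   # constructed: the web gateway's address
USER_IP = "203.0.113.77"       # constructed: the real end user's address

def demo() -> dict:
    """Except-hosts holding only the gateway IP never matches after WEBIRC;
    the end user's IP (or a mask covering it) does."""
    c = Client("kiwi1", "kiwi", "gateway.example.net", GATEWAY_IP)
    apply_webirc(c, "user.example.org", USER_IP)
    return {
        "gateway_in_except": is_excepted(c, [GATEWAY_IP]),      # False
        "user_in_except": is_excepted(c, [USER_IP]),            # True
        "user_mask": is_excepted(c, ["203.0.113.*"]),           # True
        "exempt_webirc": is_excepted(c, [GATEWAY_IP], True),    # True
    }
```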

Koragg

2017-11-08 23:31

reporter   ~0019954

Dear syzop,

Adding in every single end user who would use a webirc client is not just impractical but impossible to a degree when the network might grow and attract many new people.
The kiwiirc.com/nextclient is still set up so that it uses the hashed IP of the user as their Ident by default; I changed this to a fixed Ident as a temporary fix.
As the above mentioned is a prefixed standard, we had to change it by hand which should not have been necessary. Perhaps the interpretation of the documentation is then unclear, and not just to me then maybe.
Thank you for clarifying things and could the except-hosts also take the webirc gateway? If security is a concern, the password is (usually) well stored away within the config, yet I am not sure if it can be technically implemented.

Regards,
Koragg

syzop

2017-11-09 17:49

administrator   ~0019955

But, on the topic of security, why do you (and they) expose the IP in the ident when you use WEBIRC?
I can only think of downsides: you expose the IP of a user, making him/her vulnerable to various kinds of attacks by fellow users.

The only legit reason for doing this would be if you _do not_ use WEBIRC and everyone is coming from the same ip.

Don't you agree?

syzop

2017-11-10 17:16

administrator   ~0019956

Will use 0005007 to track the set::antirandom::exempt-webirc suggestion :)

Issue History

Date Modified Username Field Change
2017-11-06 01:06 Koragg New Issue
2017-11-06 01:06 Koragg File Added: m_antirandom_config.txt
2017-11-08 11:32 syzop Note Added: 0019951
2017-11-08 23:31 Koragg Note Added: 0019954
2017-11-09 17:49 syzop Note Added: 0019955
2017-11-10 17:14 syzop Relationship added duplicate of 0005007
2017-11-10 17:16 syzop Assigned To => syzop
2017-11-10 17:16 syzop Status new => closed
2017-11-10 17:16 syzop Resolution open => duplicate
2017-11-10 17:16 syzop Note Added: 0019956