View Issue Details

ID: 0005042
Project: unrealircd
Category:
View Status: public
Last Update: 2018-09-05 10:02
Reporter: HeXiLeD
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: no change required
Platform: Linux
OS: Any:
OS Version: Latest stable
Product Version: 4.0.17
Summary: 0005042: Allow max per certFP like the allow block maxperip (enhancement)
Description: I would like to suggest a feature in the line of enhanced security.
This feature complements and works with:
https://unrealircd.com/docs/Allow_block
fail-if-no-clientcert and max-unknown-connections-per-ip

Currently we can set how many clients we allow connecting from the same IP and can specify exceptions for specific IPs.

However, for clients connecting from Tor hidden services, local shells or LANs that have only one exit to the WAN, these exceptions do not give much control to legit and non-legit users.

If one wants to prevent abuses from users using the same exit IP or Tor services/localhost, currently there is not much that can be done.

Some methods can be implemented to improve control of these connections, such as fail-if-no-clientcert for a network that only accepts clients using certFP and registers them with services, and allowing only X number of certFPs to be reused by the same user.

An example would be setting the number of allowed certFPs per user to the desired number of connections from that user, for better fine-grained control.


Steps To Reproduce: Connect from localhost or the same LAN exit to the WAN until reaching all the allowed connections in the allow block, without better control over who is who (clones).
Additional Information: The proposed solution and enhancement would allow better control for real clone client connections from the same IP and deter bots and real users from loading the same certFP endlessly.
Tags: access control, certfp, clones, conf, maxperip
3rd party modules

Activities

syzop (administrator)   2018-09-05 10:02   ~0020261

I think 0005002 and 0005042 are really 'niche' features that are not big enough to be in UnrealIRCd core (or having me spend time on).
Best would be what I mentioned earlier: have some module change the hostname to the certfp. Perhaps ask Gottem ;)

Issue History

Date Modified Username Field Change
2017-12-28 18:41 HeXiLeD New Issue
2017-12-28 18:41 HeXiLeD Tag Attached: access control
2017-12-28 18:41 HeXiLeD Tag Attached: certfp
2017-12-28 18:41 HeXiLeD Tag Attached: conf
2017-12-28 18:41 HeXiLeD Tag Attached: clones
2017-12-28 18:41 HeXiLeD Tag Attached: maxperip
2018-09-05 10:02 syzop Assigned To => syzop
2018-09-05 10:02 syzop Status new => closed
2018-09-05 10:02 syzop Resolution open => no change required
2018-09-05 10:02 syzop Note Added: 0020261