View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006315 | unreal | ircd | public | 2023-07-17 05:41 | 2023-07-23 18:27 |
Reporter | Assigned To | syzop | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | no change required | ||
Summary | 0006315: Hide server name support | ||||
Description | On InspIRCd you can hide the server name from ALL notices and from netsplits. This can be configured to spit out whatever you want, but most people use *.network.com. You can also customize /VERSION output to whatever string you want. On connect and on /VERSION Insp by default will only report the major version instead of the specific minor version. This functionality would be nice to be able to enable on UnrealIRCd. People may conflate an older version as being insecure, when it is a distro version being patched by the distro security team. | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
|
> On InspIRCd you can hide the server name from ALL notices and from netsplits. This can be configured to spit out whatever you want, but most people use *.network.com

On UnrealIRCd you can already hide server names from netsplits with the set::options::flat-map option. The only useful part of hiding a server is that you can't see to which server someone is connected. But, does this improve security at all?

> You can also customize /VERSION output to whatever string you want.

I'd like to see a custom version output but always saying which IRCd is running. Something like: AmazingNet 1.0.0/UnrealIRCd 6.1.1.1

> On connect and on /VERSION Insp by default will only report the major version instead of the specific minor version. This functionality would be nice to be able to enable on UnrealIRCd. People may conflate an older version as being insecure, when it is a distro version being patched by the distro security team.

Being aware of the minor version helps trim down some issues (you don't need to be a network admin to report bugs), which would be impossible if you only know that the network is running UnrealIRCd 6.
|
The VERSION hiding is just security by obscurity, it provides no security at all. If you are trying to hide a vulnerable version, or think you feel safer from scanners: DON'T! One can just launch the exploit regardless of looking up the version first. Also one can figure out which UnrealIRCd version you are using through fingerprinting (slightly different behavior between versions, since.. surprise.. things change between versions). But in the end it provides no security at all. Like I said, it is called "security through obscurity".

As for hiding server names. This has been requested as early as 2004. The only thing we offer is flat-map, which prevents a single direct "snapshot", a look of how the complete network map is, and related to that if you enable it, it hides the splits indeed as *.net *.split. Other than hiding hop counts and making it a flat map, it makes no effort to hide server names otherwise. Trying to hide server names everywhere in the code is quite intrusive and for nearly no benefit. If I can connect to your server, I know the IP address, so.. what is there to gain? It is all quite silly really. I never understood why people wanted it, neither did my fellow coders like codemastr. Same for PeGaSuS. So that's why we never implemented this, it is not because inspircd created some feature that we didn't know about, it is because we rejected the feature long before inspircd actually existed.

We have been suggesting for a long time the idea of a hub with an unpublished DNS record, which has long been in our Security article. Nowadays we just suggest good DDoS protection. You can still do that trick though, especially with some strict firewall rules on the hub, it protects the hub quite a bit, maybe I should add that back in the Security article... it kinda got lost during the article rewrite. For leafs / client servers, those that people connect to, you and an attacker already know the IP, so these cannot be defended that way.
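The "strict firewall rules on the hub" idea from the note above, sketched as an nftables ruleset. This is an added example, not part of the issue thread or of UnrealIRCd's documentation. The link port 6900, the table and set names, and all addresses (documentation ranges) are assumptions to replace with your own values.

```nftables
# Constructed example for a hub with an unpublished DNS record.
# Load with: nft -f hub.nft  (file name is hypothetical)
table inet hub_filter {
    # Leaf servers allowed to link to this hub (placeholder addresses).
    set leaf_v4 {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Hosts allowed to administer the hub over SSH (placeholder address).
    set admin_v4 {
        type ipv4_addr
        elements = { 198.51.100.5 }
    }

    chain input {
        # Default drop: anything not matched below never reaches the ircd.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Keep ICMP that path MTU discovery and IPv6 neighbor discovery need.
        icmp type { destination-unreachable, time-exceeded } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Server links only from known leafs (port 6900 is an assumption).
        tcp dport 6900 ip saddr @leaf_v4 accept

        # Administration only from known hosts.
        tcp dport 22 ip saddr @admin_v4 accept

        # No client ports are opened: users connect to the leafs, never the hub.
    }
}
```

Links the hub opens outbound to leafs are covered by the established,related rule, so no leaf-side port needs listing here.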
Date Modified | Username | Field | Change |
---|---|---|---|
2023-07-17 05:41 | | New Issue | |
2023-07-17 12:29 | PeGaSuS | Note Added: 0022966 | |
2023-07-23 18:27 | syzop | Assigned To | => syzop |
2023-07-23 18:27 | syzop | Status | new => closed |
2023-07-23 18:27 | syzop | Resolution | open => no change required |
2023-07-23 18:27 | syzop | Note Added: 0022970 |