From UnrealIRCd documentation wiki
Jump to navigation Jump to search
This page contains changes which are not marked for translation.
Other languages:
English • ‎français • ‎中文(台灣)‎

If you were just looking for a small list of features then have a look at the About UnrealIRCd article instead.

Below we will explain a number of features in-depth. If you are still in the process of getting your UnrealIRCd server up and running then we recommend you to only quickly glance over them. Once your server is up and running you may want to read this section more in depth, or just use it as a reference when you want to find out more about a feature.


Other languages:
English • ‎français • ‎中文(台灣)‎

With UnrealIRCd 4 we moved a lot of functionality into separate modules (150+ of them!). Most channel modes, user modes and all extended bans are in modules now.


  1. Makes it possible to fully customize what exact functionality you want to load
  2. For coders it's easier to see all the source code related to a specific feature
  3. Allows bugs to be fixed without needing to restart the IRCd. Just rehash to reload the module(s).

Loading modules[edit]

For more information on how to load modules, see the Loadmodule directive.

If you just want to load all available modules (and thus all functionality) contained in UnrealIRCd, then put this in your unrealircd.conf:

include "modules.default.conf";

Available modules[edit]

UnrealIRCd has over 150 modules. Which module to load to enable/disable a certain feature is mentioned in the appropriate article:

Additionally, you may want to take a look at modules.default.conf as well.


UnrealIRCd allows users to authenticate to their services account before they are online. This also means you can require authentication so unauthenticated users cannot enter the server. This can be done selectively (eg: only certain IP addresses, only TOR proxy users, etc.) or simply for everyone (if you want a closed chat server).

Read more on authentication here


Other languages:
English • ‎français • ‎中文(台灣)‎

Cloaking is a way to hide the real hostname of users on IRC. For example if your real host is d5142341.cable.wanadoo.nl then without cloaking a join will look like this:

*** User (~none@d5142341.cable.wanadoo.nl) has joined #test

With cloaking enabled users will see:

*** User (~none@rox-2DCA3201.cable.wanadoo.nl) has joined #test

As you can see the host is cloaked (disguised, partially hidden) so other people don't get to see your real hostname nor your IP. This feature is useful to prevent users from flooding/attacking each other, they can't flood the other party without knowing their real host/IP. The host is not just cloaked in JOIN's, it's also hidden in PART, WHOIS, etc.. every command that would otherwise have exposed your real host or IP to another user.

Cloaking is controlled by usermode +x (like: /mode yournick +x). Normally admins force +x to be enabled by default (through set::modes-on-connect).

A cloaked host is generated by a cloaking module. You must load at least one cloaking module, but don't worry about it too much as the default modules.default.conf (that almost everyone uses) will load the default cloaking module shipped with UnrealIRCd. It's also possible to use another cloaking algorithm created by a 3rd party.

The cloaking algorithm requires (secret) cloaking keys to be set, see set::cloak-keys for more information.

Cloak keys MUST be the same on ALL SERVERS in a network. Also cloak keys must be kept secret because it's possible to decode (or rather: brute force) the original host when you know the keys, doing so would make the whole point of cloaking useless.

Note that while cloaking protects the individual from having the IRC server expose the IP/hostname of the user, there are still plenty of other ways for a user to expose his/her IP. For example, if you ask a user to surf to a website under your own control, and the user does this, you could then check the log file of your web server to see the users' IP.

Remote includes[edit]

Remote includes are a great way of sharing your configuration settings between servers, ideal for multi-server IRC networks. You simply put your (shared) configuration files on a secure location, like a trusted web server and IRC servers will load it from there when they startup or /REHASH. Remote includes support https and many other protocols.

Read more on remote includes here


Other languages:
English • ‎français • ‎中文(台灣)‎

Snomasks are server notice masks. It's a special type of user mode that controls which server notices you will receive. Only IRCOps can set snomasks.

It can be set by: /MODE yournick +s SNOMASK, for example: /MODE yournick +s +cF. To remove certain snomasks, use something like: /MODE yournick +s -c, or to remove all snomasks use /MODE yournick -s.

The current available snomasks are:

Snomask Module Description
b blacklist Messages from the DNS blacklist module
c built-in Local connects
D snomasks/dccreject Rejected DCC's due to Deny dcc blocks
F built-in Far connects (from other servers, except from U-lines like Services)
f built-in flood notices
k built-in kill notices
e built-in 'eyes' notices - a bit verbose (?)
j built-in Junk notices (noisy, possibly harmless things, mostly for debugging)
v built-in VHOST usage
G built-in GLINE and SHUN usage
n built-in Local nick changes
N built-in Remote nick change notices
q built-in Deny nick (QLINE) rejection notices
s built-in Receives server notices (includes the most important messages)
S built-in Spamfilter hits
o built-in Oper-up notices (/OPER usage)

You can control which snomasks IRCOps receive by default via set::snomask-on-oper, or in specific oper blocks via oper::snomask.


Other languages:
English • ‎français • ‎中文(台灣)‎

With aliases you can configure server-side alias commands. You can for example let /NS IDENTIFY blah be forwarded to NickServ. UnrealIRCd will then convert that command to be like /MSG NickServ IDENTIFY blah. You can even make more complex aliases: for example have the /REGISTER command forward the message to ChanServ if the first parameter begins with a # and forwarded it to NickServ if it doesn't.

Aliases are configured in the Alias block.

Note that UnrealIRCd comes with a decent set of default aliases for anope, atheme and other IRC Services. See the Commonly included files section.


Other languages:
English • ‎français • ‎中文(台灣)‎

UnrealIRCd has a built-in help system which can be used on IRC. It is intended as a quick-reference for commands and user and channel modes. It's configured through the Help block.

For example when you type /HELPOP CHMODES on IRC you will get an overview of all channel modes UnrealIRCd has. To see the index of all help commands run /HELPOP without parameters.

IRCOp access control[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

In UnrealIRCd you can very precisely specify which rights you want to grant or deny to an IRCOp. You do this via a combination of the Operclass block and the Oper block.

IRCOp commands[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

UnrealIRCd comes with a lot of commands for IRCOp's to combat security threats, abusive users and manage things. They are listed under User & Oper commands in this wiki or you can see a list on IRC via the Helpop system by executing /HELPOP OPERCMDS.


Other languages:
English • ‎français • ‎中文(台灣)‎

SSL stands for Secure Socket Layer. Later this has been renamed to TLS (Transport Layer Security) but most people still call it SSL.

Why use SSL[edit]

When you use SSL for a connection then all the traffic between the two endpoints is encrypted. Nobody can see/sniff/snoop the data (theoretically, anyway). This is important as IRC traffic often includes things like passwords and other sensitive information.

You probably see https:// sites on the internet all the time. HTTPS is simply HTTP with SSL and it's used for banking, e-commerce sites and nowadays a lot of regular sites as well. The same technology (SSL) can be used for IRC.

How to use SSL[edit]

To use SSL on IRC you need two things:

  • An SSL port needs to be opened up on the server. The example configuration file opens up port 6697 for this (in the Listen block with listen::options::ssl)
  • You need an SSL-capable client

SSL-capable clients are widespread nowadays. mIRC, XChat, irssi all support SSL.

The UnrealIRCd team recommends to use SSL/TLS as much as possible. At the very least, use it to secure server to server traffic and for IRCOp client connections.

For real security you should validate certificates when you connect to servers and not blindly accept any SSL ceritificate. If you don't check them then you are still vulnerable to MitM attacks. That is, however, too off-topic to discuss here. See Wikipedia: Man-in-the-middle-attack for more background information. Clients like mIRC and XChat will show a popup prompt when a new (unknown) SSL certificate is detected.


Other languages:
English • ‎français • ‎中文(台灣)‎

UnrealIRCd makes use of the "dual IP stack" of your system, meaning it can listen on both IPv4 and IPv6 addresses. UnrealIRCd is always built with IPv6 support. To actually use IPv6 you'll need an IPv6 address on your machine.

Anti-flood features[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

Set block[edit]

In the configuration file in the set block you can configure a lot of the anti flood features. Note that UnrealIRCd already ships with good defaults, but you can change them if you wish.

There are many settings available in the set::anti-flood block, such as set::anti-flood::connect-flood to only allow X connections per YY seconds from the same IP. Other X per Y time settings are: nick-flood, join-flood, away-flood, invite-flood and knock-flood.

The option set::anti-flood::unknown-flood-amount is used to limit the amount of data in the handshake (rarely changed, default is a few KB's).

set::anti-flood::max-concurrent-conversations limits the number of concurrent conversions a user can have, which is another anti-flood feature so a user cannot /MSG tens of users at the same time.

set::max-targets-per-command limits the number of targets the user can specify in a command (eg: JOIN 3 channels at the same time via JOIN #a,#b,#c).

Again, the default settings are probably fine for you already, as we focus on security and do our best to have tight but good defaults.

DNS Blacklists[edit]

While technically not an anti-flood feature, it definitely helps against unwanted bots/drones/users. By using one or more blacklist blocks you can have UnrealIRCd check a DNSBL service to see if an IP was blacklisted due to abuse. This is highly recommended for a server on the internet. See the example section there.


This module is highly effective against bot/drone attacks. It will reject most "bad" connections, while still allowing most of your regular users in.

When the connthrottle module in UnrealIRCd detects a high number of users connecting from IP addresses that have not been seen before, then connections from new IP's are rejected above the set rate. For example at 10:60 only 10 users per minute can connect that have not been seen before. Known IP addresses (so: your regular users) can always get in, regardless of the set rate. Same for users who login using SASL.

This module was added in UnrealIRCd 4.2.3. At the time of writing (June 2019) it is not yet loaded by default, but this will change later in 2019.


With the antirandom module you can block random nicks like 'fhdshfdhf'.This module is not enabled by default because it may catch innocent users for non-English languages, especially for non-Western-European languages.

Channel modes[edit]

There are also some channel modes which can be very effective against floods. To name a few:

  • N: no nick changes
  • C: no CTCP's
  • M: only registered users may talk
  • K: no /KNOCK allowed

There is also the very advanced channel mode +f, see next.

Channel mode f[edit]

Instead of using scripts and bots to protect against channel floods it is now build into the ircd. An example +f mode is:

*** Blah sets mode: +f [10j]:15

This means 10 joins per 15 seconds are allowed in the channel, if the limit is hit, the channel will be set +i (Invite only) automatically.

The following floodtypes are available:

Type Name Default action Other actions Comments
c CTCPs Set channel mode +C (block all CTCP's) m, M
j joins Set channel mode +i (invite only) R
k knocks Set channel mode +K (no /knock's) Counted for local clients only
m messages/notices Set channel mode +m (regular users cannot speak) M
n nick changes Set channel mode +N (no nick-changes permitted)
t text Kick the user b Unlike all the rest, these are per-user message/notice limits. Action is to kick or kick+ban the user.


*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test
*** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
*** Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test
*** Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test
-- snip XX lines --
*** Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N

In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

What the best +f mode is heavily depends on the channel... how many users does it have? do you have a game that makes users msg a lot (eg: trivia) or do users often use popups? is it some kind of mainchannel or in auto-join? etc..

There's no perfect channelmode +f that is good for all channels, but to get you started have a look at the next example and modify it to suit your needs:
+f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15

  • 30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
  • 40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
  • 7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
  • 10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
  • 30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes

If it's some kind of large user channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit as well (to eg: 60 or 75).
Especially the remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.

Extended bans[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

Extended Bans are a special type of bans (+b), exempts (+e) and invite exceptions (+I) providing "extended" functionality.

These bans start with a tilde, followed by a letter denoting the extban type. For example +b ~q denotes a quiet extban. UnrealIRCd comes with a number of built-in extbans (loaded through Modules). 3rd party modules may introduce even more types.

The following ban type can be used in front of any (ext)ban:

Extban Module Explanation Example
t extbans/timedban Timed ban that will make a ban unset after the specified number of minutes.
NOTE: This module is not loaded by default, you need to load it explicitly via loadmodule "extbans/timedban"; in your unrealircd.conf.
+b ~t:3:*!*@hostname

The following ban types specify which actions (join, nick-change or speaking) are affected by a ban:

Extban Module Explanation Example
q extbans/quiet People matching these bans can join but are unable to speak, unless they have +v or higher. +b ~q:*!*@*.blah.com
n extbans/nickchange People matching these bans cannot change nicks, unless they have +v or higher. +b ~n:*!*@*.aol.com
j extbans/join When a user matches this (s)he may not join the channel but if already in the channel then all activities are permitted such as speaking or changing the nick. This can be useful to ban an entire ISP and then manually /INVITE people to the channel so once joined they can behave as normal. +b ~j:*!*@*.aol.com
m extbans/msgbypass Bypass message restrictions. This extended ban is only available as +e and not as +b. Syntax: +e ~m:type:mask.

Valid types are: external (bypass +n), moderated (bypass +m/+M), censor (bypass +G), color (bypass +S/+c) and notice (bypass +T).
NOTE: This module is not loaded by default, you need to load it explicitly via loadmodule "extbans/msgbypass"; in your unrealircd.conf.

+e ~m:moderated:*!*@192.168.*

+e ~m:external:*!*@192.168.*
+e ~m:color:~a:ColorBot

These bantypes introduce new criteria which can be used:

Extban Module Explanation Example
a extbans/account If a user is logged in to services with this account name, then this ban will match. This is slightly different than ~R, in the sense that a user with nick ABC may be logged in under account XYZ. Not all services packages support this, in which case you will have to use ~R instead. +e ~a:SomeAccount

+I ~a:SomeAccount

c extbans/inchannel If the user is in this channel then (s)he is unable to join. A prefix can also be specified (+/%/@/&/~) which means that it will only match if the user has that rights or higher on the specified channel. +b ~c:#lamers

+e ~c:@#trustedops

O extbans/operclass If the user is an IRCOp and the oper::operclass matches this name then the ban/invex will match. You can use this to for example create *admin* only channels. +iI ~O:*admin*
r extbans/realname If the realname (gecos) of a user matches this then (s)he is unable to join. Since real names may contain spaces you can use a underscore to match a space (and underscore) +b ~r:*Stupid_bot_script*
R extbans/regnick If a user has identified to services for this nick then this ban will match. This means this ban is generally only useful for ban exemptions (+e) and invite exceptions (+I). +e ~R:Nick

+I ~R:Nick

S extbans/certfp When a user is using SSL/TLS with a client certificate then you can match the user by his/her SSL fingerprint (the one you see in /WHOIS). Useful for ban exemptions (+e) and invite exceptions (+I). +e ~S:0000000etc

+I ~S:0000000etc

T extbans/textban Channel-specific text filtering. Supports two actions: 'censor' and 'block', see examples on the right.
NOTE: This module is not loaded by default, you need to load it explicitly via loadmodule "extbans/textban"; in your unrealircd.conf.
+b ~T:censor:*badword*

+b ~T:block:*something*

You may also stack extended bans from the 2nd group with the 3rd group. For example: +b ~q:~c:#lamers would quiet all users who have joined #lamers.

Ban types from the 3rd group can be used in invite exceptions (+I). For example you can put the channel +i and then use +I ~c:#trusted and/or +I ~a:accountname.

User modes[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎
User mode Module Description Restrictions
B usermodes/bot Marks you as being a bot. This will add a line to /WHOIS so people can easily recognize bots.
d built-in Makes it so you can not receive channel PRIVMSG's, except for messages prefixed with a set::channel-command-prefix character. Could be used by bots to reduce traffic so they only see !somecmd type of things.
D usermodes/privdeaf Makes it so you can not receive private messages (PM's) from anyone except IRCOps, servers and services.
NOTE: This module is new in 4.0.10 and is NOT loaded by default.
G usermodes/censor Swear filter: filters out all the "bad words" configured in the Badword block
H built-in Hide IRCop status. Regular users using /WHOIS or other commands will not see that you are an IRC Operator. IRCOp-only
I built-in Hide online time in /WHOIS. IRCOp-only
i built-in Makes you so called 'invisible'. A confusing term to mean that you're just hidden from /WHO and /NAMES if queried by someone outside the channel. Normally set by default through set::modes-on-connect (and otherwise by the users' IRC client).
o built-in IRC Operator Set by server
p usermodes/privacy Hide channels you are in from /WHOIS, for extra privacy.
q usermodes/nokick Unkickable (only by U:lines, eg: services) IRCOp-only (but not all)
r built-in Indicates this is a "registered nick" Set by services
R usermodes/regonlymsg Only receive private messages from users who are "registered users" (authenticated by Services)
S usermodes/servicebot User is a services bot (gives some extra protection) Services-only
s built-in Server notices, see Snomasks Mostly IRCOp-only
T usermodes/noctcp Prevents you from receiving CTCP's.
t built-in Indicates you are using a /VHOST Set by server upon /VHOST, /OPER, /*HOST, ..
W usermodes/showwhois Lets you see when people do a /WHOIS on you. IRCOp-only
w built-in Can listen to wallops messages (/WALLOPS from IRCOps')
x built-in Gives you a hidden / cloaked hostname.
Z usermodes/secureonlymsg Allows only users on a secure connection to send you private messages/notices/CTCPs. Conversely, you can't send any such messages to non-secure users either.
z built-in Indicates you are connected via SSL/TLS Set by server

Channel modes[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

Access levels[edit]

These are the modes that grant a certain 'level' to a user.

Channel mode Module Description Restrictions
v built-in Voice. This makes the user able to speak in +m/+M channels. User can also still speak if banned. May be set by +hoaq users
h built-in Half-Op. Gives some of the usual channel operator rights, but not all. They are basically a light version of channel ops. May be set by +oaq users
o built-in Channel Op. This is the channel operator privilege everyone knows about, allows the user to do almost all administrative tasks in a channel such as /KICK, /MODE, etc.. May be set by +oaq users
a built-in Channel Admin. A level above channel ops but with no special extra privileges except for one: people below chanadmin (so +h/+o) cannot KICK +a people. May be set by +q users
q built-in Channel Owner. The highest level. Channel owners can't be kicked by any level below. Usually there's only one person with +q and the mode is set by services. Normal users can't set this

Note that often Services are used to manage +vhoaq lists in so called "access lists" or AOP/HOP/etc. Consult your services documentation.

IRCOp's with OperOverride privileges may also set +vhoaq, same for IRCOp's with access to the /SAMODE command.

List modes[edit]

These are so called 'list modes'.

Channel mode Module Description Restrictions
b built-in Ban. Prevents a user from joining the channel. Requires +h or higher
e built-in Ban exception. When a user is banned (due to +b) and they are on this +e list then they may still join the channel. Requires +h or higher
I built-in Invite exception. When the channel is +i (invite only) then people on this list may still join the channel. Requires +h or higher

All these modes take a nick!user@host parameter, like: +b *!*@*.isp.com. See also Extended bans for other syntaxes (eg: +e ~c:@#channel).

Channel settings[edit]

These are channel modes that configure channel settings.

Channel mode Module Description Restrictions
c chanmodes/nocolor No color allowed in the channel. Will block ANSI and mIRC color codes. Requires +o or higher
C chanmodes/noctcp No CTCP's allowed in the channel. Requires +o or higher
D chanmodes/delayjoin Delays someone's JOIN message until that person speaks. Chanops and higher, opers and ulines/services are exempt. Requires +o or higher
d chanmodes/delayjoin When unsetting +D, Unreal needs to process all remaining delayed users (i.e. invisible in the channel to regular users) to make them JOIN. +d is an intermediate/temporary mode to facilitate this and will be unset once all users are properly "joined". Set by server
f chanmodes/floodprot Flood protection. This is a highly advanced feature, see Anti-flood features#Channel_mode_f Requires +o or higher
G chanmodes/censor Filter out bad words configured in Badword block Requires +o or higher
i built-in Invite only. Requires people to be /INVITE'd to the channel or be on the +I (Invite Exceptions) list (for that latter, see the List modes section above) Requires +o or higher
k built-in Require users to specify a channel key in order to join (/JOIN #chan key). Example: +k secret Requires +h or higher
K chanmodes/noknock /KNOCK command is not allowed. Requires +o or higher
L built-in Channel link. If the +l user limit (see below) is reached then users will automatically be redirected to this channel. Example: +L #something Requires +h or higher
l built-in Limit the amount of users that may be in the channel. If the limit is reached then any new JOIN's are rejected (see also +L above). Requires +o or higher
m built-in Moderated channel. Only people with +v or higher (+vhoaq) may speak. Requires +h or higher
M chanmodes/regonlyspeak Must be authenticated to services or have +v or higher to speak. Requires +o or higher
N chanmodes/nonickchange No nick-changes permitted. Normally not set, only during a a nick-flood flood attack. Requires +o or higher
n built-in No external messages. If you don't set +n then users outside the channel may still send messages to it. Thus, almost everyone will set their channel +n. Requires +h or higher
O chanmodes/operonly IRC Operator only channel IRCOp-only
P chanmodes/permanent Permanent channel. After all users leave a channel it is normally destroyed. If you set +P then this won't happen and all settings are preserved. IRCOp-only
p built-in Private channel Requires +o or higher
Q chanmodes/nokick No /KICK allowed. Can be used to force all chanops to use Services for kicking. Unusual, but possible. Requires +o or higher
R chanmodes/regonly Only registered users may join the channel. Registered users are users authenticated to Services. Requires +o or higher
r built-in Channel is registered at Services Set by services
s built-in Secret channel. The channel won't show up in /LIST and won't show up in /WHOIS (unless you are in the same channel or an IRCOp) Requires +o or higher
S chanmodes/stripcolor Strip color codes. This removes any mIRC or ANSI color codes by converting it to regular text. Requires +o or higher
T chanmodes/nonotice Channel notices are not permitted (/NOTICE #chan hi!). On many clients a beeping sound will happen on notices, hence why this mode is sometimes set. Requires +o or higher
t built-in Restricts /TOPIC to +h or higher. Without +t anyone in the channel may set the topic. Most channels are +t. Requires +h or higher
V chanmodes/noinvite /INVITE is not permitted. Requires +o or higher
z chanmodes/secureonly Only clients which are connected through SSL/TLS may join the channel Requires +o or higher
Z chanmodes/issecure Indicates that only people who are using SSL/TLS are on the channel. This channel mode is (only) set by the server when the channel is also +z and everyone on the channel is connected via SSL. Set by server


Other languages:
English • ‎français • ‎中文(台灣)‎

Spamfilter is a highly advanced system to fight spam, advertising, worms and other bad things on IRC. Spamfilters can be added through the /SPAMFILTER command or through spamfilter { } blocks in the configuration file.

SPAMFILTER command[edit]

On IRC spamfilters are added via the /SPAMFILTER command which uses the following syntax:
/spamfilter [add|del] [match-type] [target] [action] [tkltime] [reason] [match string]

Item Explanation & possible options
add / del Indicates if you want to add or remove a spamfilter
match-type The type of match string you're going to use (see also the examples later on). Right now you have two / three choices:
  • simple means simple matching with ? and * wildcard support
  • regex uses regular expressions (more on that later)
  • posix is the old 3.2.x regex method which is only included for compatibility.
target specifies the target type, the targets this spamfilter will look into:
Character Config item Description
c channel Channel message
p private Private message (from user->user)
n private-notice Private notice
N channel-notice Channel notice
P part Part reason
q quit Quit reason
d dcc DCC filename
a away Away message
t topic Setting a topic
u user User ban, will be matched against nick!user@host:realname

You can (and often will) specify multiple targets, like: cpNn

action specifies the action to be taken, such as kline. See Actions for a list of all possible actions.
tkltime The duration of the *line/shun added by the filter, use '-' to use the default or to skip (eg: if action = 'block')
reason Block/*line/shun reason.. you CANNOT use spaces in this, but underscores ('_') will be translated into spaces at runtime. And double underscore ('__') gets an underscore ('_'). Again, use '-' to use the default reason.
match-string This is the actual string that should be blocked or that we should perform the specified action on. The syntax of this string depends on the match-type. See also examples below.

Spamfilter block[edit]

You can also put spamfilters in your configuration file, see the Spamfilter block. For information about each of the fields see above.


Block simple spam[edit]

Say, you see a user mass-spamming in channels and in PM (Private Message). In each case, the user is saying: Hey <NICK>, come watch me on my webcam! connect to It looks always like that, except for a varying IP/URL. You want any user who says this to be immediately GLINEd for 1 day.


/SPAMFILTER add -simple pc gline 1d You_are_spamming_or_you_have_a_virus! *Hey*come watch me on my webcam*

Or in the configuration file:

spamfilter {
        match-type simple;
        target { private; channel; };
        action gline;
        ban-time 1d;
        reason "You are spamming or you have a virus!";
        match "*Hey*come watch me on my webcam*";

Regex to block mIRC exploit[edit]

Regular expressions (regex) are much more powerful than the simple method. Several years ago mIRC had a bug: you could crash any mIRC v6.12 by sending a DCC SEND message with a filename of 225 (or more) characters. With the simple method from above you can't block this, with regex you can. For regex this is even an easy case.


/SPAMFILTER add -regex pc kill - Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}

Or in the configuration file:

spamfilter {
        match-type regex;
        target { private; channel; };
        action kill;
        reason "Possible mIRC exploit attempt";
        match "\x01DCC (SEND|RESUME).{225}";

To learn more about regex, see Introduction to regex (PCRE).


Other languages:
English • ‎français • ‎中文(台灣)‎

UnrealIRCd supports the CIDR notation when allowing/disallowing IP's. This can be used in bans, allow blocks, oper::mask, etc. etc. If you prefer to use CIDR, you can use it.

An example of CIDR would be which matches through In this example we could just as easily have written 127.*.

For more information see Wikipedia - CIDR.

Nick Character Sets[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

In UnrealIRCd you can specify which "character sets" or languages should be allowed in nicknames. You do this in set::allowed-nickchars.

Available character sets[edit]

Table of all possible choices:

Name Description Character set / encoding
catalan Catalan characters iso8859-1 (latin1)
danish Danish characters iso8859-1 (latin1)
dutch Dutch characters iso8859-1 (latin1)
french French characters iso8859-1 (latin1)
german German characters iso8859-1 (latin1)
swiss-german Swiss-German characters (no es-zett) iso8859-1 (latin1)
icelandic Icelandic characters iso8859-1 (latin1)
italian Italian characters iso8859-1 (latin1)
spanish Spanish characters iso8859-1 (latin1)
swedish Swedish characters iso8859-1 (latin1)
latin1 catalan, danish, dutch, french, german, swiss-german, spanish, icelandic, italian, swedish iso8859-1 (latin1)
hungarian Hungarian characters iso8859-2 (latin2), windows-1250
polish-iso Polish characters (note that polish-w1250 is more common!) iso8859-2 (latin2)
romanian Romanian characters iso8859-2 (latin2), windows-1250, iso8859-16
latin2 hungarian, polish-iso, romanian iso8859-2 (latin2)
polish-w1250 Polish characters, windows variant windows-1250
slovak-w1250 Slovak characters, windows variant windows-1250
czech-w1250 Czech characters, windows variant windows-1250
windows-1250 polish-w1250, slovak-w1250, czech-w1250, hungarian, romanian windows-1250
greek Greek characters iso8859-7
turkish Turkish characters iso8859-9
russian-w1251 Russian characters windows-1251
belarussian-w1251 Belarussian characters windows-1251
ukrainian-w1251 Ukrainian characters windows-1251
windows-1251 russian-w1251, belarussian-w1251, ukrainian-w1251 windows-1251
hebrew Hebrew characters iso8859-8-I/windows-1255
chinese-simp Simplified Chinese Multibyte: GBK/GB2312
chinese-trad Tradditional Chinese Multibyte: GBK
chinese-ja Japanese Hiragana/Pinyin Multibyte: GBK
chinese chinese-* Multibyte: GBK
gbk chinese-* Multibyte: GBK

A few notes:

  • The following basic nick characters are always allowed/included: a-z A-Z 0-9 [ \ ] ^ _ - { | }
  • Some combinations can cause problems and will cause an error. For example, combining latin* and chinese-* can not be properly handled by the IRCd and UnrealIRCd will refuse it. Mixing of other charsets might cause display problems. UnrealIRCd will print out a warning if you try to mix latin1/latin2/greek/other incompatible groups.
  • Casemapping (if a certain lowercase character belongs to an upper one) is done according to US-ASCII, this means that characters like ö and Ö are not recognized as 'the same' and hence someone can have a nick with álpha and someone else Ápha at the same time. This is a limitation of the current system and IRCd standards that is hard to solve. People should be aware of this limitation. Note that this limitation already existed in channels (in which nearly any characters have always been available for use, and casemapping was also always performed in US-ASCII).

Example 1: Western Europe[edit]

For people in western europe:

set { allowed-nickchars { latin1; }; };

Example 2: Chinese[edit]

This allows nick names to contain both Simplified Chinese and Traditional Chinese characters:

set { allowed-nickchars { chinese-simp; chinese-trad; }; };

WebSocket Support[edit]

UnrealIRCd 4.0.10 and later support the WebSocket protocol (ws:// and wss://). This allows Javascript (internet browsers) to connect directly to IRC, without the need of intermediate 'gateways'. (Read more)

WebIRC Support[edit]

UnrealIRCd supports the WEBIRC / CGIIRC protocol. Similarly to WebSocket support (see above) this allows users to use an internet browser rather than a "real" IRC client and still make them show up on IRC with their real IP. If you want your users to be able to use Mibbit or IRCCloud then you need to configure this. (Read more)

Time synchronization[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

Having correct time is extremely important for IRC servers. Without correct time, channels can desynch, innocent users can be killed, channels might not show up properly in /LIST, in short: a lot of trouble will occur.

UnrealIRCd has some built-in time synchronization support. Although not optimal (time can still be off a few seconds), it should get rid of many time differences.

What UnrealIRCd's TimeSynch does (by default) is do a one-shot timesync attempt when booting. It sends (by default) a request to multiple time servers and when it gets the first (fastest) reply, it will adjust the internal ircd clock (NOT the system clock). If, for some reason, Unreal does not get a reply from the timeserver within 3 seconds, the IRCd will continue to boot regardless.

Time synchronization is configured (and can be turned off) through the set::timesynch block, see the set documentation for more information.

UnrealIRCd vs NTP[edit]

If you can, we recommend you to run time synchronization software on your system. Such software is more suited to keep your system clock correct.

On *NIX (Linux) you should install the 'ntp' package (as root):

sudo apt-get install ntp


sudo yum install ntp

On Windows you can use the time synchronization service (enabled by default nowadays?).

Disabling TimeSynch[edit]

You can disable timesynch, for example if you use NTP or another time synchronization service on your system (and you're absolutely sure it works correctly) through:

set { timesynch { enable no; }; };

If your system clock is always correct (because you use NTP) then leaving timesynch enabled won't cause any issues. UnrealIRCd's timesynch will detect the clock is off by zero seconds and thus won't adjust the IRCd clock.

Authentication types[edit]

Other languages:
English • ‎français • ‎中文(台灣)‎

At various places in the configuration file, for example the Oper block, Vhost block, Link block and Allow block you can authenticate clients by password or other means. You can specify the password as plaintext, but you can also specify an "authentication type".

Available auth-types[edit]

The following auth-types are available:

Auth-type Description Security level How to generate
none Plaintext / cleartext password Bad Plaintext password directly in the config. Not recommended.
md5 MD5 with salt Deprecated Deprecated. Do not use.
sha1 SHA1 with salt Deprecated Deprecated. Do not use.
ripemd160 RIPEMD160 with salt Deprecated Deprecated. Do not use.
crypt UNIX crypt. The exact hashing algorithm depends on the type of crypt

and the security can therefore range from bad to reasonable.

Bad or reasonable Not recommended.
bcrypt Blowfish crypt with salt and many rounds [1] Reasonable On IRC: /MKPASSWD bcrypt <password>

On *NIX shell: ./unrealircd bcrypt mkpasswd

argon2 Argon2 hashing algorithm. Many rounds, anti-GPU cracking measures, etc. [2]

Added in UnrealIRCd 4.2.1.

Good On IRC: /MKPASSWD argon2 <password>

On *NIX shell: ./unrealircd mkpasswd argon2

sslclientcert SSL Client certificate Excellent Path to a public SSL certificate (.pem file)
sslclientcertfp SSL Client certificate fingerprint Excellent For a given SSL certificate such as client.pem, run:
openssl x509 -in client.pem -sha256 -noout -fingerprint

and copy the AA:BB:CC:DD:etc... fingerprint.

The last two types, sslclientcert and sslclientcertfp require a bit more work and expertise, as the user (or server link) must generate their own SSL Certificate and then use it to connect to the server via SSL/TLS. We suggest to use this auth-type to authenticate server links (as described in our Tutorial: Linking servers), and also for /OPER (in the Oper block). See example 2 and 3 below.

If you just want to authenticate by password then use the argon2 algorithm (or, if you are using 4.2.0 or lower then bcrypt). It's the best password hashing algorithm we can offer and it's slow to crack.

Example 1: bcrypt password in vhost block[edit]

Say, you want to use the password test and want to use bcrypt hashed passwords.
NOTE: Starting with UnrealIRCd 4.2.1 you better use 'argon2' instead of 'bcrypt', because it's even better.

  • As IRCOp run:
/MKPASSWD bcrypt test

or on the *NIX command line run:

irc@system:~/unrealircd$ ./unrealircd mkpasswd bcrypt
Enter password to hash:
Encrypted password is: $2y$09$vy1yzAEDsvps.4.2WEjgm.RZ0A7q.PYnbYGKGjngt0UOmZfo10cky
  • You should get back a string that starts with $ followed by a lot of characters.
  • Put this string in your vhost block like this:
vhost {
    vhost I.love.Tux;
    mask *@*;
    login Tux;
    password "$2y$09$vy1yzAEDsvps.4.2WEjgm.RZ0A7q.PYnbYGKGjngt0UOmZfo10cky";
  • /REHASH your IRCd server configuration (Execute /REHASH as an IRCop on IRC)
  • Try to use the new vhost by typing /VHOST Tux test

Example 2: Oper by SSL Client certificates[edit]

sslclientcert and sslclientcertfp are exceptional auth-types which can be used to authenticate SSL users by their client certificate. With these authentication methods you can be sure the user is using SSL and is using the specified client certificate. It's very secure but is a slightly advanced feature.

Here's an example of how to use it for the oper block:

  • Create an SSL client certificate if you don't have one already (search the web for 'create ssl certificate' if you don't know how)
  • Grab the SHA256 hash of the certificate by running this on your *NIX shell or in Windows in your C:\Program Files (x86)\UnrealIRCd 4 directory:
openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint

where name-of-pem-file.pem is your SSL certificate.

  • In the configuration file, set the password to the AA:BB:CC:DD:etc.. hash you saw from previous command. Example:
oper test {
     password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
     flags { global; can_override; };
     class clients;
  • Rehash your server (type /REHASH on IRC as an IRCop)
  • Connect with your SSL client and make sure it uses your SSL client certificate. You will have to specify it somewhere in your client, consult your clients' documentation.
  • Now oper up through /OPER test (on older servers /OPER test x). When you try this, make sure that you are not already an IRCOp.
  • You should now have IRC Operator rights.
  • Congratulations, you are now using the most secure authentication method available in UnrealIRCd!

Example 3: SSL Client certificates when linking servers[edit]

When you are linking servers via the Link block we highly suggest you follow the Tutorial: Linking servers as it uses the SSL client certificate fingerprint authentication type.