IRCOp guide

From UnrealIRCd documentation wiki
Jump to: navigation, search

This is a guide for everyone who has their IRC server up and running and now needs to understand how to do server administration. Or, as we call it on IRC: how to do IRCOp tasks.

Before you read this

This guide assumes you have basic understanding of IRC. You are familiar with concepts like nicks, channels, user modes and channel modes.

What is an IRCOp?

On IRC people with special server privileges are called "IRC Operators", often shortened to "IRCOps" or "opers".

How to become an IRCOp

When setting up your server you should have added an Oper block. Then on IRC, you can type /OPER name-in-operblock password to become IRCOp. Note that both the name and password are case sEnSiTiVe.

There are various levels of IRCOp's. The operclass directive in the oper block will set this level. The highest is netadmin (which is in the default example configuration file), or netadmin-with-override (more about that later).

For more information or if you have problems /OPER'ing up, see: FAQ: How to become IRCOp / administrator

NOTE: The sections below will assume you managed to become an IRCOp.

Principles

Before we elaborate on what you can all do, let me introduce the two most popular principles / codes of conduct. It's up to you to decide which one you favor more and of course the options aren't as black/white as outlined below:

IRCOps control everything

IRCOps can join any channel, become a channel operator everywhere and reserve the right to do so whenever they deem fit.

This is often the idea someone has when setting up his/her first server. It also fits a centrally managed server where all channels are managed by server staff.

IRCOps don't interfere with channel matters

When there is a problem in a channel that can be resolved by the channel owners / channel operators, it is up to them to do so. They can kick or ban a user, there's no need to interfere. IRCOps will only step in when security is at stake or users are harassed/spammed via private messages (PM).

This is the most popular principle for more established servers. It allows more freedom to users.

Killing and banning users from the server

Killing a user (KILL)

You can forcefully disconnect a user by issuing a KILL. You do this with /KILL nickname reason. The user can still reconnect.

You can also ban a user for a specified amount of time (or permanently). This comes in a few flavors:

Banning a user from the server (KLINE)

To ban a user from the server you can use /KLINE user@host duration reason. The duration is in seconds or a time expression such as 1h or 1d. Use a duration of 0 (zero) for a permanent ban.
Example: /KLINE *@blah.example.org 3600 please go away for at least an hour
This will ban all users with the host blah.example.org for 3600 seconds (one hour).

Note that if you have a network that consists of multiple linked servers then a KLINE is generally not that useful since the user can just reconnect to another server of the IRC network. You'll want to use a GLINE instead, see next.

Banning a user from the network (GLINE)

To ban a user on the IRC network (so also on other linked servers), use /GLINE user@host duration reason.
Example: /GLINE *@blah.example.org 7200 please go away for at least two hours

ZLINE, GZLINE

In addition to KLINE (local ban) and GLINE (network ban) there is also ZLINE and GZLINE. These are special in the sense that users matching (G)ZLINE's are killed immediately when they attempt to connect to the server. In contrast, KLINE/GLINE let's the user perform a hanshake. There are pro's and con's to this.

Because (G)ZLINE bans are enforced immediately they cause very little load on the server. On the other hand there are no DNS lookups done, no ident lookups, no nickname or username is known, SSL/TLS connections are never established. In short: it has a lot of downsides but it can be used if your server is under attack by a lot of clones.

In general our advice is not to use (G)ZLINE but to use KLINE/GLINE instead.

If you do want to use (G)ZLINE the syntax is: /GZLINE *@ip duration reason. Note that ZLINE is for local bans and GZLINE for network-wide.
Example: /GZLINE *@1.2.3.4 900 Have a 15 minute timeout
As mentioned above, you need to specify an IP address and cannot use an hostname because DNS lookups are not done.

OS AKILL

If you run Services (more about that later) then you should consider using OperServ's AKILL feature (/msg operserv help akill). This will store all klines and glines in a central database that is preserved between server restarts.

Ban exceptions

Once you start banning users you may accidentally end up banning yourself.

If you have a static IP then it's worth exempting your IP's from bans. You do this by adding both an Except TKL block and Except ban block. Add this to your unrealircd.conf file (and rehash):

except tkl {
	mask *@1.2.3.4;
	type gline;
};
except ban {
	mask *@1.2.3.4;
};

Naturally you should replace 1.2.3.4 with your IP address. (Just /WHOIS yourself to see your IP)

Getting information

As an IRCOp you can gather a lot of information about the server, users and channels. Below are the most common examples.

Server notices (Snomasks)

As an IRCOp you will see notices in your status window such as users connecting/disconnecting:

*** Client connecting: The_User (~test@example.org) [192.168.0.1] {clients} [secure ECDHE-RSA-AES256-GCM-SHA384]

The type of messages you receive are controlled via Snomasks.

User list (WHO)

As an IRCOp you can use /WHO without parameters to see all users on the network. In contrast, a normal user can also use /WHO but will only see users that are visible to him (such as in the same channel).

There are some useful parameters that you can use as IRCOp such as /WHO +R to see all real hosts, and /WHO +I to see all IP addresses.

User details (WHOIS)

You are (hopefully) already familiar with the /WHOIS nickname command. As an IRCOp you can use this same command but you will see additional information, such as: the IP address of the user and all the channels the user in (even if they are secret).

Channel list (LIST)

All users can use /LIST but if you issue this command as an IRCOp you will be able to see all channels, even if they are secret.

Channel mode querying (MODE)

You can see the modes of a channel without joining via /MODE #channel. Similarly you can see the banlist via /MODE #channel b.

Topic querying (TOPIC)

You can see the topic of a channel without joining, by using /TOPIC #channel.

See channel members (NAMES, WHO)

As an IRCOp you can see who is inside a channel, without joining the channel. Simply issue /NAMES #channel or /WHO #channel

Taking control of channels (Override)

As an IRCOp you can (with sufficient privileges) join a channel and do the same tasks as a channel operator of that channel. Note that it is highly debated matter whether this is 'good' or 'bad'. See also #Principles earlier.

In UnrealIRCd we call this "overriding", since you override the normal channel rules and behave like a chanop.

IMPORTANT: If you want to use this then you need to use the -with-override operclasses. For example if your Oper block has operclass netadmin you won't be able to override, you need to use operclass netadmin-with-override (and rehash of course).

Joining a channel even if you normally cannot

Say, you have a channel #drones you want to join because you suspect this to be a channel with troublemakers. If you try to /JOIN you will see a message like Channel is invite only (+i).

You can still join the channel (=override) by inviting yourself and retrying the join:

/INVITE myself #drones
/JOIN #drones

Note: if this doesn't work then read previous block about operclass.

An alternative is to use SAJOIN. This is not available for all operclasses but is available with netadmin-with-override:

/SAJOIN myself #drones

Both the INVITE+JOIN and SAJOIN allow you to bypass all channel modes and all bans.

Changing modes (MODE, SAMODE)

If you have override privileges you can simply use a MODE command like /MODE #channel -i. You can set the modes even if you don't have channel operator status.

There is also the command /SAMODE #channel -i. This will make the MODE appear from the server:

*** irc.server.net sets mode: -i

Kicking users (KICK, SAPART)

If you have override privileges you can simply kick users like /KICK #channel nickname reason

There is also a command to forcefully part someone, in which case most clients won't auto-rejoin the user. This is /SAPART nick #channel

Making yourself unkickable

If you have sufficient privileges you can set user mode +q on yourself like this:

/MODE yournick +q

This makes it so you cannot be kicked by anyone in any channel.

This is naturally highly abusive but may be necessary if you are to join a channel with troublemakers that will keep kicking you and refuse any form of conversation.

Services

Most networks will run "Services". These are usually visible via the (pseudo) users "NickServ" and "ChanServ". Users can register their nick names and channels at services to claim "ownership" of their nicks/channels. This also helps with preserving settings between server restarts. If you want this you will have to install additional software. See Services.

Note: Setting up services takes at least an hour for most people. It's worth the effort, but be prepared to take some time for it. If you only just set up your first IRC server, then play around a little first before you setup Services another day.

Linking servers

If you want to run a multi-server IRC network then you will have to "link" multiple servers. Basically you set up 2 or more servers first and then "link" them together. The users on server A will then also be visible on server B and vice-versa. The same is true for channels and global bans such as GLINES. See Tutorial: Linking servers.

NOTE: Linking is by many beginners considered to be a complex topic so if you are just setting up your first server you may want to hold off until you have at least a couple of users before you set up a 2nd server and try to link them together.

Fighting spam and drones

Once your servers gets (more) popular you will eventually be hit by users spamming other users/channels and possibly a drone attack as well.

Use blacklists

To fight troublemakers you should add one or more Blacklist blocks. The blacklists under Example in that article are a good start.

What this does is query an external service for each and every connecting user. If the user is on the blacklist, the user is banned.

Use antirandom

Antirandom is a module that will automatically ban users that have a nickname/username/realname that looks "too random". Note that this may not work very well for non-English/non-Western languages.

To use this, have a look at conf/modules.optional.conf and copy-paste the entire section involving antirandom to your unrealircd.conf.

Use spamfilter

UnrealIRCd has a very effective, but also slightly complex, tool called Spamfilter. It allows you for example to automatically GLINE anyone saying "Hi plz download: www.virus.com/this.exe" in a channel. It can react on private messages, channel messages, dcc's and more. It can use simple matching but also regular expressions. See the Spamfilter article for full information.

Other measures

A very effective anti-flood feature that you should definitely deploy is Channel Mode +f.

Preserving settings between restarts

If your server dies or is restarted then all settings are lost. And this will happen eventually because you will have to upgrade the software.

With "all settings" we mean everything set on IRC, such as: channels, channel memberships, KLINE/GLINE's, SPAMFILTER's, and so on. The only thing that is preserved is everything in your configuration files (such as unrealircd.conf).

To fix this you will have to run Services.

What also helps is if you have a multi-server network. Once the servers "link" all channel settings (and KLINEs, GLINEs, SPAMFILTERs, etc) are synchronized. So, as long as a channel exists on 1 of the servers on the network, the settings will be preserved (even without services). Still, you should really run Services.