Link security

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

UnrealIRCd has a concept called "link security" which consists of multiple levels to describe how secure your server/network is.

Levels[edit]

Level Description
Level 0 One or more servers linked insecurely (not using SSL/TLS)
Level 1 Servers are linked with SSL/TLS but at least one of them is not verifying certificates
Level 2 Servers linked with SSL/TLS and certificates are properly verified

Each server has a level assigned of 0, 1 or 2. Older UnrealIRCd servers or services have a level UNKNOWN.

In the end this results in a network score (=the effective link-security level). This is the lowest level of all servers. This is basically the "weakest link" principle and it makes sense. For example, if any server is not using SSL/TLS (=level 0) then the network is degraded to level 0.

Risks[edit]

What is the risk of level 0[edit]

Level 0 means that traffic between (at least one of the) servers travels unencrypted. Someone could possibly wiretap IRC conversations, see user details, passwords, etc.

What is the risk of level 1[edit]

With level 1 server traffic is encrypted. However, because SSL certificates are not verified an active attacker could possibly still do a MitM attack, allowing him to decrypt and see IRC conversations, user details, passwords, etc.

Improving your level[edit]

How to get from level 0 to level 1[edit]

Simple answer: make sure all your servers link using SSL/TLS.

By default UnrealIRCd will always link using SSL/TLS. UnrealIRCd 4.0.14 and later will reject non-SSL/TLS server connections by default. So, you shoul never sink to level 0 unless you misconfigured your server.

Steps to take:

  1. Check out your link blocks, making sure you don't have the insecure option set.
  2. Check your services too. Like all servers they should either:
    1. link securely using SSL/TLS, OR
    2. link via 127.0.0.1 (such localhost server connections are permitted and not counted as insecure).
  3. Check for set::plaintext-policy in your configuration file(s). Perhaps you or another administrator deliberately degraded security. Remove the block altogether or use better settings. In particular, the server portion should be set to deny (which is the default).

How to get from level 1 to level 2[edit]

Verify your certificates on both sides of the link. See the Link verification article. This assumes that all servers are on UnrealIRCd 4.0.16 or later.