Link security

From UnrealIRCd documentation wiki

UnrealIRCd 4.0.14 adds a concept called link security levels to describe how secure your server/network is.

Levels

Level     Description
Level 0   One or more servers linked insecurely (not using SSL/TLS)
Level 1   Servers are linked with SSL/TLS but at least one of them is not verifying certificates
Level 2   Servers are linked with SSL/TLS and certificates are properly verified

Each server has a level assigned of 0, 1 or 2. Older UnrealIRCd servers or services have a level UNKNOWN.

In the end this results in a network score (the effective link-security level): the lowest level of any server in the network. This is the "weakest link" principle, and it makes sense: if any server is not using SSL/TLS (level 0), the whole network is degraded to level 0.
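As an added example (not part of the UnrealIRCd wiki or of UnrealIRCd's code), here is the weakest-link computation in Python: the per-link levels from the table, the localhost exemption described under "Improving your level", and the network score as the minimum over the servers whose level is known. The page does not say how a server with level UNKNOWN, or a server whose only links are over 127.0.0.1, is scored, so the example's treatment of both is an assumption and is marked as such in the comments. Server names and addresses are constructed.

```python
"""Per-link and per-server link-security levels from the table above, and the
weakest-link network score. Added example, not UnrealIRCd code."""
from typing import Dict, List, Optional, Tuple, Union

UNKNOWN = "UNKNOWN"            # level reported for older servers/services
Link = Tuple[str, bool, bool]  # (peer IP, linked over SSL/TLS?, certificate verified?)


def link_level(tls: bool, verified: bool) -> int:
    """Level of one link: no SSL/TLS -> 0, SSL/TLS without certificate
    verification -> 1, SSL/TLS with the certificate verified -> 2."""
    if not tls:
        return 0
    return 2 if verified else 1


def is_exempt(peer_ip: str) -> bool:
    """Links over 127.0.0.1 (e.g. services on the same host) are permitted
    without SSL/TLS and are not counted as insecure."""
    return peer_ip == "127.0.0.1"


def server_level(links: List[Link]) -> int:
    """A server's level is the lowest level of its non-exempt links.
    Assumption: a server with only exempt (localhost) links has nothing
    insecure to count and is scored 2."""
    counted = [link_level(tls, verified)
               for ip, tls, verified in links if not is_exempt(ip)]
    return min(counted) if counted else 2


def assess(network: Dict[str, Union[List[Link], str]]
           ) -> Tuple[Optional[int], List[str], List[str]]:
    """Weakest-link network score.

    network maps a server name to its list of links, or to UNKNOWN for a server
    that does not report a level. Returns (score, servers sitting at that score,
    servers with level UNKNOWN). Assumption: UNKNOWN servers are reported but do
    not take part in the minimum, and a network with no known levels has no
    score (None).
    """
    levels = {name: (UNKNOWN if links == UNKNOWN else server_level(links))
              for name, links in network.items()}
    known = {name: lvl for name, lvl in levels.items() if lvl != UNKNOWN}
    unknown = sorted(name for name, lvl in levels.items() if lvl == UNKNOWN)
    if not known:
        return None, [], unknown
    score = min(known.values())
    culprits = sorted(name for name, lvl in known.items() if lvl == score)
    return score, culprits, unknown


# Constructed network: a hub that verifies one peer but not the other, two
# leaves, and a services package on the hub's loopback that reports no level.
NETWORK = {
    "hub.example.net":   [("192.0.2.10", True, True),
                          ("192.0.2.11", True, False),
                          ("127.0.0.1", False, False)],
    "leaf1.example.net": [("192.0.2.1", True, True)],
    "leaf2.example.net": [("192.0.2.1", True, False)],
    "services":          UNKNOWN,
}

if __name__ == "__main__":
    score, culprits, unknown = assess(NETWORK)
    print("network score:", score)
    print("servers holding the score down:", ", ".join(culprits))
    print("servers with level UNKNOWN:", ", ".join(unknown) or "none")
```

The list of servers sitting at the score is the useful output for an administrator: it names the link blocks to fix first, since raising any other server's level changes nothing until the lowest ones are dealt with.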

Risks

What is the risk of level 0

Level 0 means that traffic on at least one server link travels unencrypted. Someone in a position to wiretap that link could read IRC conversations, user details, passwords, etc.

What is the risk of level 1

At level 1 server-to-server traffic is encrypted. However, because the SSL/TLS certificates are not verified, an active attacker could still mount a man-in-the-middle (MitM) attack, decrypting and reading IRC conversations, user details, passwords, etc.

Improving your level

How to get from level 0 to level 1

Simple answer: make sure all your servers link using SSL/TLS.

By default UnrealIRCd 4 will always link using SSL/TLS. UnrealIRCd 4.0.14 and later will reject non-SSL/TLS server connections by default. So, normally, and especially if you use 4.0.14 or later, you shouldn't ever sink to level 0 unless you misconfigured your server.

Steps to take:

  1. Check out your link blocks, making sure you don't have the insecure option set.
  2. Check your services too. Like all servers they should either:
    1. link securely using SSL/TLS, OR
    2. link via 127.0.0.1 (such localhost server connections are permitted and not counted as insecure).
  3. For UnrealIRCd 4.0.14 and later: search for set::plaintext-policy in your configuration file(s). Perhaps you or another administrator deliberately degraded security. Remove the block altogether or use better settings. In particular, the server portion should be set to deny (which is the default).

How to get from level 1 to level 2

Verify your certificates on both sides of the link.

If you use UnrealIRCd 4.0.16 or later on both sides of the link then see Link verification.

If you are using an older version then see below:

Use verify-certificate

If you use real SSL/TLS certificates (strongly recommended), from Let's Encrypt or bought from a Certificate Authority, then use this method:

Edit your link block and add verify-certificate yes; to it, like this:

link irc1.test.net {
    [..your current settings..]
    verify-certificate yes;
};

Note that this assumes that irc1.test.net is serving a valid (not expired) certificate from a trusted Certificate Authority for the name irc1.test.net.

Now /REHASH, /SQUIT the server and /CONNECT it again. Make sure the server linking still works.

Verify by certificate fingerprint

Use this if you don't have a real certificate (that is, you are not using Let's Encrypt or any other CA).

Use the certificate fingerprint in the link { } block as outlined in the Tutorial: Linking servers.

Your link block will look something like this:

link irc1.test.net {
    [..your current settings..]
    password "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";
};

After making the necessary configuration changes, be sure to rehash and SQUIT + CONNECT the server(s).
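As an added example, not code from UnrealIRCd, here is the fingerprint side of the two methods above in Python: computing a certificate's fingerprint in the colon-separated form used in the link block, and checking a peer against the pinned value after the TLS handshake, which is what separates a level 2 fingerprint-verified link from a level 1 encrypted-but-unverified one. It assumes SHA-256 as the fingerprint hash (the page does not name the algorithm; it is what `openssl x509 -noout -sha256 -fingerprint` prints) and uses a constructed byte string in place of a real DER certificate.

```python
"""Certificate-fingerprint verification for a server link: compute the SHA-256
fingerprint of a peer certificate in the colon-separated form used in the link
block, and compare it against the pinned value after the TLS handshake.
Added example, not UnrealIRCd code."""
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate. It is NOT a real
# certificate; in practice you would pass the bytes returned by
# tls_socket.getpeercert(binary_form=True) or read from a .der/.pem file.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def colon_hex(digest: bytes) -> str:
    """Render raw hash bytes as 'AA:BB:CC:...', the form openssl prints for
    'openssl x509 -noout -sha256 -fingerprint' and the form used in link blocks."""
    return ":".join(f"{b:02X}" for b in digest)


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate (assumption: SHA-256 is the
    fingerprint hash in use; the page does not name the algorithm)."""
    return colon_hex(hashlib.sha256(cert_der).digest())


def normalize_fingerprint(text: str) -> str:
    """Reduce the ways an admin may paste a fingerprint to one canonical form:
    strip an 'SHA256 Fingerprint=' label, drop colons and spaces, uppercase."""
    if "=" in text:
        text = text.split("=", 1)[1]
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(cert_der: bytes, pinned: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the pinned value.
    A pinned value of the wrong length can never match, so it is rejected up
    front instead of being silently compared; the comparison is constant-time."""
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64:  # SHA-256 is 32 bytes = 64 hex digits
        return False
    actual = normalize_fingerprint(sha256_fingerprint(cert_der))
    return hmac.compare_digest(actual, expected)


def verify_pinned_peer(tls_socket, pinned: str) -> None:
    """Post-handshake check for a fingerprint-pinned link. tls_socket must
    expose getpeercert(binary_form=True) as ssl.SSLSocket does. Raises instead
    of returning, so an unverified peer never gets to exchange server traffic."""
    cert_der = tls_socket.getpeercert(binary_form=True)
    if not cert_der:
        raise ConnectionError("peer presented no certificate")
    if not fingerprint_matches(cert_der, pinned):
        raise ConnectionError(
            "peer certificate fingerprint %s does not match pinned value %s"
            % (sha256_fingerprint(cert_der), pinned))


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_CERT_DER)
    print("fingerprint of the constructed sample:", fp)
    print("matches itself:", fingerprint_matches(SAMPLE_CERT_DER, fp))
    print("matches lowercase without colons:",
          fingerprint_matches(SAMPLE_CERT_DER, fp.lower().replace(":", "")))
    print("matches a different certificate:",
          fingerprint_matches(SAMPLE_CERT_DER + b"\x00", fp))
```

The length check matters in practice: a truncated or partially pasted fingerprint should fail loudly at configuration time rather than become a pin that can never match (or, worse, be mistaken for a plaintext link password).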