Tip of the day: Connthrottle will limit the damage from big drone attacks. Check if the flood thresholds and exceptions are OK for your network.

Rpc-user block

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

Via the rpc-user block you tell who is authorized to use JSON-RPC. This is not meant to allow end-users (real people) direct API access, but to allow software like the webpanel.

Syntax[edit]

rpc-user <name> {
    mask <mask>;
    password <password>;
}

Every RPC user authenticates with a name and password:

  • name: the name of the rpc-user block designates the username used for JSON-RPC logins
  • password: this is the password, it can be an hashed instead of using plaintext.

Every block also has a mask which is a Mask item. It is highly recommended to use strict filter on IP addresses, because:

  • API access is very powerful: you can grab a lot of (sensitive) information very fast, and also change and set things, wreak havoc very fast, when abused.
  • The UnrealIRCd webserver and JSON-RPC functionality is quite new. When a connection is made on the RPC server port, we first check if any of the rpc-user::mask match. If not, we immediately reject the connection without even reading or parsing the request. Thus, with a strict rpc-user::mask you limit the attack surface of all the JSON-RPC components a lot.

Example[edit]

rpc-user apiuser {
    mask { ip 127.0.0.1; }
    password "test";
}
Retrieved from "https://www.unrealircd.org/docwiki/index.php?title=Rpc-user_block&oldid=11224"