Security

From UnrealIRCd documentation wiki
Jump to: navigation, search

UnrealIRCd has many security features. Below we give you a checklist you can follow as an admin, to make sure you didn't miss anything.

Keep UnrealIRCd up to date

Be sure to subscribe to the unreal-notify mailing list. This mailing list is only used a few times per year by UnrealIRCd developers to send out security advisories and information on new UnrealIRCd releases.

If you don't subscribe then there's a high chance that you'll miss out on an important security advisory or a new release. In that case you will only figure out something is wrong after your server has mysteriously crashed. This is not recommended.

Non-IRCd vulnerabilities

In the past 15 years there have been very few, if any, remotely exploitable UnrealIRCd issues by which an attacker could execute shell code. There's a far bigger chance a box will get hacked by a non-irc(d) vulnerability than by some bug in UnrealIRCd. If you for example run HTTP, DNS, SMTP and FTP servers on the same box you have a much higher risk. Also, if you are on a multi-user machine (eg: you bought a shell) there's the increased risk of local exploits and bad permissions (see next). This risk is quite high so be careful when selecting a shell provider! Even better, buy a VPS instead, and keep the machine up to date.

File permissions

Always make sure your home directory and UnrealIRCd directory have correct permissions, otherwise other users could read your configuration file which may expose password or at the very least expose your cloak-keys and other sensitive information. Other users have no business reading your files. If unsure, run chmod go-rwx /path/to/unrealircd -R

Other similar mistakes:

  • Don't put UnrealIRCd inside the webroot or some other kind of shared directory (eg: /home/xxx/public_html)
  • If you make backups, good! But be sure you set correct permissions on the backup files! Too often it happens that everything is properly secured, yet there's a backup.tar.gz somewhere that can be read by everyone, completely eliminating all the other security measures.

Passwords

In the Oper block and at some other places passwords can be used. If doing so, be sure to:

  • Use mixed uppercase, lowercase and digits, such as Whbviwf5.
  • Do NOT use the same password anywhere else, like your e-mail account, bot password or on other internet sites.
  • Hash the password ("encrypting passwords") so it's not in plaintext in the configuration file. For a working example see using a bcrypt password in the vhost block.

Even better: if possible, don't use passwords at all and use SSL Client certificates. See Authentication types which contains examples of how to use it in the oper block.

Use SSL/TLS

Use SSL/TLS. At the very least use it when linking servers and for all your opers. Otherwise the traffic can be intercepted by 3rd parties, which means they can see your password and anything you send/receive.

For any serious (or not so serious) network we recommend to use real SSL certificates instead of a (default) self-signed certificate. Such as a wildcard *.something.org certificate you deploy on your IRC servers. This also allows you to enable Strict Transport Security (STS), further enhancing security.

Server linking

When linking servers you should really use our our Tutorial: Linking servers which demonstrates secure linking practices. It makes use of SSL/TLS and SSL client certificates.

User-related problems

Always choose your opers and admins wisely. Remember the concept of weakest-link: even though you are careful and did everything by the book, maybe your friend which is an oper did something silly. Like never running security updates, blindly clicks a link in an e-mail which carries a trojan, etc... Unfortunately it's not always in your control. You can (partially) mitigate such problems by limiting oper privileges to only what they need, via the Oper block and Operclass block

Protecting against Denial of Service attacks (DoS)

It's quite hard to defend against a (D)DoS. One of the things that help is choosing a good provider. For example, Amazon seems to deal a whole lot better with DDoS's than a random friendly local ISP.

Other than that, you can limit the damage of a DoS attack if you employ the following multi-server setup: say you have 2 client servers ("leafs"), you run services (eg: anope), and all these servers are connected via a hub server. We call these servers irc1.test.net, irc2.test.net, services.test.net and hub.test.net. What you want to do is NEVER expose the true IP addresses of services and the hub. This way an attacker can never attack the machine. They can still attack irc1 & irc2 but not take down services or your entire network.

To do this the following needs to be done:

  • In our example we call the hub server hub.test.net. You should NOT register a DNS entry (A record) for this name, hub.test.net should not resolve to a valid IP, it should not exist.
  • On irc1, irc2 and services you will want to link to the hub, but you can't use hub.test.net since it does not exist. You could use the IP address of your hub for linking instead (in link::outgoing::hostname). Or, you could use a DNS name that you keep secret (never publish), such as thisismysecrethub.test.net.

So things will look like:

link hub.test.net {
        outgoing {
                hostname 1.2.3.4; // ip of your hub
                port 6900;
                options { ssl; autoconnect; };
        };
..etc...

Note that it's much better if you do these steps from the start of your network. If you apply them afterwards then there's obviously a chance that attackers have already learned your IP address.

If you follow the instructions from above then attackers can never attack your hub, only your client servers. This limits the damage somewhat and allows easier recovery.

Information disclosure

STATS

UnrealIRCd defaults to only allow IRCOps to issue the /STATS command. You can however still override this via set::oper-only-stats. We highly recommend not to do that, as exposing /STATS to regular users may expose sensitive information such as the IP address of your other servers/hubs (/STATS C) and give attackers more clues, like which oper accounts are available (/STATS o).

MAP / LINKS

From time to time people ask us how to disable /MAP or /LINKS. Our position on this is that it's silly and gives a false sense of security, let me explain... Hiding servers that are actually used by users is useless since they already know about your servers (how else could they get on them in the first place?). For any servers that you don't want users on, see previous section (#Protecting against Denial of Service attacks (DoS)).

We do have an option called "flat map", which you can enable via set::options::flat-map. What this does is show all servers as "directly connected" rather than exposing the exact network layout. This makes it a little harder to immediately see the "weak points" in a network. It's not foolproof though, when a server split happens you can still see which server was linked to which and there are other attacks possible as well that would allow an attacker to create a network map. You should not rely on this kind of features for real security but you're free to use them, of course.

AppArmor

If you are using Ubuntu then you may be interested in Using AppArmor with UnrealIRCd. AppArmor provides secondary protection in case the IRC daemon would be compromised.

Note: Using AppArmor can be part of a security in depth approach, but your main focus should be on all previous points raised in this article since they are far more likely to happen.