Tip of the day: Almost every channel mode can be disabled. Don't like halfops? Use blacklist-module chanmodes/halfop;
|
Security-group block
Security groups are introduced in UnrealIRCd 5.0.8. The two most important groups that exist by default are: known-users (user is identified to services or has high enough reputation) and unknown-users (all other users).
There are also three more groups that exist by default:
- tls-users: all users who are using SSL/TLS
- tls-and-known-users: all users using SSL/TLS, plus all users that are identified to Services or have 25 or more reputation score.
- webirc-users: all users using WEBIRC. (UnrealIRCd 5.2.0 and later)
Where security groups are used[edit]
- In the ~G extban, eg:
MODE #chan +b ~G:unknown-users
to block low reputation and unidentified users - In the set::anti-flood block
New syntax (UnrealIRCd 6.0.4 and later)[edit]
security-group <name> { /* Match people based on ANY of these criteria (OR) */ mask { <mask>; }; ip { <ip>; }; identified <yes|no>; webirc <yes|no>; tls <yes|no>; reputation-score <value>; connect-time <timevalue>; security-group { <list>; }; account { <list>; }; country { <list>; }; realname { <list>; }; certfp { <list>; }; /* Optionally EXCLUDE people based on this (even if they matched above) */ exclude-mask { <mask>; }; exclude-ip { <ip>; }; exclude-identified <yes|no>; exclude-webirc <yes|no>; exclude-tls <yes|no>; exclude-reputation-score <value>; exclude-connect-time <timevalue>; exclude-security-group { <list>; }; exclude-account { <list>; }; exclude-country { <list>; }; exclude-realname { <list>; }; exclude-certfp { <list>; }; }
The items are as follows:
- mask: list of masks that would result in a match, like
*.example.net
- ip: list of IP addresses that would result in a match, eg
127.*
or using CIDR notation127.0.0.0/8
. - identified: if set to yes, then if the user is identified to Services then it is considered a match.
- webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
- tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
- reputation-score: if set to a value, like
10
, then if the user has a reputation score of this value or higher, it is considered a match. You can also use<10
to say match on a score of below 10. - connect-time: if set to a time value, like
300
(seconds) or5m
(5 minutes), then if the user has been connected for longer than this time, it is considered a match. You can also use a value like<5m
to say less than 5 minutes. - security-group: this is a match if any of the security groups in this list match.
- account: list of account name(s) that would result in a match, eg:
account { TrustedAccount1; TrustedAccount2; }
- country: list of country codes that would result in a match, eg:
country { NL; BE; UK; }
- realname: list of realnames (gecos) that would result in a match, eg:
realname "*Bot*";
- certfp: list of certificate fingerprints (sha256) that would result in a match, eg:
certfp "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
- Other Extended server bans (from 3rd party modules too) can expose more values
Matching rules:
- Any items set to no mean the check will be skipped (ignored).
- Any items set to yes that are true mean the result is a match. Only 1 item that is set to yes needs to match! (But.. see next..)
- If any of the exclude- items match then the final result is NOT a match, even if other things matched.
Old Syntax (UnrealIRCd 5.x and up to 6.0.3)[edit]
security-group <name> { identified <yes|no>; webirc <yes|no>; tls <yes|no>; reputation-score <value>; include-mask { <mask>; }; }
identified: if set to yes, then if the user is identified to Services then it is considered a match.
webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
reputation-score: if set to a value, like 10
, then if the user has a reputation score of this value or higher, it is considered a match.
include-mask: if a mask item matches, then the security group is considered a match. (UnrealIRCd 5.2.1 or later)
Matching rules:
- Any items set to no mean the check will be skipped (ignored).
- Any items set to yes that are true mean the security group matches the user. Only 1 item that is set to yes needs to match!
Example and changing the known-users group[edit]
The default security group known-users has the following settings:
security-group known-users { identified yes; webirc no; reputation-score 25; }
If you have no security-group known-users { } in your configuration file then these are the defaults. If you want to change the settings, then add the block to your config and modify it.
The magic unknown-users security-group[edit]
The unknown-users security group is a special group matching users that are NOT matched by the known-users group. In other words: unknown-users
is the same as !known-users
(the exclamation mark prefix meaning 'NOT').
See also[edit]
- Reputation score: what is a reputation score, how is it calculated, and where else can it be used
- Extended bans: In particular the ~G extban that can be added in a channel to match a security group.
- Extended server bans: In particular ~G that can be used in GLINE/ELINE/etc to match a security group.