Tip of the day: Almost every channel mode can be disabled. Don't like halfops? Use blacklist-module chanmodes/halfop;

Security-group block

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

Security groups are introduced in UnrealIRCd 5.0.8. The two most important groups that exist by default are: known-users (user is identified to services or has high enough reputation) and unknown-users (all other users).

There are also three more groups that exist by default:

  • tls-users: all users who are using SSL/TLS
  • tls-and-known-users: all users using SSL/TLS, plus all users that are identified to Services or have 25 or more reputation score.
  • webirc-users: all users using WEBIRC. (UnrealIRCd 5.2.0 and later)

Where security groups are used[edit]

  • In the ~G extban, eg: MODE #chan +b ~G:unknown-users to block low reputation and unidentified users
  • In the set::anti-flood block

New syntax (UnrealIRCd 6.0.4 and later)[edit]

security-group <name> {
        /* Match people based on ANY of these criteria (OR) */
        mask { <mask>; };
        ip { <ip>; };
        identified <yes|no>;
        webirc <yes|no>;
        tls <yes|no>;
        reputation-score <value>;
        connect-time <timevalue>;
        security-group { <list>; };
        account { <list>; };
        country { <list>; };
        realname { <list>; };
        certfp { <list>; };

        /* Optionally EXCLUDE people based on this (even if they matched above) */
        exclude-mask { <mask>; };
        exclude-ip { <ip>; };
        exclude-identified <yes|no>;
        exclude-webirc <yes|no>;
        exclude-tls <yes|no>;
        exclude-reputation-score <value>;
        exclude-connect-time <timevalue>;
        exclude-security-group { <list>; };
        exclude-account { <list>; };
        exclude-country { <list>; };
        exclude-realname { <list>; };
        exclude-certfp { <list>; };
}

The items are as follows:

  • mask: list of masks that would result in a match, like *.example.net
  • ip: list of IP addresses that would result in a match, eg 127.* or using CIDR notation 127.0.0.0/8.
  • identified: if set to yes, then if the user is identified to Services then it is considered a match.
  • webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
  • tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
  • reputation-score: if set to a value, like 10, then if the user has a reputation score of this value or higher, it is considered a match. You can also use <10 to say match on a score of below 10.
  • connect-time: if set to a time value, like 300 (seconds) or 5m (5 minutes), then if the user has been connected for longer than this time, it is considered a match. You can also use a value like <5m to say less than 5 minutes.
  • security-group: this is a match if any of the security groups in this list match.
  • account: list of account name(s) that would result in a match, eg: account { TrustedAccount1; TrustedAccount2; }
  • country: list of country codes that would result in a match, eg: country { NL; BE; UK; }
  • realname: list of realnames (gecos) that would result in a match, eg: realname "*Bot*";
  • certfp: list of certificate fingerprints (sha256) that would result in a match, eg: certfp "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
  • Other Extended server bans (from 3rd party modules too) can expose more values

Matching rules:

  • Any items set to no mean the check will be skipped (ignored).
  • Any items set to yes that are true mean the result is a match. Only 1 item that is set to yes needs to match! (But.. see next..)
  • If any of the exclude- items match then the final result is NOT a match, even if other things matched.

Old Syntax (UnrealIRCd 5.x and up to 6.0.3)[edit]

security-group <name> {
        identified <yes|no>;
        webirc <yes|no>;
        tls <yes|no>;
        reputation-score <value>;
        include-mask { <mask>; };
}

identified: if set to yes, then if the user is identified to Services then it is considered a match.
webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
reputation-score: if set to a value, like 10, then if the user has a reputation score of this value or higher, it is considered a match. include-mask: if a mask item matches, then the security group is considered a match. (UnrealIRCd 5.2.1 or later)

Matching rules:

  • Any items set to no mean the check will be skipped (ignored).
  • Any items set to yes that are true mean the security group matches the user. Only 1 item that is set to yes needs to match!

Example and changing the known-users group[edit]

The default security group known-users has the following settings: 

security-group known-users {
        identified yes;
        webirc no;
        reputation-score 25;
}

If you have no security-group known-users { } in your configuration file then these are the defaults. If you want to change the settings, then add the block to your config and modify it.

The magic unknown-users security-group[edit]

The unknown-users security group is a special group matching users that are NOT matched by the known-users group. In other words: unknown-users is the same as !known-users (the exclamation mark prefix meaning 'NOT').

See also[edit]

  • Reputation score: what is a reputation score, how is it calculated, and where else can it be used
  • Extended bans: In particular the ~G extban that can be added in a channel to match a security group.
  • Extended server bans: In particular ~G that can be used in GLINE/ELINE/etc to match a security group.
Retrieved from "https://www.unrealircd.org/docwiki/index.php?title=Security-group_block&oldid=10751"