| Tip of the day: You can use a SSL/TLS certificate fingerprint instead of passwords. |
Cloaking
Cloaking is a security feature which hides the IP address and hostname of users on IRC. Below you can read in more detail what it is exactly, how it works and how to change the server settings with regards to cloaking.
What is cloaking
With cloaking turned off, a join on IRC looks like this:
*** User ([email protected]) has joined #test
With cloaking turned on, users will see:
*** User ([email protected]) has joined #test
The first part of the host is partially hidden or "cloaked". Other people won't see your real hostname or IP address. This security feature is useful to prevent users from flooding/attacking each other. They can't flood the other person without knowing their real host/IP. The host is not just cloaked in JOIN's, it is hidden everywhere, including in PART, WHOIS and WHO. Only IRCOps can see the real host / real IP.
The same cloaked host is always generated for the same real host/IP. Thus you can still ban the user with /MODE #test +b *!*@rox-2DCA3201.example.net.
Cloaking is enabled via user mode +x (like: /MODE yournick +x) but it is usually enabled by default already (see server configuration below).
Cloaking does not protect against everything
Cloaking helps to protect someone on IRC but there are still other ways to retrieve the IP address of users outside of IRC. A common trick by an attacker would be to paste an URL in the channel. Then, if the victim surfs to it, the attacker can see the victims' real IP address by looking at the webserver logs.
Cloaked IP addresses
When a host does not resolve, only the IP is known. In that case the join won't show the real IP:
*** User ([email protected]) has joined #test
But will instead look like this:
*** User ([email protected]) has joined #test
As expected, banning the full host *!*@AAAAAAAA.BBBBBBBB.CCCCCCCC.IP will ban the IP *!*@198.51.100.150. But, there are more options available:
| IP Address | Cloaked ban | Effective ban | Description |
|---|---|---|---|
| IPv4 | *!*@AAAAAAAA.BBBBBBBB.CCCCCCCC.IP
|
*!*@198.51.100.150
|
Only bans the IP |
*!*@*.BBBBBBBB.CCCCCCCC.IP
|
*!*@198.51.100.*
|
Bans the /24 netblock | |
*!*@*.CCCCCCCC.IP
|
*!*@198.51.*
|
Bans the /16 netblock | |
| IPv6 | *!*@AAAAAAAA:BBBBBBBB:CCCCCCCC:IP
|
*!*@2001:db8:85a3:8d3:1319:8a2e:370:7348
|
Only bans the IP |
*!*@*:BBBBBBBB:CCCCCCCC:IP
|
*!*@2001:db8:85a3:8d3:1319:8a2e:370:*
|
Bans the /112 netblock | |
*!*@*:CCCCCCCC:IP
|
*!*@2001:db8:85a3:8d3:*
|
Bans the /64 netblock |
If you want cloaking to use the cloaked IP address style always, even for hostnames that resolve fine, then see Forcing to use the IP-style cloaking at the end of next section.
Server configuration
Enabling and forcing cloaking
Admins normally want users to be cloaked by default. This is done by adding x to set::modes-on-connect. This is already done in both the example configuration files and in the default settings.
Even if users are cloaked by default, they can still unset it to disable their own cloaking. If you want to prevent this, so want users never be able to disable cloaking in any way, then add x to set::restrict-usermodes.
Disabling cloaking
If you don't want your users to be cloaked by default, then remove the x from modes-on-connect. Users can then still manually set themselves +x. If you don't want that either, then add x to set::restrict-usermodes. Note that cloaking is a security feature for your users and thus disabling it is NOT recommended.
Cloaking modules
A cloaked host is generated by a cloaking module. You must load at least one cloaking module. This too, is done by default already via the default modules.default.conf that almost everyone uses. It is also possible to use another cloaking algorithm created by a 3rd party, but not many have been written.
Cloaking keys
The cloaking algorithm requires secret cloaking keys to be set, see set::cloak-keys for more information. It is VERY important to keep the cloak keys secret. If the cloak keys are known by other (bad) people then it is theoretically possible to decode (or rather: brute force) the original host. If your cloaking keys are leaked or stolen then we suggest changing them. Note though, that this makes all current bans on cloaked hosts and IPs ineffective so this has a major impact on bans. There is no way to convert bans with cloak-keys X to bans with new cloak-keys Y. It is therefore best to avoid leaking cloak-keys at all cost!
Both the set::cloak-keys and set::hiddenhost-prefix settings must be the same on all servers. Otherwise, strange things will happen, such as users seemingly being able to join through bans and such.
Forcing to use the IP-style cloaking
Some admins find cloaked hostnames such as d5142341.example.net too revealing. They prefer to always use the cloaked IP address style instead such as 6CAB8F7C.1067B5DC.20B6CFB2.IP. If you want that, then set the option set::cloak-method to ip.