Translations:Security/79/en
		
		
		
		
The problem is the "never exposing the IP address" part:
- Of course, you should not publish any DNS record pointing to it, nor have a reverse DNS record with a name that gives it away.
- Scanbots crawl the internet all the time, so bad guys will find your IRC server if the server port is open to everyone. You should use a firewall and make the machine reachable only from a limited set of IP addresses (your leaf servers). Don't block only the IRC server port; block all incoming connections from everywhere except a few trusted IP addresses. For example, if you set the hostname to your full hub name and you run Apache on the server, and it responds to a page that is not found with "Page not found. -- Server hub.xyz.net using Apache X.Y.Z", then you have still leaked your host/IP address to scanners.
- If you also run Services on the same hub machine (which is generally a good idea), the services package will most likely send e-mails, such as account confirmation mails and password resets. E-mails to users will very likely expose the IP address in the e-mail headers. You would have to configure the machine to forward mail to another mail server, and you must configure that other mail server not to include the hub/services IP address in the "Received" header, usually by stripping the "Received" header entirely (either for that host, or always).
- In Exim this would be achieved by adding headers_remove = received to your existing SMTP transport configuration, like somewhere at: begin transports
 
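To confirm that the relay really hides the hub, send yourself a services e-mail and scan the delivered headers. The checker below is an added example, not part of the UnrealIRCd documentation; it scans every header rather than only "Received", and the addresses (documentation ranges), mail.example.org and the sample messages are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Assumed values: replace with your hub's real addresses and hostname.
HUB_ADDRS = ["203.0.113.10", "2001:db8::10"]
HUB_NAMES = ["hub.xyz.net"]

def addresses_in(text):
    """Return every IPv4/IPv6 literal in a header value, parsed so that
    different spellings of one address compare equal."""
    text = re.sub(r"(?i)ipv6:", " ", text)    # drop the "[IPv6:...]" tag
    found = set()
    for token in re.findall(r"[0-9A-Fa-f:.]+", text):
        try:
            found.add(ipaddress.ip_address(token.strip(".")))
        except ValueError:
            continue                          # dates, ids, version numbers
    return found

def find_leaks(raw_message, hub_addresses, hub_names):
    """List (header, value) pairs where a delivered mail exposes the hub."""
    secret = {ipaddress.ip_address(a) for a in hub_addresses}
    names = [n.lower() for n in hub_names]
    leaks = []
    for header, value in message_from_string(raw_message).items():
        value = " ".join(value.split())       # unfold continuation lines
        hits = sorted(addresses_in(value) & secret, key=str)
        leaks += [(header, str(ip)) for ip in hits]
        leaks += [(header, n) for n in names if n in value.lower()]
    return leaks

# Constructed sample: what a user receives when the relay keeps "Received".
LEAKY = """\
Received: from hub.xyz.net ([IPv6:2001:db8:0:0:0:0:0:10])
 by mail.example.org with esmtp; Mon, 01 Jan 2024 12:00:00 +0000
From: services@example.org
Subject: Account confirmation

Your confirmation code is 123456.
"""

# Constructed sample: the same mail after the relay strips "Received".
STRIPPED = LEAKY.split("\n", 2)[2]

if __name__ == "__main__":
    for label, mail in (("relay keeps Received", LEAKY), ("relay strips Received", STRIPPED)):
        print(label, "->", find_leaks(mail, HUB_ADDRS, HUB_NAMES) or "no leak found")
```

The address comparison is done on parsed values, so an expanded IPv6 spelling in a header still matches the compressed form you configured.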