Security-group block

Security groups can match users based on various criteria. The two most important default groups are:
 * known-users: user is identified to services or has a reputation of 25 or more
 * unknown-users: all other users

These other groups also exist by default:
 * tls-users: all users who are using SSL/TLS
 * tls-and-known-users: all users using SSL/TLS, plus all users that are identified to Services or have 25 or more reputation score.
 * webirc-users: all users using WEBIRC. (UnrealIRCd 5.2.0 and later)
 * websocket-users: all users using Websockets. (UnrealIRCd 6.0.7 and later)

The server admin can change the criteria of all six built-in security groups. They can also add new security groups.

Where security groups are used

 * In any mask { } item in the configuration file, like
 * That is in: allow::mask, oper::mask, tld::mask, vhost::mask, link::incoming::mask, deny channel::mask, allow channel::mask, connthrottle::except, blacklist::except, set::restrict::commands::except, set::antimixedutf8::except and set::antirandom::except
 * In the  extban, eg:   to block low reputation and unidentified users
 * In the set::anti-flood block, where the groups known-users and unknown-users have different flood limits
 * In the Connthrottle module to temporarily keep out unknown-users during an attack.
 * Channel mode +f and +F take different actions if >75% of the flood is caused by unknown-users. When that is the case, they will temporarily ban ~security-group:unknown-users and still allow known-users in.
 * In set name-of-security-group { } - through which you can override some set items per security group

Syntax
security-group { /* Match people based on ANY of these criteria (OR) */ mask { ; }; ip { ; }; identified ; webirc ; websocket ; tls ; reputation-score ; connect-time ; security-group { ; }; account { ; }; country { ; }; realname { ; }; certfp { ; };

/* Optionally EXCLUDE people based on this (even if they matched above) */ exclude-mask { ; }; exclude-ip { ; }; exclude-identified ; exclude-webirc ; exclude-websocket ; exclude-tls ; exclude-reputation-score ; exclude-connect-time ; exclude-security-group { ; }; exclude-account { ; }; exclude-country { ; }; exclude-realname { ; }; exclude-certfp { ; }; }

All the selection criteria of security groups are also available in mask { } items elsewhere in the configuration file (eg in the oper block, allow block, vhost block, etc.)

Example and changing the known-users group
The default security group known-users has the following settings: security-group known-users { identified yes; webirc no; reputation-score 25; } If you have no security-group known-users { } in your configuration file then these are the defaults. If you want to change the settings, then add the block to your config and modify it.

The magic unknown-users security-group
The unknown-users security group is a special group matching users that are NOT matched by the known-users group. In other words:  is the same as   (the exclamation mark prefix meaning 'NOT').