Security-group block

Security groups can match users based on various criteria. The two most important default groups are:
 * known-users (user is identified to services or has a reputation of 25 or more)
 * unknown-users (all other users)

There are also three more groups that exist by default:
 * tls-users: all users who are using SSL/TLS
 * tls-and-known-users: all users using SSL/TLS, plus all users that are identified to Services or have 25 or more reputation score.
 * webirc-users: all users using WEBIRC. (UnrealIRCd 5.2.0 and later)
 * websocket-users: all users using Websockets. (UnrealIRCd 6.0.7 and later)

The server admin can change the criteria for all six built-in groups, as well as add new security groups.

Where security groups are used

 * In the set::anti-flood block, where the groups known-users and unknown-users have different flood limits
 * In the Connthrottle module as well
 * From a mask { } item, like
 * In the  extban, eg:   to block low reputation and unidentified users
 * Channel mode +f and +F take different actions if >75% of the flood is caused by unknown-users (it will temporarily ban ~security-group:unknown-users).

New syntax (UnrealIRCd 6.0.4 and later)
security-group { /* Match people based on ANY of these criteria (OR) */ mask { ; }; ip { ; }; identified ; webirc ; websocket ; tls ; reputation-score ; connect-time ; security-group { ; }; account { ; }; country { ; }; realname { ; }; certfp { ; };

/* Optionally EXCLUDE people based on this (even if they matched above) */ exclude-mask { ; }; exclude-ip { ; }; exclude-identified ; exclude-webirc ; exclude-websocket ; exclude-tls ; exclude-reputation-score ; exclude-connect-time ; exclude-security-group { ; }; exclude-account { ; }; exclude-country { ; }; exclude-realname { ; }; exclude-certfp { ; }; }

All the selection criteria of security groups are also available in mask { } items elsewhere in the configuration file (eg in the oper block, allow block, vhost block, etc.)

Old Syntax (UnrealIRCd 5.x and up to 6.0.3)
security-group { identified ; webirc ; tls ; reputation-score ; include-mask { ; }; }

identified: if set to yes, then if the user is identified to Services then it is considered a match. webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match. tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match. reputation-score: if set to a value, like, then if the user has a reputation score of this value or higher , it is considered a match. include-mask: if a mask item matches, then the security group is considered a match. (UnrealIRCd 5.2.1 or later)

Matching rules:
 * Any items set to no mean the check will be skipped (ignored).
 * Any items set to yes that are true mean the security group matches the user. Only 1 item that is set to yes needs to match!

Example and changing the known-users group
The default security group known-users has the following settings: security-group known-users { identified yes; webirc no; reputation-score 25; } If you have no security-group known-users { } in your configuration file then these are the defaults. If you want to change the settings, then add the block to your config and modify it.

The magic unknown-users security-group
The unknown-users security group is a special group matching users that are NOT matched by the known-users group. In other words:  is the same as   (the exclamation mark prefix meaning 'NOT').