unreal-notify Mailing List for UnrealIRCd
Status: Beta
Brought to you by:
wildchild
You can subscribe to this list here.
2000 |
Jan
|
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
|
Dec
(2) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2001 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
(1) |
Sep
|
Oct
(1) |
Nov
|
Dec
(1) |
2002 |
Jan
(1) |
Feb
|
Mar
(2) |
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
(2) |
Sep
|
Oct
|
Nov
|
Dec
|
2003 |
Jan
(1) |
Feb
|
Mar
|
Apr
|
May
(1) |
Jun
(1) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(1) |
Dec
|
2004 |
Jan
|
Feb
(1) |
Mar
(2) |
Apr
(2) |
May
|
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
(1) |
Nov
|
Dec
|
2005 |
Jan
(1) |
Feb
|
Mar
(1) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2006 |
Jan
|
Feb
(2) |
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
2007 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2009 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2010 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2011 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(1) |
Dec
|
2012 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(1) |
Nov
(1) |
Dec
(1) |
2013 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
(1) |
Dec
|
2014 |
Jan
|
Feb
|
Mar
|
Apr
(2) |
May
|
Jun
|
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2015 |
Jan
|
Feb
|
Mar
(1) |
Apr
|
May
|
Jun
(2) |
Jul
(3) |
Aug
(1) |
Sep
(1) |
Oct
(2) |
Nov
(2) |
Dec
(4) |
2016 |
Jan
(1) |
Feb
|
Mar
(1) |
Apr
(1) |
May
(1) |
Jun
(1) |
Jul
(2) |
Aug
|
Sep
(2) |
Oct
(3) |
Nov
(2) |
Dec
(3) |
2017 |
Jan
(2) |
Feb
(2) |
Mar
|
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
(1) |
Sep
(2) |
Oct
(2) |
Nov
(1) |
Dec
(2) |
2018 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(3) |
Jul
|
Aug
|
Sep
(3) |
Oct
|
Nov
|
Dec
(3) |
2019 |
Jan
|
Feb
(2) |
Mar
(1) |
Apr
(2) |
May
(1) |
Jun
(1) |
Jul
(1) |
Aug
(1) |
Sep
(2) |
Oct
(1) |
Nov
(3) |
Dec
(1) |
2020 |
Jan
(2) |
Feb
(2) |
Mar
|
Apr
(1) |
May
(2) |
Jun
|
Jul
(1) |
Aug
|
Sep
(1) |
Oct
(1) |
Nov
|
Dec
(2) |
2021 |
Jan
(1) |
Feb
|
Mar
(4) |
Apr
|
May
|
Jun
(3) |
Jul
(2) |
Aug
|
Sep
|
Oct
(3) |
Nov
(4) |
Dec
(3) |
2022 |
Jan
(4) |
Feb
|
Mar
(1) |
Apr
(1) |
May
(1) |
Jun
(3) |
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
(1) |
Dec
(3) |
2023 |
Jan
|
Feb
(1) |
Mar
(1) |
Apr
(3) |
May
(2) |
Jun
(2) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(4) |
Nov
|
Dec
(4) |
2024 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(1) |
Jun
(1) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
From: Bram M. <sy...@un...> - 2024-07-18 13:37:54
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Today I have released UnrealIRCd 6.1.7.1. This fixes a completely harmless log message to IRCOps popping up sometimes ("[BUG] trying to modify fd -2"). This issue did not affect everyone, it happens with certain DNSBL hits and only if you are using c-ares library version 1.31.0 or later (which happens if you don't have c-ares installed as a system library and it falls back to the UnrealIRCd shipped one). UnrealIRCd 6.1.7.1 fixes the case that caused that log message, and it also adds ASN support in WHOWAS. If you are not seeing the log messages or are not bothered by them then there is no reason to upgrade. The original 6.1.7 announcement is below It has been only a month since previous release, but I'm happy to announce UnrealIRCd 6.1.7. The main purpose of this release is adding new features, such as ASN support, more flexible ban user { } and ban authentication { } blocks and more. See the release notes below for all details. Enhancements: * In the ban user { } <https://www.unrealircd.org/docs/Ban_user_block> and require authentication { } <https://www.unrealircd.org/docs/Require_authentication_block> blocks the |mask| is now a Mask item <https://www.unrealircd.org/docs/Mask_item>. This means you can use all the power of mask items and security groups and multiple matching criteria. * The GeoIP module now contains information about Autonomous System Numbers <https://www.unrealircd.org/docs/ASN>: o The asn is shown in the user connecting notice as |[asn: ###]|, is shown in |WHOIS| (for IRCOps) and it is expanded in JSON data such as JSON Logging <https://www.unrealircd.org/docs/JSON_logging> and JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> calls like |user.list|. o Can be used in Extended server ban <https://www.unrealircd.org/docs/Extended_server_bans>: |GLINE ~asn:64496 0 This ISP is banned|. o Can be used in security groups and mask items <https://www.unrealircd.org/docs/Mask_item> so you can do like: |require authentication { mask { asn { 64496; 64497; 64498; } } reason "Too much abuse from this ISP. You are required to log in with an account using SASL."; }| o In Crule <https://www.unrealircd.org/docs/Crule> functions as |match_asn(64496)| o Also available in regular extbans/invex, but normally users don't know the IP or ASN of other users, unless you use no cloaking or change set::whois-details::asn <https://www.unrealircd.org/docs/Set_block#set::whois-details>. * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: Similar to oper and operclass, in an rpc-user <https://www.unrealircd.org/docs/Rpc-user_block> you now have to specify an rpc-user::rpc-class. The rpc-class is defined in an rpc-class block <https://www.unrealircd.org/docs/Rpc-class_block> and configures what JSON methods can be called. There are two default json-rpc classes: o |full|: access to all JSON-RPC Methods o |read-only|: access to things like /server_ban.list/ but not to /server_ban.add/ * set::spamfilter::except <https://www.unrealircd.org/docs/Set_block#set::spamfilter::except> is now a Mask item <https://www.unrealircd.org/docs/Mask_item> instead of only a list of exempted targets. A warning is created to existing users along with a suggestion of how to use the new syntax. Technically, this is not really new functionality as all this was already possible via the Except ban block <https://www.unrealircd.org/docs/Except_ban_block> with type spamfilter, but it is more visible/logical to have this also. * New option set::hide-killed-by <https://www.unrealircd.org/docs/Set_block#set::hide-killed-by>: We normally show the nickname of the oper who did the /KILL in the quit message. When set to |yes| the quit message becomes shortened to "Killed (Reason)". This can prevent oper harassment. * set::restrict-commands <https://www.unrealircd.org/docs/Restrict_commands>: new option |channel-create| for managing who may create new channels. * New option set::tls::certificate-expiry-notification <https://www.unrealircd.org/docs/Set_block#set::tls::certificate-expiry-notification>: since UnrealIRCd 5.0.8 we warn if a SSL/TLS certificate is (nearly) expired. This new option allows turning it off, it is (still) on by default. * Add the ability to capture the same data as Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> by providing an spamreport::url option. Changes: * IRCOps with the operclass |locop| can now only |REHASH| the local server and not remote servers. * Comment out some more in example.conf by default * Update shipped libraries: c-ares to 1.31.0, PCRE2 to 10.44, Sodium to 1.0.20 Fixes: * Crash when removing the |websocket| option on a websocket listener. * Silence some compiler warnings regarding deprecation of c-ares API in src/dns.c. * Memory leaks of around 1-2KB per rehash Developers and protocol: * We use numeric 569 (RPL_WHOISASN) for displaying ASN info to IRCOps: |:irc.example.net 569 x whoiseduser 64496 :is connecting from AS64496 [Example Corp]| As always, you can download UnrealIRCd from https://www.unrealircd.org/. On *NIX you can upgrade with: ./unrealircd upgrade |
From: Bram M. <sy...@un...> - 2024-07-16 11:04:09
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, It has been only a month since previous release, but I'm happy to announce UnrealIRCd 6.1.7. The main purpose of this release is adding new features, such as ASN support, more flexible ban user { } and ban authentication { } blocks and more. See the release notes below for all details. Enhancements: <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#enhancements> * In the ban user { } <https://www.unrealircd.org/docs/Ban_user_block> and require authentication { } <https://www.unrealircd.org/docs/Require_authentication_block> blocks the |mask| is now a Mask item <https://www.unrealircd.org/docs/Mask_item>. This means you can use all the power of mask items and security groups and multiple matching criteria. * The GeoIP module now contains information about Autonomous System Numbers <https://www.unrealircd.org/docs/ASN>: o The asn is shown in the user connecting notice as |[asn: ###]|, is shown in |WHOIS| (for IRCOps) and it is expanded in JSON data such as JSON Logging <https://www.unrealircd.org/docs/JSON_logging> and JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> calls like |user.list|. o Can be used in Extended server ban <https://www.unrealircd.org/docs/Extended_server_bans>: |GLINE ~asn:64496 0 This ISP is banned|. o Can be used in security groups and mask items <https://www.unrealircd.org/docs/Mask_item> so you can do like: |require authentication { mask { asn { 64496; 64497; 64498; } } reason "Too much abuse from this ISP. You are required to log in with an account using SASL."; }| o In Crule <https://www.unrealircd.org/docs/Crule> functions as |match_asn(64496)| o Also available in regular extbans/invex, but normally users don't know the IP or ASN of other users, unless you use no cloaking or change set::whois-details::asn <https://www.unrealircd.org/docs/Set_block#set::whois-details>. * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: Similar to oper and operclass, in an rpc-user <https://www.unrealircd.org/docs/Rpc-user_block> you now have to specify an rpc-user::rpc-class. The rpc-class is defined in an rpc-class block <https://www.unrealircd.org/docs/Rpc-class_block> and configures what JSON methods can be called. There are two default json-rpc classes: o |full|: access to all JSON-RPC Methods o |read-only|: access to things like /server_ban.list/ but not to /server_ban.add/ * set::spamfilter::except <https://www.unrealircd.org/docs/Set_block#set::spamfilter::except> is now a Mask item <https://www.unrealircd.org/docs/Mask_item> instead of only a list of exempted targets. A warning is created to existing users along with a suggestion of how to use the new syntax. Technically, this is not really new functionality as all this was already possible via the Except ban block <https://www.unrealircd.org/docs/Except_ban_block> with type spamfilter, but it is more visible/logical to have this also. * New option set::hide-killed-by <https://www.unrealircd.org/docs/Set_block#set::hide-killed-by>: We normally show the nickname of the oper who did the /KILL in the quit message. When set to |yes| the quit message becomes shortened to "Killed (Reason)". This can prevent oper harassment. * set::restrict-commands <https://www.unrealircd.org/docs/Restrict_commands>: new option |channel-create| for managing who may create new channels. * New option set::tls::certificate-expiry-notification <https://www.unrealircd.org/docs/Set_block#set::tls::certificate-expiry-notification>: since UnrealIRCd 5.0.8 we warn if a SSL/TLS certificate is (nearly) expired. This new option allows turning it off, it is (still) on by default. * Add the ability to capture the same data as Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> by providing an spamreport::url option. Changes: <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#changes> * IRCOps with the operclass |locop| can now only |REHASH| the local server and not remote servers. * Comment out some more in example.conf by default * Update shipped libraries: c-ares to 1.31.0, PCRE2 to 10.44, Sodium to 1.0.20 Fixes: <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#fixes> * Crash when removing the |websocket| option on a websocket listener. * Silence some compiler warnings regarding deprecation of c-ares API in src/dns.c. * Memory leaks of around 1-2KB per rehash Developers and protocol: <https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#developers-and-protocol> * We use numeric 569 (RPL_WHOISASN) for displaying ASN info to IRCOps: |:irc.example.net 569 x whoiseduser 64496 :is connecting from AS64496 [Example Corp]| As always, you can download UnrealIRCd from https://www.unrealircd.org/. On *NIX you can upgrade with: ./unrealircd upgrade |
From: Bram M. <sy...@un...> - 2024-06-14 06:58:46
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, Today I'm happy to announce the release of UnrealIRCd 6.1.6 stable. This is mostly a bug fix release but also comes with some enhancements. More information in the release notes below. Enhancements: <https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#enhancements> * Crule <https://www.unrealircd.org/docs/Crule> functions can now do everything that security group blocks <https://www.unrealircd.org/docs/Security-group_block> can do. In practice, this means the following functions were added in this release: o |is_tls()| returns true if the client is using SSL/TLS o |in_security_group('known-users')| returns true if the user is in the specified security group <https://www.unrealircd.org/docs/Security-group_block>. o |match_mask('*@*.example.org')| or |match_mask('*.example.org')| returns true if client matches mask. o |match_ip('192.168.*')| or with CIDR like |match_ip('192.168.0.0/16')| returns true if IP address of client matches. o |is_identified()| which returns true if the client is identified to a services account. o |is_webirc()| which returns true if the client is connected using WEBIRC. o |is_websocket()| which returns true if the client is connected using WebSockets. o |match_realname('*xyz*')| which returns true if the real name (gecos) contains xyz. o |match_account('xyz')| which returns true if the services account name is xyz. o |match_country('NL')| which returns true if GeoIP <https://www.unrealircd.org/docs/GeoIP> determined the country to be NL. o |match_certfp('abc')| which returns true if the Certificate fingerprint <https://www.unrealircd.org/docs/Certificate_fingerprint> is abc. Changes: <https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#changes> * For many years |REHASH -all| is the same as |REHASH| so we now reject the former. * The Crule <https://www.unrealircd.org/docs/Crule> function |inchannel('#xyz')| is now called |in_channel('#xyz')| to match the naming style of the other functions. The old name will keep working for the entire UnrealIRCd 6 series too. Fixes: <https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#fixes> * Crash if you first REHASH and have a parse error (failed rehash 1) and then REHASH again but have a "late" rehash error, such as a remote include failing to load (failed rehash 2). * Crash on Windows when using Crule <https://www.unrealircd.org/docs/Crule> functions, Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> or Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>. * Conditional config <https://www.unrealircd.org/docs/Defines_and_conditional_config>: using @if with a variable like |@if $VAR == "something"| always evaluated to false. * A |~forward| <https://www.unrealircd.org/docs/Extended_bans#Group_2:_actions> ban did not check ban exemptions (+e), always forwarding the user. * When booting for the first time (without any cached files) the IRCd downloads GeoIP.dat. If that fails, e.g. due to lack of internet connectivity, we now show a warning and continue booting instead of it being a hard error. Note that we already dealt with this properly after the file has been cached (so after first download), see "What if your web server is down" in Remote includes <https://www.unrealircd.org/docs/Remote_includes#What_if_your_web_server_is_down>. Removed: * The |tls-and-known-users| security group <https://www.unrealircd.org/docs/Security-group_block> was confusing, in the sense that this group consisted of tls-users and of known-users (in an OR fashion, not AND). Since this group is rarely used it has now been removed altogether. If you used it in your configuration then you can still manually (re)create the security group with: |security-group tls-and-known-users { identified yes; reputation-score 25; tls yes; }| Developers and protocol: <https://github.com/unrealircd/unrealircd/blob/dd2242b6a80b50e1defcc85ed1e7aee3b96972a8/doc/RELEASE-NOTES.md#developers-and-protocol> * Modules can now provide SASL locally, see Dev:Authentication module <https://www.unrealircd.org/docs/Dev:Authentication_module>. As always, you can download UnrealIRCd from https://www.unrealircd.org/. On *NIX you can upgrade with: ./unrealircd upgrade |
From: Bram M. <sy...@un...> - 2024-05-28 16:58:15
|
Hi everyone, This month UnrealIRCd celebrates its 25th birthday. IRC changed over all those years. There's a clear consolidation, with fewer IRC networks now than before, but IRC is still alive and kicking. That's in part due to a persistent user base but also very much thanks to all those people who keep IRC up to date, people making IRC server software (not just UnrealIRCd), people running IRC networks, the IRCv3 working group <https://ircv3.net/>, IRC clients that tap in a different market than traditional text-mode and desktop IRC clients, clients like IRCCloud <https://www.irccloud.com/>, The lounge <https://thelounge.chat> and Kiwi IRC <https://kiwiirc.com> to name a few. Everyone is trying to make IRC more intuitive, more modern, so new users can appreciate IRC as well. With regards to UnrealIRCd, I would like to thank our sponsors and donators <https://www.unrealircd.org/index/donations> for their support. We launched a new sponsorship program <https://forums.unrealircd.org/viewtopic.php?t=9353> this year and are grateful to our monthly sponsors to help us with our monthly hosting costs (we could still use a little help here). Thanks also to all the people contributing to the development, the documentation (wiki), all the official supporters and other people hanging out in our #unreal-support channel. As already mentioned, a big thanks to all the IRC networks, often run by volunteers, all the opers there, the individual IRC users who have been using and enjoying UnrealIRCd! Without your continued support and your feedback we wouldn't be where we are today. Let me end with this fantastic XKCD comic from several years ago. It highlights what I like most of IRC: it's not one centrally managed and dictated protocol, one network, one brand, like the big social media today. IRC is flexible and gives you choices: you can run your own network with its own community and its own rules, you choose which IRC server software to use and configure it to suit your needs. And to top it off: all your users can choose which IRC client they use to connect to your network, an IRC client set up in the way they like it, with its pros and cons and its never ending tinkering. XKCD comic #1782 "Team Chat" If you are interested in some UnrealIRCd history, and some word about the present, then you can continue reading below. *1999 - 2013* UnrealIRCd was founded by Stskeeps in May 1999. I was not involved with the first 2 years of the project, but I remember that UnrealIRCd was already quite popular when UnrealIRCd 3.1.x came out in 2000. In 2001 I joined the development team and together with codemastr and Stskeeps we made UnrealIRCd 3.2.x which took 3 years in total and was maintained for another 12 years. Feature-wise 3.2 brought a completely new configuration file, unlike all other IRC Daemons back then, which made us very flexible. Other notable major features were: support for modules, anti-flood features like channel mode +f and spam filtering. It was UnrealIRCd 3.2.x that made us conquer the market, resulting in a market share of over 50% at that time (in terms of IRC servers deployed). It were crazy times with many networks installing UnrealIRCd, even beta versions. The support channel was completely overwhelmed. Some people may even remember our support bot that we had for several years: the #unreal-support channel was moderated (+m) and upon joining you had to answer a short 5 question quiz with some basic questions in order to get voice (+v) and support. UnrealIRCd 3.2.x was awesome for many years but in the end development slowed down too much. *2014 - 2024* The old UnrealIRCd 3.2.x code base was getting in the way of implementing new things. In 2015 came UnrealIRCd 4 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_4> with the help of Heero and nenolod. It had major source code cleanups and server protocol changes, a major configuration file overhaul, improved documentation and a lot of other new features to make things more flexible and an admins life easier. Since then, UnrealIRCd was actively maintained again with regular releases. UnrealIRCd 5 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_5> came out in Dec 2019 with security enhancements, a lot more IRCv3 features, channel history and improved websocket support. Followed by UnrealIRCd 6 <https://www.unrealircd.org/docs/What%27s_new_in_UnrealIRCd_6> in Dec 2021 with a modern logging system with (optional) JSON support, again more flexibility, even more modular, an external JSON-RPC interface making a webpanel possible <https://www.unrealircd.org/docs/UnrealIRCd_webpanel>, and more. *The present* Nowadays we have a very modular IRCd, with pretty much all standardized IRCv3 features implemented and great security features. The last 12 months had a number of spam waves and we quickly developed and responded with Central Blocklist <https://www.unrealircd.org/docs/Central_Blocklist> and some other services, effectively stoping all efknockr spam. It's good to see us, along with the wider community, staying up to date with the present threats and challenges of today and we have no plans to stop! Best regards, Bram Matthys ("Syzop") |
From: Bram M. <sy...@un...> - 2024-04-22 11:11:02
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, Today I have released UnrealIRCd 6.1.5 stable. This is a regular release with various enhancements and bug fixes. More information in the release notes below. I can also announce the official launch of our sponsorship program and merchandise shop <https://forums.unrealircd.org/viewtopic.php?t=9353>. If you like UnrealIRCd and want to support us then consider becoming a sponsor, make a donation or buy yourself something nice from the shop. If you can't spare the money or don't want to donate, that is fine too. UnrealIRCd will always be free. Enhancements: * You can now use oper::auto-join <https://www.unrealircd.org/docs/Oper_block#auto-join> in an oper block to override the generic set::oper-auto-join <https://www.unrealircd.org/docs/Set_block#set::oper-auto-join> setting. * The |operclass| property is now available in the security-group block <https://www.unrealircd.org/docs/Security-group_block> and mask items. Eg: |security-group netadmin { operclass { netadmin; netadmin-with-override; } }| * Support for IRCv3 |draft/no-implicit-names| <https://ircv3.net/specs/extensions/no-implicit-names> * Improved performance by skipping useless |TAGMSG| spamfilter checks (e.g. for typing notifications). * Improved performance if you have hundreds of non-regex spamfilters. * Add more Crule <https://www.unrealircd.org/docs/Crule> functions: o |is_away()| returns true if the client is currently away o |has_user_mode('x')| returns true if all the user modes are set on the client. o |has_channel_mode('x')| can be used for spamfilters with a destination channel, such as messages: it returns true if all specified channel modes are set on the channel. * Add |example.pt.conf| - (Brazilian) Portuguese example configuration file. Changes: * The config parser now logs a warning if you have a |/*| within a |/*| Fixes: * The whowasdb module caused |WHOWAS| entries to vanish (way too soon) * If your shell account only allowed very few file descriptors (eg: |ulimit -n| returned |150|), then UnrealIRCd would fail to boot. This, because due to reserved file descriptors you would have 0 left, or even a negative number. * Crash when running |SPAMFILTER| as an IRCOp when using UTF8 spamfilters. * Set blocks for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group> allow you to set a custom set::modes-on-connect <https://www.unrealircd.org/docs/Set_block#set::modes-on-connect> for a security group. However this setting happened too early, so security groups matching account names or 'identified' (when using SASL <https://www.unrealircd.org/docs/SASL>) were not working. * |+I ~operclass| was not working properly. * Removed confusing "Central blocklist too slow to respond" message when using soft bans <https://www.unrealircd.org/docs/Soft_ban> or a require authentication block <https://www.unrealircd.org/docs/Require_authentication_block>. You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-12-16 15:52:03
|
Hi everyone, UnrealIRCd 6.1.0 through 6.1.3 contain a bug which makes it possible for a websocket user to crash the IRC server. For the issue to trigger you need to have a listen block with websockets enabled. UnrealIRCd 6.1.4 has been released to fix this issue. However, *NIX users can also fix the issue without restart by using a "hot-patch". The hot-patch takes less than a minute to install and causes no downtime. If you just want to apply the hot-patch on *NIX without reading all of below, the command to run in your unrealircd directory is: ./unrealircd hot-patch websocket61xcrash The output should end with "Rehashed succesfully. Patch installed and server rehashed correctly. All should be good now!" This issue was assigned CVE-2023-50784. For the full story with all details, see below. Affected versions & configurations UnrealIRCd 6.1.0 through 6.1.3 have a buffer overflow issue in the websocket handling code. For the issue to trigger you need to have websockets enabled, which is popular but not present in the default/example configuration. Websockets are a nice feature to allow web chat directly from a browser to the IRC server without any intermediate gateways. If you are unsure if you have a listen block with websockets enabled, then search for "websocket" (without quotes) in your configuration file(s), such as unrealircd.conf. A websocket listen block looks like this in the config file: listen { ip *; port 8888; options { websocket { type text; }; tls; } } If you have such a listen block for websockets and are using UnrealIRCd 6.1.0 through 6.1.3 then you are affected by this bug. If you are using an older UnrealIRCd version or you have no listen block for websockets then you are not affected. Besides normal websocket connections, the websocket handling code is also reachable by trusted JSON-RPC hosts (such as the UnrealIRCd admin panel), but in that case only after authentication by an rpc-user { } block. That particular scenario is likely of little interest since authenticated rpc-users already have complete power over the ircd, they can already gline and kill everyone. It is only mentioned here for completeness. Triggering the bug Any user who can connect to the websocket port can trigger this bug. The bug can be triggered pre-authentication, so before the user is online on IRC. This means allow block { } restrictions and similar restrictions (including glines) will not protect you. Now that the patch is out we expect bad actors to read the patch, understand how to trigger the crash (which is relatively easy) and potentially crash IRC servers in the wild. Effects of this issue On all reasonably modern tested Linux distro's this issue is caught by "fortified functions", a security feature with which we compile by default since 2016, if the compiler supports this. Examples of tested safe distro's are Ubuntu 16.04/18.04/20.04/22.04 and Debian 9/10/11. When the bug is caught by fortified functions, the buffer overflow is prevented but it triggers a crash instead. When testing on FreeBSD and Windows, the overflow is not caught but the overflow seems to happen to other (harmless) buffers and there is no effect (no crash, nothing). For 99%+ of the affected servers that have websockets enabled, the effect is a crash or no effect. When using very old compilers, or a compiler other than gcc/clang, and/or possibly non-Linux, and/or unusual architectures, when fortified functions do not catch the issue and in the unfortunate event that buffers may have a different layout than during our tests we cannot 100% rule out more grave issues. Technically, the buffer overflow happens with a "static char" variable which is in the isolated data segment of the websocket_common module (.so file), making further exploitation beyond a crash unlikely. Again, in none of our tests anything beyond a crash was possible. Recommendations If you have websockets enabled and are using an affected version, then we recommend applying the hot-patch or upgrading to 6.1.4. The hot-patch will fix the issue without any downtime. To apply the hot-patch run the following command: ./unrealircd hot-patch websocket61xcrash The script should end with the output: "Rehashed succesfully. Patch installed and server rehashed correctly. All should be good now!" It is also safe to run the hot-patch command on unaffected UnrealIRCd versions, for example 6.0.7, in which case it will print "This UnrealIRCd version does not require that patch". If you prefer upgrading to 6.1.4 you can download latest UnrealIRCd version from www.unrealircd.org <http://www.unrealircd.org>. On versions 6.1.0 through 6.1.2.3 the hot-patch will fix the websocket crash issue. This is git commit b0e87dca <https://github.com/unrealircd/unrealircd/commit/b0e87dcafa75f8bced7a0b11dd335e9b7aa86334>. On version 6.1.3 the hot-patch will fix the websocket crash issue (commit b0e87dca <https://github.com/unrealircd/unrealircd/commit/b0e87dcafa75f8bced7a0b11dd335e9b7aa86334>) and also fix another issue that does not cause a crash but prevents websockets from working properly in Chrome and other browsers (fa84174d <https://github.com/unrealircd/unrealircd/commit/fa84174d22251fec428b17c0cd1ba2f6a7cbaf86>). These two changes are the same two changes between 6.1.3 and 6.1.4. Checking for the issue remotely You would have to check for 3 things and all 3 must be true: 1. A websocket port must be open 2. UnrealIRCd version must be 6.1.0 through 6.1.3 3. If you run "MODULE -all" on IRC (lots of output!) then look for the version number in the line for websocket_common. If it shows 6.1.4 then you are patched, any lower version means unpatched. It is important to point out that if any of the above is not true, then you are not vulnerable. For example when you run an old UnrealIRCd 6.0.x and MODULE -all outputs 6.0.0 for websocket_common then you are not affected. If you have command line access, then just run the hot-patch commands under RECOMMENDATIONS. Workaround While not the preferred method of dealing with this, just mentioning for completeness: If you don't want to patch and don't want to upgrade, a possible workaround is disabling any listen blocks for websockets. Cause of the bug For programmers and users who are curious how this happened. Websockets are a binary protocol so have completely different parsing than IRC. These packets can also be much longer than regular IRC protocol lines. This requires extreme caution when parsing messages. In the websocket parsing code, there are two functions: one does a length check to see if the packet is larger than the 1st buffer and then the secondary function did a memcpy without further length checks in a 2nd buffer. In UnrealIRCd 6.0.7 and earlier the length of the 1st buffer is less or equal to the 2nd buffer, which was intended, so any oversized packet is already rejected by the 1st function and this means the memcpy in the 2nd function is safe and there is no issue. However, a change in 6.1.0 - completely unrelated to websockets - made the 1st buffer much larger without changing the size of the 2nd buffer. The same buffer sizes (same defines) should have been used at both places, but we didn't. An additional factor of confusion is that we have defines for "READBUF_SIZE" and "READBUFSIZE" with different sizes. If the one without the underscore would be used, there would have been no issue. In the final patch we opted for using a different define, to match the exact name in both functions which is how it should have been done, but that is besides this point. The issue was not caught by our internal fuzzer because the fuzzer only dealt with a single websocket packet at a time. It did not try a multiple packets scenario (frame reassembly). After another bug was fixed (which had no security impact), the fuzzer was adjusted to also try multiple packets. When running the updated fuzzer, to verify the former issue was properly fixed, this new issue was triggered immediately. CVSS score Based on the crash scenario, the CVSS v3.1 base score is 7.5, temporal score 7.2, total score 7.2. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C Timeline 2023-12-13: Issue discovered internally after fixing a related issue in a different module, CVE requested 2023-12-14: CVE-2023-50784 assigned, sent out pre-announcement / heads up 2023-12-16: Release of hot-patch and UnrealIRCd 6.1.4 Reference This post (and any potential updates) is available at https://forums.unrealircd.org/viewtopic.php?t=9340 |
From: Bram M. <sy...@un...> - 2023-12-14 08:38:09
|
This is a 48+ hours heads up, so UnrealIRCd admins know they should be around to patch their server next Saturday: Internally we discovered a serious issue in UnrealIRCd. In a common configuration scenario, a regular user can cause UnrealIRCd to crash, which results in all users being disconnected from the server. This issue is present in all recent UnrealIRCd releases (the latest 6.1.3, but also older ones are affected). At the moment, the risk seems limited to a crash only, at least on all tested commonly used Linux variants. A fixed version, UnrealIRCd 6.1.4, will be released on _*Saturday, December 16, 2023, at 16:00 GMT *_At the same date/time we will also release a "hot patch" so *NIX users can fix the issue without restart. When the fix comes out next Saturday, we suggest admins on *NIX to apply the patch immediately (which is possible without downtime and only takes a minute) or to upgrade quickly to UnrealIRCd 6.1.4 (e.g. when on Windows or if you just feel like upgrading). This is also the reason for sending out this pre-announcement with an exact date and time. This way people can be "ready" and fix things immediately, minimizing the time for bad people potentially crashing IRC servers. Please understand that until the release at Saturday we cannot provide any further information. |
From: Bram M. <sy...@un...> - 2023-12-09 08:24:40
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, I'm happy to announce the release of UnrealIRCd 6.1.3 stable. The main focus of this release is adding countermeasures against large scale spam/drones. We do this by offering a central API which can be used for accessing Central Blocklist, Central Spamreport and Central Spamfilter. See the release notes below. Enhancements: * Central anti-spam services: o The services from below require a central-api key, which you can request here <https://www.unrealircd.org/central-api/>. o Central Blocklist <https://www.unrealircd.org/docs/Central_Blocklist> is an attempt to detect and block spammers. It works similar to DNS Blacklists but the central blocklist receives many more details about the user that is trying to connect and therefore can make a better decision on whether a user is likely a spammer. o Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> allows you to send spam reports (user details, last sent lines) via the |SPAMREPORT| command. This information may then be used to improve Central Blocklist <https://www.unrealircd.org/docs/Central_Blocklist> and/or Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>. o The Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>, which provides spamfilter { } blocks that are centrally managed, is now fetched from a different URL if you have an Central API key set. This way, we can later provide spamfilter { } blocks that build on central blocklist scoring functionality, and also so we don't have to reveal all the central spamfilter blocks to the world. * New option |auto| for set::hide-ban-reason <https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason>, which is now the default. This will hide the *LINE reason to other users if the *LINE reason contains the IP of the user, for example when it contains a DroneBL URL which has |lookup?ip=XXX|. This to protect the privacy of the user. Other possible settings are |no| (never hide, the previous default) and |yes| to always hide the *LINE reason. In all cases the user affected by the server ban can still see the reason and IRCOps too. * Make Deny channel <https://www.unrealircd.org/docs/Deny_channel_block> support escaped sequences like |channel "#xyz\*";| so you can match a literal |*| or |?| via |\*| and |\?|. * New option listen::options::websocket::allow-origin <https://www.unrealircd.org/docs/Listen_block#options_block_(optional)>: this allows to restrict websocket connections to a list of websites (the sites hosting the HTML/JS page that makes the websocket connection). It doesn't /securely/ restrict it though, non-browsers will bypass this restriction, but it can still be useful to restrict regular webchat users. * The Proxy block <https://www.unrealircd.org/docs/Proxy_block> already had support for reverse proxying with the |Forwarded| header. Now it also properly supports |X-Forwarded-For|. If you previously used a proxy block with type |web|, then you now need to choose one of the new types explicitly. Note that using a reverse proxy for IRC traffic is rare (see the proxy block docs for details), but we offer the option. Changes: * Reserve more file descriptors for internal use. For example, when there are 10,000 fd's are available we now reserve 250, and when 2048 are available we reserve 32. This so we have more fd's available to handle things like log files, do HTTPS callbacks to blacklists, etc. * Get rid of compiler check for modules vs core, this is mostly an issue when you are upgrading a system (eg. Linux distro) and it would previously make REHASHing impossible after such an upgrade. Though, if you are doing a major distro upgrade you can still be bitten by things like library removals such as major openssl upgrades. * Make |$client.details| in logs follow the ident rules for users in the handshake too, so use the |~| prefix if ident lookups are enabled and identd fails etc. * More validation for operclass names (a-zA-Z0-9_-) * Hits for central-blocklist are now broadcasted globally instead of staying on the same server. Fixes: * When using a trusted reverse proxy with the Proxy block <https://www.unrealircd.org/docs/Proxy_block>, under some circumstances it was possible for end-users to spoof IP's. * Crash issue when a module is reloaded (not unloaded) and that module no longer provides a particular moddata object, e.g. because it was renamed or no longer needed. This is rare, but did happen for one third party module recently. * The crash reporter was no longer able to submit reports. * Module manager <https://www.unrealircd.org/docs/Module_manager> fixes * For people running git versions, who did not use 'make clean', 3rd party modules were not always automatically recompiled, causing potential problems such as crashes. * Fix memory leak when unloading a module for good and that module provided ModData objects for "unknown users" (users still in the handshake). * Don't ask to generate TLS certificate if one already exists (issue introduced in 6.1.2). Developers and protocol: * New hooks: |HOOKTYPE_WATCH_ADD|, |HOOKTYPE_WATCH_DEL|, |HOOKTYPE_MONITOR_NOTIFICATION|. * The hook |HOOKTYPE_IS_HANDSHAKE_FINISHED| is now properly called at all places. * A new URL API <https://www.unrealircd.org/docs/Dev:URL_API> to easily fetch URLs from modules. You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-12-01 09:20:18
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The release candidate for 6.1.3 is now available. Help with testing this release would be greatly appreciated. Last time the 6.1.2-rc's were undertested, which resulted in needing several 6.1.2 fix releases (up to 6.1.2.3). If you find anything, you can report the bug at https://bugs.unrealircd.org<https://bugs.unrealircd.org>. The main focus of this release is adding countermeasures against large scale spam/drones. We do this by offering a central API which can be used for accessing Central Blocklist, Central Spamreport and Central Spamfilter. See the release notes below. Enhancements: * Central anti-spam services: o The services from below require a central-api key, which you can request here <https://www.unrealircd.org/central-api/>. o Central Blocklist <https://www.unrealircd.org/docs/Central_Blocklist> is an attempt to detect and block spammers. It works similar to DNS Blacklists but the central blocklist receives many more details about the user that is trying to connect and therefore can make a better decision on whether a user is likely a spammer. o Central Spamreport <https://www.unrealircd.org/docs/Central_spamreport> allows you to send spam reports (user details, last sent lines) via the |SPAMREPORT| command. This information may then be used to improve Central Blocklist <https://www.unrealircd.org/docs/Central_Blocklist> and/or Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>. o The Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter>, which provides spamfilter { } blocks that are centrally managed, is now fetched from a different URL if you have an Central API key set. This way, we can later provide spamfilter { } blocks that build on central blocklist scoring functionality, and also so we don't have to reveal all the central spamfilter blocks to the world. * New option |auto| for set::hide-ban-reason <https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason>, which is now the default. This will hide the *LINE reason to other users if the *LINE reason contains the IP of the user, for example when it contains a DroneBL URL which has |lookup?ip=XXX|. This to protect the privacy of the user. Other possible settings are |no| (never hide, the previous default) and |yes| to always hide the *LINE reason. In all cases the user affected by the server ban can still see the reason and IRCOps too. * Make Deny channel <https://www.unrealircd.org/docs/Deny_channel_block> support escaped sequences like |channel "#xyz\*";| so you can match a literal |*| or |?| via |\*| and |\?|. * New option listen::options::websocket::allow-origin <https://www.unrealircd.org/docs/Listen_block#options_block_(optional)>: this allows to restrict websocket connections to a list of websites (the sites hosting the HTML/JS page that makes the websocket connection). It doesn't /securely/ restrict it though, non-browsers will bypass this restriction, but it can still be useful to restrict regular webchat users. * The Proxy block <https://www.unrealircd.org/docs/Proxy_block> already had support for reverse proxying with the |Forwarded| header. Now it also properly supports |X-Forwarded-For|. If you previously used a proxy block with type |web|, then you now need to choose one of the new types explicitly. Note that using a reverse proxy for IRC traffic is rare (see the proxy block docs for details), but we offer the option. Changes: * Reserve more file descriptors for internal use. For example, when there are 10,000 fd's are available we now reserve 250, and when 2048 are available we reserve 32. This so we have more fd's available to handle things like log files, do HTTPS callbacks to blacklists, etc. * Get rid of compiler check for modules vs core, this is mostly an issue when you are upgrading a system (eg. Linux distro) and it would previously make REHASHing impossible after such an upgrade. Though, if you are doing a major distro upgrade you can still be bitten by things like library removals such as major openssl upgrades. * Make |$client.details| in logs follow the ident rules for users in the handshake too, so use the |~| prefix if ident lookups are enabled and identd fails etc. * More validation for operclass names (a-zA-Z0-9_-) * Hits for central-blocklist are now broadcasted globally instead of staying on the same server. Fixes: * Crash issue when a module is reloaded (not unloaded) and that module no longer provides a particular moddata object, e.g. because it was renamed or no longer needed. This is rare, but did happen for one third party module recently. * The crash reporter was no longer able to submit reports. * Module manager <https://www.unrealircd.org/docs/Module_manager> fixes * For people running git versions, who did not use 'make clean', 3rd party modules were not always automatically recompiled, causing potential problems such as crashes. * Fix memory leak when unloading a module for good and that module provided ModData objects for "unknown users" (users still in the handshake). * Don't ask to generate TLS certificate if one already exists (issue introduced in 6.1.2). Developers and protocol: * New hooks: |HOOKTYPE_WATCH_ADD|, |HOOKTYPE_WATCH_DEL|, |HOOKTYPE_MONITOR_NOTIFICATION|. * The hook |HOOKTYPE_IS_HANDSHAKE_FINISHED| is now properly called at all places. * A new URL API <https://www.unrealircd.org/docs/Dev:URL_API> to easily fetch URLs from modules. You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-10-13 07:07:24
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, Another dot release: UnrealIRCd 6.1.2.3. This dot release fixes a possible crash if you have parse errors in your conf and REHASH. Also, if you use UTF8 regexes in spamfilter { } blocks (which is a new feature in 6.1.2) then these were not working when booting the IRCd but they would work after a REHASH. The problem with this is that if you were happily adding UTF8 spamfilter blocks you could create an unbootable IRCd until you removed those spamfilter blocks. This is fixed now. Two changes are: fixing ::exclude-security-group which was not working and we now give DNSBL lookups some more time. If you are already on a previous 6.1.2.x then there may be little need to upgrade, though there is that potential crash when you typo your config file, like a missing ; or }. For new installations, we do recommend using 6.1.2.3 and not an older 6.1.2.x. The original UnrealIRCd 6.1.2 release notes are below: Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking. o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|. * The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IP's) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers. * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | * A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org| Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * Temporary high CPU usage (99%) under some conditions. * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. * A leading slash was silently stripped in config file items, when not in quotes. * |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-10-06 08:21:23
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, Another dot release: UnrealIRCd 6.1.2.2. I figured it would be best to get this out before more people upgrade over the weekend. The opt-in Central Spamfilter <https://www.unrealircd.org/docs/Central_Spamfilter> has its first rules deployed now which triggered a bug in tkldb accidentally storing these central spamfilters in db, causing duplicates to show up in "STATS spamfilter" after a restart. Also, now that there are more users using 6.1.2.x, we got reports of a crash while booting if you previously used spamfilters with non-UTF8 characters in them (this is pretty rare on most networks), and a possible crash with SETNAME when using the SPAMFILTER 'u' target. This dot release also adds a "REHASH -centralspamfilter" command. If you already upgraded to 6.1.2.1 from two days ago, then the tkldb issue and the crash bugs can also be hot-patched on *NIX without needing a restart, by running: ./unrealircd hot-patch 6121 That command fixes the crashbugs and tkldb issue but your version will stay visible as 6.1.2.1. For users of older versions (eg 6.1.1), you can upgrade to 6.1.2.x whenever you feel like it. Either by downloading the .tar.gz or by running: ./unrealircd upgrade The original UnrealIRCd 6.1.2 release notes are below: Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking. o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|. * The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IP's) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers. * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | * A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org| Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * Temporary high CPU usage (99%) under some conditions. * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. * A leading slash was silently stripped in config file items, when not in quotes. * |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-10-04 08:41:16
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, I'm happy to announce the release of UnrealIRCd 6.1.2.1 stable. This release focuses on adding spamfilter features but also contains various other new features and some fixes. This release is a little ahead of schedule because I had the impression that the Release Candidate(s) were not being tested much, so then there is no point in delaying the stable release anymore. UPDATE: And indeed, only after 6.1.2 stable release people started using it. A crash issue was found when using spamfilter::rule. So, a quick release again today to minimize the affected people by that issue. This 6.1.2.1 fixes that bug. Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking. o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|. * The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IP's) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers. * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | * A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org| Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * Temporary high CPU usage (99%) under some conditions. * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. * A leading slash was silently stripped in config file items, when not in quotes. * |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-10-04 05:37:02
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, I'm happy to announce the release of UnrealIRCd 6.1.2 stable. This release focuses on adding spamfilter features but also contains various other new features and some fixes. This release is a little ahead of schedule because I had the impression that the Release Candidate(s) were not being tested much, so then there is no point in delaying the stable release anymore. Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking. o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|. * The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IP's) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers. * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | * A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org| Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * Temporary high CPU usage (99%) under some conditions. * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. * A leading slash was silently stripped in config file items, when not in quotes. * |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-09-23 10:42:05
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The second release candidate for 6.1.2 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. If enough people help with testing, then hopefully we can release 6.1.2 in a month or so. This release mainly focuses on adding spamfilter features but also contains fixes and other new features. See the release notes below. Compared to -rc1, this -rc2 includes a feature which limits reputation score bumping for users not in any channels, supports reputation setting via the REPUTATION command, fixes a display issue when using ./unrealircd module upgrade, fixes an issue with unquoted leading slashes in the configuration file, add documentation for set::blacklist::recheck-time and extban ~flood, and updates example conf with new windows commands for mkpasswd/gencloak/spkifp. Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking. o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|. * The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IP's) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers. * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | * A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org| Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. * A leading slash was silently stripped in config file items, when not in quotes. * |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-09-08 16:44:15
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The release candidate for 6.1.2 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. This release mainly focuses on adding spamfilter features but also contains fixes and other new features. See the release notes below. Enhancements: * We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>. * security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements: o Add support for |channel "#xyz";| and |channel "@#need_ops_here";| o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";| * DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL. This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> * spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements: o Spamfilters now always run, even for users that are exempt via a except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count hits and hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hitcounts are exposed in |SPAMFILTER| and |STATS spamfilter|. o Optional items allowing more complex rules: + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit). + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit). o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected. o The |action| item now supports multiple actions: + A new action |stop| to stop other spamfilters from processing. + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or increasing the value of one. + A new action |report| to call a spamreport block, see next. * A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>: o This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit. * Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org. o This feature is not enabled default. Use |set { central-spamfilter { enabled yes; } }| to enable. o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while. o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged. o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set. * set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default: o This means you can safely use UTF8 characters in like |[]| in regex. o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o You can turn it off via: |set { spamfilter { utf8 no; } }| * Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now configure to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it. * You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } } | Changes: * We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option. * The argon2 parameters have been lowered a bit, this so the hashing speed is acceptable for our purposes. Fixes: * UnrealIRCd has watch away notification since 2008, this is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and then the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status, that bug has now been fixed. * On 32 bit architectures you can now use more than 32 channel modes. * Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group. Developers and protocol: * Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex). * Several API changes, like |place_host_ban| to |take_action| You can download UnrealIRCd from https://www.unrealircd.org/ |
From: Bram M. <sy...@un...> - 2023-07-07 13:13:00
|
This is a bit of an unusual post, as it is not an UnrealIRCd release. However, many IRC networks were hit by a wave of spam past few days. The spam uses this tool https://github.com/acidvegas/efknockr <https://github.com/acidvegas/efknockr> and the text ranges from simple phrases about SUPERNETS to ASCII art, colors, all kinds of stuff, being spammed in both channels and private message. What sets this spam aside is not so much the content or that it exists, but that it affects so many IRC networks. I have started a forum thread at https://forums.unrealircd.org/viewtopic.php?t=9318 with some tips that could possibly help and a new module. I myself have mostly been working on long-term solutions for spam and have not been involved much in combating this particular spam, but the forum thread is an invitation to discuss things by everyone. The current tips mentioned there are not a 100% solution at the moment but it should be a good start. If there are any major updates, like new tools or great tips, i will keep them on the forum and not post to this mailing list again, since this unreal-notify mailing list is meant to be low-volume and actually only for release announcements. Best regards, Bram -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-06-16 16:29:30
|
Hi everyone, Just a small note: i just released 6.1.1.1 to fix a small bug in 6.1.1 that is rather specific and probably only affects 1-2% of users, but still: If a WEBIRC gateway was on IPv6 and was introducing/spoofing an IPv4 user then the maxperip handling would be incorrect and would also cause a small memory leak. The same is the case for if the WEBIRC gateway was on IPv4 and it was introducing/spoofing an IPv6 user. I decided to release a 6.1.1.1 immediately so new installations from this point won't be affected by this bug. Of the 100 people who downloaded 6.1.1 already only 1 complained. The bug is very visible with a BUG_DECREASE_IPUSERS_BUCKET IRCOp notice when affected user(s) quit so it is hard to miss. My advice: if you already installed 6.1.1 then only upgrade from 6.1.1 to 6.1.1.1 if this issue really affects you. Otherwise, don't bother. The original 6.1.1 announcement is below: I'm happy to announce the release of UnrealIRCd 6.1.1 stable. This release comes with various bug fixes and performance improvements, especially for channels with thousands of users. It also has more options to override settings per security group, for example if you want to give trusted users or bots more rights or higher flood rates than regular users. All these options are now in a single Special users <https://www.unrealircd.org/docs/Special_users> article on the wiki. Other notable features are showing better connection errors to SSL/TLS users and a new proxy { } block for websocket reverse proxies. See the full release notes below. As usual on *NIX you can upgrade easily with the command: ./unrealircd upgrade Reminder: UnrealIRCd 5 is no longer supported <https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. Admins should upgrade to UnrealIRCd 6. Enhancements: Enhancements: * Two new features that are conditionally on: o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations. o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be: |except ban { mask *.irccloud.com; type { maxperip; connect-flood; } }| o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally. * It is now possible to override some set settings <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group> per-security group by having a set block with a name, like set unknown-users { } o You could use this to set more limitations for unknown-users: |set unknown-users { max-channels-per-user 5; static-quit "Quit"; static-part yes; } | o Or to set higher values (higher than the normal set block) for trusted users: |security-group trusted-bots { account { BotOne; BotTwo; } } set trusted-bots { max-channels-per-user 25; }| o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part. o See also Special users <https://www.unrealircd.org/docs/Special_users> in the documentation for applying settings to a security groups. * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when: o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy) o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now. * New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly. o This is not a useful feature on hubs, as they don't have clients. o It can be useful on client servers, if you |autoconnect| to your hub. o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start. * JSON-RPC: o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC. Changes: * set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex. * You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours). * Some small DNS performance improvements: o We now 'negatively cache' unresolved hosts for 60 seconds. o The maximum number of cached records (positive and negative) was raised to 4096. o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|. * Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet. * We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels. * Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin. * Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view. * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|. * Update shipped libraries: c-ares to 1.19.1 Fixes: * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library. * Crash when removing a |listen { }| block for websocket or rpc (or changin the port number) * When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections. * The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked of one side of the link, thus partially not working. Removed: * set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins. Developers and protocol: * Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well. * In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-06-14 07:57:16
|
Hi everyone, I'm happy to announce the release of UnrealIRCd 6.1.1 stable. This release comes with various bug fixes and performance improvements, especially for channels with thousands of users. It also has more options to override settings per security group, for example if you want to give trusted users or bots more rights or higher flood rates than regular users. All these options are now in a single Special users <https://www.unrealircd.org/docs/Special_users> article on the wiki. Other notable features are showing better connection errors to SSL/TLS users and a new proxy { } block for websocket reverse proxies. See the full release notes below. As usual on *NIX you can upgrade easily with the command: ./unrealircd upgrade Reminder: UnrealIRCd 5 is no longer supported <https://www.unrealircd.org/docs/UnrealIRCd_5_EOL> after July 1, 2023. Admins should upgrade to UnrealIRCd 6. Enhancements: Enhancements: * Two new features that are conditionally on: o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations. o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be: |except ban { mask *.irccloud.com; type { maxperip; connect-flood; } }| o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally. * It is now possible to override some set settings <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group> per-security group by having a set block with a name, like set unknown-users { } o You could use this to set more limitations for unknown-users: |set unknown-users { max-channels-per-user 5; static-quit "Quit"; static-part yes; } | o Or to set higher values (higher than the normal set block) for trusted users: |security-group trusted-bots { account { BotOne; BotTwo; } } set trusted-bots { max-channels-per-user 25; }| o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part. o See also Special users <https://www.unrealircd.org/docs/Special_users> in the documentation for applying settings to a security groups. * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when: o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy) o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now. * New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly. o This is not a useful feature on hubs, as they don't have clients. o It can be useful on client servers, if you |autoconnect| to your hub. o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start. * JSON-RPC: o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC. Changes: * set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex. * You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours). * Some small DNS performance improvements: o We now 'negatively cache' unresolved hosts for 60 seconds. o The maximum number of cached records (positive and negative) was raised to 4096. o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|. * Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet. * We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels. * Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin. * Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view. * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|. * Update shipped libraries: c-ares to 1.19.1 Fixes: * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library. * Crash when removing a |listen { }| block for websocket or rpc (or changin the port number) * When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections. * The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked of one side of the link, thus partially not working. Removed: * set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins. Developers and protocol: * Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well. * In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-05-31 06:49:30
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The release candidate for 6.1.1 is now available for testing. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. Also some new documentation that is worth mentioning: sometimes you want to give trusted users/bots more rights than others but you don't want to make them IRCOp, the new Special users <https://www.unrealircd.org/docs/Special_users> article explains how. Enhancements: * Two new features that are conditionally on: o SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations. o DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions. A good example for IRCCloud would be: |except ban { mask *.irccloud.com; type { maxperip; connect-flood; } } | o Both features are temporarily disabled whenever a high rate of connection attempts <https://www.unrealircd.org/docs/FAQ#hi-conn-rate> is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally. * It is now possible to override some set settings per-security group by having a set block with a name, like |set unknown-users { }| o You could use this to set more limitations for unknown-users: |set unknown-users { max-channels-per-user 5; static-quit "Quit"; static-part yes; } | o Or to set higher values (higher than the normal set block) for trusted users: |security-group trusted-bots { account { BotOne; BotTwo; } } set trusted-bots { max-channels-per-user 25; } | o Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part. * New |proxy { }| block <https://www.unrealircd.org/docs/Proxy_block> that can be used for spoofing IP addresses when: o Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy) o WEBIRC/CGI:IRC gateways. This will replace the old |webirc { }| block in the future, though the old one will still work for now. * New setting set::handshake-boot-delay <https://www.unrealircd.org/docs/Set_block#set%3A%3Ahandshake-boot-delay> which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly. o This is not a useful feature on hubs, as they don't have clients. o It can be useful on client servers, if you |autoconnect| to your hub. o If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low |retrywait| in your anope conf (or similar services package) of like |5s| instead of the default |60s|. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start. * JSON-RPC: o New call |log.list| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.list> to fetch past 1000 log entries. This functionality is only loaded if you include |rpc.modules.default.conf|, so not wasting any memory on servers that are not used for JSON-RPC. Changes: * set::topic-setter <https://www.unrealircd.org/docs/Set_block#set::topic-setter> and set::ban-setter <https://www.unrealircd.org/docs/Set_block#set::ban-setter> are now by default set to |nick-user-host| instead of |nick|, so you can see the full nick!user@host of who set the topic/ban/exempt/invex. * You can no longer (accidentally) load an old |modules.default.conf|. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc. Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours). * Some small DNS performance improvements: o We now 'negatively cache' unresolved hosts for 60 seconds. o The maximum number of cached records (positive and negative) was raised to 4096. o We no longer use "search domains" to avoid silly lookups for like |4.3.2.1.dnsbl.dronebl.org.mydomain.org|. * Data buffer chunks bumped from 512 bytes to ~4K. This results in less write calls (lower CPU usage) and more data per TCP/IP packet. * We now cache sending of lines in |sendto_channel| via a new "LineCache" system. It saves CPU on (very) large channels. * Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin. * Blacklist hits are now logged globally. This means they show up in snomask |B|, are logged, and show up in the webpanel "Logs" view. * The event |REMOTE_CLIENT_JOIN| was mass-triggered when servers were syncing. They are now hidden, like |REMOTE_CLIENT_CONNECT|. * Update shipped libraries: c-ares to 1.19.1 Fixes: * Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library. * Crash when removing a |listen { }| block for websocket or rpc (or changin the port number) * When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections. * The |require module| block <https://www.unrealircd.org/docs/Require_module_block> was only checked of one side of the link, thus partially not working. Removed: * set::maxbanlength <https://www.unrealircd.org/docs/Set_block#set::maxbanlength> has been removed as it was not deemed useful and only confusing to users and admins. Developers and protocol: * Server to server lines can now be 16384 bytes in size when |PROTOCTL BIGLINES| is set. This will allow us to do things more efficiently and possibly raise some other limits in the future. This 16k is the size of the complete line, including sender, message tags, content and \r\n. Also, in server-to-server traffic we now allow 30 parameters (MAXPARA*2). The original input size limits for non-servers remain the same: the complete line can be 4k+512, with the non-mtag portion limit set at 512 bytes (including \r\n), and MAXPARA is still 15 as well. * In command handlers, individual |parv[]| elements can be 510 bytes max, even if they add up like parv[1] and parv[2] both being 510 bytes each. If you need more than that, then you need to set the flag |CMD_BIGLINES| in |CommandAdd()|, then an individual parameter can be near ~16k. This is so, because a lot of the code does not expect parameters bigger than 512 bytes (but can still handle the total of parameters being greater than 512). The new flag allows gradually opting in commands to allow bigger parameters, after such code has been checked and modified to handle it. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-05-05 05:37:37
|
Hi everyone, I'm happy to announce the release of UnrealIRCd 6.1.0 stable. This is the direct successor to 6.0.7, there will be no 6.0.8. This release contains several channel mode |+f| enhancements and introduces a new channel mode |+F| which works with flood profiles like |+F normal| and |+F strict|. It is much easier for users than the scary looking mode +f. UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is used by the UnrealIRCd admin panel <https://www.unrealircd.org/docs/UnrealIRCd_webpanel>. Live streaming of logs has been added and the webpanel now communicates to UnrealIRCd which web user issued a command (eg: who issued a kill, who changed a channel mode, ..). Other improvements are whowasdb (persistent WHOWAS history) and a new guide on running a Tor Onion service <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd>. The release also fixes a crash bug related to remote includes and fixes multiple memory leaks. See the full release notes below. As usual on *NIX you can upgrade easily with the command: ./unrealircd upgrade Enhancements: * Channel flood protection improvements: o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|. + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15| + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>. + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|. o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|. o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users). o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|. o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as effortless as possible, with as little false positives as possible. + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods. o All these features only work properly if all servers are on 6.1.0-rc1 or later. * New module |whowasdb| (persistent |WHOWAS| history): this saves the WHOWAS history on disk periodically and when we terminate, so next server boot still has the WHOWAS history. This module is currently not loaded by default. * New option listen::spoof-ip <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid when using UNIX domain sockets (so listen::file). This way you can override the IP address that users come online with when they use the socket (default was and still is |127.0.0.1|). * Add a new guide Running Tor Onion service with UnrealIRCd <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd> which uses the new listen::spoof-ip and optionally requires a services account. * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows: + The issuer, such as the user logged in to the admin panel (if known) + The parameters of the request o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls. o New JSON-RPC methods |log.subscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and |log.unsubscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe> to allow real-time streaming of JSON log events <https://www.unrealircd.org/docs/JSON_logging>. o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indiciate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging. o New JSON-RPC methods |rpc.add_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and |rpc.del_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec. o New JSON-RPC method |whowas.get| <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to fetch WHOWAS history. o Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging. * A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>. Changes: * The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions. * The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;| * The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>. * We now only exempt |127.0.0.1| and |::1| from banning by default (hardcoded in the source). Previously we exempted whole |127.*| but that gets in the way if you want to allow Tor with a require authentication <https://www.unrealircd.org/docs/Require_authentication_block> block or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so its not affected by the default exemption. Fixes: * Crash if there is a parse error in an included file and there are other remote included files still being downloaded. * Memory leak in WHOWAS * Memory leak when connecting to a TLS server fails * Workaround a bug in some websocket implementations where the WSOP_PONG frame is unmasked (now permitted). Developers and protocol: * The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile. * New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood. * JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly. * Message tag |unrealircd.org/issued-by|, sent to IRCOps only. See docs <https://www.unrealircd.org/issued-by>. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-04-15 12:27:36
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The second release candidate for 6.1.0 is now available for testing. Thanks to everyone for testing the -rc1! UnrealIRCd 6.1.0-rc2 should be the last release candidate before stable 6.1.0 release in May, 2023. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. This release contains channel mode +f enhancements and introduces a new channel mode +F which should be much easier for users than the scary looking +f. Compared to 6.1.0-rc1, this 6.1.0-rc2 contains: some minor +F fixes if setting a default profile, optional persistent whowas history (whowasdb), lots of JSON-RPC improvements and new API methods, HELPOP updates, fixes for streaming logs over websockets, fixes a memory leak and there is a ban exemption change and a new Tor guide. Enhancements: * Channel flood protection improvements: o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|. + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15| + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>. + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|. o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|. o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users). o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|. o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as efortless as possible, with as little false positives as possible. + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods. o All these features only work properly if all servers are on 6.1.0-rc1 or later. * New module |whowasdb| (persistent |WHOWAS| history): this saves the WHOWAS history on disk periodically and when we terminate, so next server boot still has the WHOWAS history. This module is currently not loaded by default. * New option listen::spoof-ip <https://www.unrealircd.org/docs/Listen_block#spoof-ip>, only valid when using UNIX domain sockets (so listen::file). This way you can override the IP address that users come online with when they use the socket (default was and still is |127.0.0.1|). * Add a new guide Running Tor Onion service with UnrealIRCd <https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd> which uses the new listen::spoof-ip and optionally requires a services account. * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows: + The issuer, such as the user logged in to the admin panel (if known) + The parameters of the request o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls. o New JSON-RPC methods |log.subscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe> and |log.unsubscribe| <https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe> to allow real-time streaming of JSON log events <https://www.unrealircd.org/docs/JSON_logging>. o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indiciate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging. o New JSON-RPC methods |rpc.add_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer> and |rpc.del_timer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer> so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec. o New JSON-RPC method |whowas.get| <https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get> to fetch WHOWAS history. o Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging. * A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>. Changes: * The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions. * The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;| * The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>. * We now only exempt |127.0.0.1| and |::1| from banning by default (hardcoded in the source). Previously we exempted whole |127.*| but that gets in the way if you want to allow Tor with a require authentication <https://www.unrealircd.org/docs/Require_authentication_block> block or soft-ban. Now you can just tell Tor to bind to |127.0.0.2| so its not affected by the default exemption. Fixes: * Memory leak in WHOWAS * Workaround a bug in some websocket implementations where the WSOP_PONG frame is unmasked (now permitted). Developers and protocol: * The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile. * New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood. * JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-04-07 14:20:03
|
(You can unsubscribe from this list here <https://sourceforge.net/projects/unreal/lists/unreal-notify/unsubscribe>) Hi everyone, The first release candidate for 6.1.0 is now available for testing. This release contains channel mode +f enhancements and introduces a new channel mode +F which should be much easier for users than the scary looking +f. You can help us by testing and reporting any issues at https://bugs.unrealircd.org/ <https://bugs.unrealircd.org/>. The stable 6.1.0 release is scheduled for May, 2023. Enhancements: * Channel flood protection improvements: o New channel mode |+F| <https://www.unrealircd.org/docs/Channel_anti-flood_settings> (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an |+f| mode. This so end-users can simply choose an |+F| profile without having to learn the complex channel mode |+f|. + For example |+F normal| effectively results in |[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15| + Multiple profiles are available and changing them is possible, see the documentation <https://www.unrealircd.org/docs/Channel_anti-flood_settings>. + Any settings in mode |+f| will override the ones of the |+F| profile. To see the effective flood settings, use |MODE #channel F|. o You can optionally set a default profile via set::anti-flood::channel::default-profile <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile>. This profile is used if the channel is |-F|. If the user does not want channel flood protection then they have to use an explicit |+F off|. o When channel mode |+f| or |+F| detect that a flood is caused by >75% of "unknown-users" <https://www.unrealircd.org/docs/Security-group_block>, the server will now set a temporary ban on |~security-group:unknown-users|. It will still set |+i| and other modes if the flood keeps on going (eg. is caused by known-users). o Forced nick changes (eg. by NickServ) are no longer counted in nick flood for channel mode |+f|/|+F|. o When a server splits on the network, we now temporarily disable +f/+F join-flood protection for 75 seconds (set::anti-flood::channel::split-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an +f/+F join-flood and channels ending up being |+i| and such. That is not good because we want +f/+F to be as efortless as possible, with as little false positives as possible. + If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to |0|. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger +f/+F join floods. o All these features only work properly if all servers are on 6.1.0-rc1 or later. * JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC>: o Logging of JSON-RPC requests (eg. via snomask |+R|) has been improved, it now shows: + The issuer, such as the user logged in to the admin panel (if known) + The parameters of the request o The JSON-RPC calls |channel.list| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list>, |channel.get| <https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get>, |user.list| <https://www.unrealircd.org/docs/JSON-RPC:User#user.list> and |user.get| <https://www.unrealircd.org/docs/JSON-RPC:User#user.get> now support an optional argument |object_detail_level| which specifies how detailed the Channel <https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel> and User <https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object> response object will be. Especially useful if you don't need all the details in the list calls. o New JSON-RPC method |rpc.set_issuer| <https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer> to indiciate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging. * A new message tag |unrealircd.org/issued-by| which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See docs <https://www.unrealircd.org/issued-by>. Changes: * The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like |modules.list|. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> instructions. * The blacklist-module <https://www.unrealircd.org/docs/Blacklist-module_directive> directive now accepts wildcards, eg |blacklist-module rpc/*;| * The setting set::modef-boot-delay has been moved to set::anti-flood::channel::boot-delay <https://www.unrealircd.org/docs/Channel_anti-flood_settings#config>. Developers and protocol: * The |cmode.free_param| definition changed. It now has an extra argument |int soft| and for return value you will normally |return 0| here. You can |return 1| if you resist freeing, which is rare and only used by |+F| with set::anti-flood::channel::default-profile. * New |cmode.flood_type_action| which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, eg |cmode.flood_type_action = 'j';| for joinflood. * JSON-RPC supports UNIX domain sockets <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket> for making RPC calls. If this is used, we now split on |\n| (newline) so multiple parallel requests can be handled properly. You can download UnrealIRCd from https://www.unrealircd.org/ -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-04-05 18:04:26
|
Hi everyone, This is a friendly reminder that UnrealIRCd 5 will be End Of Life after _July 1, 2023_. After that date, it will be completely unmaintained and won't even get security fixes anymore. *The end of UnreaIRCd 5* UnrealIRCd 5.0.0 was released on Dec 13, 2019, so this will conclude the end of 3,5 years of UnrealIRCd 5. The first announcement about the EOL date was in October 2021. For full details and the timeline, see https://www.unrealircd.org/docs/UnrealIRCd_5_EOL. We are also listed at this great website for keeping track of EOL dates: https://endoflife.date/unrealircd *Are you still using UnrealIRCd 5?* We recommend anyone running UnrealIRCd 5 (or older) to upgrade to UnrealIRCd 6.0.7. UnrealIRCd 6 has proven to be stable and has lots of useful features. Two weeks ago UnrealIRCd 6.0.7 was released and it has been downloaded 300 times already. If you have no idea what's new, then check out https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6 If you are upgrading from UnrealIRCd 5 to UnrealIRCd 6, then you will find the following article helpful: https://www.unrealircd.org/docs/Upgrading_from_5.x Best regards, Bram Matthys (Syzop) -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-03-24 12:50:31
|
UnrealIRCd 6.0.7 makes WHOWAS show more information to IRCOps and adds an experimental spamfilter feature. It also contains other enhancements and quite a number of bug fixes. One notable change is that on linking of anope or atheme, every server will now check if they have ulines { } for that services server, since it's a common mistake to forget this, leading to desyncs or other weird problems. As a reminder, since previous release the UnrealIRCd Administration Webpanel <https://github.com/unrealircd/unrealircd-webpanel/> is very much usable. It allows admins to view the users/channels/servers lists, view detailed information on users and channels, manage server bans and spamfilters, all from a web browser. You can download UnrealIRCd from unrealircd.org <https://unrealircd.org/>, and on *NIX you can easily upgrade with |./unrealircd upgrade| Enhancements: * Spamfilter <https://www.unrealircd.org/docs/Spamfilter> can now be made UTF8-aware: o This is experimental, to enable: |set { spamfilter { utf8 yes; } }| o Case insensitive matches will then work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|. o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure. o As a consequence of this we require PCRE2 10.36 or newer. If your system PCRE2 is older, then the UnrealIRCd-shipped-library version will be compiled and |./Config| may take a little longer than usual. * |WHOWAS| now shows IP address and account information to IRCOps * Allow services to send a couple of protocol messages in the unregistered / SASL stage. These are: |CHGHOST|, |CHGIDENT| and |SREPLY| o This allows services to set the vhost on a user during SASL, so the user receives the vhost straight from the start, before all the auto-joining/re-rejoining of channels. o Future anope/atheme/etc services will presumably support this. * WebSocket <https://www.unrealircd.org/docs/WebSocket_support> status is now synced over the network and an extra default security group <https://www.unrealircd.org/docs/Security-group_block> |websocket-users| has been added. Similarly there is now security-group::websocket and security-group::exclude-websocket item. Same for mask items <https://www.unrealircd.org/docs/Mask_item> such as in set::restrict-commands::command::except <https://www.unrealircd.org/docs/Restrict_commands>. * Support for IRCv3 Standard Replies <https://ircv3.net/specs/extensions/standard-replies>. Right now nothing fancy yet, other than us sending |ACCOUNT_REQUIRED_TO_CONNECT| from the authprompt module when a user is soft-banned <https://www.unrealircd.org/docs/Soft_ban>. * Add support for sending IRCv3 Standard Replies intra-server, eg from services (|SREPLY| server-to-server command) * Support |NO_COLOR| environment variable, as per no-color.org <https://no-color.org>. Changes: * We now verify that all servers have ulines { } <https://www.unrealircd.org/docs/Ulines_block> for Anope and Atheme servers and reject the link if this is not the case. * The |FLOOD_BLOCKED| log message now shows the target of the flood for |target-flood-user| and |target-flood-channel|. * When an IRCOp sets |+H| to hide ircop status, only the swhois items that were added through oper will be hidden (and not the ones added by eg. vhost). Previously all were hidden. * Update shipped libraries: c-ares to 1.19.0, Jansson to 2.14, PCRE2 to 10.42, and on Windows LibreSSL to 3.6.2 and cURL to 8.0.1. Fixes: * Crash if a third party module is loaded which allows very large message tags (e.g. has no length check) * Crash if an IRCOp uses |unrealircd.org/json-log| <https://www.unrealircd.org/docs/JSON_logging#Enabling_on_IRC> on IRC and during |REHASH| some module sends log output during MOD_INIT (eg. with some 3rd party modules) * Crash when parsing deny link block <https://www.unrealircd.org/docs/Deny_link_block> * The Module manager <https://www.unrealircd.org/docs/Module_manager> now works on FreeBSD and similar. * In |LUSERS| the "unknown connection(s)" count was wrong. This was just a harmless counting error with no other effects. * Silence warnings on Clang 15+ (eg. Ubuntu 23.04) * Don't download |GeoIP.dat| if you have |blacklist-module geoip_classic;| <https://www.unrealircd.org/docs/Blacklist-module_directive> * Channel mode |+S| stripping too much on incorrect color codes. * Make |@if module-loaded()| <https://www.unrealircd.org/docs/Defines_and_conditional_config> work correctly for modules that are about to be unloaded during REHASH. * Some missing notices if remotely REHASHing a server, and one duplicate line. * Check invalid host setting in oper::vhost, just like we already have in vhost::vhost. -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |
From: Bram M. <sy...@un...> - 2023-02-03 06:22:04
|
I'm happy to announce UnrealIRCd 6.0.6. The main objective of this release is to enhance the new JSON-RPC functionality. In 6.0.5 we made a start and in 6.0.6 it is expanded a lot, plus some important bugs were fixed in it. Thanks everyone who has been testing the functionality! The new UnrealIRCd Administration Webpanel <https://github.com/unrealircd/unrealircd-webpanel/> (which uses JSON-RPC) is very much usable now. It allows admins to view the users/channels/servers lists, view detailed information on users and channels, manage server bans and spamfilters, all from the browser. Both the JSON-RPC API and the webpanel are work in progress. They will improve and expand with more features over time. If you are already using UnrealIRCd 6.0.5 and you are NOT interested in JSON-RPC or the webpanel then there is NO reason to upgrade to 6.0.6. As usual, you can download UnrealIRCd from unrealircd.org <https://unrealircd.org/>, and on *NIX you can easily upgrade with |./unrealircd upgrade| Enhancements: * The JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> API for UnrealIRCd has been expanded a lot. From 12 API methods to 42: |stats.get|, |rpc.info|, |user.part|, |user.join|, |user.quit|, |user.kill|, |user.set_oper|, |user.set_snomask|, |user.set_mode|, |user.set_vhost|, |user.set_realname|, |user.set_username|, |user.set_nick|, |user.get|, |user.list|, |server.module_list|, |server.disconnect|, |server.connect|, |server.rehash|, |server.get|, |server.list|, |channel.kick|, |channel.set_topic|, |channel.set_mode|, |channel.get|, |channel.list|, |server_ban.add|, |server_ban.del|, |server_ban.get|, |server_ban.list|, |server_ban_exception.add|, |server_ban_exception.del|, |server_ban_exception.get|, |server_ban_exception.list|, |name_ban.add|, |name_ban.del|, |name_ban.get|, |name_ban.list|, |spamfilter.add|, |spamfilter.del|, |spamfilter.get|, |spamfilter.list|. o Server admins can read the JSON-RPC <https://www.unrealircd.org/docs/JSON-RPC> documentation on how to get started. For developers, see the Technical documentation <https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation> for all info on the different RPC calls and the protocol. o Some functionality requires all servers to be on 6.0.6 or later. o Some functionality requires all servers to include |rpc.modules.default.conf| instead of only the single server that the webpanel interfaces with through JSON-RPC. When all servers have that file included then the API call |server.module_list| can work for remote servers, and the API call |server.rehash| for remote servers can return the actual rehash result and a full log of the rehash process. It is not used for any other API call at the moment, but in the future more API calls may need this functionality because it allows us to do things that are otherwise impossible or very hard. o Known issue: logging of RPC actions needs to be improved. For some API calls, like adding of server bans and spamfilters, this already works, but in other API calls it is not clearly logged yet "who did what". Changes: * Previously some server protocol commands could only be used by services, commands such as |SVSJOIN| and |SVSPART|. We now allow SVS* command to be used by any servers, so the JSON-RPC API can use them. There's a new option set::limit-svscmds <https://www.unrealircd.org/docs/Set_block#set::limit-svscmds> so one can revert back to the original situation, if needed. * All JSON-RPC calls that don't change anything, such as |user.list| are now logged in the |rpc.debug| facility. Any call that changes anything like |user.join| or |spamfilter.add| is logged via |rpc.info|. This because JSON-RPC calls can be quite noisy and logging the read-only calls is generally not so interesting. Fixes: * When using JSON-RPC with UnrealIRCd 6.0.5 it would often crash * Fix parsing services version (anope) in |EAUTH|. Developers and protocol: * A new |RRPC| server to server command to handle RPC-over-IRC. This way the JSON-RPC user, like the admin panel, can interface with a remote server. If you are writing an RPC handler, then the remote RPC request does not look much different than a local one, so you can just process it as usual. See the code for |server.rehash| or |server.module_list| for an example (src/modules/rpc/server.c). -- Bram Matthys Security and software eng...@vu... Website:www.vulnscan.org PGP key:www.vulnscan.org/pubkey.asc PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6 |