Difference between revisions of "ChannelSecurity"

From Chat4AllFAQ
m (Knock: Added info about +K)
(Invite Exceptions)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
[[Category:EN]]
 
There are several ways on locking down your channel to restrict access. This article deals with several suggestions to make your channel less prone to attacks by malicious users.  
 
There are several ways on locking down your channel to restrict access. This article deals with several suggestions to make your channel less prone to attacks by malicious users.  
  
Line 84: Line 85:
 
===Cons===
 
===Cons===
 
* An invite evades bans (if you invite a user that otherwise wouldn't be allowed to enter because of a +b channel-mode ban, he'll be allowed to enter.)
 
* An invite evades bans (if you invite a user that otherwise wouldn't be allowed to enter because of a +b channel-mode ban, he'll be allowed to enter.)
 +
 +
==Invite Exceptions==
 +
You can use channel mode +I to create "Invite Exceptions".  These work exactly like [[Ban|bans]] (+b) and [[Ban#Ban_Exceptions|ban exceptions]] (+e) , only they will allow matching hostmasks to bypass the need for an /invite to join the channel. Please note that there is 'not' a way to save these via ChanServ like how bans have the '/chanserv akick', so when the channel is destroyed (when the last person leaves), all invite exceptions will be 'removed'.
 +
 +
Registered channels, however, can request '''ChannelKeeper''' added to a channel to retain all +I entries.
 +
 +
To just add a nick:
 +
 +
  /mode #myStaffChannel +I StaffMember!*@*
 +
 +
This however leaves the possibility open to a regular member changing their name and joining that way. A better approach would be:
 +
 +
  /mode #myStaffChannel +I StaffMember!*@I.Am.Staff
 +
 +
where I.Am.Staff is either their hostmask (provided the user's IP does not change) for [[VHost|virtual host]]. If using their hostmask, but their IP is dynamic, you may want to employ this method:
 +
 +
  /mode #myStaffChannel +I StaffMember!*ident*@*.their.isp.here
 +
 +
such that they will only be allowed in if their nick is StaffMember, they have a consistent ident as listed in the mask, and they are coming from the same ISP region all the time.
 +
 +
 +
===Pros===
 +
* You have a server side list of who is and isn't allowed to enter your channel without an /invite
 +
* People matching +I masks can just join without having to /knock or be /invite-d
 +
===Cons===
 +
* There is no method of persistent storage of the +I list in the event the channel gets destroyed
  
 
==Unregistered channels==
 
==Unregistered channels==
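Review bot: The added Invite Exceptions section contradicts itself on persistence. The first paragraph says there is 'not' a way to save +I entries and the Cons bullet says there is "no method of persistent storage", yet the next paragraph says registered channels can request ChannelKeeper to retain all +I entries. Scope the Cons bullet to channels without ChannelKeeper, or move it under the unregistered-channel cons. In the same hunk, "is either their hostmask (...) for [[VHost|virtual host]]" reads as a typo for "or their [[VHost|virtual host]]", there is a stray space before the comma in "(+e) , only", and 'not' / 'removed' use single quotes where wiki emphasis markup was probably intended.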
Line 199: Line 226:
 
By default, on a newly created channel, this is set to level -2, allowing everyone to be on the channel, unless they have a userlevel of -2 or lower.
 
By default, on a newly created channel, this is set to level -2, allowing everyone to be on the channel, unless they have a userlevel of -2 or lower.
  
However, when you enable RESTRICTED, it will automatically be changed to 0, thus disallowing everyone who is NOT on the access level with a level of 1 or higher.<br />
+
However, when you enable RESTRICTED, it will automatically be changed to 0, thus disallowing everyone who is NOT on the access list with a level of 1 or higher.<br />
 
You can still change this back manually to -2 after you've set RESTRICTED ON with:
 
You can still change this back manually to -2 after you've set RESTRICTED ON with:
 
   /CHANSERV LEVELS #channel SET NOJOIN -2
 
   /CHANSERV LEVELS #channel SET NOJOIN -2

Latest revision as of 20:26, 7 August 2012

There are several ways to lock down your channel to restrict access. This article deals with several suggestions to make your channel less prone to attacks by malicious users.

However, please note that the best way to make sure your regulars are least affected by malicious users is still to have enough active, trustworthy operators in your channel.

Secret channel

The simplest (and perhaps least effective) way to prevent random users from entering your channel is to make your channel secret:

 /MODE #channel +s

For instance if you want to make your channel #ourSecretHideout secret, you issue:

 /MODE #ourSecretHideout +s

This will hide the channel from the channel /LIST and from the /WHO and /WHOIS outputs on users (unless you share that channel with them).

Pros

  • Can be used on unregistered channels
  • Very simple to set
  • Prevents random users from knowing about your channel through the channel /LIST, /WHO or /WHOIS commands.

Cons

  • If someone mentions your channel name in a different channel, malicious users might find out about the channel as well.
  • You may not get new users as easily, since people with similar interests can't discover the channel through /LIST
  • Mode will be lost when channel is destroyed (for instance when no-one is in the channel anymore). This can be circumvented though for registered channels by adding the +s mode to the channel's ChanServ MLOCK setting.

Channel Key

One of the more naive ways to restrict access to a public channel is to set a channel key:

 /MODE #channel +k key

For instance, to require people to enter the channel key 'mySecretKey' on the channel #ourStaffChannel, you'd have to use this command:

 /MODE #ourStaffChannel +k mySecretKey

If people then want to join the channel, they have to specify the key in the join command:

 /JOIN #channel key

For instance, to join our example room:

 /JOIN #ourStaffChannel mySecretKey

Pros

  • Can be used on unregistered channels
  • Very simple to set
  • Prevents random users from entering your channel when they see it in the channel /LIST.

Cons

  • Mode will be lost when channel is destroyed (for instance when no-one is in the channel anymore). This can be circumvented though for registered channels by adding the key mode to the channel's ChanServ MLOCK setting.
  • First user to enter will not need the channel key to enter, since the channel effectively doesn't exist at that point and thus has no key mode set. This can be worked around by requesting the ChannelKeeper bot to be added to your channel to keep the channel open.
  • It is harder for people to join the channel if they are using an applet.
  • Keys can easily be made useless if a bad user gets ahold of the key (either by someone else on the channel giving it to them, or by reading it on your website for instance). Also note that anyone in the channel can see what the channel's key is, because it is part of the channel modes and all modes are visible. So if someone gets invited to the channel, they can find out about the key as well.


Invite-only

Set channelmode

You can restrict access to your channel by only allowing people who are invited. Making the channel invite-only is done by using the channel mode +i:

 /MODE #channel +i

For instance to make our channel #ourStaffChannel invite-only, use:

 /MODE #ourStaffChannel +i

Invite user

To invite a user to the channel you can use:

 /INVITE nickname #channel

For instance, to invite the user JackDaniels to #ourStaffChannel, issue:

 /INVITE JackDaniels #ourStaffChannel

The invite command is restricted to operators (@/+o) and above when the channel is invite-only. Please also note that inviting random people can be seen as a form of advertising and could be a breach of the IRC network's terms of use/rules.

Knock

A user can also request to be invited into the channel with the /KNOCK command:

 /KNOCK #channel message goes here

For instance, if I want to be invited to #ourStaffChannel, I can use:

 /KNOCK #ourStaffChannel Hei guys, please let me in. Itsa me! Mario!

The operators in the channel will then get an opnotice with your nickname, ident@hostmask and the message you supplied:

 NoticeOp(eu.chat4all.org): [Knock] by JackDaniels!Jack@the.liquor.cabinet (I want in..)

They can then decide whether or not to invite you (or ban you in case they get tired of your knocks).

You can disallow knocking completely on your channel, by setting channelmode +K:

 /MODE #channel +K

For instance, to disable knocking on the channel #porcelainStoreRoom, type:

 /MODE #porcelainStoreRoom +K

Replace +K with -K if you want to remove this setting again.

You can't knock if:

  • you are banned
  • you are already on the channel
  • the channel is not invite-only
  • the channel has mode +K (no knocks allowed) set

Pros

  • Random users can't enter your channel without your permission
  • Your channel can still be public and interested users can /KNOCK to let you know they want to enter

Cons

  • An invite evades bans (if you invite a user that otherwise wouldn't be allowed to enter because of a +b channel-mode ban, he'll be allowed to enter.)

Invite Exceptions

You can use channel mode +I to create "Invite Exceptions". These work exactly like bans (+b) and ban exceptions (+e), except that they allow matching hostmasks to bypass the need for an /invite to join the channel. Please note that there is no way to save these via ChanServ, the way bans have '/chanserv akick', so when the channel is destroyed (when the last person leaves), all invite exceptions will be removed.

Registered channels, however, can request that ChannelKeeper be added to the channel to retain all +I entries.

To just add a nick:

 /mode #myStaffChannel +I StaffMember!*@*

This however leaves the possibility open to a regular member changing their name and joining that way. A better approach would be:

 /mode #myStaffChannel +I StaffMember!*@I.Am.Staff

where I.Am.Staff is either their hostmask (provided the user's IP does not change) or their virtual host. If you are using their hostmask but their IP is dynamic, you may want to employ this method:

 /mode #myStaffChannel +I StaffMember!*ident*@*.their.isp.here

such that they will only be allowed in if their nick is StaffMember, they have a consistent ident as listed in the mask, and they are coming from the same ISP region all the time.
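To see which clients each of the three masks above actually admits, the following added example (not part of the original article or of any IRC server's code) matches them against a few constructed nick!ident@host strings. The client list and the helper names are assumptions made for illustration; matching is case-insensitive with `*` and `?` as the only wildcards.

```python
import re

# The three +I masks from the text, verbatim.
MASKS = [
    "StaffMember!*@*",
    "StaffMember!*@I.Am.Staff",
    "StaffMember!*ident*@*.their.isp.here",
]

# Constructed sample clients (label, nick, ident, host); not real users.
CLIENTS = [
    ("staff on vhost", "StaffMember", "ident", "I.Am.Staff"),
    ("staff on dynamic IP", "staffmember", "~ident", "dyn-17.their.isp.here"),
    ("regular member who took the nick", "StaffMember", "guest", "host.example.net"),
    ("other user on the same ISP", "Visitor", "~ident", "dyn-99.their.isp.here"),
]


def mask_to_regex(mask):
    """Translate an IRC hostmask ('*' = any run, '?' = one char) to a regex.

    Every other character is escaped, so nicks containing [ ] \\ ^ { }
    are compared literally (fnmatch would treat '[' as a character class).
    """
    out = []
    for ch in mask:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def mask_matches(mask, nick, ident, host):
    """True if the full nick!ident@host string matches the mask."""
    return mask_to_regex(mask).fullmatch(f"{nick}!{ident}@{host}") is not None


def audit(masks, clients):
    """Map each mask to the labels of the sample clients it lets past +i."""
    return {
        m: [label for label, n, i, h in clients if mask_matches(m, n, i, h)]
        for m in masks
    }


if __name__ == "__main__":
    for mask, admitted in audit(MASKS, CLIENTS).items():
        print(f"{mask:40} admits: {', '.join(admitted) or 'nobody'}")
```

Running the same audit against your own +I list before setting it shows whether a mask is wider than intended.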


Pros

  • You have a server-side list of who is and isn't allowed to enter your channel without an /invite
  • People matching +I masks can just join without having to /knock or be /invite-d

Cons

  • There is no method of persistent storage of the +I list in the event the channel gets destroyed

Unregistered channels

Unregistered channels only have access to the above commands. They'll also lose the +i mode when the channel is destroyed (for instance if the last user of the channel has left).

Extra cons for unregistered channels

  • The +i mode will be lost when the channel is 'destroyed' because the last user left.
  • The first user to enter does not need to be invited, because +i is only set after the first user has entered. (This can only be worked around for registered channels using ChannelKeeper and ChanServ MLOCK; see the next section for details.)
  • An operator always needs to be active to let people in (though there are ways for registered channels to work around this, see further sections)

Registered channels

Registered channels can add the +i channel-mode to the ChanServ MLOCK, so it will automatically be set (and not allowed to be unset) upon channel creation (when the first user enters the room). However, since no channel-modes are in effect when a channel has no users, the first user to enter the channel will be able to enter without being invited (since +i will be set after the first user has entered). This can be circumvented by requesting the ChannelKeeper to be added to your room to always keep it open.

Users with the appropriate rights can also use the /CHANSERV INVITE #channel command to invite themselves into the channel. See the following sections for details on what the appropriate rights are. For instance, to invite yourself to #ourStaffChannel, you can use:

 /CHANSERV INVITE #ourStaffChannel

This can only be used to invite yourself and not others.

Extra pros for registered channels

  • You can add +i to the channel's ChanServ MLOCK setting.
  • You can request a ChannelKeeper to keep the channel open so the +i mode is also effective for the first real user to enter the channel.
  • CHANSERV INVITE can be used by users with the proper rights (see next sections for details)

Extra cons for registered channels

  • Access levels need to be managed

Using xOP system

If you are using the xOP ChanServ user-management system (which is being used by default on newly registered channels), you can add people to the AOP list to allow them to invite themselves into the channel through ChanServ:

 /CHANSERV AOP #channel ADD nickname

For instance, to add JackDaniels to the AOP list of #ourStaffChannel, issue the command:

 /CHANSERV AOP #ourStaffChannel ADD JackDaniels

After which JackDaniels can issue:

 /CHANSERV INVITE #ourStaffChannel

to have himself invited into the channel by ChanServ (or it will appear to come from the channel's BotServ bot if BOTSERV SET SYMBIOSIS is set to ON and a BotServ bot has been assigned to the channel).

Extra cons for xOP

  • The use of CHANSERV INVITE can only be granted to AOPs and above

Using ACCESS system

If you are using the ACCESS LEVELS system instead of the xOP system, you have a bit more control over who you'll allow access to the ChanServ INVITE command to invite themselves into the channel. For information on how/when to enable the ACCESS LEVELS system by disabling the xOP system, please read the main article on access levels.

Using the default access levels, you can add a user with the minimum of level 5 to your channel's ChanServ Access list:

 /CHANSERV ACCESS #channel ADD nickname level

For instance to add JackDaniels to the access list of channel #liquorStore with level 5, issue:

 /CHANSERV ACCESS #liquorStore ADD JackDaniels 5

You can also choose to lower/raise the required level for the ChanServ INVITE command by changing the minimum required level with:

 /CHANSERV LEVELS #channel SET INVITE minLevel

For instance, to lower the minimum required access level for INVITE on #liquorStore to 1, you can use:

 /CHANSERV LEVELS #liquorStore SET INVITE 1

Now everyone with access level 1 or higher can use the INVITE command.

For instance:

 /CHANSERV ACCESS #liquorStore ADD JackDaniels 1

will allow JackDaniels to use /CHANSERV INVITE #liquorStore without giving him KICK/OP/etc rights (at least with the default ChanServ levels settings).

Extra pros for ACCESS

  • The use of CHANSERV INVITE can be granted to any minimum level you set for it.

ChanServ Restricted

With ChanServ's RESTRICTED setting you can have people that aren't allowed in the channel automatically kick-banned. Set this setting with:

 /CHANSERV SET #channel RESTRICTED [ON|OFF]

For instance, to enable ChanServ's RESTRICTED setting for channel #liquorStore, use:

 /CHANSERV SET #liquorStore RESTRICTED ON

From now on, only registered people on the channel's access lists will be able to join the channel. If the channel's SECURE setting is ON, they also need to be identified for their nickname through NickServ; if it is set to OFF, they will also be allowed in if they are semi-identified.

About semi-identified

You are semi-identified when:

  1. You have a registered nickname
  2. You are NOT identified for that nickname through /NICKSERV IDENTIFY
  3. Your NickServ SECURE setting is set to OFF (please note that this by default is set to ON)
  4. You are connected from a host that matches the hostmask in your /NICKSERV ACCESS LIST

A channel will only grant you the appropriate rights if its ChanServ SECURE setting is OFF. If the channel's ChanServ SECURE is set to ON, it will require users to be identified for their nicknames before regarding them as the registered user.

Using xOP system

You need to add registered people to the VOP/HOP/AOP/SOP lists to grant them access to the channel. Command syntax:

 /CHANSERV [VOP|HOP|AOP|SOP] #channel ADD nickname

For instance, to add the registered user JackDaniels to the VOP (auto-voice) list of the channel #liquorStore, issue:

 /CHANSERV VOP #liquorStore ADD JackDaniels

Since the minimal required level is VOP, I suggest just adding them as VOP unless they require operator rights as well.

You can revoke their access by using:

 /CHANSERV [VOP|HOP|AOP|SOP] #channel DEL nickname

For instance, to revoke JohnnieWalker's access to #liquorStore (if he was previously added to the VOP list), type:

 /CHANSERV VOP #liquorStore DEL JohnnieWalker

Followed by a swift /kick #liquorStore JohnnieWalker Be gone thou foul excuse for whisky! if the user was still on the channel.

Using ACCESS system

You need to add registered users to the ChanServ ACCESS list with an access level of at least 1 to grant them access to the channel. Use the following command syntax:

 /CHANSERV ACCESS #channel ADD nickname level

For instance, to grant WilliamLawson access to #liquorStore with level 1, issue:

 /CHANSERV ACCESS #liquorStore ADD WilliamLawson 1

Since the minimal required level is 1, I suggest adding users who only need to be allowed on the channel, and don't require other rights, with level 1. If they require more rights, raise their level appropriately. See the Access Levels article for details.

If you need to revoke someone's access, use:

 /CHANSERV ACCESS #channel DEL nickname

For instance, to revoke Tequila's access to #liquorStore, issue:

 /CHANSERV ACCESS #liquorStore DEL Tequila

Please note that to be able to alter the ACCESS list, you need a level of at least ACC-CHANGE. You can change this required minimum level with /CHANSERV LEVELS #channel SET ACC-CHANGE level, if you have the minimum required level for the SET command.

NOJOIN Level

There is also a NOJOIN level you can alter through ChanServ:

 /CHANSERV LEVELS #channel SET NOJOIN level

By default, on a newly created channel, this is set to level -2, allowing everyone to be on the channel, unless they have a userlevel of -2 or lower.

However, when you enable RESTRICTED, it will automatically be changed to 0, thus disallowing everyone who is NOT on the access list with a level of 1 or higher.
You can still change this back manually to -2 after you've set RESTRICTED ON with:

 /CHANSERV LEVELS #channel SET NOJOIN -2

This will allow everyone into your channel, unless they are on the channel's ChanServ ACCESS list with a level of -2 or below.

Please note that the RESTRICTED setting seems to only work as a toggle for the NOJOIN level; even with RESTRICTED set to OFF, you can still limit access to your channel based on the NOJOIN level. The command seems to be only added to work as a toggle for channels that are using the xOP system.

After testing, we've deduced that:

  • RESTRICTED ON will force NOJOIN to 0 if the current NOJOIN level is negative
  • RESTRICTED OFF will force NOJOIN to -2 if the current NOJOIN level is equal to or greater than 0

Here's an overview of what we tested with the given NOJOIN levels:

NOJOIN -2 ->

 Kickbans:
   # only those who are on the access list with a level of -2 or below
 Allows:
   # everyone who is on the access list with a level of -1 or above
   # everyone who isn't on the access list

NOJOIN -1 ->

 Kickbans:
   # people who aren't identified for their nickname
   # people with nicks on the access list, but who aren't identified for their nickname, nor semi-identified
 Allows: 
   # people who are identified for their nickname, 
   # people who are on the ChanServ ACCESS list with a nickname that is semi-identified (unless the channel's SECURE setting is ON)

NOJOIN 0 ->

 Kickbans:
   # everyone who is NOT on the access list
   # everyone who is on the access list with a negative level
 Allows:
   # everyone who is on the access list with a positive level
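The tested rows above and the RESTRICTED toggle rule can be reproduced by a single comparison, shown here as an added example that is not from the original article or from the services' source code. It assumes that an unrecognised user counts as level -1 and a recognised user who is not on the ACCESS list counts as level 0, values chosen only because they fit the table; cases the table does not list simply follow from that rule and are untested. All function names are hypothetical.

```python
def set_restricted(nojoin, on):
    """NOJOIN level after /CHANSERV SET #channel RESTRICTED ON|OFF,
    following the two toggle rules deduced in the text."""
    if on and nojoin < 0:
        return 0
    if not on and nojoin >= 0:
        return -2
    return nojoin


def effective_level(access_level, identified, semi_identified, secure):
    """Level the channel treats a joining user as having.

    access_level is None when the nick is not on the ACCESS list.
    A semi-identified user only counts as recognised when the channel's
    SECURE setting is OFF.
    """
    recognised = identified or (semi_identified and not secure)
    if not recognised:
        return -1  # assumption: fits the NOJOIN -1 and NOJOIN -2 rows
    return 0 if access_level is None else access_level


def join_decision(nojoin, access_level=None, identified=False,
                  semi_identified=False, secure=False):
    """Return 'kickban' or 'allow' for one joining user."""
    level = effective_level(access_level, identified, semi_identified, secure)
    return "kickban" if level <= nojoin else "allow"


if __name__ == "__main__":
    # Constructed cases: (description, keyword arguments for join_decision)
    cases = [
        ("unidentified visitor", {}),
        ("identified, not on list", {"identified": True}),
        ("identified, level 1", {"identified": True, "access_level": 1}),
        ("identified, level -2", {"identified": True, "access_level": -2}),
        ("semi-identified, level 1", {"semi_identified": True, "access_level": 1}),
    ]
    for nojoin in (-2, -1, 0):
        for desc, kwargs in cases:
            print(f"NOJOIN {nojoin:>2}  {desc:26} {join_decision(nojoin, **kwargs)}")
```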

Pros

  • You have a very strict way of selecting which users you want in your channel
  • All your users need to be registered

Cons

  • You need to manually add every single user to your channel's access list
  • Users need to be registered
  • Users need to make sure they are identified for their nickname (or semi-identified if your channel's SECURE setting is OFF) before they join the channel. Otherwise they'll automatically get banned, and unless they have the required level for the /CHANSERV UNBAN command, they still can't get in.