This command set will be one of the most used security settings for your server. It has the same function as a KLINE but works in a clustered, server-to-server environment. It prohibits users from gaining access to your server, or in a multi-server environment to all the servers on your network, by matching the mask of the user trying to connect. If the user matches a mask, the reason you placed in the akill is shown to them as part of their disconnection notice.
/as help security akill <topic>
In a single server environment you can also use the SECURITY KLINE command set to do the exact same thing.
Enables and disables /as command logging. If 'all' is set, every /as command issued on the server is logged along with who issued it. If the 'config' option is set, only commands that potentially change the configuration are logged. The log file is db/cradmin.log.
/as security aslog config
This command set gives you complete control over channel naming conventions on your server. There are two concepts that you need to understand prior to using this system:
The first is allow and deny. You use allow and deny to set up what can be used on your server. An ALLOW will always take priority over a DENY. So if you DENY all channels on your server and then ALLOW a specific channel name or names, people will be able to join the channels that are ALLOWED inside the wider DENY. You could, for example, DENY all channels that start with #help* and then allow only those channels you select, by adding each one or by using masks (as discussed below).
The second concept is wildcards. There are two main wildcards that can be used. The first is the *, which matches any characters of any length in its position. If you wanted to block all names that end with Serv you can do DENY #*Serv; you've now blocked any channel that ends with Serv. Likewise you can block all channels that start with a specific word: if you wanted to block all channels that start with #support you can do DENY #Support*.
The second wildcard is the ?, which matches exactly one character. If you added a mask of ALLOW #support.? then #support.1 and #support.d could be used, but #support.11 could not, as that is two characters rather than the single one you added an ALLOW for.
/as security chan add deny #* We follow a channel naming convention.
/as security chan add allow #alt.* Alt Group
/as security chan add deny #alt.warez* No warez allowed
/as security chan add allow #sci.* Science Group
/as security chan add allow #foo.* Something to Delete
/as security chan del allow #foo.*
/as security chan list
In the above example we set a DENY on all channels on the server, then used ALLOW and wildcards to specify what could be used. In this way we have made a server where only #alt.* and #sci.* can be used: you could have channels called #alt.irc.foo or #alt.games, and #sci.math or #sci.physics, but only channels that start with #alt. or #sci. can be used.
Note: This series of commands replaces the previous NOCHAN commands found in the 2.0x and earlier servers.
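As an added illustration (not code from the original page or from ConferenceRoom), the following models the allow/deny evaluation exactly as the text states it: '*' and '?' wildcards, any matching ALLOW beating every DENY, and the example rule set above including the 'del' of #foo.*. Case-insensitive comparison and "no matching rule means allowed" are assumptions.

```python
import re

def mask_to_regex(mask):
    """Compile a ConferenceRoom-style mask: '*' matches any run of characters
    (including none), '?' exactly one character, everything else literally.
    Channel names are compared case-insensitively (assumption; IRC names are)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)

class ChannelPolicy:
    """Models the 'security chan' allow/deny rules as the text describes them."""

    def __init__(self):
        self.rules = []  # (kind, mask, reason) in the order they were added

    def add(self, kind, mask, reason=""):
        assert kind in ("allow", "deny")
        self.rules.append((kind, mask, reason))

    def delete(self, kind, mask):
        self.rules = [r for r in self.rules
                      if (r[0], r[1].lower()) != (kind, mask.lower())]

    def check(self, channel):
        """Return (allowed, reason). Any matching ALLOW wins over every DENY;
        a channel matched by no rule at all is allowed (assumption)."""
        for kind, mask, _ in self.rules:
            if kind == "allow" and mask_to_regex(mask).match(channel):
                return True, None
        for kind, mask, reason in self.rules:
            if kind == "deny" and mask_to_regex(mask).match(channel):
                return False, reason
        return True, None

def example_policy():
    """The rule set built by the commands in the text, including the 'del' of #foo.*."""
    p = ChannelPolicy()
    p.add("deny", "#*", "We follow a channel naming convention.")
    p.add("allow", "#alt.*", "Alt Group")
    p.add("deny", "#alt.warez*", "No warez allowed")
    p.add("allow", "#sci.*", "Science Group")
    p.add("allow", "#foo.*", "Something to Delete")
    p.delete("allow", "#foo.*")
    return p

if __name__ == "__main__":
    for chan in ("#alt.irc.foo", "#sci.math", "#help", "#foo.bar", "#alt.warez.mp3"):
        print(chan, example_policy().check(chan))
```

Note that under the stated priority rule the nested DENY #alt.warez* never fires, because every such name also matches ALLOW #alt.*.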
JOINS-PER-SECOND - Sets the maximum number of allowed joins per second.
MUTE-INTERVAL - Sets the time that a new channel user is muted after they join.
REJOIN-INTERVAL - Sets the minimum amount of time between a user leaving a channel and rejoining it.
The channel commands allow the server to
/as help security channel <command> <time>
Clones are duplicate clients from the same client address. There are two general types. The first is an internet café or similar site connecting through something like WinGate to access the web; these are valid users for your system. The second is a user who loads your server with fake clients, which are usually harmful or disruptive. The default level of clone detection is set to 10: if a single host brings on more than 10 clients, the server will send you an alert. To allow a single host more than 10, use the trigger command to lift that host's threshold.
ALERT - Send notices to local or remote servers.
DETECT - Detect on local or remote servers.
LEVEL - Set the number of clones before it alerts.
OFF - Disable clone detection.
ON - Enable clone detection.
/as help security clone <topic>
Clones are a problem for two reasons. First, they take up space and resources for no particular purpose. Most administrators would rather have a large number of distinct people on their servers than a smaller number connected multiple times. The second problem is that most people load up clones with bad motivations. Some do so simply to see if they can or to experiment, but some do it to flood rooms or engage in similarly disruptive behaviour. Clones are generally not a major problem, but they should be monitored and dealt with.
The 'cps' command sets a limit on the number of connections per second the chat server will allow on each port. If connections exceed this rate, new connections on that port will not be allowed. This is used to protect the server from connection floods.
/as security cps 10
An extra security feature that limits the ability of large numbers of clones to gain entry to your server. Be aware that if this number is set too low, an attack could prevent regular users from gaining access to the server.
The security set commands are used for configuring specific DCC validation and filtering settings on your server.
/as help security dcc <topic>
DCC filtering is very nice for your community members as it will protect them from many (not all) of the dangerous scripts and viruses that can be sent from one user to another. If you're using a java/html/wap system and aren't allowing IRC clients then you do not need to enable these settings.
A Domain Name Service Black List (DNSBL) is a service that gives companies a way to report known spam and exploited hosts. The following commands allow you to add specific lists to ConferenceRoom. If you simply enable this service, a default list is provided.
/as help security DNSBL <topic>
This command will disable the ident client inside ConferenceRoom. All clients will no longer be checked, or held pending checks for a client ident server.
/as security list
Java clients are never held for ident client requests.
This command set will be one of the most used security settings for your server. It has the same function as AKILL but works in a single server environment. It prohibits users from gaining access to your server by matching the mask of the user trying to connect. If the user matches a mask they will be given a reason why they couldn't connect.
/as help security kline <topic>
If you run an open chat network, make sure to go through your klines periodically and remove old ones. Since these klines never expire on their own, you may end up with people being banned for a very long time. Even if a ban only affects one user, many users will reform and begin behaving eventually, and most bans will also block other chatters who use the same ISP.
This command will give you a list of all of your security settings.
/as security list
It's a good idea to skim over your security settings every so often. The list will probably be somewhat lengthy.
The 'security memtarget' command sets a soft limit on how much memory ConferenceRoom will use. It can be set either in kilobytes or as a percentage of physical memory (on platforms where ConferenceRoom can determine how much physical memory is present). As memory gets close to the target, ConferenceRoom will begin refusing to perform expensive commands. If memory usage exceeds the target, new connections will not be allowed.
/as security memtarget 40%
/as security memtarget 500KB
This will protect systems with limited memory resources. This setting is normally not needed as only very large event/client servers will ever use enough memory on a system to impact it.
These commands control the list of nicknames that users are prohibited from using. Network operators can still switch to these nicks. These prohibited nicknames stay on your server until deleted.
/as help security nonick <topic>
There are some pre-set prohibited nicknames on every ConferenceRoom server. They are there to ban a list of nicknames that are commonly used in various chat places as the nicknames for services or administration. On networks that do not ban them, sometimes users will switch to these nicks and try to harm other users who recognize them as services or official nicknames.
The 'numtrim' command is used to protect the server from attacks that cause the server to generate large numbers of numerics. Most attacks of this type are already defended against by other methods, so this command is rarely needed. Two trims are used, if needed. The first trim is a gentle trim designed only to disconnect users with outrageously large send queues. The second trim is more aggressive and may disconnect ordinary users to protect the server.
Each trim has a configured threshold which determines whether the trim takes place. By default, the first trim takes place when 128,000 numerics are in flight and the second when 198,000 numerics are (though these may be bumped up on systems with more than 256Mb). Each trim also has a configured limit -- connections that exceed the limit are disconnected. The first limit defaults to 2,000, the second limit defaults to 400 (though these may be bumped up on systems with many users or channels).
/as security numtrim
Because the 'LIST' code has been rewritten to minimize the number of numerics in flight, this command is generally no longer needed. The expensive-command code also protects against the use of commands like 'NAMES' for this purpose. Thus this command is rarely needed, and the defaults are sufficient and non-invasive.
DISABLE - Turn off or disable Proxy checking.
ENABLE - Turn on or enable Proxy checking.
LIST - List proxycheck settings.
PORT - Specify specific ports to be scanned.
REASON - Set the reason that a client gets disconnected.
REPORT - Set reporting options.
SET - Set specific proxycheck settings.
The proxycheck command allows you to control the built-in proxy server scanner to prevent abuse on the server from people using insecure wingates or proxies. When a connection is attempted, the scanner will attempt to establish a connection back to the client, and verify that no insecure proxy server is installed on the system. If a proxy server is detected, options are available to specify what action should be taken.
Note: this option requires at least one TCP connection attempt to be made to the user for each protocol and each port that is scanned.
/as help security proxycheck <topic>
Proxy checking is highly recommended. Insecure proxies and wingates allow users to go through other people's connections to cause problems. This gives the actual abuser anonymity. People with unsecured proxies generally are simply uneducated about how to run a secure one. They will usually fix the problem once they understand it and what they need to do.
The security set commands are used for configuring specific security settings on your server.
ALLOW-NULL-REALNAME - Doesn't let clients connect with a blank real-name field.
CHANNELONLY - Disable all private messages.
CLONE-KILL-MULTIPLIER - Set the clone kill multiplier.
DEFTRIGGER - Set the default trigger.
FLOOD - Manage the flood control settings for users.
GRANULARITY - Set the services warning granularity.
INVITE - Set how often people can send invites.
JOINUNMANAGED - Determine if users can join unmanaged channels.
JOINUNREGISTERED - Determine if users can join unregistered channels.
LOGLEVEL - Server log output.
MAXBANS - Set the maximum ban list size for a room.
MAXCHANS - Set maximum number of rooms a user can join.
MINLIST - Set the minimum number of users a room needs to be included in the room list.
NEWCHAN - Determine who can create rooms on the server.
NOOP - Determine whether people get opped when joining rooms.
NOSPOOF - Turn on spoof protection on your server.
REASONS - Enable or disable quit and part messages from users in rooms.
STATS - Set stats on or off for users to see.
SUPERINVIS - Changes the behaviour of user mode +i (invisible).
USERNAMELENGTH - Set the maximum length a user name can be set to.
WHOCHAN - Create a more restrictive /who output for users.
/as help security set <topic>
These settings should be reviewed before a chat server is opened to the public. While you can change them while your server is in use, several of them will create changes visible to the users. With all such changes, some people will be confused and there will be a period of adjustment.
Throttle sets limits on the rate of connections allowed from the same place. When enabled, it throttles a source once it exceeds THRESHOLD connections in TIMEOUT seconds.
/as help security throttle <topic>
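Both the 'cps' per-port limit described earlier and the THRESHOLD-in-TIMEOUT throttle above are sliding-window rate limits. As an added example (not ConferenceRoom's code), the following implements one such limiter and applies it to both cases; the throttle values 3 in 30 seconds and the choice to count refused attempts are assumptions, since the page gives no defaults.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window limiter: a key (a port for 'cps', a client host for
    'throttle') is refused once it has made more than `threshold` connection
    attempts within the last `timeout` seconds. Refused attempts still count
    (assumption), so a flood stays throttled until it actually backs off."""

    def __init__(self, threshold, timeout):
        self.threshold = threshold
        self.timeout = timeout
        self.history = defaultdict(deque)  # key -> timestamps of recent attempts

    def attempt(self, key, now):
        """Record an attempt at time `now` (seconds) and return True if it is allowed."""
        q = self.history[key]
        while q and q[0] <= now - self.timeout:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.threshold

def simulate(limiter, key, times):
    """Feed attempt timestamps for one key; return the accept/refuse pattern."""
    return [limiter.attempt(key, t) for t in times]

if __name__ == "__main__":
    # 'security cps 10': at most 10 new connections per second on a port.
    cps = RateLimiter(threshold=10, timeout=1.0)
    print("port 6667:", simulate(cps, 6667, [i * 0.05 for i in range(12)]))
    # Throttle with constructed values THRESHOLD=3, TIMEOUT=30 for one host.
    throttle = RateLimiter(threshold=3, timeout=30.0)
    print("host:", simulate(throttle, "203.0.113.7", [0, 5, 10, 15, 29, 45]))
```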
Sets a threshold for the server clone detection on a per host/hostmask basis.
/as help security trigger <topic>
These are permanent triggers for clone detection. Triggers allow you to make an exception to the normal trigger level for specific masks. This allows you to add cybercafes or similar at higher trigger levels or problem hosts at lower trigger levels. Over time, your clone alerts will become more efficient.
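The clone-detection passage earlier and the trigger exceptions here combine into one check: count clients per host and compare against the default level of 10 unless a trigger mask overrides it. This added example (not ConferenceRoom's code) does exactly that over constructed connection data; the hostnames and trigger levels are invented for illustration.

```python
from collections import Counter
from fnmatch import fnmatch

DEFAULT_LEVEL = 10  # the default clone level named in the text

def trigger_for(host, triggers, default=DEFAULT_LEVEL):
    """Clone threshold for a host: the first trigger whose hostmask matches
    wins ('*' and '?' wildcards via fnmatch); otherwise the server default."""
    host = host.lower()
    for mask, level in triggers:
        if fnmatch(host, mask.lower()):
            return level
    return default

def clone_alerts(connections, triggers, default=DEFAULT_LEVEL):
    """connections: iterable of (nick, host). Returns {host: (clients, level)}
    for every host whose client count exceeds its trigger level, i.e. the
    hosts the server would alert you about."""
    counts = Counter(host.lower() for _nick, host in connections)
    alerts = {}
    for host, n in counts.items():
        level = trigger_for(host, triggers, default)
        if n > level:
            alerts[host] = (n, level)
    return alerts

# Constructed sample data (not from the original page).
TRIGGERS = [
    ("*.cafe.example", 50),   # a cybercafe gateway: raised threshold
    ("bad.example", 2),       # a known problem host: lowered threshold
]

def sample_connections():
    conns = [("cafe%d" % i, "gw.cafe.example") for i in range(12)]   # 12 clients, under 50
    conns += [("dsl%d" % i, "dsl-1.isp.example") for i in range(11)]  # 11 clients, over default 10
    conns += [("bad%d" % i, "bad.example") for i in range(3)]          # 3 clients, over lowered 2
    conns += [("alice", "home.example")]
    return conns

if __name__ == "__main__":
    for host, (n, level) in clone_alerts(sample_connections(), TRIGGERS).items():
        print("clone alert: %s has %d clients (trigger %d)" % (host, n, level))
```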
If you run an open server that allows anyone to register and join, you may be faced with people who wish to spam your client base with URLs advertising products or other sites. URL filtering is a system that allows you to specifically deny hosts based on masks and wildcards.
ADD - Adds a URL.
ALL - Filters all messages.
CHANNEL - Filters only channel messages.
DEL - Deletes a URL.
LIST - Lists all filtered URLs.
NONE - Turns off filtering.
NOTICE - Sends a notice for each URL filtered.
STATS - Statistics on the number of URLs that have been hit.
/as help security urlfilt <topic>
DEFAULT - Sets the default action.
JOIN - Launches a remote web based join channel script.
NICKCHANGE - Launches a remote web based nickname change script.
SIGNON - Launches a remote web based script to allow users access.
TIMEOUT - Determines the time that the server will wait before using the default action.
Previously, ConferenceRoom allowed you to connect to a community via our external methods: a set of DLLs or SOs that you would code in C++ to hook into specific functions in the chat server. This allowed you to control access control, nickname changes and channel joins. Now you can accomplish the same thing using web-based scripts that return specific instructions to the chat server via a web page.
This makes integration of ConferenceRoom very easy with almost any community solution that uses perl/php/cgi based scripts.
/as help security weblink <topic>
Enterprise Edition Feature
PIRCH has a bug where a message containing a certain number of #'s (around 300, give or take 10 or 20) crashes the client. When this workaround is enabled, the server prevents messages with more than that number of #'s from being sent to a channel or in a private message.
/as security workaround pirch-overflow disable
Pirch is a very popular IRC client and this feature should remain enabled if you are servicing IRC type clients.
A zline will reject any attempt from a specific or masked IP to contact the server. The zline acts as a sort of firewall.
ADD - Add a permanent zline mask.
AUTO - Set automated zline options.
DEL - Delete a permanent zline mask.
LIST - List all the permanent Zlines on your server.
NUMBER - Sets the number of seconds that zlines will remain active on the server.
/as help security zline <command>
Zlines are the strongest form of server ban. As with any ban, make sure to set them no broader than necessary and to periodically review the list and clean out old entries.