Security

From the makers of InspIRCd.

In general, many things can affect the security of an IRC server, and not all of them are IRC related. Insecure passwords are a big vulnerability, and they don't necessarily affect just your IRC server. What if someone got your shell password? They could then delete all your user data. The following are some questions; if you answer 'Yes' to any of them, please read the rest of that section.

Do you use plain passwords, such as 'blue', 'college' or 'cheese'?

Passwords like this are very insecure. Methods known as 'brute forcing' will easily pick up a weak password like this, which may result in network takeovers. Consider obscuring your passwords by adding some random numbers and capital letters. Even the simplest password can be made difficult to guess or brute force. Let's take 'cheese' as an example; possible alternatives include:
ch33s3
ch3353 - Be careful when replacing all letters with their numeric alternatives; generally it's better to mix them up a little.
Ch3EsE - Yes, capital letters can make a difference due to case sensitivity.

And with just one of these minor adjustments, your password can be over 1000 times stronger than it was before!

Do you use plain text passwords?

When setting up your passwords in the InspIRCd configuration file, hashing them can greatly increase oper security if the server or shell account is taken over by a malicious party. Passwords can be hashed in the conf as either md5 or sha256. This does not compensate for having a weak password, as stated above: hashing only protects the password from being viewed in, and used from, the configuration file.

For more information on hashing, read the entry for setting up <oper> on the configuration page: Configuration:Oper

When setting up an Oper, do you use a wildcard?

In a perfect world, when setting up an oper you should always use the ident and full host, as shown here (the 'X' characters are my censored-out IP digits):

<oper name="eLement" pass="inspired" host="eLement@c-XX-XXX-XX-XX.hsd1.pa.comcast.net" type="root">

Assuming your IRC operator has a static IP address, this is the ideal way to secure an oper's hostname access. Most ISPs use dynamic IP addresses, so the previous example is bound to cause "Invalid Credential" errors. So we continue down. To compensate for dynamic IP addresses, we'll use the dreaded, yet sometimes useful, asterisk '*'. Mind you, these hosts can be set up a few different ways to work:

<oper name="eLement" pass="inspired" host="eLement@c-*-*-*-*.hsd1.pa.comcast.net" type="root">
<oper name="eLement" pass="inspired" host="eLement@c-*.hsd1.pa.comcast.net" type="root">
<oper name="eLement" pass="inspired" host="eLement@*.hsd1.pa.comcast.net" type="root">

These are just a few examples, as the possibilities are almost limitless.

You should never omit the ident, as an oper's ident should never change. Now we get to the issue where the hostname doesn't always resolve correctly, as well as the IP being dynamic. This is where a person's hostname is encrypted to something like ident@F1A297.2142E5.A367A5.FEBE1C, at which point your asterisk may be the only option.

DANGER WILL ROBINSON!
Warning: Using an asterisk in the host configuration, or in any configuration for authorization (unless specified otherwise), can be dangerous and weaken the network's security!!
If you must use an asterisk as a final option, make sure you use strong passwords, hashed passwords, and make sure your files are not chmoded to 777! This should keep your network secure!


<oper name="eLement" hash="sha256" pass="5f067754ad0a57929f782612011c01e32a92772e331a8270df89eb2840467776"
      host="eLement@*" type="root">
<oper name="eLement" hash="md5" pass="f2f2f47f264f7ffe875250d1fc76afea" host="eLement@*" type="root">

If I were in fact using an asterisk, I would require a stronger password than "inspired", and the password would be hashed in my configuration, as shown.

If you have any questions regarding configuration and hashing, please refer to our configuration pages:
Configuration
Configuration:Oper
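
The checks from the last two sections (hashed passwords, an ident on every mask, asterisks only as a last resort) can be run over a configuration automatically. The following is an added example, not InspIRCd's own code; the sample tags, oper names and hex strings are constructed, and it assumes one ident@host mask per <oper> tag.

```python
import re

# Constructed sample, modelled on the <oper> tags on this page. The hex
# strings are placeholders of the right length, not real password digests.
SHA256_HEX, MD5_HEX = "ab" * 32, "cd" * 16
SAMPLE_CONF = f'''
<oper name="alice" pass="cheese" host="alice@c-*.hsd1.pa.comcast.net" type="root">
<oper name="bob" hash="sha256" pass="{SHA256_HEX}"
      host="bob@*" type="root">
<oper name="carol" hash="md5" pass="{MD5_HEX}" host="*.example.net" type="root">
<oper name="dave" pass="Ch3EsE" host="dave@*" type="root">
'''

HEX_LEN = {"md5": 32, "sha256": 64}  # the two hash types the page names


def audit_opers(conf):
    """Return {oper name: [findings]} for each <oper> tag in conf.

    Assumes one ident@host mask per tag and no '>' inside attribute
    values, as in the page's examples.
    """
    report = {}
    for tag in re.findall(r"<oper\b([^>]*)>", conf):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
        findings = []
        algo, pw = attrs.get("hash"), attrs.get("pass", "")
        if algo is None:
            findings.append("plain-text password")
        elif algo not in HEX_LEN or not re.fullmatch(
                r"[0-9a-fA-F]{%d}" % HEX_LEN[algo], pw):
            findings.append("pass does not look like a %s digest" % algo)
        # Split on the last '@': everything before it is the ident.
        ident, _, host = attrs.get("host", "").rpartition("@")
        if not ident or "*" in ident:
            findings.append("ident missing or wildcarded")
        if host == "*":
            findings.append("host matches everyone")
        elif "*" in host:
            findings.append("wildcard in host")
        report[attrs.get("name", "?")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_opers(SAMPLE_CONF).items():
        print(name, "->", "; ".join(findings) or "ok")
```

An oper that reports both "plain-text password" and "host matches everyone" is the combination the warning above tells you to avoid.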

Do you use the same password for your shell, IRC Services and Oper?

This is a BAD idea. If someone manages to hack one of these passwords, then everything relating to your server AND IRC becomes vulnerable, all in one shot. Consider using different passwords for each separate IRC 'Access Point'.

Do you store backups of your passwords?

Whether on paper or as a text file on your machine, any form of 'hard copy' of a password is a dangerous thing to have. If someone grabs the file or paper (probably unlikely, but it could happen), once again, things could get nasty. It's best to try to commit passwords to memory. If you can't remember a long password, try to obfuscate something small (see my 'cheese' example above).

Do you know what a chmod of 777 does?

Well, really, you should. It is VERY important that you understand this. Basically, chmod 777 allows ANYONE using the machine to access the file and do what they want with it (read / write / execute). Obviously, this is instantly a security issue. By default, InspIRCd keeps files to the local user, but occasionally files may be released by a third party with a bad chmod. It's always wise to check your files first. For more information on chmodding, please use http://www.analysisandsolutions.com/code/chmod.htm as a reference source.
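
One way to check an install for a bad chmod, added here as an example and not part of InspIRCd: it flags world-writable files, plus any .conf file readable by all users (the config holds oper passwords), and can strip those bits. The file names and the demo directory are constructed.

```python
import os
import stat


def loose_permissions(root):
    """Yield (relative path, octal mode, reason) for risky entries under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                yield rel, "%03o" % mode, "world-writable"
            elif name.endswith(".conf") and mode & stat.S_IROTH:
                yield rel, "%03o" % mode, "config readable by all users"


def tighten(root):
    """Clear group-write and all 'other' bits on every flagged entry."""
    fixed = []
    for rel, _, _ in list(loose_permissions(root)):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~0o027)  # e.g. 777 -> 750, 644 -> 640
        fixed.append(rel)
    return sorted(fixed)


if __name__ == "__main__":
    import tempfile
    demo = tempfile.mkdtemp()  # constructed stand-in for an InspIRCd directory
    for name, mode in (("inspircd.conf", 0o777), ("opers.conf", 0o644),
                       ("motd.txt", 0o644)):
        path = os.path.join(demo, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel, mode, why in loose_permissions(demo):
        print(mode, rel, why)
    print("tightened:", tighten(demo))
```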

Do you keep up-to-date with regards to latest bugs and patches in your IRCd and Services package?

I'm going to start by saying that no code is perfect. With new compiler releases, standards may change, functions may disappear, some may appear or be required, a coder may have overlooked something, or something trivial may have been fixed. Either way, it is important to know about these, especially if there is a chance that a major hole is found which could allow a user to maliciously execute any code they wish on the IRCd. Bugs like this DO happen, and there is no avoiding them, so it's always best to regularly check websites and bugtrackers.

Is the software you use out of date?

As before, this is generally a bad thing. New releases of software generally implement important bugfixes as well as feature improvements. On large networks massive downtime can be an issue; if so, read through the ChangeLog and decide if this update is for you. If nothing else, make sure you are always AWARE of the latest version and what it includes.

Do you know IRC well?

This question isn't related to IRCds so much as to the features you may add to them (Services, for example). You need to know how passwords are stored: plain text, encrypted, etc. Knowing this information can go a long way toward securing your IRC network.

Would you provide a developer with your oper password?

The InspIRCd staff will NEVER ask for any of your passwords, EVER. If you find a bug, report it via the bug tracker, along with ways to reproduce it. Some people enjoy being 'imposters', coming onto networks pretending to be developers and requesting o:lines. If someone attempts to do this, REPORT IT IMMEDIATELY to Craig@inspircd.org, with the hostname or DNS, the nickname they were using, and logs.