[DONE] Config tamper protection

These are old archives. They are kept for historic purposes only.

Gottem
UnrealIRCd coder
Posts: 192
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

[DONE] Config tamper protection

Post by Gottem »

Mostly written for the challenge, I'm sure someone will get some use out of this. It's quite complex and requires custom build flags, so this may or may not be hard to follow fam. These modules allow the hub of a network to verify the leaves' configs, so you could have random people link with you without having to worry about them changing your configuration. The hub itself is considered trusted as it's the heart of your network and as such should only be managed by you (or someone you know well etc). You could also (optionally) verify the leaf-exclusive mod itself to prevent them from changing the source.

First off, these modules assume you're using a few sort-of-best practices:
  • You're only working with remote includes
  • Split network and hub/leaf configs (so unrealircd.conf contains just 2 include "httpx://..." lines) -- network comes before hub/leaf
  • Includes aren't nested more than once (top ones go in unrealircd.conf, those may contain only includes that don't include anything themselves)
It consists of two modules, one exclusively for hubs (m_confprot) and another exclusively for leaves (m_md5fjert). Both of them need some additional build flags, so use the following BEFORE executing make and make install:

Hub:
For UnrealIRCd versions below 4.0.10:

Code:
export EXLIBS="-L<Unreal homedir>/curl/lib -lcurl -L<Unreal source dir>/extras/c-ares/lib <Unreal source dir>/extras/c-ares/lib/libcares.a"

For >= 4.0.10:

Code:
export EXLIBS="-L<Unreal install dir>/lib -lcurl -L<Unreal install dir>/lib <Unreal install dir>/lib/libcares.so"

Leaf:

Code:
export EXLIBS='-DFJERT=\"${INCLUDEDIR}\"'

Obviously, replace <Unreal homedir> with the actual homedir. Also change <Unreal source dir> to the top dir of the source. Both need to be absolute paths. <Unreal install dir> is where you actually installed it to.
Example: /home/unreal, /home/unreal/build/unrealircd-4.0.7 and /home/unreal/unrealircd, respectively. =]

===

When you've got both modules to compile, it's time to start configuring. The leaf mod doesn't require any, so fire up an editor and get to your hub config. Add something that looks like this:

Code:
confprot {
    NETWORK "https://includes.domain.tld/network.conf";
    myleaf.domain.tld "https://includes.domain.tld/myleaf.conf";
    myleaf2.domain.tld "https://includes.domain.tld/myleaf2.conf";
    ....
};

If m_confprot encounters an error of any kind, it will GZ:Line the leaf's IP for the specified time, and opers will be notified.

Also, if for some reason you don't have a network common config (e.g. you copypaste it to the leaf configs), you are allowed to leave it out. If you want to verify the leaf module itself, you can also add an entry like this:

Code:
FJERT "https://includes.domain.tld/m_md5fjert.c";

There are some additional settings you may wanna tweak (these go outside the confprot block):
  • confprot_allowunknown <0/1> -- allow links to happen despite errors, default = 0
  • confprot_zlinetime <timestr> -- format is like 60, 1h5m, etc; default = 60 (seconds)
  • confprot_sslverify <0/1> -- verify SSL cert for the FJERT entry, default = 1
I may add these to the confprot { } block itself at some point in the future. ;3

Any server that's not in the list will be allowed/denied right away, as specified with the directive confprot_allowunknown. The default is to deny, except ulines for obvious raisins. =] If set to 1, the module will still run through the checks as much as it can so you can still see when shit goes down (basically a dry run).

===

Wew lads, hope that's clear enough. =]

Git links:
m_confprot (hub-only)
m_md5fjert (leaf-only)
If you like my modules, pls consider donating (credit card or iDEAL, use the custom job fee option in my shop) ;];]
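
Added example (not part of the post above or of either module): a small Python checker for the three layout assumptions the post lists, namely that unrealircd.conf holds only remote includes, that the network include comes before the hub/leaf one, and that includes nest at most one level below those. The URLs, the file bodies and the `fetch` stand-in are constructed for the demonstration; the real hub downloads the files with libcurl.

```python
"""Offline checker for the include layout the modules assume.

Added example: not part of the thread or of m_confprot/m_md5fjert.
The remote fetch is simulated with a dict so the script runs offline.
"""
import re
from typing import Dict, List

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;\s*$')
REMOTE_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed "web server": URL -> body of the remote include (all invented).
FAKE_REMOTE: Dict[str, str] = {
    "https://includes.domain.tld/network.conf":
        'set { network-name "ExampleNet"; };\n',
    "https://includes.domain.tld/myleaf.conf":
        'me { name "myleaf.domain.tld"; };\n',
    "https://includes.domain.tld/nested.conf":
        "// one level below unrealircd.conf may still include\n"
        'include "https://includes.domain.tld/network.conf";\n',
    "https://includes.domain.tld/toodeep.conf":
        'include "https://includes.domain.tld/nested.conf";\n',
}
NETWORK_URL = "https://includes.domain.tld/network.conf"


def fetch(url: str) -> str:
    """Stand-in for the libcurl download the real hub performs."""
    if url not in FAKE_REMOTE:
        raise LookupError(f"fetch failed: {url}")
    return FAKE_REMOTE[url]


def statements(text: str) -> List[str]:
    """Non-blank lines that are not // or # comments (block comments not handled)."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(("//", "#"))]


def includes_of(text: str) -> List[str]:
    """Targets named by include "..."; lines, in file order."""
    return [m.group(1) for ln in statements(text) if (m := INCLUDE_RE.match(ln))]


def _walk(url: str, depth: int, problems: List[str], max_depth: int = 2) -> None:
    """Follow includes; a file at max_depth must not include anything further."""
    if not REMOTE_RE.match(url):
        problems.append(f"{url}: not a remote (http/https) include")
        return
    try:
        body = fetch(url)
    except LookupError as exc:
        problems.append(str(exc))
        return
    subs = includes_of(body)
    if subs and depth >= max_depth:
        problems.append(f"{url}: includes nested too deep ({', '.join(subs)})")
        return
    for sub in subs:
        _walk(sub, depth + 1, problems, max_depth)


def check_layout(conf_text: str, network_url: str = NETWORK_URL) -> List[str]:
    """Return layout problems for an unrealircd.conf body; [] means compliant."""
    problems: List[str] = []
    stmts = statements(conf_text)
    incs = includes_of(conf_text)
    if len(stmts) != len(incs):
        problems.append("unrealircd.conf holds statements other than include lines")
    if len(incs) != 2:
        problems.append(f"expected exactly 2 includes (network, hub/leaf), found {len(incs)}")
    if incs and incs[0] != network_url:
        problems.append("the network include must come before the hub/leaf include")
    for inc in incs:
        _walk(inc, 1, problems)
    return problems


# Constructed sample unrealircd.conf that follows the recommended layout.
GOOD_CONF = (
    "# constructed sample\n"
    'include "https://includes.domain.tld/network.conf";\n'
    'include "https://includes.domain.tld/myleaf.conf";\n'
)

if __name__ == "__main__":
    print(check_layout(GOOD_CONF))
    print(check_layout(GOOD_CONF.replace("myleaf.conf", "toodeep.conf")))
```

check_layout returns an empty list for a compliant unrealircd.conf and one message per violation, so it can be run against a candidate config before its include URL is handed to the hub. Only // and # line comments are skipped; /* */ block comments are not parsed.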

Re: [DONE] Config tamper protection

Post by Gottem »

Gottem wrote: I may add these to the confprot { } block itself at some point in the future. ;3
Which I've now done. =] The new config block is similar to:

Code:
confprot {
	protected {
		NETWORK "https://includes.domain.tld/network.conf";
		FJERT "https://includes.domain.tld/m_md5fjert.c";
		myleaf.domain.tld "https://includes.domain.tld/myleaf.conf";
		myleaf2.domain.tld "https://includes.domain.tld/myleaf2.conf";
	};
	allowunknown 0;
	zlinetime 60;
	sslverify 0;
};

Re: [DONE] Config tamper protection

Post by Gottem »

I've updated the code to use custom so-called C:Lines instead of Z:Lines. This also means I renamed zlinetime to clinetime.

It also comes with a new oper command /cline, which you can use to list and remove C:Lines. /cline * and /cline -myleaf.domain.tld will both remove the C:Line on myleaf.domain.tld (i.e. it supports wildcard masks). You can't use it to prevent servers from connecting, just jupe it if that's what you need. Also, simply do /cline ? or /cline help to view the built-in help.

I'm using C:Lines because (G)Z:Lines may result in ZNC providers who run an IRCd on the same box getting zlined entirely. If I didn't use any *:Line at all it would result in running the cURL-related checks every time (with a whole bunch of snotices to go with it), and I don't like spam. =] Also, there's no expiration notice on C:Lines; if you see another denied notice you can safely assume it expired (according to clinetime). They're also not really timed, they just expire on the next run. ;] They also get cleared if you rehash.

To allow opers to list/remove C:Lines, give them the cline privilege:

Code:
operclass myclass {
	parent netadmin-with-override;
	privileges {
		cline;
	};
};
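
Added example (not the module's code): a Python model of the hub-side decision the three posts describe, covering the protected { } mapping and allowunknown from the second post and the clinetime/C:Line behaviour from the third. The canonical file names and contents are constructed. How the leaf reports what it loaded is not described in the thread, so the example assumes it sends one digest per protected file, and it uses SHA-256 for that digest even though the module name suggests MD5. It also assumes that no C:Line is placed while allowunknown is 1.

```python
"""Model of m_confprot's link decision with a C:Line cache.

Added example: not the module's code. The leaf's report format, the digest
algorithm (SHA-256 here) and the dry-run behaviour are assumptions.
"""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed canonical copies, standing in for what the hub would download
# from the URLs in its protected { } block.
CANONICAL: Dict[str, bytes] = {
    "NETWORK": b'set { network-name "ExampleNet"; };\n',
    "FJERT": b"/* m_md5fjert.c placeholder source */\n",
    "myleaf.domain.tld": b'me { name "myleaf.domain.tld"; };\n',
}


def report_for(files: Dict[str, bytes]) -> Dict[str, str]:
    """What the (assumed) leaf side sends: one digest per file it loaded."""
    return {name: digest(body) for name, body in files.items()}


@dataclass
class ConfProt:
    protected: Dict[str, bytes]
    allowunknown: bool = False      # allowunknown 0/1
    clinetime: int = 60             # clinetime, in seconds
    clines: Dict[str, float] = field(default_factory=dict)  # server -> expiry
    notices: List[str] = field(default_factory=list)        # what opers would see

    def verify(self, server: str, reported: Dict[str, str]) -> List[str]:
        """Compare the leaf's reported digests with the hub's canonical copies."""
        if server not in self.protected:
            return [f"{server}: not in the protected list"]
        problems: List[str] = []
        # NETWORK and FJERT are optional entries; the leaf's own entry is required.
        for key in ("NETWORK", "FJERT", server):
            if key not in self.protected:
                continue
            got = reported.get(key)
            if got is None:
                problems.append(f"{server}: no digest reported for {key}")
            elif got != digest(self.protected[key]):
                problems.append(f"{server}: digest mismatch for {key}")
        return problems

    def check_link(self, server: str, is_uline: bool,
                   reported: Dict[str, str], now: float) -> bool:
        """True means the link may proceed."""
        if is_uline:
            return True                     # ulines are never checked
        expiry = self.clines.get(server)
        if expiry is not None:
            if now < expiry:
                # Unexpired C:Line: deny without re-running the fetch/compare
                # and without a notice, which is the stated reason for C:Lines.
                return False
            del self.clines[server]         # not timed: it expires on the next run
        problems = self.verify(server, reported)
        if not problems:
            return True
        self.notices.extend(problems)
        if self.allowunknown:
            self.notices.append(f"{server}: allowed despite errors (dry run)")
            return True                     # assumption: no C:Line in dry-run mode
        self.clines[server] = now + self.clinetime
        self.notices.append(f"{server}: link denied, C:Line set for {self.clinetime}s")
        return False

    def remove_cline(self, mask: str) -> int:
        """/cline -<mask> or /cline *: drop C:Lines matching a wildcard mask."""
        hits = fnmatch.filter(list(self.clines), mask.lstrip("-"))
        for name in hits:
            del self.clines[name]
        return len(hits)

    def rehash(self) -> None:
        self.clines.clear()             # C:Lines do not survive a rehash


if __name__ == "__main__":
    hub = ConfProt(protected=dict(CANONICAL))
    print(hub.check_link("myleaf.domain.tld", False, report_for(CANONICAL), 1000.0))
    tampered = dict(CANONICAL, **{"myleaf.domain.tld": b'oper { ... };\n'})
    print(hub.check_link("myleaf.domain.tld", False, report_for(tampered), 1000.0))
    print(hub.notices)
```

Running the block twice against the same tampered leaf within clinetime shows the point of the C:Line cache: the second attempt is refused without a new fetch and without adding to the notice list, while an attempt after clinetime re-runs the comparison and clears the C:Line if the config now matches.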