AntiRandom v1.0 (*NIX & win32)
I know quite a few Windows users have been waiting for a Windows version of this module. Also, people have been asking me for several enhancements. I finally had some time to work (a lot) on this module the past few days, and here is the result ;).
2005-06-21 | AntiRandom v1.0 | Modules
I've released a much improved version of AntiRandom: configuration has been moved to the configfile (instead of editing the .c), it is now 10x faster, the way it calculates scores has been redone to give fewer false positives and make it detect more bots. And various other enhancements (such as except hosts). Besides the *NIX version, there's now also a Windows version included in the latest Windows module pack.
For more information, see the README, Changes, and sample.conf (or for Windows users: just the readme that gets installed).
Hey syzop,
thx for the upgrade version, and i am really excited to see this:
> And various other enhancements (such as except hosts)
Does this mean i would be able to add some ip/ident/gecos to a safe list which won't be detected? Oh, one more thing: if i have the previous version of the antirandom module, what should i do to set up the new one?
-=GouroB=-
https://www.shunno.info
Your complete web Solution
Irc.BanglaCafe.com
LargesT Chat server in BanglaDesH
great work!!
this module ROCKZ!
got a bunch of flood-bots, yesterday around lunch time ... i myself was @ lunch, another irc-op got them glined ...
after that installed antirandom.c ...
at 9:40pm ( MEZ ) another round of bots came back ... they were ALL caught! ...
today, some got through ... they joined the chan with the most users in it ( like the ones yesterday @ lunch ), but we were prepared and got them ...
just another thing:
what about a wallops-message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline ( the user himself doesn't appear ... unfortunately)
keep on!
greetz from germany,
mexx
I think the main problem then would be you'd be seeing a lot of them (imagine a botnet with a few thousand bots connecting :/). This is the same reason why there isn't a failed connect snomask I believe.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
mexx3k wrote:
> great work!!
> this module ROCKZ!
thanks ;p
mexx3k wrote:
> what about a wallops-message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline ( the user himself doesn't appear ... unfortunately)
It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that user since (s)he is *lined before antirandom is called.
That said, I suppose a log option would be nice.
If you really want to see those attempts (on irc), then don't use *line but just use the 'kill' action.
w00t wrote:
> [..]This is the same reason why there isn't a failed connect snomask I believe.
Right.
GouroB wrote:
> does this means i would be able to add some ip/ident/gcos in safe list which wont be detected ?
No, hosts/ips only. It doesn't do that for speed reasons (too much CPU I think). Also, if you start with that, I think you will need to add quite a lot of entries :p.
GouroB wrote:
> Oh one more thing if i have the previous version of antirandom module , what should i do , to set new one ?
I suggest carefully reading both the README and the sample.conf. You need to add a set::antirandom block with several items (see sample.conf for an example which is ready-to-use), and (assuming you ran ./build) then you can simply /REHASH -- no ircd restart needed.
Syzop wrote:
> It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that user since (s)he is *lined before antirandom is called.
well, i'm only interested in seeing the nicks which are *lined ... neither in a gline nor zline is the nickname mentioned, just the ip ...
i'm also not interested in the reconnect-tries after the *line ...
just to recognize the "false positives" ...
> That said, I suppose a log option would be nice.
may i quote w00t?
> imagine a botnet with a few thousand bots connecting :/
could it also be, that the logging would slow down the ircd?
> If you really want to see those attempts (on irc), then don't use *line but just use the 'kill' action.
yeah ... right ... and connectserv from neostats will flood the #services with "look, someone got killed"-msgs ...
> 'm also not interested in the reconnect-tries after the *line ...
> just to recognize the "false positives" ...
Like I said, it already does *JUST THAT*.
Code:
[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x
Code:
/* SHOW-FAILEDCONNECTS:
 * This will send out a notice whenever a randomly looking user has been catched
 * during connecting. Obviously this can be pretty noisy.
 * Especially recommended to enable during the first few days you use this module.
 */
show-failedconnects yes;
>> That said, I suppose a log option would be nice.
> may i quote w00t? :P
>> imagine a botnet with a few thousand bots connecting :/
> could it also be, that the logging would slow down the ircd?
(you are referring to logging *line connection denieds here..)
What w00t says is *exactly* why I have turned this feature request down several times...
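For the false-positive review discussed in the posts above, the notices produced by show-failedconnects can be parsed and grouped by host, since hosts/IPs are what the module can exempt. This is an added example, not part of the thread or the module: the sample lines after the first one are constructed, and the `margin` parameter and the idea of reviewing near-threshold scores first are assumptions.

```python
import re
from collections import defaultdict

# Notice layout as quoted in this thread:
#   [antirandom] denied access to user with score N: nick!ident@host:realname
# Assumption: the host contains no ':' (an IPv6 host would make the
# host/realname split ambiguous and needs separate handling).
NOTICE_RE = re.compile(
    r"\[antirandom\] denied access to user with score (?P<score>\d+): "
    r"(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>[^:\s]+):(?P<gecos>.*)$"
)

def parse_notice(line):
    """Return a dict for one antirandom notice, or None for any other line."""
    m = NOTICE_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    hit = m.groupdict()
    hit["score"] = int(hit["score"])
    return hit

def borderline_by_host(lines, threshold, margin=2):
    """Group hits scoring within `margin` of `threshold` by host, lowest score first."""
    by_host = defaultdict(list)
    for line in lines:
        hit = parse_notice(line)
        if hit and hit["score"] - threshold <= margin:
            by_host[hit["host"]].append(hit)
    for hits in by_host.values():
        hits.sort(key=lambda h: h["score"])
    return dict(by_host)

# First line is the notice quoted in the thread; the others are constructed samples.
SAMPLE = [
    "[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x",
    "[22:29:02] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 5: krzysztof!~kris@gw.example.net:Krzysztof W.",
    "[22:29:03] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 12: bleh-lofwlz!~xkqz@host1.example.org:bleh-lofwlz",
    "[22:29:10] -maintest.test.net- *** Notice -- Client connecting on port 6667: someone (a@b.example)",
    "[22:31:47] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 4: mwbrzk!~mw@gw.example.net:re: hi",
]

if __name__ == "__main__":
    # Hosts that keep appearing with low scores are the ones to check by hand.
    for host, hits in borderline_by_host(SAMPLE, threshold=4).items():
        for h in hits:
            print(f"{host}\tscore={h['score']}\t{h['nick']}!{h['ident']}\t{h['gecos']}")
```
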
-
- Head of Support
- Posts: 2086
- Joined: Tue Jun 15, 2004 8:50 pm
- Location: Chino Hills, CA, US
- Contact:
If you want to see failed connects, you can get AngryWolf's chansno module. However, if you have a large network with a large list of K/G lines, or are being attacked by a botnet, clone floods, etc, then wanting to see failed connects is NOT a good idea.
@Syzop: A snomask for seeing failed connects can be useful in some cases, and at least a snomask can be easily undone.
-
- Posts: 14
- Joined: Mon Sep 27, 2004 3:29 pm
I have installed AntiRandom on my 3.2 servers.
I have it set to 4
I don't understand why it's not catching these.
Client connecting on port 6667: [HB3]dfizuz ([email protected])
Client connecting on port 6667: USA|645602593 (~[email protected])
or these
* [HB3]dhlpuu H? ~[email protected] :0 [HB3]dhlpuu
* [HB3]dinldu H? ~[email protected] :0 [HB3]dinldu
* [HB3]cnohxf H? ~[email protected] :0 [HB3]cnohxf
* NZM-861162 H? ~[email protected] :0 NZM-861162
* NZM-109173 H? ~[email protected] :0 NZM-109173
While it is catching these.
Notice -- [antirandom] denied access to user with score 12: bleh-lofwlz!~[email protected]:bleh-lofwlz
[antirandom] denied access to user with score 16: [email protected]:bleh-wukqsl
Can anyone help?
After note:
Changed threshold to 3 and still getting these same bots connecting.
Was a bug, just fixed it.
You can grab version 1.1 here.
I'll announce it at a later time, along with putting an updated version in the *NIX and win32 module packs.
Let me know if this fix introduced any problems (or if it worked ok, of course ;p).
-
- Posts: 14
- Joined: Mon Sep 27, 2004 3:29 pm
While it is catching many more of the previously posted randoms, this pattern still seems to be getting through.
* [HB3]scibay H? ~[email protected] :0 [HB3]scibay
* [HB3]ufwsez H? ~[email protected] :0 [HB3]ufwsez
* [HB3]kjaxkn H? ~[email protected] :0 [HB3]kjaxkn
* [HB3]qykrei H? ~[email protected] :0 [HB3]qykrei
* [HB3]nwiqwp H? ~[email protected] :0 [HB3]nwiqwp
* bleh-qjusrybe H ~[email protected] :0 bleh-qjusrybe
* [HB3]mgekcm H? ~[email protected] :0 [HB3]mgekcm
* [HB3]obtauc H? ~[email protected] :0 [HB3]obtauc