AntiRandom v1.0 (*NIX & win32)

These are old archives. They are kept for historic purposes only.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

I know quite some windows users have been waiting for a windows version of this module. Also, people have been asking me for several enhancements. I finally had some time to work (a lot) on this module the past few days, and here is the result ;).


2005-06-21 | AntiRandom v1.0 | Modules

I've released a much more improved version of AntiRandom: configuration has been moved to the configfile (instead of editing the .c), it is now 10x faster, the way it calculates scores has been redone to give less false positives and make it detect more bots. And various other enhancements (such as except hosts). Besides the *NIX version, there's now also a Windows version included in the latest windows module pack.

For more information, see the README, Changes, and sample.conf (or for windows users: just only the readme that gets installed)
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

YaY!

* Stealth wonders why no one has asked him for it...
GouroB
Posts: 182
Joined: Thu Oct 28, 2004 7:42 pm
Location: London

Post by GouroB »

Hey syzop,
thx for the upgrade version, and i am really excited to see this
Syzop wrote:And various other enhancements (such as except hosts)
does this mean i would be able to add some ip/ident/gcos in safe list which won't be detected? Oh one more thing, if i have the previous version of antirandom module, what should i do to set new one?
-=GouroB=-
https://www.shunno.info
Your complete web Solution
Irc.BanglaCafe.com
LargesT Chat server in BanglaDesH
mexx3k
Posts: 17
Joined: Sun Apr 10, 2005 8:54 pm
Location: Chaoz-IRC

Post by mexx3k »

great work!!


this module ROCKZ!


got a bunch of flood-bots, yesterday around lunch time ... i myself was @ lunch, another irc-op got them glined ...

after that installed antirandom.c ...

at 9:40pm ( MEZ ) another round of bots came back ... they were ALL caught! ...

today, some got through ... they joined the chan with the most user in it ( like the ones yesterday @ lunch ), but we were prepared and got them ...


just another thing:

what about a wallops-message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline ( the user himself doesn't appear ... unfortunately)


keep on!


greetz from germany,
mexx
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

I think the main problem then would be you'd be seeing a lot of them (imagine a botnet with a few thousand bots connecting :/). This is the same reason why there isn't a failed connect snomask I believe.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

mexx3k wrote:great work!!

this module ROCKZ!
thanks ;p
mexx3k wrote:what about a wallops-message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline ( the user himself doesn't appear ... unfortunately)
It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that user since (s)he is *lined before antirandom is called.
That said, I suppose a log option would be nice.
If you really want to see those attempts (on irc), then don't use *line but just use the 'kill' action.
w00t wrote:[..]This is the same reason why there isn't a failed connect snomask I believe.
Right.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

GouroB wrote: does this means i would be able to add some ip/ident/gcos in safe list which wont be detected ?
No, hosts/ips only. It doesn't do that for speed reasons (too much CPU I think). Also, if you start with that, I think you will need to add quite a lot of entries :p.
GouroB wrote:Oh one more thing if i have the previous version of antirandom module , what should i do , to set new one ?
I suggest carefully reading both the README and the sample.conf. You need to add a set::antirandom block with several items (see sample.conf for an example which is ready-to-use), and (assuming you ran ./build) then you can simply /REHASH -- no ircd restart needed.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Syzop wrote:No, hosts/ips only. It doesn't do that for speed reasons (too much CPU I think). Also, if you start with that, I think you will need to add quite a lot of entries :p.
If one used a *line action, couldn't one use except tkl {} for a safelist? :)
mexx3k
Posts: 17
Joined: Sun Apr 10, 2005 8:54 pm
Location: Chaoz-IRC

Post by mexx3k »

Syzop wrote:It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that use since (s)he is *lined before antirandom is called.
well, i'm only interested in seeing the nicks, which are *lined ... neither in a gline nor zline is the nickname mentioned, just the ip ...

i'm also not interested in the reconnect-tries after the *line ...

just to recognize the "false positives" ...
Syzop wrote:That said, I suppose a log option would be nice.
may i quote w00t? :P
w00t wrote:imagine a botnet with a few thousand bots connecting :/
could it also be, that the logging would slow down the ircd?
Syzop wrote:If you really want to see those attempts (on irc), then don't use *line but just use the 'kill' action.
yeah ... right ... and connectserv from neostats will flood the #services with "look, someone got killed"-msgs ... :P ;)
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

mexx3k wrote:i'm also not interested in the reconnect-tries after the *line ...

just to recognize the "false positives" ...
Like I said, it already does *JUST THAT*.

Code:

[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x
As mentioned in the sample.conf:

Code:

 /* SHOW-FAILEDCONNECTS:
  * This will send out a notice whenever a randomly looking user has been catched
  * during connecting. Obviously this can be pretty noisy.
  * Especially recommended to enable during the first few days you use this module.
  */
 show-failedconnects yes;
And I meant that writing similar info like that to the logfile might be a useful option.
mexx3k wrote:
Syzop wrote:That said, I suppose a log option would be nice.
may i quote w00t? :P
w00t wrote:imagine a botnet with a few thousand bots connecting :/
could it also be, that the logging would slow down the ircd?
(you are referring to logging *line connection denieds here..)

What w00t says is *exactly* why I have turned this feature request down several times...
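
Added example, not part of the thread or of the AntiRandom module: a small parser for the `[antirandom] denied access ...` notice format quoted in the post above, for reviewing a saved server-notice log for possible false positives. The function names, the threshold of 4, the margin, and every sample line except the first are assumptions or constructed data; hosts are assumed to contain no colon.

```python
import re
from collections import Counter

# Layout shown in the thread:
#   [antirandom] denied access to user with score N: nick!ident@host:gecos
# Assumption: host has no ':' (hostname or IPv4), so the first ':' after '@'
# starts the gecos. IPv6 hosts would need a different split.
NOTICE = re.compile(
    r"\[antirandom\] denied access to user with score (?P<score>\d+): "
    r"(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>[^:\s]+):(?P<gecos>.*)$"
)

def parse_notices(lines):
    """Return one dict per antirandom notice; unrelated lines are skipped."""
    hits = []
    for line in lines:
        m = NOTICE.search(line.rstrip("\r\n"))
        if m:
            rec = m.groupdict()
            rec["score"] = int(rec["score"])
            hits.append(rec)
    return hits

def borderline(hits, threshold, margin=2):
    """Hits scoring at most threshold + margin, lowest score first.
    Heuristic (assumption): barely-over-threshold hits get reviewed first."""
    return sorted((h for h in hits if h["score"] <= threshold + margin),
                  key=lambda h: h["score"])

def hits_per_host(hits):
    """Count denials per host to separate a flood from a one-off denial."""
    return Counter(h["host"] for h in hits)

# First line is the notice quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x",
    "[22:29:02] -irc.example.net- *** Notice -- [antirandom] denied access to user with score 12: bleh-lofwlz!~qwrtzx@192.0.2.10:bleh-lofwlz",
    "[22:29:05] -irc.example.net- *** Notice -- [antirandom] denied access to user with score 5: Krzysztof!~kris@dsl.example.org:Krzysztof W.",
    "[22:29:07] -irc.example.net- *** Notice -- Client connecting on port 6667: alice (alice@host.example.com)",
    "[22:29:09] -irc.example.net- *** Notice -- [antirandom] denied access to user with score 16: bleh-wukqsl!~hgfdsa@192.0.2.10:bleh-wukqsl",
]

if __name__ == "__main__":
    hits = parse_notices(SAMPLE_LOG)
    for h in borderline(hits, threshold=4):
        print(h["score"], h["nick"], h["ident"], h["host"], h["gecos"])
    print(hits_per_host(hits).most_common(3))
```
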
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

If you want to see failed connects, you can get AngryWolf's chansno module. However, if you have a large network with a large list of K/G lines, or are being attacked by a botnet, clone floods, etc, then wanting to see failed connects is NOT a good idea.

@Syzop: A snomask for seeing failed connects can be useful in some cases, and at least a snomask can be easily undone.
Stormdancing
Posts: 14
Joined: Mon Sep 27, 2004 3:29 pm

Post by Stormdancing »

I have installed AntiRandom on my 3.2 servers.
I have it set to 4

I don't understand why it's not catching these.

Client connecting on port 6667: [HB3]dfizuz ([email protected])
Client connecting on port 6667: USA|645602593 (~[email protected])
or these
* [HB3]dhlpuu H? ~[email protected] :0 [HB3]dhlpuu
* [HB3]dinldu H? ~[email protected] :0 [HB3]dinldu
* [HB3]cnohxf H? ~[email protected] :0 [HB3]cnohxf
* NZM-861162 H? ~[email protected] :0 NZM-861162
* NZM-109173 H? ~[email protected] :0 NZM-109173

While it is catching these.

Notice -- [antirandom] denied access to user with score 12: bleh-lofwlz!~[email protected]:bleh-lofwlz

[antirandom] denied access to user with score 16: [email protected]:bleh-wukqsl

Can anyone help?
After note:
Changed threshold to 3 and still getting these same bots connecting.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Was a bug, just fixed it.

You can grab version 1.1 here.

I'll announce it at a later time, along with putting an updated version in the *NIX and win32 module packs.

Let me know if this fix introduced any problems (or if it worked ok, of course ;p).
Stormdancing
Posts: 14
Joined: Mon Sep 27, 2004 3:29 pm

Post by Stormdancing »

Ok, thought I was losing it.
I installed 1.1 and will watch and see.
So far it looks like it's getting them
I still have it set on 3 and no users getting killed, of course I don't have 10,000's of users either :)
Thank you
Dana
Stormdancing
Posts: 14
Joined: Mon Sep 27, 2004 3:29 pm

Post by Stormdancing »

While it is catching many more of the previously posted randoms, this pattern still seems to be getting through.

* [HB3]scibay H? ~[email protected] :0 [HB3]scibay
* [HB3]ufwsez H? ~[email protected] :0 [HB3]ufwsez
* [HB3]kjaxkn H? ~[email protected] :0 [HB3]kjaxkn
* [HB3]qykrei H? ~[email protected] :0 [HB3]qykrei
* [HB3]nwiqwp H? ~[email protected] :0 [HB3]nwiqwp
* bleh-qjusrybe H ~[email protected] :0 bleh-qjusrybe
* [HB3]mgekcm H? ~[email protected] :0 [HB3]mgekcm
* [HB3]obtauc H? ~[email protected] :0 [HB3]obtauc