identd for some ips
hi
I'd like to know if someone has (or if it even exists) a module that will automatically kill newly connected users from which the server won't get an identd response. I'd like to use such a module only on users who have dynamic IP providers (listed in some config file perhaps?).
- Head of Support
- Posts: 2085
- Joined: Tue Jun 15, 2004 8:50 pm
- Location: Chino Hills, CA, US
Something like this will probably make ALL of your clients go away. Most users with broadband connections do not know how to set up identd, and will be given dynamic IPs unless they pay for a static one. People with truly dynamic IPs would be dial-up users, and you will get an identd response from them almost all the time (because there is no port forwarding involved, the modem is connected straight to the computer).
If you want to kill people without identd anyway, you can use G:Lines:
/gline ~*@*.dynamic.ip.host 0 Identd is required for this ISP.
This will force people from the ISPs you choose to be "killed" from the server when they don't have identd.
Jason wrote:
What's wrong with Identd security wise? I use it, and have never heard of anything against it before now.

It's not something against it, but more a place to gather information for other possible exploits. I was concerned in my bygone days when I tried to hide my presence on the internet totally. Since I now run servers, it's not as critical.
To me, Ident means identification, NOT authentication. Ident is also very, very easy to spoof. So I will not use it on any connection to say "This is me".
To that effect, I do not use access lists in NickServ (those with ident can verify a user).
So, I need to hand over a user/pass to NickServ whenever I connect. I've now ruled out Ident as a means of identification of any sort (it's too insecure).
With identification ruled out, what can Ident do for me?
It can provide information I do NOT want released to other people. The ident protocol will provide the ident requester with the operating system and possibly (if not configured properly) an active username on the system as well. Finally, many routers will also forward Ident requests to all computers "carte blanche", so that means ident can be used to find a fully hidden network on a router: stealthed port vs closed/open.
I do not believe in giving out any more information than is absolutely necessary, so in my view, ident is all risk, no reward. Oh... wait, there is one reward: no delay on connecting to *some* IRC servers.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
Ah. On my box the username can't be spoofed; they can use their UID or their username, nothing else (I let two friends in), so it is proper identification to me. Anything NATed gets the ident Pantheon, so I don't leak info there.
I understand your concerns though.
Why the hell can't my signature be empty?
"Your message contains too few characters."
RFC 1413 (Identd protocol) wrote:
Queries are permitted only for fully specified connections. The query contains the local/foreign port pair -- the local/foreign address pair used to fully specify the connection is taken from the local and foreign address of query connection. This means a user on address A may only query the server on address B about connections between A and B.

Basically, a proper Identd (RFC 1413) implementation should not disclose information to a host with which you have no TCP connection (some might be intelligent and check UDP as well, but being sessionless, I don't think that's exactly easy), and hosts with which you do have TCP connections can only query information about that connection. Whether this is done in practice or not I don't know, but ideally this would be the case; if you have any identd server that just replies based on the ports and doesn't check IPs, you have a broken identd server ;) .
Anyway, Identd really is kinda pointless for identification purposes. The most relevant use of it for IRC is to determine probability of a user being a spam or drone bot (which rarely have functional ident servers since they run on compromised systems that have next to 0 chance of having an actual IRC client or identd server installed).
Example from personal experience: one EFnet server makes you do a "pong the letters you see" (it displays some characters "graphicalized" (think something like figlet) and you have to /quote PONG :thoseletters to connect) if your client doesn't answer its identd query.
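The RFC 1413 rule quoted above (a host on address A may only ask the server on address B about connections between A and B) is easy to get wrong, and the post above says that a responder which answers on port numbers alone is broken. The following is an added example, not code from the thread or from any real identd, of a responder that applies the rule: it looks the queried port pair up in a table of the host's own TCP connections and only answers when the querying address is the far end of that connection. The connection table, addresses and usernames are constructed for the example; the `hidden` flag stands in for a per-user opt-out that real implementations offer under various names.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Conn:
    """One established TCP connection on the host that runs identd."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    user: str
    hidden: bool = False  # user asked not to be reported (assumed opt-out flag)

# Constructed connection table: two IRC client sessions from this host (203.0.113.7).
CONNECTIONS: List[Conn] = [
    Conn("203.0.113.7", 51234, "198.51.100.5", 6667, "alice"),
    Conn("203.0.113.7", 51240, "198.51.100.9", 6667, "root", hidden=True),
]

# Request line format from RFC 1413: "<port on this host>, <port on the querier>".
QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")

def ident_reply(query: str, querier_addr: str, server_addr: str = "203.0.113.7",
                conns: List[Conn] = CONNECTIONS) -> str:
    """Answer one ident request received over a query connection from
    querier_addr to server_addr. The address pair of that query connection,
    not anything in the request text, decides which connection may be asked
    about: this is what keeps a third host from enumerating users."""
    m = QUERY_RE.match(query)
    if not m:
        # Malformed request: echo a harmless port pair with the RFC error code.
        return "0, 0 : ERROR : INVALID-PORT"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    ports = f"{local_port}, {remote_port}"
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{ports} : ERROR : INVALID-PORT"
    for c in conns:
        if (c.local_addr == server_addr and c.local_port == local_port
                and c.remote_addr == querier_addr and c.remote_port == remote_port):
            if c.hidden:
                return f"{ports} : ERROR : HIDDEN-USER"
            return f"{ports} : USERID : UNIX : {c.user}"
    # Either no such connection, or it belongs to a different remote host:
    # both cases get the same answer, so nothing is revealed about other peers.
    return f"{ports} : ERROR : NO-USER"

if __name__ == "__main__":
    # The IRC server that alice is connected to asks about its own connection.
    print(ident_reply("51234, 6667", "198.51.100.5"))
    # A third host asks about the same port pair and learns nothing.
    print(ident_reply("51234, 6667", "198.51.100.99"))
```

Note that the broken behaviour the post describes is simply the version of the lookup that drops the `remote_addr` comparison: with it removed, any host that can guess a port pair gets the username.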
I've got some success with Syzop's regexcept module, which allows certain registered nicks to be in ban exceptions, so the user must be identified to services and also have a nick exception in a channel. Sadly it probably isn't possible to do this with K-lines because the user wouldn't have a chance to identify to NickServ.
Also, some more intelligent dynamic IP providers can hold the same IP for a user for some time (can be hours, days or I've seen even months) even when disconnecting and connecting to the internet periodically. Too bad that there are few providers who do this.
aquanight wrote:
Anyway, Identd really is kinda pointless for identification purposes.

Multi-user machines? If you SSH to the WinSE server and run irssi, your ident will be aquanight, as opposed to w00t's w00t, or my LAN's Pantheon. Sure you could use a ~/.oidentd.conf to spoof it to your UID for privacy, but that's still going to be easy to ban, and easy to report to me if you're abusive. I can't be the only person left who does this!
Why the hell can't my signature be empty?
"Your message contains too few characters."