identd for some ips

These are old archives. They are kept for historic purposes only.
salama
Posts: 34
Joined: Sun Jun 19, 2005 8:27 am

identd for some ips

Post by salama »

hi

I'd like to know if someone has (or if it even exists) a module that will automatically kill newly connected users from which the server won't get an identd response. I'd like to use such a module only on users who have dynamic IP providers (listed in some config file perhaps?).
Stealth
Head of Support
Posts: 2085
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth »

Something like this will probably make ALL of your clients go away. Most users with broadband connections do not know how to set up identd, and will be given dynamic IPs unless they pay for a static one. People with truly dynamic IPs would be dial-up users, and you will get an identd response from them almost all the time (because there is no port forwarding involved, the modem is connected straight to the computer).

If you want to kill people without identd anyway, you can use G:Lines:
/gline ~*@*.dynamic.ip.host 0 Identd is required for this ISP.
This will force people from the ISPs you choose to be "killed" from the server when they don't have identd.
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

Some people will also intentionally disable ident because of security risks. I know I do that personally.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

What's wrong with Identd security-wise? I use it, and have never heard of anything against it before now.
Why the hell can't my signature be empty?
"Your message contains too few characters."
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom »

Jason wrote: What's wrong with Identd security-wise? I use it, and have never heard of anything against it before now.
It's not something against it, but more a place to gather information for other possible exploits. I was concerned in my bygone days when I tried to hide my presence on the internet totally. Since I now run servers, it's not as critical.

To me, Ident means identification, NOT authentication. Ident is also very, very easy to spoof. So I will not use it on any connection to say "This is me".

To that effect, I do not use access lists in nickserv (them with ident can verify a user)

So, I need to hand over a user/pass to nickserv whenever I connect. I've now ruled out Ident as a means of identification of any sort (it's too insecure).

With identification ruled out, what can Ident do for me?

It can provide information I do NOT want released to other people. The ident protocol will provide the ident requestee, the operating system and possibly (if not configured properly) an active username on the system as well. Finally, many routers will also forward Ident requests to all computers "carte blanche", so that means ident can be used to find a fully hidden network on a router - stealthed port vs closed/open.

I do not believe in giving out any more information than is absolutely necessary, so in my view, ident is all risk, no reward. Oh.. wait, there is one reward, no delay on connecting to *some* IRC servers
Never argue with an idiot. They will bring you down to their level, then beat you with experience.
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Ah. On my box the username can't be spoofed, they can use their UID or their username, nothing else (I let two friends in), so it is proper identification to me. Anything NATed gets the ident Pantheon, so I don't leak info there.

I understand your concerns though.
Why the hell can't my signature be empty?
"Your message contains too few characters."
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

RFC 1413 (Identd protocol) wrote: Queries are permitted only for fully specified connections. The query contains the local/foreign port pair -- the local/foreign address pair used to fully specify the connection is taken from the local and foreign address of query connection. This means a user on address A may only query the server on address B about connections between A and B.
Basically, a proper Identd (RFC 1413) implementation should not disclose information to a host with which you have no TCP connection (some might be intelligent and check UDP as well, but being sessionless, I don't think that's exactly easy), and hosts with which you do have TCP connections can only query information about that connection. Whether this is done in practice or not I don't know, but ideally this would be the case, but if you have any identd server that just replies based on the ports and doesn't check IPs, you have a broken identd server ;) .

Anyway, Identd really is kinda pointless for identification purposes. The most relevant use of it for IRC is to determine probability of a user being a spam or drone bot (which rarely have functional ident servers since they run on compromised systems that have next to 0 chance of having an actual IRC client or identd server installed).

Example from personal experience: one EFnet server makes you do a "pong the letters you see" (it displays some characters "graphicalized" (think something like figlet) and you have to /quote PONG :thoseletters to connect) if your client doesn't answer its identd query.
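The address check from the RFC 1413 passage quoted above, next to the "broken identd" that matches on ports only, as an added example that is not part of the original thread or of any real identd. The connection table, the function names and the `0 , 0` echo for unparsable queries are assumptions made for illustration.

```python
import re

# Constructed sample of this host's TCP connections:
# (local_port, remote_ip, remote_port) -> owning local user
CONNECTIONS = {
    (50312, "192.0.2.10", 6667): "alice",   # alice's IRC session
    (50544, "198.51.100.7", 22): "bob",     # bob's SSH session to another host
}

QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def _parse(query_line):
    """Parse '<port-on-this-host> , <port-on-querier>'; return (pair, error)."""
    m = QUERY_RE.match(query_line.rstrip("\r\n"))
    if not m:
        return None, "0 , 0 : ERROR : INVALID-PORT"   # echo 0,0 when unparsable
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return None, f"{local_port} , {remote_port} : ERROR : INVALID-PORT"
    return (local_port, remote_port), None


def answer_ident(query_line, querier_ip, connections=CONNECTIONS, hide_user=False):
    """Reply only about a connection between this host and querier_ip."""
    pair, err = _parse(query_line)
    if err:
        return err
    local_port, remote_port = pair
    prefix = f"{local_port} , {remote_port}"
    # The remote address comes from the query connection itself, never the query text.
    user = connections.get((local_port, querier_ip, remote_port))
    if user is None:
        return f"{prefix} : ERROR : NO-USER"
    if hide_user:                       # user opted out of disclosure
        return f"{prefix} : ERROR : HIDDEN-USER"
    return f"{prefix} : USERID : UNIX : {user}"


def answer_ident_broken(query_line, querier_ip, connections=CONNECTIONS):
    """The 'broken identd' case: matches on ports only and ignores querier_ip."""
    pair, err = _parse(query_line)
    if err:
        return err
    for (lport, _rip, rport), user in connections.items():
        if (lport, rport) == pair:
            return f"{lport} , {rport} : USERID : UNIX : {user}"
    return f"{pair[0]} , {pair[1]} : ERROR : NO-USER"
```

Asked about bob's SSH session by the IRC server at 192.0.2.10, `answer_ident` returns NO-USER while `answer_ident_broken` names bob; `hide_user=True` gives the HIDDEN-USER reply for people who do not want a username disclosed at all.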
salama
Posts: 34
Joined: Sun Jun 19, 2005 8:27 am

Post by salama »

Then... is it possible to get rid of abusive dynamic IP users while allowing the normal ones to pass?
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

You could probably try to contact the ISP abuse department first, and if that proves fruitless, ban the ISP's subnet (if you have the whois tool you can usually whois an IP to get the ISP's IP pool).
salama
Posts: 34
Joined: Sun Jun 19, 2005 8:27 am

Post by salama »

I've got some success with Syzop's regexcept module, which allows certain registered nicks to be in ban exceptions, so the user must be identified to services and also have a nick exception in a channel. Sadly it probably isn't possible to do this with k-lines because the user wouldn't have a chance to id to nickserv.

Also, some more intelligent dynamic IP providers can hold the same IP for a user for some time (can be hours, days or I've seen even months) even when disconnecting and connecting to the internet periodically. Too bad that there are few providers who do this.
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

aquanight wrote: Anyway, Identd really is kinda pointless for identification purposes.

Multi-user machines? If you SSH to the WinSE server, and irssi, your ident will be aquanight, as opposed to w00t's w00t, or my LAN's Pantheon. Sure you could use a ~/.oidentd.conf to spoof it to your UID for privacy, but that's still going to be easy to ban, and easy to report to me if you're abusive. I can't be the only person left who does this!
Why the hell can't my signature be empty?
"Your message contains too few characters."