[DONE] Honeypot channel

These are old archives. They are kept for historic purposes only.

Moderators: Gottem, Supporters

CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

[DONE] Honeypot channel

Post by CrazyCat »

Hi,

Due to the current big spam wave on every IRC network, I'm looking for a way to use a channel as a honeypot.
The principle is simple: a channel is defined as a honeypot channel (#honey) and everyone who joins it is automatically glined (or gzlined). Perhaps with an exception list to keep some users in it, because the channel must have users in it to be detected by the spam bots.

I'm also thinking about adding a "join" target to spamfilter, but it may be more difficult to do?

I'll create an eggdrop script to do that this weekend, but I hate having an eggdrop ircoped, so if a server module exists, it will be heaven :)

====================

[Gottem EDIT 20181104] Current information should probably be displayed in the first post and not somewhere down the thread. :>


k4be made some contributions to implement (most of) this functionality in my already existing m_listrestrict module. I added the gline-on-join-fakechan thing myself afterwards. =]

I've updated the relevant forum thread and README to include the new stuff. =]
Gottem
UnrealIRCd coder
Posts: 192
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem »

Hah, someone else asked me for something very similar for an already existing module acting on LIST (m_listrestrict). He gave me the following example config:

Code:

loadmodule "third/m_listrestrict";

listrestrict {
    connectdelay 300; // How long a client must have been online for
    needauth 0; // Besides connectdelay, also require authentication w/ services

    exceptions {
    #    all "user@*";
    #    auth "*@123.123.123.*";
    #    connect "[email protected]";
    #    connect "need@moar";
        connect "*@127.0.0.1";
        connect "*@192.168.0.*";
        connect "icrawl@*.ircs.me";
    };
    
    prelistchans {
      "#fake1", "channel topic";       // Spambot trap channel, for example
      "#fred", "whatever";             // Another spambot trap channel
      "#Chat", "Our Main Channel - Only click this one!";     // The default network lobby etc.
    };
};

The idea behind "prelistchans" is that they are listable BEFORE the "connectdelay" timer ends,
this would be useful to capture any spambots for example who join the wrong channel.

The "Exceptions" of course would not get the spamtrap channel list.
So if I were to do this you could use the prelistchans option to specify #honey, then bots doing /LIST will only see that channel. =] I could maybe even force #honey to appear even though there aren't any users in it. Then you could set a spamfilter for anyone trying to join that channel and g(z)line 'em. :D In the above example they also specified the actual public main channel, so the order of entries in prelistchans would also be the order my (hacked) LIST outputs stuff in.

The only problem is though, there's currently no clean way to do this. I'd have to override the entire LIST function to output only specific channels. I could dumb it down so you can't pass any options (like /LIST *chat*, /LIST >10, etc) until connectdelay passes, but that might not be entirely what you want/need? I could also bug Syzop about implementing an additional hook but it may not be implemented due to the complexity of the requirements for this module addition.
If you like my modules, pls consider donating (credit card or iDEAL, use the custom job fee option in my shop) ;];]
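The decision logic discussed in the post above (a pre-list shown during connectdelay, bait channels, and a ban on joining bait), as an added example that is not part of the original thread and is not m_listrestrict code. It is a stand-alone model: the struct and function names, the channel table and the ASCII-only name comparison are assumptions made for illustration.

```c
/* Added example: stand-alone model of the honeypot logic, not m_listrestrict code; names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>
#include <time.h>

struct client { time_t firsttime; bool logged_in; bool exempt; };
struct chan   { const char *name; bool trap; bool prelist; };
enum verdict  { ALLOW, GLINE };

/* Constructed data: #fake1 exists only as bait; #Chat is the real lobby, listable early. */
static const struct chan chans[] = {
    { "#fake1", true,  true  },
    { "#Chat",  false, true  },
    { "#dev",   false, false },
};
#define NCHANS (sizeof chans / sizeof chans[0])

static const struct chan *find_chan(const char *name) {
    for (size_t i = 0; i < NCHANS; i++)
        if (strcasecmp(name, chans[i].name) == 0) /* ASCII-only case folding */
            return &chans[i];
    return NULL;
}

/* True while the client may only see the pre-list channels. */
bool restricted(const struct client *c, time_t now, long delay, bool need_auth) {
    if (c->exempt) return false;
    if (delay > 0 && now - c->firsttime < delay) return true;
    return need_auth && !c->logged_in;
}

/* LIST filter: restricted clients get the pre-list, everyone else never sees bait. */
bool list_visible(const struct client *c, const char *name, time_t now, long delay, bool need_auth) {
    const struct chan *ch = find_chan(name);
    if (!ch) return false;
    return restricted(c, now, delay, need_auth) ? ch->prelist : !ch->trap;
}

/* JOIN check: joining a bait channel is the ban trigger, unless the client is exempt. */
enum verdict on_join(const struct client *c, const char *name) {
    const struct chan *ch = find_chan(name);
    return (ch && ch->trap && !c->exempt) ? GLINE : ALLOW;
}

int main(void) {
    struct client bot = { 1000, false, false };
    printf("bait listed: %d, join verdict: %d\n", list_visible(&bot, "#fake1", 1010, 300, false), on_join(&bot, "#fake1"));
    return 0;
}
```

Because bait channels are hidden from exempt and unrestricted clients, the exception masks decide who can ever be caught, so crawlers and trusted hosts need to be listed before the ban action is enabled.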
Amiga00
Posts: 12
Joined: Sun Aug 05, 2018 2:51 pm

Re: [REQUEST] Honeypot channel

Post by Amiga00 »

Yes I am the guilty one who gave Gottem that config :D

I generally only ever use /LIST without parameters anyway, after all it was years (decades) before I even knew you could prefix parameters onto that command.

I had that idea originally, as I have suffered spambot attacks, and by blocking the /LIST off using that module, you find they simply timeout and quit without joining any channels, of course it is not ideal blocking the entire /LIST off but it seems to work with these dumb bots my network is getting currently.
Amiga600 @ irc.unrealircd.org #unreal-support
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

Re: [REQUEST] Honeypot channel

Post by CrazyCat »

Using the m_listrestrict module is not a bad idea, I only have the netsplit crawler to exempt.
But the trap channel (with a real channel) may be simpler to do than a fake /list result, and the way to automatically gline a user trying to join the (fake) channel is always present.
btw, I don't have a lot of users, and no one uses the /list command (they know where they go :D), so restricting the list command for 2 minutes seems to be a good temporary solution
Gottem
UnrealIRCd coder
Posts: 192
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem »

Well I suppose if nobody cares that LIST is broken for the first few minutes it would be fairly easy to implement. :> You'll know when it's done. ;]
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

Re: [REQUEST] Honeypot channel

Post by CrazyCat »

The spam wave seems to be stopped, but I used m_listrestrict for a few days and it worked fine. I had to put a delay of 180s because the bots wait for 2 minutes before spamming (I guess it was a delay to be sure they get the full list on big networks) and no one complained about that :)
Amiga00
Posts: 12
Joined: Sun Aug 05, 2018 2:51 pm

Re: [REQUEST] Honeypot channel

Post by Amiga00 »

Well to stop spambots, I used List Restrict to only Registered Users, which stopped them joining any channels.
I also used the UnrealIRCd Spamfilter System to filter out the crap they posted.
and additionally, since 90% of them were coming from a certain country, I even made a Country Mode Blocker in my PHP Bot.

Doing all that stopped the spambots instantly :D
Gottem
UnrealIRCd coder
Posts: 192
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem »

CrazyCat wrote: Thu Aug 09, 2018 7:08 am The spam wave seems to be stopped
They'll come back. ;]
Amiga00 wrote: Thu Aug 09, 2018 9:46 am Well to stop spambots, I used List Restrict to only Registered Users, which stopped them joining any channels.
I also used the UnrealIRCd Spamfilter System to filter out the crap they posted.
and additionally, since 90% of them were coming from a certain country, I even made a Country Mode Blocker in my PHP Bot.

Doing all that stopped the spambots instantly :D
I simply set like 4 spamfilters and nobody complained about any spam after that. :>
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

Re: [REQUEST] Honeypot channel

Post by CrazyCat »

Gottem wrote: Sun Aug 05, 2018 2:27 pm The only problem is though, there's currently no clean way to do this. I'd have to override the entire LIST function to output only specific channels. I could dumb it down so you can't pass any options (like /LIST *chat*, /LIST >10, etc) until connectdelay passes, but that might not be entirely what you want/need? I could also bug Syzop about implementing an additional hook but it may not be implemented due to the complexity of the requirements for this module addition.
Can't you add a simpler system, using a real channel (only one set as exception in the config), doing something like this:

Code:

	// Sanity check + delay check =]
	if(!except_connect && muhDelay > 0 && sptr->local && TStime() - sptr->local->firsttime < muhDelay) {
		// Still within the delay: rewrite the LIST argument to the trap channel instead of refusing the command
		if (parc == 1)
			parc++;
		parv[1] = "#exception";
		//sendnotice(sptr, "You have to be connected for at least %d seconds before being able to /%s", muhDelay, OVR_LIST);
		//return 0;
	}

	// Need identified check ;];;]
	if(!except_auth && needAuth && !IsLoggedIn(sptr)) {
		sendnotice(sptr, "You have to be identified with services before being able to /%s", OVR_LIST);
		return 0;
	}

	return CallCmdoverride(ovr, cptr, sptr, parc, parv); // Run original function yo
This works, just have to make the trap channel a config value. And it must exist, we don't fake the /list command, we just add a parameter
k4be
UnrealIRCd coder
Posts: 49
Joined: Sun Jan 09, 2005 12:19 pm
Location: Poland

Re: [DONE] Honeypot channel

Post by k4be »

I have just implemented it (haven't noticed this topic until now).
Patch

[SNIP]

Seems to work, but certainly needs more testing.
Please note that it will not do anything with the real channels. These are to be handled separately (I used a services module for that).

====================

[Gottem EDIT 20181104] Current information should probably be displayed in the first post and not somewhere down the thread. :> As such I've removed the example config block originally in this post because it doesn't match the actual code anymore. I've kept the patch link because it shows your contributions. =]
Gottem
UnrealIRCd coder
Posts: 192
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [DONE] Honeypot channel

Post by Gottem »

I've merged and reviewed/tested your contributions and we should be good to go. =] I made a few adjustments to the coding style, fixed some bugs (cep instead of cep2, except_auth + authisenough still checked for connectdelay) and did a few optimisations. I also removed the outdated information from your post and added everything to the OP.
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

Re: [DONE] Honeypot channel

Post by CrazyCat »

Good job guys ! I'll try it right now :)
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France

Re: [DONE] Honeypot channel

Post by CrazyCat »

I've tried it, it works, I kept it :)