AntiRandom v1.0 (*NIX & win32)

Posted: Tue Jun 21, 2005 5:57 pm
by Syzop
I know quite a few Windows users have been waiting for a Windows version of this module. Also, people have been asking me for several enhancements. I finally had some time to work (a lot) on this module the past few days, and here is the result ;).


2005-06-21 | AntiRandom v1.0 | Modules

I've released a much improved version of AntiRandom: configuration has been moved to the config file (instead of editing the .c), it is now 10x faster, the way it calculates scores has been redone to give fewer false positives and make it detect more bots, and there are various other enhancements (such as except hosts). Besides the *NIX version, there's now also a Windows version included in the latest Windows module pack.

For more information, see the README, Changes, and sample.conf (or for Windows users: just the README that gets installed).

Posted: Tue Jun 21, 2005 6:20 pm
by Stealth
YaY!

* Stealth wonders why no one has asked him for it...

Posted: Wed Jun 22, 2005 2:16 pm
by GouroB
Hey Syzop,
Thanks for the upgraded version, and I am really excited to see this.
Syzop wrote: And various other enhancements (such as except hosts)
Does this mean I would be able to add some ip/ident/gecos to a safe list which won't be detected? Oh, one more thing: if I have the previous version of the antirandom module, what should I do to set up the new one?

Posted: Fri Jun 24, 2005 11:47 pm
by mexx3k
great work!!


this module ROCKZ!


got a bunch of flood-bots yesterday around lunch time ... I myself was @ lunch, another IRC op got them glined ...

after that, installed antirandom.c ...

at 9:40pm (MEZ) another round of bots came back ... they were ALL caught! ...

today, some got through ... they joined the chan with the most users in it (like the ones yesterday @ lunch), but we were prepared and got them ...


just another thing:

what about a wallops message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline (the user himself doesn't appear ... unfortunately)


keep on!


greetz from germany,
mexx

Posted: Sat Jun 25, 2005 12:45 pm
by w00t
I think the main problem then would be you'd be seeing a lot of them (imagine a botnet with a few thousand bots connecting :/). This is the same reason why there isn't a failed-connect snomask, I believe.

Posted: Sat Jun 25, 2005 9:30 pm
by Syzop
mexx3k wrote: great work!!

this module ROCKZ!
thanks ;p
mexx3k wrote: what about a wallops message? like "antirandom caught nick!~ident@host, it has been {action}" ... so there is more in the logs than just the gline (the user himself doesn't appear ... unfortunately)
It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that user since (s)he is *lined before antirandom is called.
That said, I suppose a log option would be nice.
If you really want to see those attempts (on IRC), then don't use *line but just use the 'kill' action.
w00t wrote: [..] This is the same reason why there isn't a failed-connect snomask, I believe.
Right.

Posted: Sat Jun 25, 2005 9:37 pm
by Syzop
GouroB wrote: does this mean I would be able to add some ip/ident/gecos to a safe list which won't be detected?
No, hosts/IPs only. It doesn't do that for speed reasons (too much CPU I think). Also, if you start with that, I think you will need to add quite a lot of entries :p.
GouroB wrote: Oh, one more thing: if I have the previous version of the antirandom module, what should I do to set up the new one?
I suggest carefully reading both the README and the sample.conf. You need to add a set::antirandom block with several items (see sample.conf for an example which is ready to use), and (assuming you ran ./build) then you can simply /REHASH -- no ircd restart needed.

Posted: Sun Jun 26, 2005 3:08 pm
by aquanight
Syzop wrote: No, hosts/IPs only. It doesn't do that for speed reasons (too much CPU I think). Also, if you start with that, I think you will need to add quite a lot of entries :p.
If one used a *line action, couldn't one use except tkl {} for a safelist? :)

Posted: Sun Jun 26, 2005 6:22 pm
by mexx3k
Syzop wrote: It does that already, but of course if you *line and the user tries to reconnect then you won't see any further messages for that user since (s)he is *lined before antirandom is called.
well, I'm only interested in seeing the nicks which are *lined ... neither in a gline nor a zline is the nickname mentioned, just the IP ...

I'm also not interested in the reconnect tries after the *line ...

just to recognize the "false positives" ...
Syzop wrote: That said, I suppose a log option would be nice.
may I quote w00t? :P
w00t wrote: imagine a botnet with a few thousand bots connecting :/
could it also be that the logging would slow down the ircd?
Syzop wrote: If you really want to see those attempts (on IRC), then don't use *line but just use the 'kill' action.
yeah ... right ... and connectserv from NeoStats will flood #services with "look, someone got killed" msgs ... :P ;)

Posted: Sun Jun 26, 2005 8:31 pm
by Syzop
mexx3k wrote: I'm also not interested in the reconnect tries after the *line ...

just to recognize the "false positives" ...
Like I said, it already does *JUST THAT*.

[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x
As mentioned in the sample.conf:

 /* SHOW-FAILEDCONNECTS:
  * This will send out a notice whenever a randomly looking user has been caught
  * during connecting. Obviously this can be pretty noisy.
  * Especially recommended to enable during the first few days you use this module.
  */
 show-failedconnects yes;
And I meant that writing similar info like that to the logfile might be a useful option.
mexx3k wrote:
Syzop wrote: That said, I suppose a log option would be nice.
may I quote w00t? :P
w00t wrote: imagine a botnet with a few thousand bots connecting :/
could it also be that the logging would slow down the ircd?
(you are referring to logging *line connection denials here..)

What w00t says is *exactly* why I have turned this feature request down several times...
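The notice format quoted above (score, then nick!user@host:gecos) is all that is needed to do the "false positive" review mexx3k asks about offline, without making the ircd itself log anything. The following is an added example, not code from the thread or from the AntiRandom module: it parses such notice lines out of an IRC client log, tallies denials per host, and lists the denials whose score sits just above the configured threshold, which are the ones most worth a second look. The sample lines, hostnames and the threshold value are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in the format of the [antirandom] notice shown in the
# thread. Hosts are documentation addresses, not real data; the last line is an
# unrelated notice that the parser must ignore.
SAMPLE_NOTICES = [
    "[22:28:41] -maintest.test.net- *** Notice -- [antirandom] denied access to user "
    "with score 30: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!syzop@localhost:x x",
    "[22:29:03] -maintest.test.net- *** Notice -- [antirandom] denied access to user "
    "with score 12: bleh-lofwlz!~ident@203.0.113.10:bleh-lofwlz",
    "[22:29:05] -maintest.test.net- *** Notice -- [antirandom] denied access to user "
    "with score 16: bleh-wukqsl!~ident@203.0.113.10:bleh-wukqsl",
    "[22:31:40] -maintest.test.net- *** Notice -- [antirandom] denied access to user "
    "with score 11: Jennifer!~jen@198.51.100.7:Jennifer Smith",
    "[22:32:00] -maintest.test.net- *** Notice -- Client connecting on port 6667: "
    "someone (~x@198.51.100.8)",
]

# score, then nick!user@host:gecos. The gecos field may contain spaces, so it is
# matched greedily to end of line; the host field stops at the first ':'.
NOTICE_RE = re.compile(
    r"\[antirandom\] denied access to user with score (?P<score>\d+): "
    r"(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>[^:\s]+):(?P<gecos>.*)$"
)


@dataclass(frozen=True)
class Denial:
    score: int
    nick: str
    user: str
    host: str
    gecos: str


def parse_denial(line):
    """Return a Denial for an [antirandom] notice line, or None for any other line."""
    m = NOTICE_RE.search(line)
    if m is None:
        return None
    return Denial(
        score=int(m.group("score")),
        nick=m.group("nick"),
        user=m.group("user"),
        host=m.group("host"),
        gecos=m.group("gecos"),
    )


def parse_log(lines):
    """Extract every antirandom denial from an iterable of log lines."""
    return [d for d in map(parse_denial, lines) if d is not None]


def denials_by_host(denials):
    """Count denials per host: a host with many hits is a bot source, a host with
    one hit near the threshold is more likely a false positive."""
    return Counter(d.host for d in denials)


def near_threshold(denials, threshold, margin=2):
    """Denials scoring within `margin` points above `threshold` (assumed semantics:
    a user is denied when score >= threshold). These are the review candidates."""
    return [d for d in denials if threshold <= d.score < threshold + margin]


if __name__ == "__main__":
    denials = parse_log(SAMPLE_NOTICES)
    print("denials per host:", dict(denials_by_host(denials)))
    for d in near_threshold(denials, threshold=10):  # threshold value is constructed
        print(f"review: {d.nick}!{d.user}@{d.host} ({d.gecos}) score={d.score}")
```

Feeding a real client log through `parse_log` needs nothing from the server, which addresses the performance concern raised in the thread: the notices are already being sent when show-failedconnects is on, and the work of sorting through them happens on the operator's machine.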

Posted: Sun Jun 26, 2005 10:29 pm
by Stealth
If you want to see failed connects, you can get AngryWolf's chansno module. However, if you have a large network with a large list of K/G lines, or are being attacked by a botnet, clone floods, etc., then wanting to see failed connects is NOT a good idea.

@Syzop: A snomask for seeing failed connects can be useful in some cases, and at least a snomask can be easily undone.

Posted: Fri Jul 22, 2005 12:00 am
by Stormdancing
I have installed AntiRandom on my 3.2 servers.
I have it set to 4.

I don't understand why it's not catching these.

Client connecting on port 6667: [HB3]dfizuz ([email protected])
Client connecting on port 6667: USA|645602593 (~[email protected])
or these
* [HB3]dhlpuu H? ~[email protected] :0 [HB3]dhlpuu
* [HB3]dinldu H? ~[email protected] :0 [HB3]dinldu
* [HB3]cnohxf H? ~[email protected] :0 [HB3]cnohxf
* NZM-861162 H? ~[email protected] :0 NZM-861162
* NZM-109173 H? ~[email protected] :0 NZM-109173

While it is catching these.

Notice -- [antirandom] denied access to user with score 12: bleh-lofwlz!~[email protected]:bleh-lofwlz

[antirandom] denied access to user with score 16: [email protected]:bleh-wukqsl

Can anyone help?
Afternote:
Changed threshold to 3 and still getting these same bots connecting.

Posted: Fri Jul 22, 2005 1:07 am
by Syzop
Was a bug, just fixed it.

You can grab version 1.1 here.

I'll announce it at a later time, along with putting an updated version in the *NIX and win32 module packs.

Let me know if this fix introduced any problems (or if it worked ok, of course ;p).

Posted: Fri Jul 22, 2005 1:34 am
by Stormdancing
Ok, thought I was losing it.
I installed 1.1 and will watch and see.
So far it looks like it's getting them.
I still have it set on 3 and no users getting killed; of course I don't have 10,000s of users either :)
Thank you
Dana

Posted: Fri Jul 22, 2005 12:10 pm
by Stormdancing
While it is catching many more of the previously posted randoms, this pattern still seems to be getting through.

* [HB3]scibay H? ~[email protected] :0 [HB3]scibay
* [HB3]ufwsez H? ~[email protected] :0 [HB3]ufwsez
* [HB3]kjaxkn H? ~[email protected] :0 [HB3]kjaxkn
* [HB3]qykrei H? ~[email protected] :0 [HB3]qykrei
* [HB3]nwiqwp H? ~[email protected] :0 [HB3]nwiqwp
* bleh-qjusrybe H ~[email protected] :0 bleh-qjusrybe
* [HB3]mgekcm H? ~[email protected] :0 [HB3]mgekcm
* [HB3]obtauc H? ~[email protected] :0 [HB3]obtauc