[DONE] Config tamper protection
Posted: Wed Nov 16, 2016 9:44 pm
Mostly written for the challenge, I'm sure someone will get some use out of this. It's quite complex and requires custom build flags, so this may or may not be hard to follow fam. These modules allow the hub of a network to verify the leaves' configs, so you could have random people link with you without having to worry about them changing your configuration. The hub itself is considered trusted as it's the heart of your network and as such should only be managed by you (or someone you know well etc). You could also (optionally) verify the leaf-exclusive mod itself to prevent them from changing the source.
First off, these modules assume you're using a few sort-of-best practices:
- You're only working with remote includes
- Split network and hub/leaf configs (so unrealircd.conf contains just 2 include "httpx://..." lines) -- network comes before hub/leaf
- Includes aren't nested more than once (top ones go in unrealircd.conf, those may contain only includes that don't include anything themselves)
Hub:
For UnrealIRCd versions below 4.0.10:
    export EXLIBS="-L<Unreal homedir>/curl/lib -lcurl -L<Unreal source dir>/extras/c-ares/lib <Unreal source dir>/extras/c-ares/lib/libcares.a"
For >= 4.0.10:
    export EXLIBS="-L<Unreal install dir>/lib -lcurl -L<Unreal install dir>/lib <Unreal install dir>/lib/libcares.so";
Leaf:
    export EXLIBS='-DFJERT=\"${INCLUDEDIR}\"'
Obviously, replace <Unreal homedir> with the actual homedir. Also change <Unreal source dir> to the top dir of the source. Both need to be absolute paths. <Unreal install dir> is where you actually installed it to.
Example: /home/unreal, /home/unreal/build/unrealircd-4.0.7 and /home/unreal/unrealircd, respectively. =]
===
When you've got both modules to compile, it's time to start configuring. The leaf mod doesn't require any, so fire up an editor and get to your hub config. Add something that looks like this:
    confprot {
        NETWORK "https://includes.domain.tld/network.conf";
        myleaf.domain.tld "https://includes.domain.tld/myleaf.conf";
        myleaf2.domain.tld "https://includes.domain.tld/myleaf2.conf";
        ....
    };
If m_confprot encounters an error of any kind, it will GZ:Line the leaf's IP for the specified time, and opers will be notified.
Also, if for some reason you don't have a network common config (e.g. you copypaste it into the leaf configs), you're allowed to leave that entry out. If you want to verify the leaf module itself, you can also add an entry like this:
    FJERT "https://includes.domain.tld/m_md5fjert.c";
There are some additional settings you may wanna tweak (these go outside the confprot block):
- confprot_allowunknown <0/1> -- allow links to happen despite errors, default = 0
- confprot_zlinetime <timestr> -- format is like 60, 1h5m, etc; default = 60 (seconds)
- confprot_sslverify <0/1> -- verify SSL cert for the FJERT entry, default = 1
Any server that's not in the list will be allowed/denied right away, as specified with the directive confprot_allowunknown. The default is to deny, except ulines for obvious raisins. =] If set to 1, the module will still run through the checks as much as it can so you can still see when shit goes down (basically a dry run).
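To make the hub-side decision concrete, here's an added example of my own (not code from m_confprot or m_md5fjert) that models in Python what the hub does with the confprot block: compare the hash a leaf reports for each include against the canonical copy, then link or GZ:Line according to confprot_allowunknown and confprot_zlinetime. The names CONFPROT, CANONICAL, ULINES and check_leaf are mine, and the canonical file contents and the U:Lined server are constructed inline instead of being fetched over HTTPS.

```python
import hashlib
import re

# confprot { } block from the hub config: logical name -> URL of the canonical copy
CONFPROT = {
    "NETWORK": "https://includes.domain.tld/network.conf",
    "myleaf.domain.tld": "https://includes.domain.tld/myleaf.conf",
}
# Constructed stand-in for the include server (URL -> file contents); the real
# module fetches these over HTTPS with curl instead.
CANONICAL = {
    "https://includes.domain.tld/network.conf": 'set { network-name "ExampleNet"; };\n',
    "https://includes.domain.tld/myleaf.conf": "me { name myleaf.domain.tld; };\n",
}
ULINES = {"services.domain.tld"}  # constructed: servers the hub treats as U:Lined

def parse_timestr(s):
    """confprot_zlinetime format: plain seconds ('60') or units ('1h5m' -> 3900)."""
    if s.isdigit():
        return int(s)
    if not re.fullmatch(r"(\d+[dhms])+", s):
        raise ValueError("bad time string: " + s)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", s))

def md5_of(text):
    return hashlib.md5(text.encode()).hexdigest()

def check_leaf(server, reported, allowunknown=0, zlinetime="60"):
    """reported: {include URL the leaf loaded: md5 hex the leaf computed for it}.
    Returns {'action': 'link' | 'zline', 'errors': [...], 'seconds': int}."""
    seconds = parse_timestr(zlinetime)
    if server not in CONFPROT:  # not listed: decided right away, no checks run
        ok = server in ULINES or allowunknown == 1
        errs = [] if ok else [server + " is not listed in the confprot block"]
        return {"action": "link" if ok else "zline", "errors": errs, "seconds": seconds}
    expected = {CONFPROT[server]} | ({CONFPROT["NETWORK"]} if "NETWORK" in CONFPROT else set())
    errors = ["missing required include " + u for u in sorted(expected - reported.keys())]
    errors += ["unauthorised include " + u for u in sorted(reported.keys() - expected)]
    for url in sorted(expected & reported.keys()):
        if url not in CANONICAL:
            errors.append("cannot fetch canonical copy of " + url)
        elif md5_of(CANONICAL[url]) != reported[url]:
            errors.append("hash mismatch for " + url + " (config modified)")
    # allowunknown=1 is a dry run: every check still runs and gets reported, but the link goes ahead
    action = "link" if not errors or allowunknown == 1 else "zline"
    return {"action": action, "errors": errors, "seconds": seconds}
```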
===
Wew lads, hope that's clear enough. =]
Git links:
m_confprot (hub-only)
m_md5fjert (leaf-only)