[m_rinsec] restrict insecure non-tls users

i
Posts: 1
Joined: Fri Dec 14, 2018 7:47 pm

[m_rinsec] restrict insecure non-tls users

Post by i » Fri Dec 14, 2018 8:43 pm

This module is really helpful in terms of network security. It jails unsecured/non-TLS users in a specified channel (so you can help them configure their clients for TLS usage) and restricts them from messages (they can only send messages to the jail channel), commands and aliases usage. They also can't leave that channel and can't join any other channels on the network. This will protect your network channels from leaking, etc., without the need for +z mode. Just do not abuse it, as it is really powerful.
Download Link

Example configuration:

loadmodule "modules/third/m_rinsec_u4";
set {
	rinsec {
		# allow these IPs/hosts/etc. to bypass any restrictions
		except-hosts {
			"127.0.0.0/8";
		};
		# channel to jail users
		channel "#insecure";
		# notify client on-connect (show available TLS ports/enabled protocols)
		show-notify "yes";
		# restrict commands
		restrict-cmds "yes";
		# list of allowed commands
		allowed-cmds "PING,PONG,MODE,QUIT,PROTOCTL,CAP";
	};
};

Syzop
UnrealIRCd head coder
Posts: 1857
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: [m_rinsec] restrict insecure non-tls users

Post by Syzop » Fri Dec 21, 2018 7:25 am

Haven't used it myself, but this module sounds quite useful if you want to move your network to 100% SSL/TLS.

This is what I would do:
  1. Make sure you have SSL/TLS correctly configured on the server, like using "real" SSL/TLS certificates that are valid for your server name(s).
  2. Set up a Strict Transport Security policy https://www.unrealircd.org/docs/Set_blo ... sts-policy (with a short duration, to be safe)
  3. This will make sure STS-capable clients will automatically be redirected to an SSL/TLS port. No need to do anything for these users.
  4. All other clients, the clients that are not STS-capable, can be joined to a channel by this module. This allows staff to manually help/instruct those users to enable SSL/TLS in their client.

Post Reply
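
A check that the policy from steps 2 and 3 of the reply above is actually advertised, and that its duration is still short, can be scripted against the server's CAP LS reply. This is an added example, not code from either poster or from UnrealIRCd; it assumes the IRCv3 `sts` capability format (`port`, `duration` in seconds), and the one-hour limit and the sample lines are constructed for illustration.

```python
# Added example; every sample line below is constructed, not captured.
MAX_ROLLOUT_DURATION = 3600  # assumption: "short" = at most one hour (seconds)

PLAIN = ":irc.example.test CAP * LS :multi-prefix sts=port=6697 sasl"
TLS_SHORT = ":irc.example.test CAP * LS :multi-prefix sts=duration=300,port=6697"
TLS_LONG = ":irc.example.test CAP * LS :sts=duration=15552000,port=6697 sasl"
NO_STS = ":irc.example.test CAP * LS :multi-prefix sasl"


def parse_sts(cap_ls_line):
    """Return the advertised sts policy as a dict, or None if absent."""
    # The capability list is the trailing parameter, introduced by " :".
    _, sep, trailing = cap_ls_line.rstrip("\r\n").partition(" :")
    if not sep:
        return None
    for cap in trailing.split():
        name, _, value = cap.partition("=")
        if name == "sts":
            # The value is a comma-separated list of key[=value] tokens.
            tokens = (t.partition("=") for t in value.split(","))
            return {key: val for key, _, val in tokens if key}
    return None


def check_policy(cap_ls_line, secure):
    """Return a list of problems with the policy; an empty list means OK."""
    policy = parse_sts(cap_ls_line)
    if policy is None:
        return ["sts not advertised"]
    if not secure:
        # On a plaintext connection the client needs the port to upgrade.
        ok = policy.get("port", "").isdecimal()
        return [] if ok else ["missing or invalid port"]
    # On a TLS connection the duration (seconds) is what the client stores.
    duration = policy.get("duration", "")
    if not duration.isdecimal():
        return ["missing or invalid duration"]
    if int(duration) == 0:
        return ["duration 0 removes the policy"]
    if int(duration) > MAX_ROLLOUT_DURATION:
        return ["duration exceeds rollout limit"]
    return []


if __name__ == "__main__":
    for line, secure in [(PLAIN, False), (TLS_SHORT, True), (TLS_LONG, True)]:
        print(secure, check_policy(line, secure) or "ok")
```

Clients that pass this check upgrade on their own; the ones that never request the capability are the users the jail channel is meant to catch.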