Tip of the day: Check out Special users on how to give trusted users/bots more rights without making them IRCOp.

Extended server bans

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

NOTE: Not to be confused with channel bans, see Extended bans for that

IRC Operators (administrators) can place extended server bans (GLINE/KLINE/..) and extended server ban exemptions (ELINE). While classic server bans use the user@host format, extended server bans look like Extended bans, such as ~account:Account or ~certfp:1122334455... They match a user based on properties other than user or host. Optionally it can be prefixed with % to act as a Soft ban.

In UnrealIRCd 6 we use names like ~account, in UnrealIRCd 5 we used letters like ~a.

Similar functionality exists in mask items in the configuration file (eg allow::mask, oper::mask, etc).

The following extended server ban types are available in UnrealIRCd:

Letter Name Module Explanation
~a ~account extbans/account If a user is logged in to services with this account name, then it will match.

For example ELINE ~account:SomeAccount kG 0 Trusted account will bypass KLINE and GLINE server bans if the user uses SASL to login to the account SomeAccount.
There are also two special bans: ~account:* matches all authenticated users and ~account:0 matches all unauthenticated users.

~A ~asn extbans/asn Ban (or exempt) an ASN. Requires UnrealIRCd 6.1.7 or later
As an IRCOp, you can see the AS number of users in WHOIS and when they connect, like in the connect notice [asn: XXX].
Example: GLINE ~asn:64496 0 This ISP is banned
Or as a soft ban: GLINE %~asn:64496 0 :Too much abuse from this ISP, you are required to log in with an account
~C ~country extbans/country Matches if the GEOIP module says the users IP is from this country.

For example: GLINE ~country:BD 0 :Too much spam from this country
Or a soft ban: GLINE %~country:BD 0 :Too much spam from this country, please log in with a services account

~r ~realname extbans/realname This ban will match if the realname (gecos) of a user matches the specified string. Since real names may contain spaces you can use a underscore to match a space (and underscore).

For example KLINE ~realname:*Stupid_bot_script* will ban any users that have the real name Stupid bot script.

~G ~security-group extbans/securitygroup Ban users matching the specified security group. Note that this can ban large amounts of users!

For example GLINE ~security-group:unknown-users will ban all users with a reputation score below 24 that don't use SASL to identify to Services. Note that using Connthrottle may be a better way to manage the situation.
You can also use an exclamation mark (!) to tell it not to match a security group. For example GLINE ~security-group:!tls-users 0 Please connect using SSL/TLS on port 6697 bans all users not using SSL/TLS. (The same can be achieved by setting set::plaintext-policy::user to deny, by the way)

~S ~certfp extbans/certfp When a user is using SSL/TLS with a client certificate then you can match the user by his/her certificate fingerprint (the one you see in /WHOIS).

For example: ELINE ~certfp:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef kGF 0 Trusted user with this certificate fingerprint will allow the user with this TLS certificate to bypass KLINE and GLINE server bans and spamfilter restrictions.

Retrieved from "https://www.unrealircd.org/docwiki/index.php?title=Extended_server_bans&oldid=14247"