
Require authentication block

From UnrealIRCd documentation wiki

The require authentication block allows you to specify the IPs/hosts of users who must authenticate to a valid services account while connecting. This could, for example, be used to ban an ISP that is known for troublemakers, while still allowing legit users in from that IP if they have a valid account. Or, it can be used to simply require authentication for all users.

Authentication by the user is done either by using SASL (the recommended method) or via authprompt, which asks non-SASL users to authenticate interactively by typing /AUTH nickname:password.

NOTE: UnrealIRCd 6.1.7 has a bug where this feature is not working. For simple cases, you can achieve something similar with a soft kline; see Similar functionality at the end of this article.

Syntax

require authentication {
	mask <hostmask>;
	reason <reason-for-ban>;
};

In UnrealIRCd 6.1.7 and later the mask is a Mask item, which means you can use lots of matchers and multiple items. In older UnrealIRCd versions the mask is a single user@host.

The reason is the reason for the requirement. It is shown to a user who tries to connect without authenticating.

Note that a require authentication block configures a local requirement. The user may still connect to other servers on the network.

Example

Simple example

require authentication {
	mask *@*.tld;
	reason "Too many abusers from this country, please authenticate";
};

Require all except

There is the Except ban block to exempt users from all bans, but you can't really use it for broad exemptions like countries, since then you would no longer be able to ban users from such a country.

In UnrealIRCd 6.0.7 and later the require authentication { } block supports mask items. Thanks to that you can use a require authentication { } block with a mask::exclude-* item to "require authentication for all, except ...":

require authentication {
	mask {
		mask *;
		exclude-country { NL; DE; FR; }
	}
	reason "Unregistered users are not allowed from your country";
}

NOTE:

  • Requiring authentication for (or banning on) countries is not particularly nice. If you allow multiple countries then the countermeasure is likely not effective at all.

Similar functionality

The same can be achieved online (on IRC) by adding a "soft kline":

/KLINE %*@*.tld Too many abusers from this country, please authenticate

The % prefix (percent symbol) will make it only ban unauthenticated users.
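To dry-run which connections a rule would catch before deploying it, here is an added example (not UnrealIRCd code and not from this wiki) that models the decisions described in the Example and Similar functionality sections. It assumes masks are case-insensitive user@host wildcards and that a country code is already known for each client; the Client, RequireAuth, from_soft_kline and decide names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

def glob_match(mask: str, text: str) -> bool:
    """IRC-style wildcard match: * = any run, ? = one char, case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(rx, text, re.IGNORECASE) is not None

@dataclass
class Client:                        # hypothetical stand-in for a connecting user
    user: str
    host: str
    country: str                     # two-letter country code
    account: Optional[str] = None    # set once SASL or /AUTH succeeded

@dataclass
class RequireAuth:                   # simplified model of one require authentication block
    masks: list
    reason: str
    exclude_countries: set = field(default_factory=set)

    def applies_to(self, c: Client) -> bool:
        if c.account:                                    # authenticated users get in
            return False
        if c.country.upper() in self.exclude_countries:  # exclude-country exempts
            return False
        return any(glob_match(m, f"{c.user}@{c.host}") for m in self.masks)

def from_soft_kline(command: str) -> RequireAuth:
    """Model '/KLINE %user@host reason'; reject a kline without the % prefix."""
    verb, mask, reason = command.split(None, 2)
    if verb.upper() != "/KLINE" or not mask.startswith("%"):
        raise ValueError("not a soft kline: authenticated users would be banned too")
    return RequireAuth([mask[1:]], reason)

def decide(rules, c: Client) -> Optional[str]:
    """Return the reason shown to the client, or None if the connection proceeds."""
    return next((r.reason for r in rules if r.applies_to(c)), None)

# Constructed rules mirroring the two configuration examples on this page.
RULES_TLD = [RequireAuth(["*@*.tld"], "Too many abusers from this country, please authenticate")]
RULES_ALL_EXCEPT = [RequireAuth(["*"], "Unregistered users are not allowed from your country",
                                {"NL", "DE", "FR"})]

if __name__ == "__main__":
    for c in (Client("bob", "dsl-12.isp.tld", "XX"),            # constructed clients
              Client("bob", "dsl-12.isp.tld", "XX", "bob"),
              Client("jan", "a.example.net", "NL")):
        print(c, "->", decide(RULES_TLD, c), "|", decide(RULES_ALL_EXCEPT, c))
```

This is a planning aid only: the server's own matching (for example against the IP as well as the hostname) is richer than this model.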

See also the Authentication article for all the different ways and possibilities to force authentication.