View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004309 | unreal | ircd | public | 2014-05-24 01:45 | 2015-07-13 22:11 |
| Reporter | cards | Assigned To | syzop | ||
| Priority | low | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | no change required | ||
| Product Version | 3.2.10.2 | ||||
| Summary | 0004309: BAN URI | ||||
| Description | It would be great if we could ban based on the URI request, or specify the URI in the listen block, as we are having issues with people CNAME'ing our servers for botnets. We would like to allow only irc.ournetwork.com | ||||
| 3rd party modules | |||||
| Note | Text |
|---|---|
| (0018142) Stealth, 2014-05-24 02:23 | This is not possible. The only way the IRCd knows what URI a client is connecting from is if the client says so when sending the USER command. Most clients do not do this, and either use a blank space or `*` for the URI portion of the USER command. As such, many clients are also hard-coded to do this and will not be able to connect to your IRCd if you require them to specify the proper URI to connect to a server. Botnets work the same way. There's also nothing stopping the person running the botnets on your network from just putting the proper URI in their bots. |
| (0018143) cards, 2014-05-24 02:57 | That seems odd, as if you connect via SSL, it knows what the URI requested via /server is, as if it matches the cert and the cert is valid, it doesn't prompt, but if it doesn't match, it warns you. |
| (0018145) Stealth, 2014-05-24 23:14 | That is all on the client end. The client knows what server you're connecting to and compares that to the server name specified on the certificate. Sending the URI to the server is not required to compare the certificate to local information. You can get the certificate of any SSL server by using the following OpenSSL command from a command prompt: `openssl s_client -showcerts -connect <IP>:<PORT>` You will see a line that says `subject=` that contains `CN/<domain>`, which is what is being compared by your client. If that domain doesn't match the domain you're connecting to, it throws a warning. This process does not involve sending any information to the server as this happens before the connection is even fully established. |
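The client-side comparison described in the last note, written out as an added example (this is not UnrealIRCd code or code from anyone on this issue): it pulls the CN out of the `subject=` line of a constructed `openssl s_client -showcerts` transcript and applies the hostname-matching rule a client uses, including the single-label wildcard case. Names such as `irc.ournetwork.com` and the sample transcript are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of what `openssl s_client -showcerts -connect <IP>:<PORT>`
# prints for a server certificate, trimmed to the lines that matter here.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = irc.ournetwork.com
verify return:1
---
Certificate chain
 0 s:CN = irc.ournetwork.com
   i:CN = Example CA
---
subject=CN = irc.ournetwork.com
issuer=CN = Example CA
---
"""


def subject_cn(output: str) -> Optional[str]:
    """Return the CN from the 'subject=' line; accepts both the newer
    'CN = host' and the older '/CN=host' OpenSSL output styles."""
    for line in output.splitlines():
        if line.startswith("subject="):
            m = re.search(r"CN\s*=\s*([^,/]+)", line)
            return m.group(1).strip() if m else None
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label
    ('*.ournetwork.com' matches 'irc.ournetwork.com' but not
    'ournetwork.com' or 'a.b.ournetwork.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # wildcard must stand for a real label, and only one of them
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def client_would_warn(output: str, requested_host: str) -> bool:
    """True when a client should warn: no CN found, or CN does not match
    the name the user typed into /server."""
    cn = subject_cn(output)
    return cn is None or not hostname_matches(cn, requested_host)
```

Modern clients also check the subjectAltName extension rather than only the CN; this example keeps to the CN line the note points at.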
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-05-24 01:45 | cards | New Issue | |
| 2014-05-24 02:23 | Stealth | Note Added: 0018142 | |
| 2014-05-24 02:23 | Stealth | Status | new => feedback |
| 2014-05-24 02:57 | cards | Note Added: 0018143 | |
| 2014-05-24 23:14 | Stealth | Note Added: 0018145 | |
| 2015-07-13 22:10 | syzop | Status | feedback => closed |
| 2015-07-13 22:11 | syzop | Assigned To | => syzop |
| 2015-07-13 22:11 | syzop | Resolution | open => no change required |