shadowircd 3.4 released with trigger-based ACL
SearchIRC Forum Index -> IRCD & Network Services
nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 04, 2004 10:51pm    Post subject: shadowircd 3.4 released with trigger-based ACL

Typically, I am not one to announce anything that I have worked on, but I figured with those bloody fyle trojans all over IRC now, that at least the concept if not the ircd itself would be useful.

I have added a system in the latest version of ShadowIRCd (at the time of this writing: 3.4.2) known as the SIMBAN system. SIMBAN is an acronym for "Server Information/Message Ban".

Simbans are defined in reverse order (i.e. bans followed by exemptions). The syntax is similar to a BSD packetfilter configuration file.

For instance, to automatically ban clients which send out those bloody messages, one would use a rule like this:

Code:
autoban privmsg matching :*webcam*http://*:*/*.mpg


Or, if you want to just block a $decode virus,

Code:
reject privmsg matching :*$decode(*)*


The nice thing about the simban system is that the system is fully transparent, and offers many ways to filter annoyances such as spam, either silently or by banning. It can also ban drones which collect in channels... a rule to do that would be:

Code:
autoban channel <drone channel>


You can also use the matching flag here, for instance if you had multiple drone channels with a prefix of #drone- then you would use this rule:

Code:
autoban channel matching #drone-*


You should note that the reject target when used here disconnects the client, instead of stopping them from joining the channel.

If you want to reject CGI:IRC, you can use this very simple rule:

Code:
reject gecos matching :[*] *


Same for nicks,

Code:
reject nick matching Lamest*


Anyway, that's all for now, thought you might be interested... if you are, you can find out more about the ShadowIRCd project at www.shadowircd.net =) (there is a full example config included with the shadow distribution)
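
The rules quoted in the post above, evaluated against constructed events; this is an added example, not part of the original post and not ShadowIRCd code. It assumes case-insensitive whole-string matching, exact comparison when `matching` is absent, a leading `:` that only marks "rest of line", and pf-style last-match-wins ordering, none of which the post specifies.

```python
import re

# Rule lines copied from the post; everything else here is constructed.
RULES_TEXT = """\
autoban privmsg matching :*webcam*http://*:*/*.mpg
reject privmsg matching :*$decode(*)*
autoban channel matching #drone-*
reject gecos matching :[*] *
reject nick matching Lamest*
"""

def glob_to_regex(mask):
    """IRC-style mask: '*' is any run, '?' is one character, the rest literal.

    fnmatch is avoided on purpose: it would read '[*]' as a character class,
    so the CGI:IRC gecos rule would stop matching a literal '[...]' prefix.
    """
    out = []
    for ch in mask:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def parse_rules(text):
    """Parse '<action> <field> [matching] <pattern>' lines into tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 2)
        if not parts:
            continue
        if len(parts) != 3 or parts[0] not in ("autoban", "reject"):
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        action, field, rest = parts
        wildcard = rest.startswith("matching ")
        if wildcard:
            rest = rest[len("matching "):]
        # Assumption: a leading ':' only marks "rest of line", as in IRC.
        pattern = rest[1:] if rest.startswith(":") else rest
        # Assumption: without 'matching' the value must equal the pattern.
        regex = glob_to_regex(pattern) if wildcard else re.compile(
            re.escape(pattern), re.IGNORECASE)
        rules.append((action, field, regex, line.strip()))
    return rules

def evaluate(rules, field, value):
    """Return (action, rule) for the last matching rule, or None.

    Assumption: last match wins, as in pf; the post does not say.
    """
    hit = None
    for action, rule_field, regex, text in rules:
        if rule_field == field and regex.fullmatch(value):
            hit = (action, text)
    return hit

# Constructed events as (field, value); addresses are documentation ranges.
EVENTS = [
    ("privmsg", "check my webcam http://192.0.2.7:8080/me.mpg"),
    ("privmsg", "//say $decode(PLACEHOLDER,m)"),
    ("privmsg", "anyone got a webcam driver for linux?"),
    ("channel", "#drone-07"),
    ("gecos", "[203.0.113.5] CGI:IRC user"),
    ("gecos", "[AFK] Bob from accounting"),  # the mask keys on '[...] ' only
    ("nick", "lamest42"),
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for field, value in EVENTS:
        hit = evaluate(rules, field, value)
        print(f"{field:8} {value!r:50} -> {hit[0] if hit else 'allow'}")
```

Replaying a sample of real traffic through a matcher like this before loading a rule shows which legitimate lines a mask would also catch.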

aquanight
Lurker
Joined: 14 Jun 2004
Posts: 118
Location: Boise, ID

Posted: Nov 05, 2004 12:05am

I think that could be made a lot more powerful by using regex instead of simple wildcards.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 05, 2004 12:08am

Actually, that is on my personal todo for 3.4.3, but that probably won't be out for a while.

magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK

Posted: Nov 05, 2004 2:01am

I wonder how much of a performance hit this is when you have significant numbers of users.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 05, 2004 8:13am

magpie wrote:
I wonder how much of a performance hit this is when you have significant numbers of users.


Not much, really, and with further optimization, the impact could be lowered even more.

magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK

Posted: Nov 05, 2004 10:22am

Well, I can see it increasing server load somewhat. The server I'm currently opered on parses approximately 200 PRIVMSGs per second (this is a 31 day average). Obviously this figure may be significantly higher during peak periods. Matches are pretty slow (regex even worse), so I can't see this being feasible for nets of a reasonable size.

katsklaw
Guru
Joined: 28 Jun 2004
Posts: 1122

Posted: Nov 05, 2004 10:43am

magpie wrote:
Well, I can see it increasing server load somewhat. The server I'm currently opered on parses approximately 200 PRIVMSGs per second (this is a 31 day average). Obviously this figure may be significantly higher during peak periods. Matches are pretty slow (regex even worse), so I can't see this being feasible for nets of a reasonable size.


Out of the thousands of IRC nets today only 5 or 6 have hit 100k+ users let alone 170k+ so the chances of an IRCd getting to handle such a load on a production net is highly unlikely.

So matches or regex would work for 95%+ of the other nets. If your example and or test were conducted on say a 1k or even a 5k net, then it would be a substantial concern since "reasonable size" is not a literal measurement.

EqualSlashed_Brian
Lurker
Joined: 29 Aug 2004
Posts: 222
Location: IRC

Posted: Nov 05, 2004 10:57am

Sounds like UnrealIRCd's spam filter, but less functional.

magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK

Posted: Nov 05, 2004 11:32am

katsklaw wrote:
Out of the thousands of IRC nets today only 5 or 6 have hit 100k+ users let alone 170k+ so the chances of an IRCd getting to handle such a load on a production net is highly unlikely.

So matches or regex would work for 95%+ of the other nets. If your example and or test were conducted on say a 1k or even a 5k net, then it would be a substantial concern since "reasonable size" is not a literal measurement.


I should just clarify that those PRIVMSGs were from the server's own users, rather than the network. I understand your point, I don't really know the user-loads per server on smaller networks, but I could imagine some may well have thousands on a single server.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 05, 2004 1:07pm

EqualSlashed_Brian wrote:
Sounds like UnrealIRCd's spam filter, but less functional.


1) The goal is not to replicate Unreal's spam filter.

2) The goal is to eliminate drones, not allow the ircd to be a tool for censorship.

There have been extensions added in CVS which add more control, but the simban system is not intended to be used for some stupid netadmin's IRC agenda. I have seen the spamfilter abused on networks to the effect that it *denies* a user's ability to discuss anything about other irc networks they are on or whatever. Unreal's spamfilter may look nice on the outside, but the way it works allows very abusive modules to be written and more importantly, stupid netadmins to censor their user's communications in an unwelcomed and *invasive* manner.

When you start an IRC network, you start it for the users, not your own personal gratification. Due to this *well* observed fact, Shadow does not contain "features" which can be used to censor personal communications, log them, or block them from being transmitted. Sure, you can filter spam with SIMBANS, that was one of the intentions for implementing the system, however, the simban system is not intended to be anything *like* the Unreal spamfilter system, nor should it be considered to be similar to it.

Again, if you had read the post more clearly, it is a trigger based ACL system. That is all, nothing more.

codemastr
Idler
Joined: 05 Feb 2004
Posts: 353

Posted: Nov 05, 2004 2:27pm

Quote:
There have been extensions added in CVS which add more control, but the simban system is not intended to be used for some stupid netadmin's IRC agenda. I have seen the spamfilter abused on networks to the effect that it *denies* a user's ability to discuss anything about other irc networks they are on or whatever. Unreal's spamfilter may look nice on the outside, but the way it works allows very abusive modules to be written and more importantly, stupid netadmins to censor their user's communications in an unwelcomed and *invasive* manner.


1.) I take offense to the fact that anyone who wants censorship is "stupid." If I had little 8 year old children, I sure as hell would not want them to see 80% of the stuff they can find on IRC, and I don't think because someone agrees with me it makes them "stupid," rather, I'd say it makes them a "responsible parent" and a "moral person."

2.) Yes, spamfilter can be abused. You know what else can? EVERY oper command! Are you intending to remove /kill? Because I've seen that abused a thousand times more often than I've seen spamfilter abused.

3.) How exactly does your system prevent abuse? Let's see, you say, autoban privmsg matching :*webcam*http://*:*/*.mpg
bans anyone who says that. Ok, so:
autoban privmsg matching :*irc.*
That bans anyone who mentions the address of an IRC server. Isn't that *exactly* the kind of abuse you are claiming Unreal's spamfilter can do? Except yours is worse. Unreal gives the option of just blocking the line of text. Yours bans the guy.

4.) The spamfilter system is NOT modulized so modules can not add "abusive" features to it. But in any case, that is a ridiculous statement. ShadowIRCd can be modified to log every single message a user sends. All I need to do is basically add 5 lines of code. Now does this mean ShadowIRCds PRIVMSG handling code is abusive? No. It simply means I can modify it to make it abusive. The fact that someone can go and modify Unreal's code and make it abusive has no reflection on whether Unreal is abusive. I can take a Hello World program and modify it in such a way that it controls a nuclear missile detonation sequence, does that mean a Hello World program is abusive?

5.) Censorship is unwelcomed... ok. Lets say this, I, a complete stranger, walk into your house, uninvited no less, and walk up to your wife/girlfriend/whatever and say "Wow, you sure look like a slut! I'm guessing you used to be a prostitute, but you quit because you're so damn ugly that you couldn't find a single customer, right?" Now what are you going to do at this point. Are you going to say, "He's just exercising his freedom of speech" or, are you going to punch me in the face and throw me out of your house. I'm guessing the latter. Connecting to an IRC server is no different. When you connect to MY IRC server, just as when you enter MY house, you follow my rules. You are no longer in a public sphere, you are in a private space and as such, the owner dictates the rules. So if censorship is "unwelcomed" well, then that means you're unwelcome! By the way, being banned is also "unwelcomed" and very "invasive" so perhaps you should remove any and all methods that allow a user to be banned.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 05, 2004 4:22pm

codemastr wrote:

1.) I take offense to the fact that anyone who wants censorship is "stupid." If I had little 8 year old children, I sure as hell would not want them to see 80% of the stuff they can find on IRC, and I don't think because someone agrees with me it makes them "stupid," rather, I'd say it makes them a "responsible parent" and a "moral person."


So now it's moral to support censorship? Do you just believe everything you hear? Or is it that you just say this in order to defend your software? Because those are two very different things. Clarify. Also, please be sure to explain your "morals" because if you weigh morals over ethics, you are cheating your userbase and yourself.

codemastr wrote:

2.) Yes, spamfilter can be abused. You know what else can? EVERY oper command! Are you intending to remove /kill? Because I've seen that abused a thousand times more often than I've seen spamfilter abused.


Actually, kill can be removed from Shadow entirely, as any other command. Even the core ones. All you have to do is remove the module. I know of a few networks in Japan which have done just that.

codemastr wrote:

3.) How exactly does your system prevent abuse? Let's see, you say, autoban privmsg matching :*webcam*http://*:*/*.mpg
bans anyone who says that. Ok, so:
autoban privmsg matching :*irc.*
That bans anyone who mentions the address of an IRC server. Isn't that *exactly* the kind of abuse you are claiming Unreal's spamfilter can do? Except yours is worse. Unreal gives the option of just blocking the line of text. Yours bans the guy.


Using this line:

Code:
reject privmsg matching :*irc.*


would block the message instead.

codemastr wrote:

4.) The spamfilter system is NOT modulized so modules can not add "abusive" features to it. But in any case, that is a ridiculous statement. ShadowIRCd can be modified to log every single message a user sends. All I need to do is basically add 5 lines of code. Now does this mean ShadowIRCds PRIVMSG handling code is abusive? No. It simply means I can modify it to make it abusive. The fact that someone can go and modify Unreal's code and make it abusive has no reflection on whether Unreal is abusive. I can take a Hello World program and modify it in such a way that it controls a nuclear missile detonation sequence, does that mean a Hello World program is abusive?


Then do you mind explaining how angrywolf's spy module works? Many of us would like to know.

At the time of this writing, there is no way you can intercept messages in ShadowIRCd, either via Shadow itself or any module. There is a proof of concept module in contrib/ that worked provided you were using a Shadow 2.4 API. It was not written by the Shadow team, and we certainly did not ever help the author out by providing the necessary hooks and callbacks for the module.

codemastr wrote:

5.) Censorship is unwelcomed... ok. Lets say this, I, a complete stranger, walk into your house, uninvited no less, and walk up to your wife/girlfriend/whatever and say "Wow, you sure look like a slut! I'm guessing you used to be a prostitute, but you quit because you're so damn ugly that you couldn't find a single customer, right?" Now what are you going to do at this point. Are you going to say, "He's just exercising his freedom of speech" or, are you going to punch me in the face and throw me out of your house. I'm guessing the latter. Connecting to an IRC server is no different. When you connect to MY IRC server, just as when you enter MY house, you follow my rules. You are no longer in a public sphere, you are in a private space and as such, the owner dictates the rules. So if censorship is "unwelcomed" well, then that means you're unwelcome! By the way, being banned is also "unwelcomed" and very "invasive" so perhaps you should remove any and all methods that allow a user to be banned.


1) Why must you compare IRC to real life? They are two different things.

2) Also, that's what kline/gline is for, not a spamfilter. The ban system in Shadow can also be removed via the following shell command:

Code:

% rm $PREFIX/modules/autoload/kline.so


Or on IRC via:

Code:

/modunload kline.so


3) Not even Unreal's spamfilter can prevent sexual harassment from occurring, so what does that have to do with the topic on hand?

zeke
Idler
Joined: 04 Oct 2003
Posts: 325

Posted: Nov 05, 2004 5:48pm

oh yay....Unreal vs. Xircd again....

I'm siding with codemastr on this one, and not just because he wrote a large amount of Unreal.
I oper (at the time services-admin, now net) on a network which prides itself on being child-friendly. For a few months we "abused" UnrealIRCd's spamfilter to block any URL and anything that looked like a URL to the regex that we used. Over time the regex was tightened and loosened in different places to get better matching. The reason? We didn't want young users being removed by their (over protective, in your opinion nenolod?) parents because they clicked a link in chat that some random user had posted, and they ended up at some "unsuitable" site. Several times over the admin team put it to the net owner to have it removed, and he said no each time, he said "Yes, you can remove it, BUT only if you wish to monitor every channel, and every private message and notice on the network." Now, since we didn't have enough staff to do that, and we don't like the idea of intercepting private messages to that degree, we decided not to.

Is it wrong to do what we can to protect children until they are old enough to choose for themselves?

For me? Yes, for you? I don't know, it's your opinion, and yours is the one that counts - in your opinion.

magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK

Posted: Nov 05, 2004 5:57pm

nenolod wrote:
So now it's moral to support censorship? Do you just believe everything you hear? Or is it that you just say this in order to defend your software? Because those are two very different things. Clarify. Also, please be sure to explain your "morals" because if you weigh morals over ethics, you are cheating your userbase and yourself.


If it's a private network the owners are perfectly within their rights to censor things. Don't like it? Use another net. Also, there are some things I think should be censored - use your imagination, I'm sure you can think of things young children shouldn't be exposed to.

nenolod wrote:
Actually, kill can be removed from Shadow entirely, as any other command. Even the core ones. All you have to do is remove the module. I know of a few networks in Japan which have done just that.


Ok....you missed the point though.

nenolod wrote:
At the time of this writing, there is no way you can intercept messages in ShadowIRCd, either via Shadow itself or any module.


Rubbish. It can be modified to do so, which was Codemastr's point.

nenolod wrote:
1) Why must you compare IRC to real life? They are two different things.


Doesn't mean that young children using IRC shouldn't be protected. I'm not saying I condone censorship on all networks, but on ones specifically designed for a certain audience, it often has a valid use.

nenolod wrote:
3) Not even Unreal's spamfilter can prevent sexual harassment from occurring, so what does that have to do with the topic on hand?


No filtering system is 100% accurate or effective.

nenolod
Idler
Joined: 23 Jan 2004
Posts: 335
Location: A box!

Posted: Nov 05, 2004 7:23pm

zeke wrote:
oh yay....Unreal vs. Xircd again....

I'm siding with codemastr on this one, and not just because he wrote a large amount of Unreal.
I oper (at the time services-admin, now net) on a network which prides itself on being child-friendly. For a few months we "abused" UnrealIRCd's spamfilter to block any URL and anything that looked like a URL to the regex that we used. Over time the regex was tightened and loosened in different places to get better matching. The reason? We didn't want young users being removed by their (over protective, in your opinion nenolod?) parents because they clicked a link in chat that some random user had posted, and they ended up at some "unsuitable" site. Several times over the admin team put it to the net owner to have it removed, and he said no each time, he said "Yes, you can remove it, BUT only if you wish to monitor every channel, and every private message and notice on the network." Now, since we didn't have enough staff to do that, and we don't like the idea of intercepting private messages to that degree, we decided not to.

Is it wrong to do what we can to protect children until they are old enough to choose for themselves?

For me? Yes, for you? I don't know, it's your opinion, and yours is the one that counts - in your opinion.


1) Parents have no business introducing their kids to IRC. By doing so, the child is introduced to all sorts of predators and other garbage.

Sure, there are networks out there which are 'child-friendly', and yes, Unreal has the edge over anything else in this market. That's fine with me. I'm not trying to market shadow to these networks, and quite frankly I want nothing to do with them. Mainly because most of the features they want do not coexist with the philosophy behind the development of ShadowIRCd!

2) If a child is introduced to IRC (I don't think kids younger than 13 should be on IRC, for their own good...) they SHOULD be protected from predators, pornography and other bad things. This is *very* true. However, I do *not* think that IRC should be an environment that a younger child is in. Unreal, however, has very useful methods for constraining these problems.
All times are GMT - 6 Hours