Ban or gline/kline users connecting from IPs in the list.

TimeRider · Post by **TimeRider** » Wed Jul 08, 2020 6:41 pm

Hello everyone, I have a huge list of IPs in .txt format that I would like to be blocked(gline/kline) in my Unrealircd server by eggdrop. So, basically I want a script where the eggdrop would oper up and see/scan if the user is connecting from the IPs in the list (ips.txt).

Can someone help me into this?

Thank you!

Post by **caesar** » Thu Jul 09, 2020 12:43 am

Post an example of an user connecting to the network to see the syntax.

Post by **CrazyCat** » Thu Jul 09, 2020 12:44 am

Bad idea imho.
Unrealircd can manage that directly with the ban blocks, it will be more efficient.

simo · Post by **simo** » Thu Jul 09, 2020 8:48 am

its unreal5 caesar

syntax is:

for ssl
*** Client connecting: NICK (IDENT@HOST) [IP] {clients} [secure ECDHE-RSA-AES256-GCM-SHA384]

for non ssl
*** Client connecting: NICK (IDENT@HOST) [IP] {clients}

there is another thing ive seen his list it also has cidr ranges

im not sure how that would compare against connecting IPS wich are normal IPS

he asked me to help basically he wants to decrease the ammount of vpn ips used to connect as they are mainly used for abuse

for example:

for ipv6:
2a0a:5ec0::/29

for ipv4:
2.56.16.0/22

Post by **caesar** » Thu Jul 09, 2020 9:29 am

Ah, then CrazyCat is right. Should do this on the server end via a module or something than rely on a bot that reads a text file each time someone connects.

Can't you recommend some modules simo?

simo · Post by **simo** » Thu Jul 09, 2020 12:15 pm

that was the first thing i thought of caesar but the thing is there isnt such a monitoring tool yet for vpn monitoring else of course that would be prefered as crazycat already mentioned there is only the usual dnsbl monitoring wich doesnt including vpn or not by design anyway

Post by **caesar** » Fri Jul 10, 2020 12:43 am

Well, the role of the VPN is to make the person behind it be somewhat anonymous, so on your server it could look like someone nice or some prick that's in for some trouble. Until he/she takes the first action you can't really tell who's who.

So, bottom line is that if you get too much abuse from the same VPN provider then just gline it.

Post by **CrazyCat** » Fri Jul 10, 2020 1:57 am

We had a discussion in urealircd forum concerning VPN: https://forums.unrealircd.org/viewtopic.php?f=54&t=8970

TimeRider · Post by **TimeRider** » Wed Jul 15, 2020 8:01 pm

Finally, my thread got some replies.

Thanks simo, That's the right user connecting syntax (ssl and non-ssl) for UnrealIRCD.

caesar: Actually someone has really abused my IRC server using VPNs. It's really getting in the nerves.

CrazyCat: I went through that discussion too. It was not much of help as the module requested was not made. Also, as you said, the UnrealIRCD ban blocks would be hectic to put all the ips creating the block for each. Or, is there a way to make the UnrealIRCD ban block read the list?

I really thought Eggdrop could do this task at ease as it is one of the powerful IRC bot I have seen so far.

ComputerTech · Post by **ComputerTech** » Wed Jul 15, 2020 8:38 pm

Did you try using the options of the unrealircd config ?

Not doubting you or anything, but just saying there is some handy stuff in there

Post by **CrazyCat** » Thu Jul 16, 2020 2:39 am

TimeRider wrote:Also, as you said, the UnrealIRCD ban blocks would be hectic to put all the ips creating the block for each. Or, is there a way to make the UnrealIRCD ban block read the list?

I really thought Eggdrop could do this task at ease as it is one of the powerful IRC bot I have seen so far.

If you have a file with all IPs, you can simply modify it with a good text editor (as notepad++ or pspad), or sed, to create an unrealircd comprehensive file that you'll include in your conf.
Just replace:

Code: Select all

^(.*)$

with:

Code: Select all

ban user { mask *@$1; reason "Denied IP"; };

(note that it may be $1 or \1 depending on the editor you use).

If you want to manage it with eggdrop:

Code: Select all

set fi [open "ips.txt" "r"]
set ips [read -nonewline $fi]
close $fi
foreach ip [split $ips "\n"] {
   putserv "gzline *@$ip +0 :Denied IP"
}

Post by **caesar** » Thu Jul 16, 2020 3:55 am

If your server is on Linux I would go with a different approach: firewall.

I would first create an IP set with ipset (replace blacklist with whatever you want):

Code: Select all

ipset create blacklist hash:net

tell iptables to drop any connection from any IP that is in this blacklist set:

Code: Select all

iptables -I PREROUTING -t raw -m set --match-set blacklist src,dst -j DROP

and populate the blacklist with data by telling it to flush previous (if any) data and load stuff from a text file:

Code: Select all

ipset flush blacklist
ipset restore -! < blacklist.txt

The blacklist.txt file has to be in this format:

Code: Select all

create blacklist hash:net family inet hashsize 8192 maxelem 65536
add badips x.x.x.x
add badips x.x.x.x
add badips x.x.x.x
and so on

I got something similar (repo on Github) for script kiddies that keep on trying to brute-force their way in my server via the SSH service.

If you don't want to use this and want to stick with an eggdrop then I would proly use something like:

Code: Select all

proc lookup {str} {
	set match 0
	set fh [open "blacklist.txt" "r"]
	set data [read -nonewline $fh]
	close $fh
	foreach line $data {
		if {[string equal $line $str]} {
			incr match
			break
		}
	}
	return $match
}

and trigger the glines when and if needed.

Code: Select all

bind join * join:check
proc join:check {nick uhost hand chan} {
	scan $uhost {%[^@]@%s} user host
	if {[lookup $host]} {
		# add the gline line
	}
}