charles Voice
Joined: 22 Feb 2010 Posts: 2
Posted: Mon Feb 22, 2010 11:42 am Post subject: protect-telnet / global hostmask match
I just experienced odd behavior on my first eggdrop (1.6.19+ctcpfix+ssl) and wanted some clarification from the pros if this is intentional behavior or indeed a bug.
I want to issue certain commands to the eggdrop via php by utilizing a telnet connection.
For security purposes I want to limit the eggdrop script user as much as possible.
I.e. only allow telnet connections and no IRC connections.
And furthermore only allow telnet connections for that user coming from localhost.
I have activated the protect-telnet option, but apparently eggdrop is not matching the allowed hosts on a per-user basis, but immediately on connect and independently of the users the host mask was specified for.
Example:
User A has access with this hostmask: -telnet!*@*.t-dialin.net
User B has access with this hostmask: -telnet!*@*.comcast.net
User C does not have a telnet hostmask at all.
Instead of refusing all telnet login attempts for user C, someone with the hostmask of user A or B can log in via telnet as user C.
Also, connections to user A and B are not limited to their own hostmasks, but to all known hostmasks, meaning a user with user B's telnet hostmask could log in as user A and vice-versa.
Now I am wondering if this behavior is intentional or a bug and if there is any way to bypass this?
Thanks in advance for any assistance.
Regards,
charles
 |
TCL_no_TK Owner

Joined: 25 Aug 2006 Posts: 509 Location: England, Yorkshire
Posted: Tue Feb 23, 2010 8:54 am Post subject:
Quote:
# This setting will drop telnet connections not matching a known host.

There isn't any behavior change as far as I can remember. The telnet hosts are allowed to telnet regardless of who their username is with the telnet address.
If you're looking for the feature you have mentioned, you should look at

Quote:
# Define here whether or not a +o user still needs the +p flag to dcc the bot.
set require-p 0

And give the +p flag to people you wish to allow dcc/telnet access to.
_________________
TCL the misunderstood
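The difference between the connect-time check described in the two posts above and the per-user check the original poster expected, as a small Python model (an added example, not eggdrop code and not written by either poster). The wildcard matcher, the `script` handle and the sample source strings are constructed assumptions; the password prompt that follows the host check is not modelled.

```python
import re

def mask_match(mask, source):
    """IRC-style wildcard match: '*' is any run, '?' is one character, case-insensitive."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask
    )
    return re.fullmatch(pattern, source, re.IGNORECASE) is not None

# Constructed user file: masks for A, B and C are the ones from the first post;
# "script" is a hypothetical localhost-only automation user.
USERS = {
    "A": ["-telnet!*@*.t-dialin.net"],
    "B": ["-telnet!*@*.comcast.net"],
    "C": [],
    "script": ["-telnet!*@127.0.0.1"],
}

def global_check(users, handle, source):
    """Behaviour reported in the thread: the source only has to match some user's mask."""
    if handle not in users:
        return False
    return any(mask_match(m, source) for masks in users.values() for m in masks)

def per_user_check(users, handle, source):
    """Behaviour the poster wanted: only the masks of the handle logging in count."""
    return any(mask_match(m, source) for m in users.get(handle, []))

def audit(users, source):
    """Handles this source passes the global check for without matching their own masks."""
    return sorted(
        h for h in users
        if global_check(users, h, source) and not per_user_check(users, h, source)
    )

# Constructed sample sources.
DIALIN = "-telnet!telnet@p5b1234.dip.t-dialin.net"
COMCAST = "-telnet!telnet@c-10-0-0-1.hsd1.comcast.net"
LOCAL = "-telnet!telnet@127.0.0.1"

if __name__ == "__main__":
    for src in (DIALIN, COMCAST, LOCAL):
        print(src, "-> accepted for other users' handles:", audit(USERS, src))
```

Run against a copy of your own user list, `audit` shows which handles each telnet mask effectively opens up, which is the exposure to weigh before storing a script user's password in a PHP file.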
 |
charles Voice
Joined: 22 Feb 2010 Posts: 2
Posted: Tue Feb 23, 2010 12:41 pm Post subject:
TCL_no_TK,
Thank you for the explanation.
I already have "set require-p 1" in my config for security purposes, but what I am looking for for my script user is a bit different.
I wanted the user (whose credentials will be unencrypted in a php script) to have access to the bot only via telnet and only from localhost.
So even in case there would be a security leak through the php script, a potential attacker would not be able to use the stolen login information.
But as there seemingly is no way to limit a user to telnet-only access and the telnet access by hostmask on a per-user basis, I will probably have to think of something else.
Maybe I will abandon telnet access for regular users altogether and only allow telnet from localhost and therefore for the script user - not exactly what I had wished for, but I am willing to sacrifice a bit of convenience for security.
 |
TCL_no_TK Owner

Joined: 25 Aug 2006 Posts: 509 Location: England, Yorkshire
Posted: Tue Feb 23, 2010 5:10 pm Post subject:
You *may* want to look at the "livestats" feature of the stats.mod, since this has a similar system to what you are asking about for my very basic usage of it. Thinking that you'll no doubt be using a socket for this, I wouldn't think any protect telnet or likewise would affect this unless you add some feature for this to be included.
_________________
TCL the misunderstood