[imc-denmark] Fwd: [Ircd] Announcement of the IRCd working group
Simon Shine
simon at shine.eu.org
Fri Aug 24 02:18:50 PDT 2007
----- Forwarded message from Alster <alster at indymedia.org> -----
X-Original-To: simon at sickboy.freeworld.dk
Delivered-To: simon at sickboy.freeworld.dk
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
sickboy.freeworld.dk
X-Spam-Level:
X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00
autolearn=unavailable version=3.1.1
X-Original-To: ircd at lists.indymedia.org
Delivered-To: ircd at sarai.indymedia.org
Date: Wed, 22 Aug 2007 02:18:26 +0200
From: Alster <alster at indymedia.org>
User-Agent: Mozilla/5.0 (X11; U; Linux) Thunderbird
To: IMC Comunications <imc-communication at lists.indymedia.org>
X-Enigmail-Version: 0.94.4.0
OpenPGP: id=05059C17;
url=http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
Cc: IMC IRCd Coordination <ircd at lists.indymedia.org>
X-Mailman-Id: 0822-nq
X-Archived-At: http://lists.indymedia.org/mailman/mmid/ircd/2007-0822-nq
Subject: [Ircd] Announcement of the IRCd working group
X-BeenThere: ircd at lists.indymedia.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: IMC IRCd Coordination <ircd at lists.indymedia.org>
List-Id: IMC IRCd Coordination <ircd.lists.indymedia.org>
List-Unsubscribe: <http://lists.indymedia.org/mailman/listinfo/ircd>,
<mailto:ircd-request at lists.indymedia.org?subject=unsubscribe>
List-Archive: <http://lists.indymedia.org/pipermail/ircd>
List-Post: <mailto:ircd at lists.indymedia.org>
List-Help: <mailto:ircd-request at lists.indymedia.org?subject=help>
List-Subscribe: <http://lists.indymedia.org/mailman/listinfo/ircd>,
<mailto:ircd-request at lists.indymedia.org?subject=subscribe>
Errors-To: ircd-bounces at lists.indymedia.org
Announcement of the IRCd working group
CONTENTS:
o Hello!
o Why the IRC server-side software changed
o SSL encryption is moving to port 6697
o Hostmasks have changed
o WHOIS output has changed
o SSL-only channel mode
o Lost registrations, altered settings
o ChanServ in channels
o Further information
***** Hello! *****
Hello,
as some of you have surely realized, there has recently been a change to
the Indymedia IRC server at irc.indymedia.org (and accessible through
https://chat.indymedia.org). This change was carried out by the IRCd
working group.
In fact, a lot of changes have been made. Most importantly, we have
changed the IRC server and services software from Hybrid and HybServ
(which we both used to have), to InspIRCd and Atheme Services (which we
both have now).
More information on all of this is provided in this email. Please get in
touch if you need more or have any questions.
- the IRCd working group
***** Why the IRC server-side software changed. *****
You may be wondering why these changes were made - here's a summary:
- the previous software was no longer developed, mantained or supported
- the previous software was vulnerable to known security issues
- the previous method of providing SSL encrypted access to the IRC
server was a not-so-clean hack
- the previous method of providing SSL encrypted access to the IRC
server had the backdraw that we could not disconnect users abusing the
server
- the new software is much more, or actually _is_, mantainable
- the new software is well documented (and supported, too, I was told)
- the new software provides a modular structure allowing third parties
to write extensions for it without modifying the core
The new solution we feel should be acceptable to sustain the IRC system
for at least several more years.
When we converted from the old to the new system, we made a few changes
that we would like to address:
***** SSL encryption is moving to port 6697. *****
With the old server software, users wishing to use SSL encrypted chat
connections needed to connect to port 994. Due to technical
restrictions, we had to move this to port 6697. The documentation we
provide on docs.indymedia.org has been updated to reflect this point.
For further information, see
http://docs.indymedia.org/view/Sysadmin/SecureIRC.
Please configure your IRC clients accordingly. We will deactivate port
994 on September 1.
Another note on SSL: The SSL certificate in use on guerin.indymedia.org,
one of the currently two IRC servers which form the Indymedia IRC
network, is self-signed, which means that some IRC client may not
consider it a legitimate certificate. And, while it still provides full
encryption, we will replace this certificate by a CACert issues
certificate along the next weeks.
Until then, please make your IRC client 'accept invalid SSL
certificates' for irc.indymedia.org, or _temporarily_ set it up to only
connect to che.indymedia.org which already uses a legitimate CACert
issues SSL certificate. For help importing the CACert root certificate
into your operating systems' or IRC clients' issuer certificate storage,
please consult the SecureIRC documentation (see above) and the
documentation provided by the developers of your IRC client.
***** Hostmasks have changed. *****
As mentioned above, with the old software, it was not (or really not
easily) possible to stop abusers connecting through SSL encrypted
connections (on port 994) because the way we had encryption support
implemented made it impossible to identify the abusers and thus to
disconnect them.
Also, with the old software, people not using 'secure' SSL encrypted
connections had their IP addresses visible to other users completely
unobfuscated or just slightly changed but easily reversable (unless they
were using additional ways for anonymization). Thanks to the new
software and the options it provides we are now able to obfuscate
everyones' (both SSL and non-SSL users') hostnames and IP addresses.
In the beginning, after we had migrated to the new software, while
unique IP addresses were already obfuscated, it was still possible to
see which ISP each user uses. Due to concerns of anonimity, we have
since changed this so that, of the users' IP address, only an almost
impossibly revertable, very obfuscated, and only partial representation
is displayed instead.
For the technically interested amongst us, here's the changeset for the
changes made on the cloaking module to achive this:
http://svn.inspircd.org/index.cgi?view=rev&revision=7737
By the way, even though the users' ISPs are no longer displayed now, if
you need to ban a complete ISP, you can still do so and have it work. If
you need help with setting such a ban, you can always ask in #ircd.
***** WHOIS output has changed. *****
When running /whois on yourself, you will realize that some changes have
taken place here. An example WHOIS output looks like this now:
* [Alster] (alster at c01fe3.77cf1d.f67cb0.3b7b82): Al Ster
* [Alster] is connecting from alster at abc8768d.dsl-gw.myisp.de 207.36.21.193
* [Alster] @#listwork @#tech #communication @#de @#de-tech @#indymedia
@#ircd
* [Alster] guerin.indymedia.org :Guerin IMC IRC server
* [Alster] is an Operator on indymedia.org
* [Alster] is available for help.
* [Alster] is logged in as Alster
* [Alster] is using a secure connection
* [Alster] idle 00:57:50, online since: Tue Aug 21 21:49:57
* [Alster] End of WHOIS list.
When comparing your own WHOIS result with those you retrieve from other
users you will realize that the 'is connecting from' line is only
displayed to the users themselves. In addition, this information is also
available to the IRCd group which mantains the server (and needs this
information to be able to disconnect abusers and retrieve more
information about them to prevent further attacks). If you dislike the
fact that your IP address is available to IRC operators you are welcome
to use anonymization software such as http://tor.eff.org (in fact some
of us really recommend using this generally).
Due to the changes in hostmasking, people who use an SSL encrypted
connection have now the following show up in their WHOIS output:
* [nenolod] is using a secure connection
Additionally, the NickServ account that the person is logged into is now
mentioned if there is one:
* [nenolod] is logged in as nenolod
***** SSL-only channel mode. *****
There is now a mode to require all users to have SSL before joining a
channel. That mode can be enabled via "/mode #channel +z". This may be
useful if you want all of your channel communications to be encrypted.
To disable this mode (which is disabled by default), use "/mode #channel
-z".
Please note that users of the web chat interface at
https://chat.indymedia.org will never show up as encrypted, even though
they may actually be using an encrypted connection to the server (this
has not changed from how it used to be). Such users would be excluded
from a channel where +z is set.
Other channel modes can be reviewed at
http://www.inspircd.org/wiki/Channel_Modes
Additional channel settings can be made through the FLAGS command, when
passed to ChanServ:
/msg ChanServ help flags
***** Lost registrations, altered settings. *****
During the conversion process from the old the the new server-side
software, we made the unfortunate discovery that our previous IRC
services system was writing useless garbage to it's databases. This has
resulted in several improper conversions and several other registrations
being lost. Put differently: it's possible that the nicknames and
channels you had registered on the old system, and their various
settings you made for these, have been lost or have changed for no good
reason.
As such, you may need to reregister now or restore access. We can help
you restore your access if you cannot work it out by yourself or lack
permissions. If so, please ask in #ircd: /join #ircd
Registering with NickServ is explained in the output of "/msg NickServ
help register". For channel registrations, help is available through
"/msg ChanServ help register".
***** ChanServ in channels. *****
ChanServ now sits in channels by default, and can take commands either
prefixed with a ! or prefixed with ChanServ's name, e.g.
<nenolod> !op
* ChanServ has given operator status to nenolod.
<nenolod> ChanServ, deop
* ChanServ has removed operator status from nenolod.
If you want to disable this functionality, you can ask ChanServ to leave
via "/msg ChanServ set #channel guard off". ChanServ will continue to
behave as before.
Most commands listed in "/msg ChanServ help" can be used in the channel.
***** Further information. *****
The documentation of the "InspIRCd" IRC server we now use is available at
http://www.inspircd.org/wiki/
The documentation of the "Atheme" IRC services (NickServ, ChanServ etc.)
we now use is available at
http://www.atheme.net/Documentation_index
While this is still being worked on, the services provide extensive
online help by themselves:
/msg NickServ help
/msg ChanServ help
/msg MemoServ help
Please also read the message of the day (MOTD) which is displayed when
you connect to the server (containing the huge ((i)) logo).
For the process that lead to us determining to use the options explained
above (may also be useful for other IRC systems), you can view the IMC
wikipage on the topic:
http://docs.indymedia.org/view/Sysadmin/IrcdAlternatives
If you need any help or have questions about the new setup, please
contact us through either the ircd at lists.indymedia.org mailing list
(public archives!) or the #ircd channel on irc.indymedia.org.
_______________________________________________
ircd mailing list
ircd at lists.indymedia.org
http://lists.indymedia.org/mailman/listinfo/ircd
----- End forwarded message -----
More information about the imc-denmark
mailing list