IRC Defender - http://ircdefender.sourceforge.net/

Developed for irc.chatspike.net and the irc community

Lead Developer: Brain Contributors: WhiteWolf, openglx, reed and others Module Developers: ol, typobox43, Azhrarn Website Design: Craig

If you like this software, please drop us an email at brain@chatspike.net so that we can get a rough idea of how many users are using this program :-)

Supported software

To use this program, your irc software must be listed in the table below. Support for other styles of ircd may be added on request however we may ask you for assistance in providing access to the said software so that we may develop a solution.

    +-------------------------------------+-------------+
    | irc server                          | Link module |
    +-------------------------------------+-------------+
    | UnrealIRCd 3.1.1 -> 3.2             | unreal      |
    | Bahamut 1.8.x                       | bahamut     |
    | UltimateIRCd 3.x                    | ultimate    |
    | Bahamut 1.4.x (unstable)            | ultimate    |
    | Hybrid 7.x                          | hybrid      |
    | P10 (IRCu, beware ircd, etc.)       | p10         |
    | UnrealIRCd client mode (deprecated) | client      |
    | TR-IRCD                             | trircd      |
    | ptlink                              | ptlink6     |
    | ircd 2.10 (RFC 2813)                | ircd210     |
    | InspIRCd Beta 6 to 1.0.7            | inspircd10  |
    | InspIRCd 1.1.0 Beta 2 onwards       | inspircd11  |
    +-------------------------------------+-------------+

Thanks to WhiteWolf for submitting the TR-IRCD module used in ircdefender, and thanks to openglx for his ptlink6 module, both of which are available for your use due to their hard work and support of this project. Also a Big thanks to laXity of irc.bongster.de for his support and access to an UltimateIRCd test server which was used to develop the bahamut/ultimate support module, and a big thanks also to beware who and reed who gave advice and code for the P10 link protocol (also thanks for writing such an easy-to-follow spec for what is a complex protocol!).

Shared Blocks And U:Lines

If you link to an InspIRCd server, you must define a <uline> tag for your defender server, for example:

<uline server="defender.mynetwork.net">

If you link to a hybrid server, you will most likely need to create a shared {} block (equivalent to a U-line), for your server, for example:

shared { name = "defender.mynetwork.net"; };

This will allow the defender server to set global k-lines (which will be used whenever defender wishes to ban a host) Be sure to disable command rate limiting for the defender server, or the "status" command (see below) will be practically useless! Adding a can_flood in the auth {} block or increasing the limits should have the desired effect.

If you link to a p10-compatible server such as ircu, you must add u:lines to all your servers, for example:

U:defender.mynetwork.com:Defender:*

This will serve two purposes, firstly it allows your defender to perform modehacks (e.g. for the flood module etc) and global kills, and secondly it doubles as a Q:line, forbidding normal users from using the nick 'Defender'.

On an ircd2.10 server, glines and globops are emulated by irc defender, and restarts of the service will reset all emulated glines.

The server numeric

Certain server types feature what is known as a 'server numeric'. These are normally allocated to you by the network administration of the network you link your server to. Depending on the module you select you will have to define a line in your conf as follows:

numeric=<your allocated server numeric>

At present, only three of the four modules in this distribution make use of numerics, and the formats are as follows:

+-------------------+---------------------------------+---------------+ | module type | numeric format | example | +-------------------+---------------------------------+---------------+ | unreal | integer number, 1..255 | 156 | | p10 | two alphanumeric characters | QZ B5 f4 hE | | trircd | integer number, 1..255 | 28 | +-------------------+---------------------------------+---------------+

Starting the program

See the example config file for details of configuration. Start the program with "perl defender.pl"

The program will background, and auto join the channel you have defined where the commands given below are accepted. Please be sure to secure your channel (e.g. set +O on it) so that normal users may not access these commands!

Deciding what modules to use

The program is modular, therefore you must select the modules you wish to use before proceeding with running the program. There are two special types of module, protocol and log modules, which are special in the regard that you must ALWAYS have at least one of each loaded and running. The protocol module provides the interface to the irc network and the logging module provides the interface to writing logs by redirecting stdout to handlers or files.

Once you have defined these two files in your config you are able to pick other modules, see the config for an example. These modules perform the actual scanning operations on users as they connect or interact with the service.

Rehashing/Changing modules on the fly

While the program is running, you may edit its config file then do a remote rehash (e.g. via /rehash defender.*) to cause its configuration files to be re-read. When you do this any modules you have removed from the configuration will be unloaded, and any you have added will be freshly loaded. Any that remain unchanged will be re-initialised as though the bot was just reloaded by hand. It your server software does not support remote rehashing, then you may do this instead on the bot's control channel:

botnick rehash

which will have the same effect as a /rehash on servers which support it.

Load order

As with most modular programs, the load order of your modules is important. Each module in defender has a set of dependencies, and a set of features it provides, so that modules can safely depend on each other in a stable and reliable way. It is up to you to ensure your modules are loaded in the right order not to cause conflicts and are not loaded multiple times. For example, if module A depends on module B, you must ensure that B appears before A in your modules= line in the config. Modules are loaded in order entered into the config file, from left to right.

Listing loaded modules

To list all loaded modules, and show the program uptime, simply type:

status

on it's control channel.

If you wish for (very) verbose output you may type:

status all

if you want the program to report verbose information for one module only you may do this by typing:

status [module-name]

where module-name is the name of a module which is loaded.

Included modules

The following modules are included in the base distribution:

fyle

This module scans for anatoly/fyle drones, e.g. bots with nicks such as `|{{] which join and part large channels in search of people to spam infection urls to. It will ban them by heuristics, giving virus like gecos, nick and ident combinations a heavier weighting. The paranoia= score in the config indicates how sensitive this should be, you are STRONGLY recommended to leave it at the default of 7.

Supported commands: fyle scan [nick] [ident] [gecos]

Note that to make this module work you will require the words.txt file from the project page at http://www.sourceforge.net/projects/ircdefender/

killchan

The killchan module will deny users access to specified channels. To use the killchan module, use the following commands on the control channel:

killchan add [channel] [reason] killchan list killchan del [channel]

When a non-oper joins a blacklisted channel, they will be temporarily G-Lined (the default is for 30 minutes). If an oper joins the forbidden channel they will just be warned that the channel is blacklisted, so they dont accidentally tell any non-opers to join.

TIP: It is a GOOD idea to put a killchan on your defender control channel, if your ircd only supports the most basic of channel security features such as +i, +s and +k. This way, if a normal user splitrides into the control channel, gets invited by an oper by accident (or on purpose!) or obtains the key, the killchan setting will G-Line them as soon as they join, while still letting opers gain access to the pseudoclient. This will also protect the channel whenever defender is running even if for example services, GNUWorld or whatever enforces the channel security on your control channel is unavailable due to DoS or netsplit, so that while ever there is a pseudoclient to issue commands to, it will ALWAYS be inaccessible to non-opers.

message

This simple module replies with a server notice if the bot is messaged, asking users to refer to your support channel for help.

fizzer

This module eliminates fizzer drones. It has no configuration options or commands.

re_notice

This module allows you to send a notice to all users on your network which match a given regular expression pattern. For example, you could send a message to all AOL users, or to all users in finland, or to all users with broken idents (or even all users whose ident contains a number, the possibilities are huge!) The module supports one command:

re_notice [regexp] [message]

The regexp is n