1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-10 10:43:12 +02:00
Commit Graph

193 Commits

Author SHA1 Message Date
Bram Matthys 48d3673a02 Only do slow spamfilter detection for regexes, not for 'simple' */?
Since it is pointless and this saves some CPU :)
2023-12-22 15:43:11 +01:00
Bram Matthys 96b18946ca Include oper name on /SPAMREPORT (for central spamreport) 2023-12-01 07:58:01 +01:00
Bram Matthys 25d1bdfbf5 Make central spamfilters show in STATS spamfilter as "-centralspamfilter-"
rather than "-config-". Suggested by Lord255.
[skip ci]
2023-10-06 08:29:19 +02:00
Bram Matthys 45002eeb6f Fix STATS output for config-based spamfilters with reasons with spaces.
For config-based spamfilters, the reason was not escaped, meaning that
spaces and underscores did not work as expected.
For example, in "STATS spamfilter" the spaces were displayed as-is
which means that the numeric output was not really parsable.

Apparently this bug exists since UnrealIRCd 5 already...
2023-10-06 07:36:26 +02:00
Bram Matthys 43240e4557 Don't allow central spamfilter without 'reason' 2023-10-06 07:00:44 +02:00
Bram Matthys 97630b4717 Allow setting reputation in https://www.unrealircd.org/docs/Actions via
action { set REPUTATION--; } and similar.

Also enhancement to reputation S2S traffic, to support decreasing:
  *
+ * Since UnrealIRCd 6.0.2+ there is now also asterisk-score-asterisk:
+ * :server REPUTATION 1.2.3.4 *2*
+ * The leading asterisk means no reply will be sent back, ever, and the
+ * trailing asterisk will mean it is a "FORCED SET", which means that
+ * servers should set the reputation to that value, even if it is lower.
+ * This way reputation can be reduced and the reducation can be synced
+ * across servers, which was not possible before 6.0.2.
+ *

So if you are actually decreasing reputation, you need all servers on
6.0.2 or higher for it to work properly, otherwise the other servers
don't decrease it, and next connect the highest wins again, etc.
2023-09-17 09:39:55 +02:00
Bram Matthys 50753b4678 Make central spamfilters require an 'id', and ignore for non-central.
At least for now...
2023-07-21 12:26:02 +02:00
Bram Matthys cd19198e3b Spamfilter fixes: prevent actions that are currently config-only from
being added by other servers and being able to spread to areas of
which the code is currently not ready for ('set', 'report', 'stop').
2023-07-20 14:50:40 +02:00
Bram Matthys 937236126f Add new spamfilter type 'raw' which matches against a raw command/protocol line.
SPAMFILTER add -simple R block - Hi_there! LIST*

Though it is more useful in complex spamfilter rules in the conf, presumably.
2023-07-16 19:47:43 +02:00
Bram Matthys b272b6700a Add security-group::rule support, see https://www.unrealircd.org/docs/Crule 2023-07-16 12:09:01 +02:00
Bram Matthys 59c6c99ba3 spamfilter::rule: add destination('#xyz') support (supports wildcards) 2023-07-16 11:29:53 +02:00
Bram Matthys b325f88795 crule/spamfilter: pass text in crule context, not used yet, but could
be useful in some future crule function.
[skip ci]
2023-07-16 10:46:39 +02:00
Bram Matthys a153a2cce3 Change definition of parse_ban_action_config(), was too easy to leak memory.
Often you have default values for the config, and then a subsequent config
parsing run would overwrite the return value (= memory leak), merging/appending
would make no sense either, so it would force a free in all code before
calling us, well... let's just deal with it ourselves instead then ;)
2023-07-14 08:08:47 +02:00
Bram Matthys 4c3d2a6d6d Fix write bug in tkldb and add spamfilter::action stop.
The spamfilter::action stop ill prevent processing other spamfilters.
This would normally be a bit unusual, and potentially dangerous when you
do exclude things this way, but can be useful in some circumstances.

Stopping only affects the same type of spamfilters (general or central
spamfilters), so they don't interfere.

The tkldb write DB bug had to do with that it was processing
central spamfilters, which should be skipped just like config
based spamfilters were already skipped.
2023-07-11 14:32:11 +02:00
Bram Matthys 32701e6f99 Central spamfilter: don't stop processing on 1 bad spamfilter block. 2023-07-11 13:34:28 +02:00
Bram Matthys 018efd8366 Fix crash in spamfilter { } block handling due to unitialized variable 2023-07-11 12:15:01 +02:00
Bram Matthys f333aa0c09 New option set::spamfilter::show-message-content-on-hit:
you can now configure to hide the message content in spamfilter hit
messages. Generally it is very useful to see if a spamfilter hit is
correct or not, so the default is 'always', but it also has privacy
implications so there is now this option to disable it.

Suggested by alice, quite a while ago.

https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit

Also as mentioned there:
UnrealIRCd has the following spying countermeasure (for many years) to help
that spamfilters are not abused for spying. When a spamfilter hit happens
that has an action like gline or blocking, it is visible to the user that an
action was taken. There is also the action 'warn', which means: take no
action and only warn IRCOps, that one would be easy to use as a spy tool, so
when this happens and message content was revealed, numeric 659
(RPL_SPAMCMDFWD) is sent to the client to indicate that the message is
allowed through but IRCOps were informed.
With this new set::spamfilter::show-message-content-on-hit feature, when
the message content was hidden due to this setting (eg due to 'never' or
'channel-only'), the warn message will not be sent as there is no need to
inform the user in such a case.
2023-07-11 12:11:26 +02:00
Bram Matthys 4df6ed7f9a Get rid of duplicate "spamfilter hit" code. 2023-07-11 11:42:06 +02:00
Bram Matthys f277880fb3 Add set::central-spamfilter::limit-ban-action and ::limit-ban-time
to limit actions to limit-ban-action as the highest, and limit
ban times to limit-ban-time the highest, see
https://www.unrealircd.org/docs/Central_Spamfilter

This also changes highest_spamfilter_action() to highest_ban_action().
2023-07-11 10:17:51 +02:00
Bram Matthys 15b9255b0e Add spamfilter::except as an alternative for spamfilter::rule and upd rls notes 2023-07-10 12:12:25 +02:00
Bram Matthys c18c79e88b Add spamfilter hits and hits for exempted users.
* This means we always run spamfilters, even if users are exempts
* This way we can gather hits for exempted users on individual
  spamfilter entries, and possibly detect false positives
  (which relies on the assumption that those users are innocent)
* The hit counters are shown in in RPL_STATSSPAMF and also
  exposed via the JSON-RCP API.
* This commit also adds set::central-spamfilter::except but more
  on that later since i still want to set a default for that in
  a future commit.
* This also changes take_action() to take flags and adds the
  option TAKE_ACTION_SIMULATE_USER_ACTION which i intended to
  use but didn't in the end... not sure if i should keep it :D
2023-07-10 11:30:51 +02:00
Bram Matthys d25fdeb950 Some more BanAction fixes/improvements:
* stats S one thingy (multi-actions)
* STATS spamfilter (multi-actions)
* warn w/user target ('u') if using multi-actions
* moving some code
2023-07-09 16:27:40 +02:00
Bram Matthys a68fa03ab5 Fix some small memory leaks on REHASH and fix compile warning w/gcc. 2023-07-09 13:39:00 +02:00
Bram Matthys 2b14ee3de5 Prepare for future spamfilter::match -> spamfilter::match-string
[skip ci]
2023-07-08 20:14:25 +02:00
Bram Matthys 5d65e4a400 Rename place_host_ban() to take_action() since it is not only about banning... 2023-07-08 19:54:40 +02:00
Bram Matthys 8f4a19978a Deal properly with multi actions in spamfilter (untested) 2023-07-08 19:48:15 +02:00
Bram Matthys 64f57ae243 Add spamfilter::action report (work in progress) 2023-07-08 19:24:15 +02:00
Bram Matthys 01dd042089 Add support for spamfilter::id (currently not used or displayed anywhere)
For config-file only atm.
2023-07-08 12:34:21 +02:00
Bram Matthys 1006292681 Initial work on central spamfilter with auto refreshing URL / rules 2023-07-07 18:43:29 +02:00
Bram Matthys d998846c64 Support setting tags via spamfilter { } blocks 2023-07-06 18:25:43 +02:00
Bram Matthys 6bbcdfd1b3 Add spamfilter::rule (preconditions), add context to crule parser,
and add the first functions: online_time() and reputation().

The more interesting stuff will follow later...
2023-07-06 16:14:26 +02:00
Bram Matthys 656ea105da First go at multi actions... 2023-07-06 11:51:55 +02:00
Bram Matthys fd7a715e17 Don't use slow socket closing (w/TLS handshake) for (G)ZLINE.
The whole point of (G)ZLINEs is that it rejects instantly upon
accept, that's what makes them different from KLINE/GLINE.

Commit 89075e532a made it
accidentally use the slow path for this as well.
2023-06-07 15:14:00 +02:00
Bram Matthys 9b9434e442 Delay throttling check until IP is resolved or failed to resolve.
This so you can use throttling exceptions (eg in ELINE) on hostnames.

That is, the above is during normal circumstances. Similar to previous
commit we will turn this feature of during high connection rates.
That is a TODO item.
2023-05-18 11:51:22 +02:00
Bram Matthys 8aa004271f Ban exempt 127.0.0.1 instead of whole 127.*
* We now only exempt `127.0.0.1` and `::1` by default (hardcoded in the source).
  Previously we exempted whole `127.*` but that gets in the way if you want
  to allow Tor with a
  [require authentication](https://www.unrealircd.org/docs/Require_authentication_block)
  block or soft-ban. Now you can just tell Tor to bind to `127.0.0.2`
  so its not affected by the default exemption.

Reported on IRC and by PeGaSuS in
https://bugs.unrealircd.org/view.php?id=6258
2023-04-14 07:34:53 +02:00
Bram Matthys 4b4562516c Another attempt at UTF8-aware spamfilter.
This was previously tried at 19-apr-2020 in bc70882bd3
in UnrealIRCd 5.0.5. Sadly it had to be reverted immediately with a quick 5.0.5.1
release, all because of a PCRE2 100% CPU usage. Since then that bug has been fixed,
plus another bug. I'm now readding it "as an option" that is marked experimental.
Hopefully people test it out and can report back if it works well and then we can
make it the default someday.

This makes it a runtime setting so makes it much easier to switch back/forth if
there are any issues without recompiling anything. Had to use a bit more code now
though to handle the recompiling of spamfilters if the setting is changed.

Original issue was https://bugs.unrealircd.org/view.php?id=5187

* [Spamfilter](https://www.unrealircd.org/docs/Spamfilter) can be made UTF8-aware.
  * This is experimental, to enable: `set { spamfilter { utf8 yes; } }``
  * Case insensitive matches will then work better. For example, with extended
    Latin, a spamfilter on `ę` then also matches `Ę`.
  * Other PCRE2 features such as [\p](https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5)
    can then be used. For example you can then set a spamfilter with the regex
    `\p{Arabic}` to block all Arabic script.
    Please do use these new tools with care. Blocking an entire language
    or script is quite a drastic measure.
  * As a consequence of this we require PCRE2 10.36 or newer. If your system
    PCRE2 is older than this will mean the UnrealIRCd-shipped-library version
    will be compiled and `./Config` may take a little longer than usual.
2023-03-22 09:00:31 +01:00
Bram Matthys 0244c31742 Split of some code from cmd_eline() into server_ban_exception_parse_mask(),
similar to how *LINE commands use server_ban_parse_mask().
Now used by ELINE and for JSON-RPC later...
2023-01-08 14:56:56 +01:00
Bram Matthys eab827688d Fix RPC spamfilter.* (and tkl.*?) not going through fully net-wide
due to bogus sender.
[skip ci]
2022-12-21 10:06:23 +01:00
alice b3f0165773 Adjust tkl too broad ban detection to avoid banning too-wide IPv6 masks.
This adjusts the test to disallow a ban on *@*:*:*:*:*, to bring it into line with similar behaviour for IPv4.
2022-11-14 07:23:55 +00:00
Bram Matthys dc55c3ec9f Add CALL_CMD_FUNC(cmd_func_name) and use it.
This is only for calls within the same module, as otherwise you
should use do_cmd().

Benefit of this way is that it is short and you don't have to worry
about passing the right command parameters, which may change over time.
Example as used in src/modules/nick.c:
-               cmd_nick_remote(client, recv_mtags, parc, parv);
+               CALL_CMD_FUNC(cmd_nick_remote);
2022-08-28 09:04:12 +02:00
Bram Matthys c85f666fed Fix server_ban_parse_mask() returning with variables set to local storage.
More precise, for extended server bans, usermask/hostmask was set to
a local variable that was not defined as static char[]. This would lead
to corrupt data and/or crashes.

Bug introduced a few days ago with 3d9b7e4b70
2022-06-27 10:49:46 +02:00
Bram Matthys c60fdad7eb RPC: add server_ban.add
This also moves some of the adding code (sending notice, broadcasting to
other servers, etc) to a function tkl_added().

We should probably do the same for deletion and not use the tkllayer
anymore for that?
2022-06-24 19:49:32 +02:00
Bram Matthys 3d9b7e4b70 RPC: remove tkl, split this up.. starting with server_ban.
Currently available:
* server_ban.list
* server_ban.get with params: name="*@1.2.3.4", type="kline"

This also adds server_ban_parse_mask() which is now used by both GLINE/etc
and the RPC API to parse the same way and convey the same error messages.
2022-06-24 18:53:10 +02:00
Bram Matthys 60c83b4ba1 Move connect-flood and max-unknown-connections-per-ip into their own module.
These deal with set::anti-flood::everyone::connect-flood and
set::max-unknown-connections-per-ip respectively.

This adds a new hook HOOKTYPE_ACCEPT, that is mostly meant for internal
usage by UnrealIRCd. Most module coders will want to use the existing
hook HOOKTYPE_HANDSHAKE instead.

This also gets of check_banned() which is now spread over the individual
modules (eg: checking banned is done in tkl on HOOKTYPE_ACCEPT and
HOOKTYPE_IP_CHANGE).
2022-06-19 13:13:33 +00:00
Bram Matthys c9f8c42281 Fix CIDR not working in match { ip ....; } 2022-05-26 17:03:17 +02:00
Bram Matthys b28d8aecd7 Add "ip" to mask item and security-group for easy matching on IP.
So you can just use mask { ip { 127.*; 192.168.*; } } without
having to worry about hostnames like 127.example.net.
(Of course you could also have used CIDR notation)

Another benefit is that, since we are dealing with IP's only,
the matching is faster than going through the more universal
match_user() routine.
2022-05-25 08:34:22 +02:00
Bram Matthys 7ff4a3e897 Add the promised support of security group functionality in except ban { }
So now the example in the release notes actually works:
except ban {
    mask { security-group irccloud; }
    type { blacklist; connect-flood; handshake-data-flood; }
}
2022-05-25 08:01:05 +02:00
Bram Matthys fea7995a02 Fix crash when using ~security-group in except ban { }
This makes us no longer call the .is_ok() function for extbans
that are added through except ban { }. This because normally
the is_ok() function communicates to 'client', which is NULL
when it is called from the config code.
The alternative would have been to update all the extban modules
to check for a NULL client and deal with that but that would
need stupid amounts of code and it would not be of much value
as the error would not end up displaying on the console.
So, we now only on the .conv_param() function, which was already
only used for cases such as remote bans and such, and is already
known to have a NULL 'client' in TKL cases. Note that conv_param()
could still reject the ban, but it does it generally only in
the more extreme cases.

Reported by musk / PeGaSuS.
2022-05-07 08:06:05 +02:00
alicetries 2018502e74 Fix various log messages which had missing $expansions (#198) 2022-05-01 13:52:45 +02:00
Bram Matthys f3d827c577 Add HOOKTYPE_IP_CHANGE and call it when the IP address changes.
Eg for WEBIRC or other proxy.

This does not yet fix any problem, it just changes the way things are
called. More to follow.
2022-01-17 07:55:45 +01:00