pegasus/unrealircd
1
0
Fork 0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-12 17:14:46 +02:00
Code Activity
Files
8bafd332868df7da16ed8a9e44a580f1faa33110
unrealircd/doc/conf/examples/example.conf
T
Bram Matthys 8bafd33286 Update example.conf with the new set::connthrottle::ipv6-unknown-users-limit 
functionality.
[skip ci]
2026-05-06 10:28:32 +02:00

715 lines
22 KiB
Plaintext
Raw Blame History

/* Configuration file for UnrealIRCd 6
*
* Simply copy this file to your conf/ directory and call it 'unrealircd.conf'
*
* If you are in a hurry then you can CTRL+F for: CHANGE THIS
* The items that must be changed are indicated with those two words.
* However, we actually recommend going through the file line by line
* and edit it where needed, so you can see all the basic items and
* what they are set to.
*
* BEFORE YOU PROCEED:
* Important: all lines, except { and } end with an ;
* This is very important, if you miss a ; somewhere then the
* configuration file parser will complain and the file will not
* be processed correctly!
* If this is your first experience with an UnrealIRCd configuration
* file then we really recommend you to read a little about the syntax,
* this only takes a few minutes and will help you a lot:
* https://www.unrealircd.org/docs/Configuration#Configuration_file_syntax
*
* UnrealIRCd 6 documentation (very extensive!):
* https://www.unrealircd.org/docs/UnrealIRCd_6_documentation
*
* Frequently Asked Questions:
* https://www.unrealircd.org/docs/FAQ
*/
/* This is a comment, all text here is ignored (comment type #1) */
// This is also a comment, this line is ignored (comment type #2)
# This is also a comment, again this line is ignored (comment type #3)
/* UnrealIRCd makes heavy use of modules. Modules allow you to completely
* customize the featureset you wish to enable in UnrealIRCd.
* See: https://www.unrealircd.org/docs/Modules
*
* By using the include below we instruct the IRCd to read the file
* 'modules.default.conf' which will load more than 150 modules
* shipped with UnrealIRCd. In other words: this will simply load
* all the available features in UnrealIRCd.
* If you are setting up UnrealIRCd for the first time we suggest you
* use this. Then, when everything is up and running you can come
* back later to customize the list (if you wish).
*/
include "modules.default.conf";
/* Now let's include some other files as well:
* - help/help.conf for our on-IRC /HELPOP system
* - badwords.conf for channel and user mode +G
* - spamfilter.conf as an example for spamfilter usage
* (commented out)
* - operclass.default.conf contains some good operclasses which
* you can use in your oper blocks.
*/
include "help/help.conf";
include "badwords.conf";
//include "spamfilter.conf";
include "operclass.default.conf";
include "snomasks.default.conf";
/* Load the default cloaking module (2021 onwards): */
loadmodule "cloak_sha256";
/* Or load the old module from UnrealIRCd 3.2/4/5 instead: */
//loadmodule "cloak_md5";
// CHANGE THIS (the 'name' and the 'info'):
/* This is the me { } block which basically says who we are.
* It defines our server name, some information line and an unique "sid".
* The server id (sid) must start with a digit followed by two digits or
* letters. The sid must be unique for your IRC network (each server should
* have it's own sid). It is common to use 001 for the first server.
*/
me {
name "irc.example.org";
info "ExampleNET Server";
sid "001";
}
// CHANGE THIS:
/* The admin { } block defines what users will see if they type /ADMIN.
* It normally contains information on how to contact the administrator.
*/
admin {
"Bob Smith";
"bob";
"email@example.org";
}
/* Clients and servers are put in class { } blocks, we define them here.
* Class blocks consist of the following items:
* - pingfreq: how often to ping a user / server (in seconds)
* - connfreq: how often we try to connect to this server (in seconds)
* - sendq: the maximum queue size for a connection
* - recvq: maximum receive queue from a connection (flood control)
*/
/* Client class with good defaults */
class clients
{
pingfreq 90;
maxclients 1000;
sendq 200k;
recvq 8000;
}
/* Special class for IRCOps with higher limits */
class opers
{
pingfreq 90;
maxclients 50;
sendq 1M;
recvq 8000;
}
/* Server class with good defaults */
class servers
{
pingfreq 60;
connfreq 15; /* try to connect every 15 seconds */
maxclients 10; /* max servers */
sendq 20M;
}
/* Allow blocks define which clients may connect to this server.
* This allows you to add a server password or restrict the server to
* specific IPs only. You also configure the maximum connections
* allowed per IP here.
* See also: https://www.unrealircd.org/docs/Allow_block
*/
/* Allow everyone in, but only 3 connections per IP */
allow {
mask *;
class clients;
maxperip 3;
}
/* Example of a special allow block on a specific IP:
* Requires users on that IP to connect with a password. If the password
* is correct then it permits 20 connections on that IP.
*/
// allow {
// mask 192.0.2.1;
// class clients;
// password "somesecretpasswd";
// maxperip 20;
// }
/* Oper blocks define your IRC Operators.
* IRC Operators are people who have "extra rights" compared to others,
* for example they may /KILL other people, initiate server linking,
* /JOIN channels even though they are banned, etc.
*
* For more information about becoming an IRCOp and how to do admin
* tasks, see: https://www.unrealircd.org/docs/IRCOp_guide
*
* For details regarding the oper { } block itself, see
* https://www.unrealircd.org/docs/Oper_block
*/
/* Here is an example oper block for 'bobsmith'
* YOU MUST CHANGE THIS!! (the oper name and the password)
*/
oper bobsmith {
class opers;
mask *@*;
/* Technically you can put oper passwords in plaintext in the conf but
* this is HIGHLY DISCOURAGED. Instead you should generate a password hash:
* On *NIX, run: ./unrealircd mkpasswd
* On Windows, run: "C:\Program Files\UnrealIRCd 6\bin\unrealircdctl" mkpasswd
* .. and then paste the result below:
*/
password "$argon2id..etc..";
/* See https://www.unrealircd.org/docs/Authentication_types for
* more information, including even better authentication types
* such as 'certfp', and how to generate hashes on Windows.
*/
/* Oper permissions are defined in an 'operclass' block.
* See https://www.unrealircd.org/docs/Operclass_block
* UnrealIRCd ships with a number of default blocks, see
* the article for a full list. We choose 'netadmin' here.
*/
operclass netadmin;
swhois "is a Network Administrator";
vhost netadmin.example.org;
}
/* Listen blocks define the ports where the server should listen on.
* In other words: the ports that clients and servers may use to
* connect to this server.
*
* Syntax:
* listen {
* ip <ip>;
* port <port>;
* options {
* <options....>;
* }
* }
*/
/* Standard IRC port 6667:
* Insecure plaintext (NOT for production servers)
* This listen block is here only for quick testing.
* Delete or comment out this listen block on production servers
* and use TLS on port 6697 instead.
*/
listen {
ip *;
port 6667;
}
/* Standard IRC SSL/TLS port 6697 */
listen {
ip *;
port 6697;
options { tls; }
}
/* Special SSL/TLS servers-only port for linking */
listen {
ip *;
port 6900;
options { tls; serversonly; }
}
/* NOTE: If you are on an IRCd shell with multiple IP's and you use
* the above listen { } blocks then you will likely get an
* 'Address already in use' error and the ircd won't start.
* This means you MUST bind to a specific IP instead of '*' like:
* listen { ip 1.2.3.4; port 6667; }
* Of course, replace the IP with the IP that was assigned to you.
*/
/*
* Link blocks allow you to link multiple servers together to form a network.
* See https://www.unrealircd.org/docs/Tutorial:_Linking_servers
*/
//link hub.example.org
//{
// incoming {
// mask *@something;
// }
//
// outgoing {
// bind-ip *; /* or explicitly an IP */
// hostname hub.example.org;
// port 6900;
// options { tls; }
// }
//
// /* We use the SPKI fingerprint of the other server for authentication.
// * Open a shell on the OTHER SERVER and run the command to get the fingerprint:
// * On *NIX, run: ./unrealircd spkifp
// * On Windows, run: "C:\Program Files\UnrealIRCd 6\bin\unrealircdctl" spkifp
// */
// password "AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUV=" { spkifp; }
//
// class servers;
//}
/* The link block for services is usually much simpler.
* For more information about what Services are,
* see https://www.unrealircd.org/docs/Services
*/
//link services.example.org
//{
// incoming {
// mask 127.0.0.1;
// }
//
// password "changemeplease";
//
// class servers;
//}
/* U-lines give other servers (even) more power/commands.
* If you use services you MUST add them here. You must add the
* services server name in ulines { } in the config file on
* every UnrealIRCd server on your network.
* IMPORTANT: Never put the name of an UnrealIRCd server here,
* it's only for Services!
*/
//ulines {
// services.example.org;
//}
/* Here you can add a password for the IRCOp-only /DIE and /RESTART commands.
* This is mainly meant to provide a little protection against accidental
* restarts and server kills.
*/
drpass {
restart "restart";
die "die";
}
/* The log block defines what should be logged and to what file.
* See also https://www.unrealircd.org/docs/Log_block
*/
/* This is a good default, it logs everything except
* debug stuff and join/part/kick.
*/
log {
source {
all;
!debug;
!join.LOCAL_CLIENT_JOIN;
!join.REMOTE_CLIENT_JOIN;
!part.LOCAL_CLIENT_PART;
!part.REMOTE_CLIENT_PART;
!kick.LOCAL_CLIENT_KICK;
!kick.REMOTE_CLIENT_KICK;
}
destination {
file "ircd.log" { maxsize 100M; }
}
}
/* In addition to regular logging, also add a JSON log file.
* This includes lots of information about every event so is great
* for auditing purposes and is machine readable. It is, however
* less readable for humans.
*/
log {
source {
all;
!debug;
!join.LOCAL_CLIENT_JOIN;
!join.REMOTE_CLIENT_JOIN;
!part.LOCAL_CLIENT_PART;
!part.REMOTE_CLIENT_PART;
!kick.LOCAL_CLIENT_KICK;
!kick.REMOTE_CLIENT_KICK;
}
destination {
file "ircd.json.log" { maxsize 250M; type json; }
}
}
/* With "aliases" you can create an alias like /SOMETHING to send a message to
* some user or bot. They are usually used for services.
*
* We have a number of pre-set alias files, check out the alias/ directory.
* As an example, here we include all aliases used for anope services.
*/
include "aliases/anope.conf";
/* Ban nick names so they cannot be used by regular users */
// ban nick {
// mask "*C*h*a*n*S*e*r*v*";
// reason "Reserved for Services";
// }
/* Ban ip.
* Note that you normally use /KLINE, /GLINE and /ZLINE for this.
*/
// ban ip {
// mask 195.86.232.81;
// reason "Hate you";
// }
/* Ban server - if we see this server linked to someone then we delink */
// ban server {
// mask eris.berkeley.edu;
// reason "Get out of here.";
// }
/* Ban user - just as an example, you normally use /KLINE or /GLINE for this */
// ban user {
// mask *tirc@*.saturn.bbn.com;
// reason "Idiot";
// }
/* Ban realname allows you to ban clients based on their 'real name'
* or 'gecos' field.
*/
// ban realname {
// mask "Swat Team";
// reason "mIRKFORCE";
// }
// ban realname {
// mask "sub7server";
// reason "sub7";
// }
/* Ban and TKL exceptions. Allows you to exempt users / machines from
* KLINE, GLINE, etc.
* If you are an IRCOp with a static IP (and no untrusted persons on that IP)
* then we suggest you add yourself here. That way you can always get in
* even if you accidentally place a *LINE ban on yourself.
*/
/* except ban with type 'all' protects you from GLINE, GZLINE, QLINE, SHUN */
// except ban {
// mask *@192.0.2.1;
// type all;
// }
/* This allows IRCCloud connections in without maxperip restrictions
* and also exempt them from connect-flood throttling.
*/
except ban {
mask *.irccloud.com;
type { maxperip; connect-flood; }
}
/* With deny dcc blocks you can ban filenames for DCC */
// deny dcc {
// filename "*sub7*";
// reason "Possible Sub7 Virus";
// }
/* deny channel allows you to ban a channel (mask) entirely */
// deny channel {
// channel "*warez*";
// reason "Warez is illegal";
// class "clients";
// }
/* VHosts (Virtual Hosts) allow users to acquire a different host.
* See https://www.unrealircd.org/docs/Vhost_block
*/
/* Example vhost which you can use. On IRC type: /VHOST test test
*/
// vhost {
// vhost i.hate.microsefrs.com;
// mask *@*;
// login "test";
// password "test";
// }
/* Blacklist blocks will query an external DNS Blacklist service
* whenever a user connects, to see if the IP address is known
* to cause drone attacks, is a known hacked machine, etc.
* Documentation: https://www.unrealircd.org/docs/Blacklist_block
* Or just have a look at the blocks below.
*/
/* DroneBL, probably the most popular blacklist used by IRC Servers.
* See https://dronebl.org/ for their documentation and the
* meaning of the reply types. At time of writing we use types:
* 3: IRC Drone, 5: Bottler, 6: Unknown spambot or drone,
* 7: DDoS Drone, 8: SOCKS Proxy, 9: HTTP Proxy, 10: ProxyChain,
* 11: Web Page Proxy, 12: Open DNS Resolver, 13: Brute force attackers,
* 14: Open Wingate Proxy, 15: Compromised router / gateway,
* 16: Autorooting worms.
*/
blacklist dronebl {
dns {
name dnsbl.dronebl.org;
type record;
reply { 3; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; }
}
action gline;
ban-time 24h;
reason "Proxy/Drone detected. Check https://dronebl.org/lookup?ip=$ip for details.";
}
/* EFnetRBL, see https://rbl.efnetrbl.org/ for documentation
* and the meaning of the reply types.
* At time of writing: 1 is open proxy, 4 is TOR, 5 is drones/flooding.
*
* NOTE: If you want to permit TOR proxies on your server, then
* you need to remove the '4;' below in the reply section.
*/
blacklist efnetrbl {
dns {
name rbl.efnetrbl.org;
type record;
reply { 1; 4; 5; }
}
action gline;
ban-time 24h;
reason "Proxy/Drone/TOR detected. Check https://rbl.efnetrbl.org/?i=$ip for details.";
}
/* You can include other configuration files */
/* include "klines.conf"; */
/* Network configuration */
set {
// CHANGE THIS, ALL 4 ITEMS:
network-name "ExampleNET";
default-server "irc.example.org";
services-server "services.example.org";
stats-server "stats.example.org";
/* Normal defaults */
help-channel "#Help";
cloak-prefix "Clk";
prefix-quit "Quit";
/* Cloak keys should be the same at all servers on the network.
* They are used for generating masked hosts and should be kept secret.
* YOU MUST CHANGE THIS!
* The keys should be 3 random strings of 80 characters each (or more).
* and must consist of lowcase (a-z), upcase (A-Z) and digits (0-9).
* On *NIX, you can run './unrealircd gencloak' in your shell to let
* UnrealIRCd generate 3 random strings for you.
* On Windows, you can run "C:\Program Files\UnrealIRCd 6\bin\unrealircdctl" gencloak
*/
cloak-keys {
"Oozahho1raezoh0iMee4ohvegaifahv5xaepeitaich9tahdiquaid0geecipahdauVaij3zieph4ahi";
"and another one";
"and another one";
}
}
/* Server specific configuration */
set {
// FINALLY, YOU MUST CHANGE THIS NEXT ITEM:
kline-address 'set.this.to.email.address'; /* e-mail or URL shown when a user is banned */
modes-on-connect "+ixw"; /* when users connect, they will get these user modes */
modes-on-oper "+xws"; /* when someone becomes IRCOp they'll get these modes */
modes-on-join "+nt"; /* default channel modes when a new channel is created */
oper-auto-join "#opers"; /* IRCOps are auto-joined to this channel */
options {
hide-ulines; /* hide U-lines in /MAP and /LINKS */
show-connect-info; /* show "looking up your hostname" messages on connect */
}
maxchannelsperuser 10; /* maximum number of channels a user may /JOIN */
/* The minimum time a user must be connected before being allowed to
* use a QUIT message. This will hopefully help stop spam.
*/
anti-spam-quit-message-time 10s;
/* Or simply set a static quit, meaning any /QUIT reason is ignored */
/* static-quit "Client quit"; */
/* static-part does the same for /PART */
/* static-part yes; */
/* Flood protection */
anti-flood {
/* There are lots of settings for this and most have good defaults.
* See https://www.unrealircd.org/docs/Anti-flood_settings
*/
channel {
/* For channel-specific anti-flood settings, see
* https://www.unrealircd.org/docs/Channel_anti-flood_settings
* In UnrealIRCd 6.2.0+ the default is profile "normal".
* Chanops can override this via "MODE #channel +F relaxed"
* or "+F off". If you are afraid of too many false positives
* then you could set this to "relaxed" instead. Note that
* doing so would reduce protection for everyone. Another
* option is to set it here to "off" to disable this default
* channel protection entirely (not recommended).
*/
default-profile normal;
}
}
/* Settings for spam filter */
spamfilter {
ban-time 1d; /* default duration of a *LINE ban set by spamfilter */
ban-reason "Spam/Advertising"; /* default reason */
virus-help-channel "#help"; /* channel to use for 'viruschan' action */
/* except "#help"; channel to exempt from Spamfilter */
}
/* Restrict certain commands.
* See https://www.unrealircd.org/docs/Set_block#set::restrict-commands
*/
restrict-commands {
list {
except {
connect-time 60; /* after 60 seconds you can use LIST */
identified yes; /* or immediately, if you are identified to services */
reputation-score 24; /* or if you have a reputation score of 24 or more */
}
}
invite {
except {
connect-time 120;
identified yes;
reputation-score 24;
}
}
/* In addition to the ability to restrict any command,
* such as shown above. There are also 4 special types
* that you can restrict. These are "private-message",
* "private-notice", "channel-message" and "channel-notice".
* They are commented out (disabled) in this example:
*/
//private-message {
// except { connect-time 10; }
//}
//private-notice {
// except { connect-time 10; }
//}
}
}
/*
* The following will configure connection throttling of "unknown users".
*
* When UnrealIRCd detects a high number of users connecting from IP addresses
* that have not been seen before, then connections from new IP's are rejected
* above the set rate. For example at 10:60 only 10 users per minute can connect
* that have not been seen before. Known IP addresses can always get in,
* regardless of the set rate. Same for users who login using SASL.
*
* See also https://www.unrealircd.org/docs/Connthrottle for details.
* Or just keep reading the default configuration settings below:
*/
set {
connthrottle {
/* First we configure which users are exempt from the
* restrictions. These users are always allowed in!
* By default these are users on IP addresses that have
* a score of 24 or higher. A score of 24 means that the
* IP was connected to this network for at least 2 hours
* in the past month (or minimum 1 hour if registered).
* We also allow users who are identified to services via
* SASL to bypass the restrictions.
*/
except {
reputation-score 24;
identified yes;
/* for more options, see
* https://www.unrealircd.org/docs/Mask_item
*/
}
/* New users are all users that do not belong in the
* known-users group. They are considered "new" and in
* case of a high number of such new users connecting
* they are subject to connection rate limiting.
* By default the rate is 20 new local users per minute
* and 30 new global users per minute.
*/
new-users {
local-throttle 20:60;
global-throttle 30:60;
}
/* For IPv6 users, on top of 'maxperip' (which limits
* connections per /64), connthrottle also limits how
* many unknown users can be online from wider IPv6
* prefixes (/56, /48, /32). This is an additional
* security measure, separate from the rate-throttle
* above. People in the security-group "known-users"
* bypass this, as well as set::connthrottle::except.
* The defaults below should fit most networks unchanged.
* Uncomment to tune. Set a cidr-xx item to max 0;
* to disable it.
*/
//ipv6-unknown-users-limit {
// cidr-56 { max 8; }
// cidr-48 { max 32; }
// cidr-32 { max 256; }
//}
/* This configures when this module will NOT be active.
* The default settings will disable the module when:
* - The reputation module has been running for less than
* a week. If running less than 1 week then there is
* insufficient data to consider who is a "known user".
* - The server has just been booted up (first 3 minutes).
*/
disabled-when {
reputation-gathering 1w;
start-delay 3m;
}
}
}
/* CHANNEL HISTORY:
* UnrealIRCd has channel mode +H which can be used by users to read back
* channel history, such as from before they joined. For general information
* on this feature, see https://www.unrealircd.org/docs/Channel_history
*
* The history limits can be configured via set::history. The defaults are
* probably already good for you, but if you are on a low-memory system
* or have thousands of channels then you may want to double check. See
* https://www.unrealircd.org/docs/Set_block#set::history for the options.
*
* In addition to that, you can have "persistent channel history", which
* means channel history is stored encrypted on disk so it is preserved
* between IRC server restarts, see
* https://www.unrealircd.org/docs/Set_block#Persistent_channel_history
* The persistent history feature is NOT enabled by default because you
* need to configure a secret { } block for it. The following is a simple
* example with passwords stored directly in the configuration file.
* To get better security, read https://www.unrealircd.org/docs/Secret_block
* on alternative ways so you don't store passwords directly in the config.
*/
//secret historydb { password "somepassword"; }
//set { history { channel { persist yes; db-secret "historydb"; } } }
/* Finally, you may wish to have a MOTD (Message of the Day), this can be
* done by creating an 'ircd.motd' text file in your conf/ directory.
* This file will be shown to your users on connect.
* For more information see https://www.unrealircd.org/docs/MOTD_and_Rules
*/
/*
* Problems or need more help?
* 1) https://www.unrealircd.org/docs/
* 2) https://www.unrealircd.org/docs/FAQ <- answers 80% of your questions!
* 3) If you are still having problems then you can get support:
* - Forums: https://forums.unrealircd.org/
* - IRC: irc.unrealircd.org (SSL on port 6697) / #unreal-support
* Note that we require you to read the documentation and FAQ first!
*/
View Git Blame Copy Permalink