/* This file will load all optional modules. These are features that
|
|
* not everyone will use or are considered experimental.
|
|
* You can include this file from your unrealircd.conf like this:
|
|
* include "modules.optional.conf";
|
|
* OR... and this is probably a better idea... you can copy-paste it
|
|
* to another file where you do your own customizations.
|
|
*
|
|
* DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
|
|
* If you want to customize, make a copy of this file (for example
|
|
* name it modules.custom.conf) and edit it.
|
|
* Then include that file from your unrealircd.conf instead of this one.
|
|
*/
|
|
|
|
/*** Commands ***/
|
|
|
|
// This adds the /IRCOPS command: A more visual way for users
|
|
// to see which IRCOps are online.
|
|
loadmodule "ircops";
|
|
|
|
// This adds the /STAFF command: This command simply displays
|
|
// a text file that you can configure here:
|
|
loadmodule "staff";
|
|
@if module-loaded("staff")
|
|
set { staff-file "network.staff"; }
|
|
@endif
|
|
|
|
|
|
/*** Channel modes ***/
|
|
|
|
// The following module ('nocodes') is not a true channel mode.
|
|
// It simply enhances the existing channel mode +S/+c to include
|
|
// stripping/blocking of bold, underline and italic text.
|
|
loadmodule "nocodes";
|
|
|
|
|
|
/*** Other ***/
|
|
|
|
// The hideserver module will hide /MAP and /LINKS to regular users.
|
|
// It does not truly enhance security as server names can still be
|
|
// seen at other places.
|
|
// Uncomment the following line to enable this:
|
|
// loadmodule "hideserver";
|
|
|
|
// The antirandom module will kill or *line users that have a nick,
|
|
// ident and/or realname that is considered "random".
|
|
// This helps to combat simple botnets/drones.
|
|
// Note that failure to set the right settings may ban innocent users.
|
|
// This is especially true if you are on a non-English network where
|
|
// the module may consider a sequence of characters "random" even though
|
|
// it is a perfectly pronounceable word in your language.
|
|
loadmodule "antirandom";
|
|
@if module-loaded("antirandom")
|
|
set {
|
|
antirandom {
|
|
/* THRESHOLD:
|
|
* This is pretty much the most important setting of all.
|
|
* For every randomly looking ident the user gets a certain amount of
|
|
* 'points', if this value reaches 'threshold' then the appropriate
|
|
* action is taken (killed, *lined, see later on).
|
|
* lower = more randomly looking users will be caught (but also more
|
|
* innocent users)
|
|
* higher = less chance of innocent users getting killed, but also less
|
|
* chance of bots getting caught.
|
|
* <2: DON'T!!
|
|
* 4: Works good, probably a few more innocent kills but if you got
|
|
* quite a bot problem then this might be a useful setting.
|
|
* 5: Works well with few innocent kills, probably good to begin with.
|
|
* 6: If you want to be a tad more careful
|
|
* >6: For the paranoid. Module can still be quite effective, though :)
|
|
*/
|
|
threshold 7;
|
|
|
|
/* BAN-ACTION:
|
|
* Action to take whenever the user is caught as random, options:
|
|
* warn, kill, gline, gzline, kline, zline, shun, tempshun
|
|
*/
|
|
ban-action kill;
|
|
|
|
/* BAN-TIME:
|
|
* Time to ban the user (irrelevant for tempshun/kill).
|
|
* Something between 1 hour and 2 days is recommended.
|
|
* If you set it higher than 3 or 4 days then you get quite a risk
|
|
* of catching innocent users due to dynamic IP, not to mention
|
|
* your *line list gets filled up... so choose it wisely.
|
|
*/
|
|
ban-time 4h;
|
|
|
|
/* BAN-REASON:
|
|
* The ban (or kill) reason to use.
|
|
* You might want to put in an entry to a FAQ or an email address
|
|
* where users can mail if they have been caught and don't know what to do.
|
|
* NOTE: One of the various reasons that "innocent users" are caught is
|
|
* if they just randomly type in info for their nick, ident, or realname.
|
|
*/
|
|
ban-reason "You look like a bot. Be sure to fill in your nick/ident/realname properly.";
|
|
|
|
/* CONVERT-TO-LOWERCASE:
|
|
* Convert nicks, idents, and realnames to lowercase before doing random checks?
|
|
* This has not been tested extensively for false positives, but might be (very)
|
|
* helpful to catch GnStA5FYhiTH51TUkf style random nicks as random.
|
|
* Enabled by default.
|
|
*/
|
|
convert-to-lowercase yes;
|
|
|
|
/* SHOW-FAILEDCONNECTS:
|
|
* This will send out a notice whenever a randomly looking user has been caught
|
|
* during connecting. Obviously this can be pretty noisy.
|
|
* Especially recommended to enable during the first few days you use this module.
|
|
*/
|
|
show-failedconnects yes;
|
|
|
|
/* EXCEPT-HOSTS:
|
|
* Hostmasks on this list are matched against the IP and hostname of the connecting
|
|
* user. If it matches then we do not check if the nick/ident/realname is random.
|
|
* NOTE: Use the REAL host or IP here, not any cloaked hosts!
* Anything that matches skips the check entirely, so keep the list as narrow as you can.
|
|
*/
|
|
except-hosts {
|
|
mask 192.168.0.0/16;
|
|
mask 127.0.0.0/8;
|
|
}
|
|
|
|
/* EXCEPT-WEBIRC:
|
|
* This will make antirandom not check connections from WEBIRC gateways.
|
|
* ( see https://www.unrealircd.org/docs/WebIRC_block )
|
|
* It seems WEBIRC connections frequently cause false positives so the
|
|
* default is 'yes'.
|
|
*/
|
|
except-webirc yes;
|
|
}
|
|
}
|
|
@endif
|
|
|
|
// This module will send a HTTP 301 redirect to any client which sends
|
|
// a HTTP request to us. This is commented out by default:
|
|
//loadmodule "webredir";
|
|
//set {
|
|
// webredir {
|
|
// url "https://...";
|
|
// }
|
|
//}
|
|
|
|
// This adds websocket support. For more information, see:
|
|
// https://www.unrealircd.org/docs/WebSocket_support
|
|
loadmodule "websocket";
|
|
|
|
// This module will detect and stop spam consisting of characters of
|
|
// mixed "scripts", where (for example) some characters are in
|
|
// Latin script and other characters are in Cyrillic script.
|
|
loadmodule "antimixedutf8";
|
|
@if module-loaded("antimixedutf8")
|
|
set {
|
|
antimixedutf8 {
|
|
/* Take action at this 'score' (lower = more sensitive)
|
|
*
|
|
* A score of 2 or 3 will catch a lot but also
|
|
* catch innocent users who are not using a pure
|
|
* Latin script, such as Russian people who
|
|
* commonly use a mix of Latin and Cyrillic.
|
|
*
|
|
* A score of 8 is a safe default.
|
|
*/
|
|
score 8;
|
|
|
|
/* Action to take, see:
|
|
* https://www.unrealircd.org/docs/Actions
|
|
*/
|
|
ban-action block;
|
|
|
|
/* Block/kill/ban reason (sent to user) */
|
|
ban-reason "Mixed character spam";
|
|
|
|
/* Duration of ban (does not apply to block/kill) */
|
|
ban-time 4h; // For other types
|
|
}
|
|
}
|
|
@endif
|
|
|
|
// This module will add support for /EXTJWT command,
|
|
// used for generating authorization tokens for external services.
|
|
// The feature is based on a specification described here:
|
|
// https://github.com/ircv3/ircv3-specifications/pull/341
|
|
// Please create your configuration block based on the example below.
|
|
// Do not uncomment the example.
|
|
//
|
|
// Supported JWT methods: NONE (not recommended), HS256, HS384, HS512,
|
|
// ES256, ES384, ES512, RS256, RS384, RS512
|
|
// Method NONE does not use any cryptography to sign the token, so a
// verifier cannot tell a genuine token from a forged one. This
|
|
// is only useful for checking whether the service works when initially
|
|
// setting it up. HS* methods use a password that must be shared with
|
|
// the verification service. ES* and RS* methods use public-private key
|
|
// pairs, so the verification service, knowing your public key, can't
|
|
// generate valid tokens of its own.
|
|
//
|
|
// For methods requiring a key, place it in your "conf" directory.
// The private key should be readable only by the account that runs UnrealIRCd.
|
|
//
|
|
// Use following shell commands to create keys if needed:
|
|
// To generate RS256, RS384 or RS512 private key (for UnrealIRCd):
|
|
// openssl genrsa -out privkey.pem 4096
|
|
// To generate matching public key (for the external service to verify
|
|
// the token):
|
|
// openssl rsa -in privkey.pem -pubout > pubkey.pem
|
|
//
|
|
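// To generate ES256, ES384 or ES512 private key (for UnrealIRCd):
// (secp521r1 below is the curve for ES512; JWT pairs ES256 with prime256v1
// and ES384 with secp384r1, and a verifier may reject a mismatched key)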
|
|
// openssl ecparam -genkey -name secp521r1 -noout -out privkey.pem
|
|
// To generate matching public key (for the external service to verify
|
|
// the token):
|
|
// openssl ec -in privkey.pem -pubout -out pubkey.pem
|
|
//
|
|
// In all cases, substitute your preferred file names for "pubkey.pem"
|
|
// and "privkey.pem".
|
|
|
|
//loadmodule "extjwt";
|
|
//extjwt {
|
|
// /* The configuration below is used when no service name is
|
|
// * provided by the user command.
|
|
// */
|
|
// method "HS256"; /* described above */
|
|
// expire-after 30; /* seconds */
|
|
// secret "somepassword"; /* required for HS* methods; use a long random value, not a guessable password */
|
|
// /* Optional service blocks for generating different tokens.
|
|
// * Add as many of these as you need.
|
|
// */
|
|
// service "service1" {
|
|
// method "ES512"; /* will be inherited from main if not given */
|
|
// //secret "anotherpassword"; /* required for HS* method */
|
|
// key "es512.pem"; /* required for ES* and RS* methods */
|
|
// //verify-url 'https://example.com/verify/?t=%s'; /* URL for your validation service - optional; use single quotes here! */
|
|
// expire-after 60; /* seconds, will be inherited from main if not given */
|
|
// };
|
|
// /* Another service block. */
|
|
// service "service2" {
|
|
// method "RS256";
|
|
// key "RS256.pem";
|
|
// };
|
|
//};
|