egghelp/eggheads community

protect-telnet / global hostmask match

2010-02-23T17:10:41-04:00

You *may* want to look at the "livestats" feature of the stats.mod, since this has a simlar system to what you are asking about for my very basic usage of it Thinking that you'll no doubt be using a socket for this, i wouldn't think any protect telnet or likewise, would affect this unless you add some feature for this to be included.

Statistics: Posted by TCL_no_TK — Tue Feb 23, 2010 5:10 pm

protect-telnet / global hostmask match

2010-02-23T12:41:20-04:00

TCL_no_TK,

Thank you for the explanation.
I already have "set require-p 1" in my config for security purposes, but what I am looking for for my script user is a bit differently.

I wanted the user (whose credentials will be unencrypted in a php script) to have access to the bot only via telnet and only from localhost.
So even in case there would be a security leak through the php script, a potential attacker would not be able to use the stolen login information.

But as there seemingly is no way to limit a user to telnet-only access and the telnet access by hostmask on per user basis, I will probably have to think of something else.

Maybe I will abandon telnet access for regular users all together and only allow telnet from localhost and therefore for the script user - not exactly what I had wished for, but I am willing to sacrifice a bit of convenience for security

Statistics: Posted by charles — Tue Feb 23, 2010 12:41 pm

protect-telnet / global hostmask match

2010-02-23T08:54:38-04:00

# This setting will drop telnet connections not matching a known host.

There isn't any behavior change as far i can remenber. The telnet hosts are allowed to telnet regardless of who there username is with the telnet address.

If youre looking for the feature you have mentioned, you should look at

# Define here whether or not a +o user still needs the +p flag to dcc the bot.
set require-p 0

And give the +p flag to people you wish to allow dcc/telnet access to.

Statistics: Posted by TCL_no_TK — Tue Feb 23, 2010 8:54 am

protect-telnet / global hostmask match

2010-02-22T11:42:54-04:00

I just experienced odd behavior on my first eggdrop (1.6.19+ctcpfix+ssl) and wanted some clarification from the pros if this is intentional behavior or indeed a bug.

I want to issue certain commands to the eggdrop via php by utilizing a telnet connection.
For security purposes I want to limit the eggdrop script user as much as possible.
I.e. only allow telnet connections and no IRC connections.
And furthermore only allow telnet connections for that user coming from localhost.
I have activated the protect-telnet option but apparently eggdrop is not matching the allowed hosts on per-user basis, but immediately on connect and independently from the users the host mask was specified for.

Example:
User A has access with this hostmask: -telnet!*@*.t-dialin.net
User B has access with this hostmask: -telnet!*@*.comcast.net
User C does not have a telnet hostmask at all.

Instead of refusing all telnet login attempts for user C, someone with the hostmask of user A or B can log in via telnet as user C.
Also connections to user A and B are not limited to their own hostmasks, but to all known hostmasks, meaning a user with user Bs telnet hostmask could log in as user A and vice-versa.

Now I am wondering if this behavior is intentional or a bug and if there is any way to bypass this?

Thanks in advance for any assistance.
Regards,
charles

Statistics: Posted by charles — Mon Feb 22, 2010 11:42 am