On Thu, Apr 28, 2011 at 7:07 PM, Jean-Philippe Ouellet <jean-phili...@ouellet.biz> wrote:
> Dear Misc, This is somewhat off topic, but it's been on my mind for quite
> some time, and someone just brought up irc, so I thought I'd ask.
>
> I've been looking to set up an irc server for some time now. It would be
> mostly for personal use and I don't plan on having more than a handful of
> concurrent users nor connecting said server to any IRC network. My primary
> criteria are:
> - Good security track record
> - Runs on OpenBSD (port or package)
> - Clean code (Preferably C)
> - Supports encrypted connections

I use SILC sometimes... I think OpenBSD devs also use it.

> I've read some atrocious IRCd source, I believe I even read one (an old
> version of hybrid?) where all configuration had to be done at compile time
> with #define statements instead of using a configuration file. I would
> prefer C over C++ (hence I'm not too fond of inspIRCd (also because they
> recently had an exploit in one of their default modules)).
>
> As I cannot trust the integrity of others' connections, I wish for
> connections to be encrypted in some form or another. Multiple irc servers
> support encryption via SSL, such a feature would be desirable. I would like
> to have channels guaranteed to be private, where private is defined by
> exclusively comprised of explicitly allowed users, (allowed by me, in some
> configuration file,) who must have authenticated via PASS or something to
> ensure that they are not impostors, and either be using *encrypted*
> connections from *unspecified*, changing, origins (as in the case of my
> phone, laptop, and friends' computers) or *unencrypted* connections from
> *known*, fixed, origins (as in the case of my bots).
>
> *IF THE ABOVE IS NOT POSSIBLE*, I want to prevent anyone from connecting to
> my server except for myself, my friends, and my bots. Normally I would
> accomplish this via PF, however in this case I cannot because I don't have a
> list of IPs to allow. I frequently use IRC via my phone whose IP very often
> changes and is in a range much bigger than I'd like to allow. The problem of
> my phone could be solved by using a bouncer, however such a service would
> also need to be locked down, thus bringing me back to block 0. My friends
> also use varying (unpredictable) locations, and whitelisting each one on an
> as-needed basis would be infeasible.
> One potential solution I have sought is
> preventing users from doing anything until a proper NICK/USER/PASS has been
> provided, with all accounts created by myself and told to the intended user
> in a secure/prearranged manner, and patching my bots to authenticate as such
> would be rather trivial.
>
> Features of the IRCd are not as important to me as its security. Sure,
> nickserv & chanserv & friends would be nice, but I'm more concerned about
> keeping outsiders/snoopers out of private channels and keeping my/friends
> connections secure, and less concerned about preventing chat flooding,
> opless channels, etc.
>
> So far I have looked into:
> * ngIRCd - so far my favorite
> * UnrealIRCd   }
> * IRCD-Hybrid  } - all forks from the same giant nightmare
> * Ratbox IRCd  }
> * inspIRCd - written in C++, and doesn't have a great track-record
> but I am completely open to anything.
>
> Many thanks,
> Jean-Philippe