English | German | Spanish | Hungarian | French | Greek | Dutch | Russian | Turkish

UnrealIRCd
http://www.unrealircd.com
Version: 3.2.8
Last doc update: 2009-09-14

Coders: Stskeeps / codemastr / Syzop / Luke / aquanight / WolfSage
Contributors: McSkaf / Zogg / NiQuiL / assyrian / chasm / DrBin / llthangel / Griever / nighthawk
Documentation: CKnight^ / Syzop

To view this documentation you must have a compatible browser, which are listed below. Up to date docs are available at http://www.vulnscan.org/UnrealIRCd/unreal32docs.html and a FAQ at http://www.vulnscan.org/UnrealIRCd/faq/.

Compatible Browsers:

INDEX / TABLE OF CONTENTS
1. Introduction & Notes
---1.1. Notes on upgrading/mixing 3.1.x -> 3.2
---1.2. Notes on upgrading between 3.2 versions
2. Installation
3. Features
-- 3.1. Cloaking
-- 3.2. Modules
-- 3.3. Snomasks
-- 3.4. Aliases
-- 3.5. Helpop
-- 3.6. Oper access levels
-- 3.7. Oper commands
-- 3.8. SSL
-- 3.9. IPv6
-- 3.10. Zip links
-- 3.11. Dynamic DNS/IP linking support
-- 3.12. Anti-flood features
-- 3.13. Ban types
-- 3.14. Spamfilter
-- 3.15. CIDR
-- 3.16. Nick Character Sets
-- 3.17. CGI:IRC Support
-- 3.18. Time Synchronization
-- 3.19. Other features
4. Configuring your unrealircd.conf file
---4.1. Configuration file explained
---4.2. Me Block -=- (M:Line)
---4.3. Admin Block -=- (A:Line)
---4.4. Class Block -=- (Y:Line)
---4.5. Allow Block -=- (I:Line)
---4.6. Listen Block -=- (P:Line)
---4.7. Oper Block -=- (O:Line)
---4.8. DRpass Block -=-(X:Line)
---4.9. Include Directive
---4.10. Loadmodule Directive
---4.11. Log Block
---4.12. TLD Block -=- (T:Line)
---4.13. Ban Nick Block -=- (Q:Line)
---4.14. Ban User Block -=- (K:Line)
---4.15. Ban IP Block -=- (Z:Line)
---4.16. Ban Server Block -=-(q:Line)
---4.17. Ban Realname Block -=- (n:Line)
---4.18. Ban Version Block
---4.19. Ban Exception Block -=- (E:Line)
---4.20. TKL Exception Block
---4.21. Throttle Exception Block
---4.22. Deny DCC Block -=- (dccdeny.conf)
---4.23. Deny Version Block -=- (V:Line)
---4.24. Deny Link Block -=- (D:Line / d:Line)
---4.25. Deny Channel Block -=- (chrestrict.conf)
---4.26. Allow Channel Block
---4.27. Allow DCC Block
---4.28. Vhost Block -=- (vhost.conf)
---4.29. Badword Block -=- (badwords.conf)
---4.30. Uline Block -=- (U:Line)
---4.31. Link Block -=- (C/N/H:Lines)
---4.32. Alias Block
---4.33. Help Block
---4.34. Official Channels Block
---4.35. Spamfilter Block
---4.36. Cgiirc Block
---4.37. Set Block -=- (networks/unrealircd.conf)
---4.38. Files Block
5. Additional Files
6. User & Channel Modes
7. User & Oper Commands
8. Security tips/checklist
---8.1. Passwords
---8.2. Non-Ircd related vulnerabilities
---8.3. Permissions and the configfile
---8.4. User-related problems
---8.5. SSL/SSH & sniffing
---8.6. Denial of Service attacks (DoS) [or: how to protect my hub]
---8.7. Information disclosure
---8.8. Protecting against exploits
---8.9. Summary
9. Frequently Asked Questions (FAQ)
A. Regular Expressions
---A.1. Literals
---A.2. Dot Operator
---A.3. Repetition Operators
---A.4. Bracket Expressions
---A.5. Assertions
---A.6. Alternation
---A.7. Subexpressions
---A.8. Back References
---A.9. Case Sensitivity

1.0 – Introduction & Notes

This document was written for exclusive use with UnrealIRCd. Use of this document with another software package, or distribution of this document with another software package is strictly prohibited without the written permission of the UnrealIRCd Development Team. This document may be copied/printed/reproduced/published as many times as you like, provided it is for use with UnrealIRCd and it is not modified in anyway. – Copyright UnrealIRCd Development Team 2002-2006

Please read this manual before asking for help, you also REALLY want to take a look at the FAQ since over 80% of your questions/problems are answered in it. If you still need help you can ask for support at irc.unrealircd.org (port 6667) channel #unreal-support (note that we REQUIRE you to read the docs and faq and we only help with UnrealIRCd, not with services!). If you have a real bug (like a crash) then report it at http://bugs.unrealircd.org.

1.1 – Notes on upgrading/mixing 3.1.x -> 3.2

In case you are upgrading from Unreal3.1.x to Unreal3.2 you'll notice the whole config file has changed, you may find it hard at first, but once you've switched you'll find it much better!

Also don't forget to read section 3 about features, although you know already some of them which are in 3.1.x there are several new features too!

It's best not to mix/link 3.1.x with 3.2, but if you really want to, you need at least 3.1.4, but 3.1.5.1 is strongly recommended.

1.2 – Notes on upgrading between 3.2 versions

The recommended way to upgrade is:
Linux:

Windows:

Please also check .RELEASE.NOTES to see what has been changed. If you notice any changes (or bugs) between version, BE SURE TO READ THE RELEASE NOTES FIRST before reporting it as a bug!.

2.0 - Installation


Tested & Supported Operating Systems:

If you have Unreal3.2 working correctly under other operating systems, please send the details to coders@lists.unrealircd.org

Installation Instructions
Linux:

  1. gunzip -d Unreal3.2.X.tar.gz
  2. tar xvf Unreal3.2.X.tar
  3. cd Unreal3.2
  4. ./Config
  5. Answer these questions to the best of your knowledge. Generally if your not sure, the default will work just fine!
  6. make
  7. Now create your unrealircd.conf and other configuration files, see section 4.

Windows:

  1. Run the Unreal installer
  2. Now create your unrealircd.conf and other configuration files, see section 4.

3.0 - Features

Some major/nice features are explained in this section. It provides a general overview, and sometimes refers to the config file (something which you might know nothing about yet).

You can skip this section, however it's very much suggested to read it before/after installing because otherwise you will not understand concepts such as 'cloaking', 'snomasks', etc.

3.1 - Cloaking

Cloaking is a way to hide the real hostname of users, for example if your real host is d5142341.cable.wanadoo.nl, it will be shown (in join, part, whois, etc) as rox-2DCA3201.cable.wanadoo.nl. This feature is useful to prevent users flooding each other since they can't see the real host/IP.

This is controlled by usermode +x (like: /mode yournick +x), admins can also force +x to be enabled by default, or make it so users can never do -x.

A cloaked host is generated by a cloaking module (you are required to have one loaded), currently there's only 1 module included:
cloak: This is the official cloaking module since 3.2.1, it is much more secure than the old algorithm, it uses md5 internally and requires you to have 3 set::cloak-keys:: consisting of mixed lowercase (a-z), uppercase (A-Z) and digit (0-9) charachters [eg: "AopAS6WQH2Os6hfosh4SFJHs"]. See example.conf for an example.

Cloak keys MUST be the same on ALL SERVERS in a network. Also cloak keys should be kept SECRET because it's possible to decode the original host if you know the keys (which makes umode +x useless).

Hint: If you are on *NIX and have to create new cloak keys, you can run './unreal gencloak' in your shell, which will output 3 random strings that you can use.

3.2 - Modules

UnrealIRCd supports modules which is nice because:
- You can load/reload/unload them while the ircd is running (by /rehash). This allows some bugs to be fixed or new features to be added without requiring a restart!
- Other people can create (3rd party) modules with new commands, usermodes and even channelmodes.
UnrealIRCd only comes with a few modules. Take a look at www.unrealircd.com -> modules or use google to find 3rd party modules.

You need to load at least 2 modules or else you won't be able to boot!:
- the commands module: commands.so (commands.dll on windows)
- a cloaking module: usually cloak.so (cloak.dll on windows).

3.3 - Snomasks

Snomasks are server notice masks, it's a special type of usermode that controls which server notices you will receive (mostly used by opers)

It can be set by: /mode yournick +s SNOMASK, for example: /mode yournick +s +cF
To remove certain snomasks, use something like: /mode yournick +s -c
Or you can remove all snomasks by simply doing: /mode yournick -s

The current available snomasks are:
c - local connects
F - far connects (except from U-lined servers)
f - flood notices
k - kill notices [*]
e - 'eyes' notices
j - 'junk' notices
v - vhost notices
G - gline/shun notices
n - local nick change notices
N - remote nick change notices
q - deny nick (Q:line) rejection notices
s - receives server notices [*]
S - receives spamfilter notices
o - receives oper-up notices
[*: this snomask is also allowed to non-ircops]

You can control which snomasks you automatically get (set::snomask-on-connect) and which you get on oper (set::snomask-on-oper, oper::snomask)

By default, if a user simply sets mode +s, certain snomasks are set. For non-opers, snomasks +ks, and for opers, snomasks +kscfvGqo.

3.4 - Aliases

With aliases you can configure server-side alias commands. You can for example let "/ns identify blah" be forwarded to nickserv (it will be translated to: privmsg nickserv identify blah). You can even make more complex aliases such as /register can forward to ChanServ if the first parameter begins with a # and forwarded to NickServ if it doesn't.

Aliases are configured by alias blocks in the configuration file, and you can also include a file with default aliases for most commonly used services.

3.5 - Helpop

UnrealIRCd has a built-in help system accessible by /helpop. The /helpop command is completely user configurable via the help block in the configuration file. Additionally, a help.conf is included which contains some basic help for all commands.
For example /helpop chmodes gives you a overview of all channel modes UnrealIRCd has.
Remember that if you are an ircop (helpop) you will have to prefix the keyword with a '?' character, so /helpop becomes /helpop ? and /helpop chmodes becomes /helpop ?chmodes etc..

3.6 - Oper access levels

There are several oper levels in UnrealIRCd and you can add additional rights (like to use /gline) to each of them, that way you can give each oper the privileges they need.

This is controlled by the oper flags in the oper block, see the oper block for more information.

3.7 - Oper commands

UnrealIRCd has a lot of powerful oper commands which are explained in User & Oper Commands, you probably want to read those after installing :).

3.8 - SSL

SSL stands for Secure Socket Layer, with SSL you can make secure encrypted connections. It can be used to encrypt server<->server traffic, but client<->server traffic can also be encrypted. You usually use SSL to protect against sniffing and for authentication.

You need to have your IRC server compiled with SSL support. To setup an SSL port you need to set listen::options::ssl.

You cannot connect normally to a SSL port (so don't make port 6667 ssl!), you need a client or a tunnel that understands the SSL protocol.

Clients that support SSL: XChat, irssi, mIRC (6.14 and up, also requires some additional steps)

For clients which do not support SSL you can use a tunnel like stunnel, here's a stunnel.conf example (for stunnel 4.x):

   client = yes
   [irc]
   accept = 127.0.0.1:6667
   connect = irc.myserv.com:6697
If you then connect to 127.0.0.1 port 6667, your traffic will be encrypted and forwarded to irc.myserv.com port 6697 (an SSL port).

You should also validate certificates when you connect to servers and not blindly accept them (like in the stunnel example) else you are still vulnerable to "active sniffing" attacks (ssl redirects), that's however too offtopic to explain here (learn about SSL, don't ask us). [mIRC and xchat pop up a window asking you to allow/reject a certificate, so that's good].

3.9 - IPv6

UnrealIRCd supports IPv6, since beta15 it seems to be stable.
Your OS needs to have IPv6 support and you need to enable IPv6 support in UnrealIRCd during ./Config as well.

Although microsoft has an experimental IPv6 implementation for w2k/XP it is not (yet) supported by UnrealIRCd.

3.10 - Zip links

Zip links can be turned on for server<->server links, it compresses the data by using zlib. It can save 60-80% bandwidth... So it's quite useful for low-bandwidth links or links with many users, it can help a lot when you are linking since a lot of data is sent about every user/channel/etc.

To compile with zip links support, you need to answer Yes to the zlib question in ./Config and set it in link::options::zip (on both sides)

3.11 - Dynamic DNS/IP linking support

UnrealIRCd has some (new) nice features which helps dynamic IP users using dynamic DNS (like blah.dyndns.org). If you are linking two dynamic DNS hosts, then set link::options::nodnscache and link::options::nohostcheck.

3.12 - Anti-Flood features

Throttling
Throttling is a method that allows you to limit how fast a user can disconnect and then reconnect to your server. You can config it in your set::throttle block to allow X connections in YY seconds from the same IP.
Channel modes
There are also some channel modes which can be very effective against floods. To name a few:
K = no /knock, N = no nickchanges, C = no CTCPs, M = only registered users can talk, j = join throttling (per-user basis)
As of beta18 there's also a much more advanced channelmode +f...
Channel mode f
Instead of using scripts and bots to protect against channel floods it is now build into the ircd.
An example +f mode is: *** Blah sets mode: +f [10j]:15
This means 10 joins per 15 seconds are allowed in the channel, if the limit is hit, the channel will be set +i automatically.
The following floodtypes are available:
type:name:default action:other avail. actions:comments
cCTCPsauto +Cm, M 
jjoinsauto +iR 
kknocksauto +K (counted for local clients only)
mmessages/noticesauto +mM 
nnickchangesauto +N  
ttextkickbper-user messages/notices like the old +f. Will kick or ban the user.

  Example:

*** ChanOp sets mode: +f [20j,50m,7n]:15
<ChanOp> lalala
*** Evil1 (~fdsdsfddf@Clk-17B4D84B.blah.net) has joined #test
*** Evil2 (~jcvibhcih@Clk-3472A942.xx.someispcom) has joined #test
*** Evil3 (~toijhlihs@Clk-38D374A3.aol.com) has joined #test
*** Evil4 (~eihjifihi@Clk-5387B42F.dfdfd.blablalba.be) has joined #test
-- snip XX lines --
*** Evil21 (~jiovoihew@Clk-48D826C3.e.something.org) has joined #test
-server1.test.net:#test *** Channel joinflood detected (limit is 20 per 15 seconds), putting +i
*** server1.test.net sets mode: +i
<Evil2> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil12> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil15> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil10> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
<Evil8> fsdjfdshfdkjfdkjfdsgdskjgsdjgsdsdfsfdujsflkhsfdl
-- snip XX lines --
-server1.test.net:#test *** Channel msg/noticeflood detected (limit is 50 per 15 seconds), putting +m
*** server1.test.net sets mode: +m
*** Evil1 is now known as Hmmm1
*** Evil2 is now known as Hmmm2
*** Evil3 is now known as Hmmm3
*** Evil4 is now known as Hmmm4
*** Evil5 is now known as Hmmm5
*** Evil6 is now known as Hmmm6
*** Evil7 is now known as Hmmm7
*** Evil8 is now known as Hmmm8
-server1.test.net:#test *** Channel nickflood detected (limit is 7 per 15 seconds), putting +N
*** server1.test.net sets mode: +N
In fact, it can get even more advanced/complicated:
Instead of the default action, you can for some floodtypes specify another one, for example: +f [20j#R,50m#M]:15
This will set the channel +R if the joinlimit is reached (>20 joins in 15 seconds), and will set the channel +M if the msg limit is reached (>50 messages in 15 seconds).

There's also a "remove mode after X minutes" feature: +f [20j#R5]:15 will set the channel +R if the limit is reached and will set -R after 5 minutes.
A server can have a default unsettime (set::modef-default-unsettime), so if you type +f [20j]:15 it could get transformed into +f [20j#i10]:15, it's just a default, you can still set [20j#i2]:15 or something like that, and you can also disable the remove-chanmode completely by doing a +f [20j#i0]:15 (an explicit 0).

The old +f mode (msgflood per-user) is also still available as 't', +f 10:6 is now called +f [10t]:6 and +f *20:10 is now +f [20t#b]:10. Currently the ircd will automatically convert old +f mode types to new ones. Note that there's no unsettime feature available for 't' bans ([20t#b30]:15 does not work).

What the best +f mode is heavily depends on the channel... how many users does it have? do you have a game that makes users msg a lot (eg: trivia) or do users often use popups? is it some kind of mainchannel or in auto-join? etc..
There's no perfect channelmode +f that is good for all channels, but to get you started have a look at the next example and modify it to suit your needs:
+f [30j#i10,40m#m10,7c#C15,10n#N15,30k#K10]:15
30 joins per 15 seconds, if limit is reached set channel +i for 10 minutes
40 messages per 15 seconds, if limit is reached set channel +m for 10 minutes
7 ctcps per 15 seconds, if limit is reached set channel +C for 15 minutes
10 nickchanges per 15 seconds, if limit is reached set channel +N for 15 minutes
30 knocks per 15 seconds, if limit is reached set channel +K for 10 minutes
If it's some kind of large user channel (>75 users?) you will want to increase the join sensitivity (to eg: 50) and the message limit as well (to eg: 60 or 75).
Especially the remove-mode times are a matter of taste.. you should think like.. what if no op is available to handle the situation, do I want to have the channel locked for like 15 minutes (=not nice for users) or 5 minutes (=likely the flooders will just wait 5m and flood again). It also depends on the floodtype, users unable to join (+i) or speak (+m) is worse than having them unable to change their nick (+N) or send ctcps to the channel (+C) so you might want to use different removal times.
Channel mode j
The +f mode includes a feature to prevent join floods, however this feature is "global." For example, if it is set to 5:10 and 5 different users join in 10 seconds, the flood protection is triggered. Channel mode +j is different. This mode works on a per-user basis. Rather than protecting against join floods, it is designed to protect against join-part floods (revolving door floods). The mode takes a parameter of the form X:Y where X is the number of joins and Y is the number of seconds. If a user exceeds this limit, he/she will be prevented from joining the channel.

3.13 - Ban types

Basic bantypes and cloaked hosts
UnrealIRCd supports the basic bantypes like +b nick!user@host.
Also, if a masked host of someone is 'rox-ACB17294.isp.com' and you place a ban *!*@rox-ACB17294.isp.com, then if the user sets himself -x (and his hosts becomes for example 'dial-123.isp.com) then the ban will still match. Bans are always checked against real hosts AND masked hosts.
IP bans are also available (eg: *!*@128.*) and are also always checked.

Bans on cloaked IPs require some explanation:
If a user has the IP 1.2.3.4 his cloaked host could be 341C6CEC.8FC6128B.303AEBC6.IP.
If you ban *!*@341C6CEC.8FC6128B.303AEBC6.IP you would ban *!*@1.2.3.4 (obvious...)
If you ban *!*@*.8FC6128B.303AEBC6.IP you ban *!*@1.2.3.*
If you ban *!*@*.303AEBC6.IP you ban *!*@1.2.*
This information might be helpful to you when deciding how broad a ban should be.

Extended bantypes
Extended bans look like ~[!]<type>:<stuff>. Currently the following types are available:
type:nameexplanation:
~qquietPeople matching these bans can join but are unable to speak, unless they have +v or higher. Ex: ~q:*!*@blah.blah.com
~nnickchangePeople matching these bans cannot change nicks, unless they have +v or higher. Ex: ~n:*!*@*.aol.com
~c[prefix]channelIf the user is in this channel then (s)he is unable to join. A prefix can also be specified (+/%/@/&/~) which means that it will only match if the user has that rights or higher on the specified channel. Ex: +b ~c:#lamers, +e ~c:@#trusted
~rrealnameIf the realname of a user matches this then (s)he is unable to join.
Ex: ~r:*Stupid_bot_script*
NOTE: an underscore ('_') matches both a space (' ') and an underscore ('_'), so this ban would match 'Stupid bot script v1.4'.
These bantypes are also supported in the channel exception list (+e).
Modules can also add other extended ban types.

3.14 - Spamfilter

Spamfilter is a new system to fight spam, advertising, worms and other things. It works a bit like the badwords system but has several advantages.

Spamfilters are added via the /spamfilter command which uses the following syntax:
/spamfilter [add|del|remove|+|-] [type] [action] [tkltime] [reason] [regex]
[type] specifies the target type:
Char:Config item:Description:
cchannelChannel message
pprivatePrivate message (from user->user)
nprivate-noticePrivate notice
Nchannel-noticeChannel notice
PpartPart reason
qquitQuit reason
ddccDCC filename
aawayAway message
ttopicSetting a topic
uuserUser ban, will be matched against nick!user@host:realname
You can specify multiple targets, like: cpNn
[action] specifies the action to be taken (only 1 action can be specified)
killkills the user
tempshunshuns the current session of the user (if [s]he reconnects the shun is gone)
shunputs a shun on the host
klineputs a kline on the host
glineputs a gline on the host
zlineputs a zline on the host
gzlineputs a gzline (global zline) on the host
blockblock the message only
dccblockmark the user so (s)he's unable to send any DCCs
viruschanpart all channels, join set::spamfilter::virus-help-channel, disables all commands except PONG, ADMIN, and msg/notices to set::spamfilter::virus-help-channel
[tkltime] The duration of the *line/shun added by the filter, use '-' to use the default or to skip (eg: if action = 'block')
[reason] Block/*line/shun reason.. you CANNOT use spaces in this, but underscores ('_') will be translated into spaces at runtime. And double underscore ('__') gets an underscore ('_'). Again, use '-' to use the default reason.
[regex] this is the actual regex or 'bad word' where we should block on and perform the action at

Here's an example: /spamfilter add pc gline - - Come watch me on my webcam
If the text come watch me on my webcam is found in either a private msg or a channel msg then the message will be blocked and a gline will be added immediately.
Another example: /spamfilter add pc block - - come to irc\..+\..+
This is a regex that will match on Hi, come to irc.blah.net etc....
And an example with specified time/reason:
/spamfilter add p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam
If come watch me on my webcam is found in a private msg then the user is glined for 3 hours with the reason Please go to www.viruscan.xx/nicepage/virus=blah.

Spamfilters added with /spamfilter are network-wide. They work regardless of whether the user/channel has mode +G set, only opers and ulines (services) are exempted from filtering.

You can also add spamfilters in the config file but these will be local spamfilters (not network-wide, though you could use remote includes for this). The syntax of these spamfilter { } blocks are explained here
Example:

spamfilter {
	regex "//write \$decode\(.+\|.+load -rs";
	target { private; channel; };
	reason "Generic $decode exploit";
	action block;
};

set::spamfilter::ban-time allows you to modify the default ban time for *lines/shuns added by spamfilter (default: 1 day)
set::spamfilter::ban-reason allows you to specify a default reason (default: 'Spam/advertising')
set::spamfilter::virus-help-channel allows you to specify the channel to join for action 'viruschan' (default: #help)
set::spamfilter::virus-help-channel-deny allows you to block any normal joins to virus-help-channel (default: no)

Slow Spamfilter Detection
A spamfilter regex can slow down the IRCd considerably. This really depends on the regex you use (and how the regex engine handles it), some are very fast and UnrealIRCd can execute thousands of them per second. Others can be extremely slow, take several seconds to execute, and could freeze the IRCd.
To help against this, Unreal comes with Slow Spamfilter Detection: For each spamfilter, Unreal checks, each time it executes, how long it takes to execute. Once a certain threshold is reached the IRCd will warn or even remove the spamfilter.
Warning is configured through set::spamfilter::slowdetect-warn (default: 250ms) and automatic deletion is configured by set::spamfilter::slowdetect-fatal (default: 500ms). You can set both settings to 0 (zero) to disable slow spamfilter detection.
This feature is currently not available on Windows.

3.15 - CIDR

UnrealIRCd now has support for CIDR (Classless Interdomain Routing). CIDR allows you to ban IP ranges. IPs are allocated to ISPs using CIDR, therefore, being able to set a CIDR based ban allows you to easily ban an ISP. Unreal supports CIDR for both IPv4 and IPv6. CIDR masks may be used in the allow::ip, oper::from::userhost, ban user::mask, ban ip::mask, except ban::mask, except throttle::mask, and except tkl::mask (for gzline, gline, and shun). Additionally, CIDR can be used in /kline, /gline, /zline, /gzline, and /shun. Unreal uses the standard syntax of IP/bits, e.g., 127.0.0.0/8 (matches 127.0.0.0 - 127.255.255.255), and fe80:0:0:123::/64 (matches fe80:0:0:123:0:0:0:0 - fe80:0:0:123:ffff:ffff:ffff:ffff).

3.16 - Nick Character Sets

UnrealIRCd now has the ability to specify which charsets/languages should be allowed in nicknames. You do this in set::allowed-nickchars.
A table of all possible choices:
Name:Description:Character set/encoding:
catalanCatalan charactersiso8859-1 (latin1)
danishDanish charactersiso8859-1 (latin1)
dutchDutch charactersiso8859-1 (latin1)
frenchFrench charactersiso8859-1 (latin1)
germanGerman charactersiso8859-1 (latin1)
swiss-germanSwiss-German characters (no es-zett)iso8859-1 (latin1)
icelandicIcelandic charactersiso8859-1 (latin1)
italianItalian charactersiso8859-1 (latin1)
spanishSpanish charactersiso8859-1 (latin1)
swedishSwedish charactersiso8859-1 (latin1)
latin1catalan, danish, dutch, french, german, swiss-german, spanish, icelandic, italian, swedishiso8859-1 (latin1)
hungarianHungarian charactersiso8859-2 (latin2), windows-1250
polishPolish charactersiso8859-2 (latin2)
romanianRomanian charactersiso8859-2 (latin2), windows-1250, iso8859-16
latin2hungarian, polish, romanianiso8859-2 (latin2)
polish-w1250Polish characters, windows variant (unfortunately more common than iso)windows-1250
slovak-w1250Slovak characters, windows variantwindows-1250
czech-w1250Czech characters, windows variantwindows-1250
windows-1250polish-w1250, slovak-w1250, czech-w1250, hungarian, romanianwindows-1250
greekGreek charactersiso8859-7
turkishTurkish charactersiso8859-9
russian-w1251Russian characterswindows-1251
belarussian-w1251Belarussian characterswindows-1251
ukrainian-w1251Ukrainian characterswindows-1251
windows-1251russian-w1251, belarussian-w1251, ukrainian-w1251windows-1251
hebrewHebrew charactersiso8859-8-I/windows-1255
chinese-simpSimplified ChineseMultibyte: GBK/GB2312
chinese-tradTradditional ChineseMultibyte: GBK
chinese-jaJapanese Hiragana/PinyinMultibyte: GBK
chinesechinese-*Multibyte: GBK
gbkchinese-*Multibyte: GBK

NOTE 1: Please note that some combinations can cause problems. For example, combining latin* and chinese-* can not be properly handled by the IRCd and Unreal will print an error. Mixing of other charsets might cause display problems, so Unreal will print out a warning if you try to mix latin1/latin2/greek/other incompatible groups.

NOTE 2: Casemapping (if a certain lowercase character belongs to an upper one) is done according to US-ASCII, this means that o" and O" are not recognized as 'the same character' and hence someone can have a nick with B"ar and someone else BA"r at the same time. This is a limitation of the current system and IRCd standards that cannot be solved anytime soon. People should be aware of this limitation. Note that this limitation has always also been applied to channels, in which nearly all characters were always permitted and US-ASCII casemapping was always performed.

NOTE 3: The basic nick characters (a-z A-Z 0-9 [ \ ] ^ _ - { | }) are always allowed/included.

Example 1, for people of western europe:
set { allowed-nickchars { latin1; }; };
Example 2, if you have mainly chinese users and want to allow "normal" chinese characters:
set { allowed-nickchars { chinese-simp; chinese-trad; }; };

3.17 - CGI:IRC Support

UnrealIRCd has support for CGI:IRC host spoofing, which means you can mark specific CGI:IRC gateways as "trusted" which will cause the IRCd to show the users' real host/ip everywhere on IRC, instead of the host/ip of the CGI:IRC-gateway.

See the cgiirc block for information on how to configure this.

3.18 - Time Synchronization

Having correct time is extremely important for IRC servers. Without correct time, channels can desynch, innocent users can be killed, channels might not show up properly in /LIST, in short: huge trouble will arrise.

UnrealIRCd has some build-in time synchronization support. Although not optimal (time can still be off a few seconds), it should get rid of most time differences. If you can, you are still recommended to run time synchronization software such as ntpd on *NIX or the time synchronization service on Windows (in that case, you can turn off Unreal's time synchronization, more on that later).

What UnrealIRCd does (by default) is do a one-shot timesync attempt when booting. It sends (by default) a request to multiple time servers and when it gets the first (fastest) reply, it will adjust the internal ircd clock (NOT the system clock). If, for some reason, Unreal does not get a reply from the timeserver within 3 seconds, the IRCd will continue to boot regardlessly (should rarely happen).

Time synchronization is configured (and can be turned off) through the set::timesynch block, see the set documentation for more information.

3.19 - Other features

UnrealIRCd has a lot of features so not everything is covered here... You'll find that out by yourself.

4.0 - Configuring your unrealircd.conf

First of all, creating your first unrealircd.conf will take time (say, 15-60 minutes). Creating a good unrealircd.conf will take even more time. You should not rush to get the IRCd booted, but rather go through things step-by-step. If you have any problems, check your syntax, check this manual and check the FAQ before asking for help/reporting a bug.

4.1 Configuration File Explained

The new system uses a block-based format. Each entry, or block, in the new format has a specific format. The format works like:

<block-name> <block-value> {
	<block-directive> <directive-value>;
};

<block-name> is the type of block, such as me, or admin. <block-value> sometimes specifies a value, such as /oper login, but other times it will be a sub-type such as in ban user.

<block-directive> is an individual variable specific to the block, and <directive-value> is the Associated value. If <directive-value> contains spaces, or characters that represents a comment it must be contained in double quotes. If you want to use a quote character inside a quoted string use \" and it will be understood as a quote character.

A <block-directive> can have directives within it, if that’s the case it will have it's own set of curly braces surrounding it. Some blocks do not have directives and are specified just by <block-value>, such as include. Also note that there is no set format, meaning the whole block can appear on one line or over multiple lines. The format above is what is normally used (and what will be used in this file) because it is easy to read.

Note: the configuration file is currently case sensitive so BLOCK-NAME is not the same as block-name. There is a special notation used to talk about entries in the config file. For example, to talk about <directive-name> in the example above, you'd say <block-name>::<block-directive>, and if that directive has a sub block you want to reverence, you would add another :: and the name of the sub directive.

To talk about an unnamed directive you would do <block-name>:: which would in this case mean <block-value>, or it could be an entry in a sub block that has no name.

Three types of comments are supported:

# One line comment
// One line comment
/* Multi line
    comment */

Now that you know how it works, copy doc/example.conf to your UnrealIRCd directory (eg: /home/user/Unreal3.2) and rename it to unrealircd.conf (OR create your unrealircd.conf from scratch). It's recommended to walk step by step through all block types and settings in your conf and use this manual as a reference.

4.2 - Me Block REQUIRED (Previously known as the M:Line)

Syntax:

me {
	name <name-of-server>;
	info <server-description>;
	numeric <server-numeric>;
};

These values are pretty obvious. The name specifies the name of the server, info specifies the server's info line, numeric specifies a numeric to identify the server. This must be a value between 0 and 254 that is UNIQUE to the server meaning NO other servers on the network may have the same numeric.

Example:

me {
	name "irc.foonet.com";
	info "FooNet Server";
	numeric 1;
};

4.3 - Admin Block REQUIRED (Previously known as the A:Line)

Syntax:

admin {
	<text-line>;
	<text-line>;
};

The admin block defines the text displayed in a /admin request. You can specify as many lines as you want and they can contain whatever information you choose, but it is standard to include the admins nickname and email address at a minimum. Other information may include any other contact information you wish to give.

Example:

admin {
	"Bob Smith";
	"bob";
	"widely@used.name";
};

4.4 - Class Block REQUIRED (Previously known as the Y:Line)

Syntax:

class <name> {
	pingfreq <ping-frequency>;
	connfreq <connect-frequency>;
	maxclients <maximum-clients>;
	sendq <send-queue>;
	recvq <recv-queue>;
};

Class blocks are classes in which connections will be placed (for example from allow blocks or servers from link blocks), you generally have multiple class blocks (ex: for servers, clients, opers).

name is the descriptive name, like "clients" or "servers", this name is used for referring to this class from allow/link/oper/etc blocks

pingfreq is the number of seconds between PINGs from the server (something between 90 and 180 is recommended).

connfreq is used only for servers and is the number of seconds between connection attempts if autoconnect is enabled

maxclients specifies the maximum (total) number of clients/servers which can be in this class

sendq specifies the amount of data which can be in the send queue (very high for servers with low bandwidth, medium for clients)

recvq specifies the amount of data which can be in the receive queue and is used for flood control (this only applies to normal users, try experimenting with values 3000-8000, 8000 is the default).

Examples:

class clients {
	pingfreq 90;
	maxclients 500;
	sendq 100000;
	recvq 8000;
};

class servers {
	pingfreq 90;
	maxclients 10; /* Max servers we can have linked at a time */
	sendq 1000000;
	connfreq 100; /* How many seconds between each connection attempt */
};

4.5 - Allow Block REQUIRED (Previously known as the I:Line)

Syntax:

allow {
	ip <user@ip-connection-mask>;
	hostname <user@host-connection-mask>;
	class <connection-class>;
	password <connection-password> { <auth-type>; };
	maxperip <max-connections-per-ip>;
	redirect-server <server-to-forward-to>;
	redirect-port <port-to-forward-to>;
	options {
		<option>;
		<option>;
		...
	};
};

The allow class is where you specify who may connect to this server, you can have multiple allow blocks.

About matching
The access control works like this: ip matches OR host matches, so "hostname *@*"; and "ip *@1.2.3.4" will mean it will always match. Also the allow blocks are read upside down, so you need specific host/ip allow blocks AFTER your general *@* allow blocks. Additionally, if you want to setup a block that only matches based on IP, then set the hostname to something invalid, such as "hostname NOBODY;", this will allow the block to only match based on IP.

ip
The ip mask is in the form user@ip, user is the ident and often set at *, ip is the ipmask. Some examples: *@* (from everywhere), *@192.168.* (only from addr's starting with 192.168), etc.

host
Also a user@host hostmask, again.. user is often set at *. Some examples: *@* (everywhere), *@*.wanadoo.fr (only from wanadoo.fr).

password (optional)
Require a connect password. You can also specify an password encryption method here.

class
Specifies the class name that connections using this allow block will be placed into.

maxperip (optional, but recommended)
Allows you to specify how many connections per IP are allowed to this server (ex: maxperip 4;).

redirect-server (optional)
If the class is full, redirect users to this server (if clients supports it [mIRC 6 does]).

redirect-port (optional)
If redirect-server is specified you can set the port here, otherwise 6667 is assumed.

options block (optional)
Valid options are:
   useip always display IP instead of hostname
   noident don't use ident but use username specified by client
   ssl only match if this client is connected via SSL
   nopasscont continue matching if no password was given (so you can put clients in special classes if they supply a password).

Examples:

allow {
	ip *;
	hostname *;
	class clients;
	maxperip 5;
};

allow {
	ip *@*;
	hostname *@*.passworded.ugly.people;
	class clients;
	password "f00Ness";
	maxperip 1;
};

 

4.6 - Listen Block REQUIRED (Previously known as the P:Line)

Syntax:

listen <ip:port> {
	options {
		<option>;
		<option>;
		...
	};
};

This block allows you to specify the ports on which the IRCD will listen. If no options are required, you may specify this without any directives in the form listen <ip:port>;.

ip and port
You can set ip to * to bind to all available ips, or specify one to only bind to that ip (usually needed at shell providers). The port is the port you want to listen on. You can also set the port to a range rather than an individual value. For example, 6660-6669 would listen on ports 6660 through 6669 (inclusive). IPv6 users, see below.

Info for IPv6 users
If you have an IPv6 enabled server you need to enclose the IP in brackers. Like [::1]:6667 (listen at localhost on port 6667). If you are using IPv6 and you want to listen at a specific IPv4 addr you need to use ::ffff:ipv4ip. For example: [::ffff:203.123.67.1]:6667 which will listen at 203.123.67.1 on port 6667. Of course you can also just use *.

options block (optional)
You can specify special options for this port if you want, valid options are:
clientsonly
port is only for clients
serversonly
port is only for servers
java
CR javachat support
ssl
SSL encrypted port

Examples:

listen *:6601 {
	options {
		ssl;
		clientsonly;
	};
};

Or if there are no options:

listen *:8067;
listen 213.12.31.126:6667;
listen *:6660-6669;

4.7 - Oper Block RECOMMENDED (Previously known as the O:Line)

oper <name> {
	from {
		userhost <hostmask>;
		userhost <hostmask>;
	};
	password <password> { <auth-type>; };
	class <class-name>;
	flags <flags>;
	flags {
		<flag>;
		<flag>;
		...
	};
	swhois <whois info>;
	snomask <snomask>;
	modes <modes>;
	maxlogins <num>;
};

The oper block allows you to assign IRC Operators for your server. The oper:: specifies the login name for the /oper. The oper::from::userhost is a user@host mask that the user must match, you can specify more than one hostmask by creating more than one oper::from::userhost. The oper::password is the password the user must specify, oper::password:: allows you to specify an authentication method for this password, valid auth-types are crypt, md5, and sha1, ripemd-160. If you want to use a plain-text password leave this sub-block out.

Please note that BOTH the login name and password are case sensitive

The oper::class directive specifies the name of a preexisting (appears before this in the config file) class name that the oper block will use.

The oper::flags directive has two formats. If you wish to use the old style oper flags i.e., OAa, you use the flags <flags> method, if you want to use the new style,i.e., services-admin, then you use the flags { <flag>; } method. Below is a list of all the flags (in both formats) and what they do.

Old Flag
New Flag
Description
o
local
Makes you a local operator
O
global
Makes you a global operator
C
coadmin
Makes you a coadmin
A
admin
Makes you a admin
a
services-admin
Makes you a services admin
N
netadmin
Makes you a Network Admin
r
can_rehash
Oper may use /rehash
D
can_die
Oper may use /die
R
can_restart
Oper may use /restart
h
helpop
Oper receives umode +h (helpop)
w
can_wallops
Oper can send /wallops
g
can_globops
Oper can send /globops
c
can_localroute
Can connect servers locally
L
can_globalroute
Can connect servers globally
k
can_localkill
Can /kill local users
K
can_globalkill
Can /kill global users
b
can_kline
Can use /kline
B
can_unkline
Can use /kline -u@h
n
can_localnotice
Can send local server notices
G
can_globalnotice
Can send global server notices
z
can_zline
Can use /zline
t
can_gkline
Can use /gline, /shun and /spamfilter
Z
can_gzline
Can use /gzline
W
get_umodew
Sets umode +W when u oper
H
get_host
Sets your host to an oper host
v
can_override
Can use OperOverride
q
can_setq
Can use usermode +q
X
can_addline
Can use /addline
d
can_dccdeny
Can use /dccdeny and /undccdeny

Certain flags give you other flags by default:

local global admin/coadmin services-admin netadmin
can_rehash can_rehash can_rehash can_rehash can_rehash
helpop helpop helpop helpop helpop
can_globops can_globops can_globops can_globops can_globops
can_wallops can_wallops can_wallops can_wallops can_wallops
can_localroute can_localroute can_localroute can_localroute can_localroute
can_localkill can_localkill can_localkill can_localkill can_localkill
can_kline can_kline can_kline can_kline can_kline
can_unkline can_unkline can_unkline can_unkline can_unkline
can_localnotice can_localnotice can_localnotice can_localnotice can_localnotice
  can_globalroute can_globalroute can_globalroute can_globalroute
  can_globalkill can_globalkill can_globalkill can_globalkill
  can_globalnotice can_globalnotice can_globalnotice can_globalnotice
    global global global
    can_dccdeny can_dccdeny can_dccdeny
      can_setq can_setq
        admin
        services-admin

The oper::swhois directive allows you to add an extra line to an opers whois information. [optional]

The oper::snomask directive allows you to preset an oper's server notice mask on oper up. For a list of available SNOMASKs, see Section 3.3 [optional]

The oper::modes directive allows you to preset an oper's modes on oper up. [optional]

The oper::maxlogins allows you to restrict the number of concurrent oper logins from this host, for example if you set it to 1 then only 1 person can be oper'ed via this block at any time. [optional]

Example:

oper bobsmith {
	class clients;
	from {
		userhost bob@smithco.com;
		userhost boblaptop@somedialupisp.com;
	};
	password "f00";
	flags {
		netadmin;
		can_gkline;
		can_gzline;
		can_zline;
		can_restart;
		can_die;
		global;
	};
	swhois "Example of a whois mask";
	snomask frebWqFv;
};

Some little info about OperOverride:
OperOverride are things like: joining a +ikl channel and going through bans (you need to /invite yourself first however), op'ing yourself in a channel, etc.
The can_override operflag was added as an attempt to stop oper abuse. No oper is able to override by default, you would have to give them the can_override flag explicitly.

4.8 - DRpass Block RECOMMENDED (Previously known as the X:Line)

Syntax:

drpass {
	restart <restart-password> { <auth-type>; };
	die <die-password> { <auth-type>; };
};

This block sets the /restart and /die passwords with drpass::restart and drpass::die respectively. The drpass::restart:: and drpass::die:: allow you to specify the type of authentication used by this item. The currently supported authentication types are crypt, md5, and sha1, ripemd-160.

Example:

drpass {
	restart "I-love-to-restart";
	die "die-you-stupid";
};

4.9 - Include Directive

Syntax:
include <file-name>;

This directive specifies a filename to be loaded as a separate configuration file. This file may contain any type of config block and can even include other files. Wildcards are supported in the file name to allow you to load multiple files at once.

example 1: a network file

include mynetwork.network;

That would be the statement to use if you wanted to use a separate network file. Separate network files are no longer required; all the network settings can be inserted directly into the unrealircd.conf. Or you can put an include statement them to load the file.

example 2: aliases

include aliases/ircservices.conf

Another example is to use it for including alias blocks, UnrealIRCd comes with some files which (should) contain the right aliases for most services:

4.10 - LoadModule Directive REQUIRED

Syntax:
loadmodule <file-name>;

See here why modules are nice/useful.

Modules that come standard with Unreal3.2:

commands.so / commands.dll - All the / commands (well not all yet, but will eventually be all) REQUIRED
cloak.so / cloak.dll - Cloaking module REQUIRED (or any other cloaking module)

So you want to be sure to have these loaded:

loadmodule "src/modules/commands.so";
loadmodule "src/modules/cloak.so";

or on windows:

loadmodule "modules/commands.dll";
loadmodule "modules/cloak.dll";

4.11 - Log Block RECOMMENDED

Syntax:

log <file-name> {
	maxsize <max-file-size>;
	flags {
		<flag>;
		<flag>;
		...
	};
};

The log block allows you to assign different log files for different purposes. The log:: contains the name of the log file. log::maxsize is an optional directive that allows you to specify a size that the log file will be wiped and restarted. You can enter this string using MB for megabytes, KB, for kilobytes, GB, for gigabytes. The log::flags specifies which types of information will be in this log. See the list of available flags below.

You may also have multiple log blocks, to log different things to different log files.

Available Flags:
errorsself explanatory
killslogs /kill notices
tkllogs info on *lines, shuns and spamfilters (adding/removing/expire)
connectslogs user connects/disconnects
server-connectslogs server connects/squits
klinelogs /kline usage
operlogs oper attempts (both failed and successful)
sadmin-commandslogs /sa* (samode, sajoin, sapart, etc.) usage
chg-commandslogs /chg* (chghost, chgname, chgident, etc.) usage
oper-overridelogs operoverride usage
spamfilterlogs spamfilter matches

Example:

log ircd.log {
	maxsize 5MB;
	flags {
		errors;
		kills;
		oper;
		kline;
		tkl;
	};
};

4.12 - TLD Block OPTIONAL (Previously known as the T:Line)

Syntax:

tld {
	mask <hostmask>;
	motd <motd-file>;
	rules <rules-file>;
	shortmotd <shortmotd-file>;
	opermotd <opermotd-file>;
	botmotd <botmotd-file>;
	channel <channel-name>;
	options {
		ssl;
	};
};

The tld block allows you to specify a motd, rules, and channel for a user based on their host. This is useful if you want different motds for different languages. The tld::mask is a user@host mask that the user's username and hostname must match. The tld::motd, tld::shortmotd, tld::opermotd, tld::botmotd, and tld::rules specify the motd, shortmotd, opermotd, botmotd, and rules file, respectively, to be displayed to this hostmask. The tld::shortmotd, tld::opermotd, and tld::botmotd are optional. tld::channel is optional as well, it allows you to specify a channel that this user will be forced to join on connect. If this exists it will override the default auto join channel. The tld::options block allows you to define additional requirements, currently only tld::options::ssl which only displays the file for SSL users, and tld::options::remote which only displays the file for remote users, exists.

TLD entries are matched upside down

Example:

tld {
	mask *@*.fr;
	motd "ircd.motd.fr";
	rules "ircd.rules.fr";
};

4.13 - Ban Nick Block OPTIONAL (Previously known as the Q:Line)

Syntax:

ban nick {
mask <nickname>; reason <reason-for-ban>; };

The ban nick block allows you to disable use of a nickname on the server. The ban::mask allows wildcard masks to match multiple nicks, and ban::reason allows you to specify the reason for which this ban is placed. Most commonly these blocks are used to ban usage of the nicknames commonly used for network services.

Example:

ban nick {
	mask "*C*h*a*n*S*e*r*v*";
	reason "Reserved for Services";
};

4.14 - Ban User Block OPTIONAL (Previously known as the K:Line)

Syntax:

ban user {
	mask <hostmask>;
	reason <reason-for-ban>;
};

This block allows you to ban a user@host mask from connecting to the server. The ban::mask is a wildcard string of a user@host to ban, and ban::reason is the reason for a ban being placed. Note, this is only a local ban and therefore the user may connect to other servers on the network.

Example:

ban user {
	mask *tirc@*.saturn.bbn.com;
	reason "Idiot";
};

4.15 - Ban IP Block OPTIONAL (Previously known as the Z:Line)

Syntax:

ban ip {
	mask <ipmask>;
	reason <reason-for-ban>;
};

The ban ip block bans an IP from accessing the server. This includes both users and servers attempting to link. The ban::mask parameter is an IP which may contain wildcard characters, and ban::reason is the reason why this ban is being placed. Since this ban affects servers it should be used very carefully.

Example:

ban ip {
	mask 192.168.1.*;
	reason "Get a real ip u lamer!";
};

4.16 - Ban Server Block OPTIONAL (Previously known as the q:Line)

Syntax:

ban server {
	mask <server-name>;
	reason <reason-for-ban>;
};

This block disables a server's ability to connect to the network. If the server links directly to your server, the link is denied. If the server links to a remote server, the local server will disconnect from the network. The ban::mask field specifies a wildcard mask to match against the server attempting to connect's name, and ban::reason specifies the reason for which this ban has been placed.

Example:

ban server {
	mask broken.server.my.network.com;
	reason "Its broken!";
};

4.17 - Ban RealName Block OPTIONAL (Previously known as the n:Line)

Syntax:

ban realname {
	mask <realname-mask>;
	reason <reason-for-ban>;
};

The ban realname block allows you to ban a client based on the GECOS (realname) field. This is useful to stop clone floods because often clone bots use the same realname. The ban::mask specifies the realname which should be banned. The mask may contain wildcards. The ban::reason specifies the reason why this ban is being placed.

Example:

ban realname {
	mask "Bob*";
	reason "Bob sucks!";
};

4.18 - Ban Version Block OPTIONAL

Syntax:

ban version {
	mask <version-mask>;
	reason <reason-for-ban>;
	action [kill|tempshun|shun|kline|zline|gline|gzline];
};

The ban version block allows you to ban a client based on the IRC client software they use. This makes use of the clients CTCP version reply. Therefore if a client does not send out a CTCP version, the ban will not work. This feature is intended to allow you to block malicious scripts. The ban::mask specifies the version which should be banned. The mask may contain wildcards. The ban::reason specifies the reason why this ban is being placed. You can also specify ban::action, kill is the default, tempshun will shun the specific user connection only and would work very effective against zombies/bots at dynamic IPs because it won't affect innocent users. shun/kline/zline/gline/gzline will place a ban of that type on the ip (*@IPADDR), the duration of these bans can be configured with set::ban-version-tkl-time and defaults to 1 day.

Example:

ban version {
	mask "*SomeLameScript*";
	reason "SomeLameScript contains backdoors";
};
ban version {
	mask "*w00tZombie*";
	reason "I hate those hundreds of zombies";
	action zline;
};

4.19 - Ban Exceptions Block OPTIONAL (Previously known as the E:Line)

Syntax:

except ban {
	mask <hostmask>;
};

The except ban block allows you to specify a user@host that will override a ban placed on a broader host. This is useful when you want an ISP banned, but still want specific users to be able to connect. The except::mask directive specifies the user@host mask of the client who will be allowed to connect.

Example:

except ban {
	mask myident@my.isp.com;
};

4.20 - TKL Exceptions Block OPTIONAL

Syntax:

except tkl {
	mask <hostmask>;
	type <type>;
	type { 
		<type>;
		<type>;
		...
	};
};

The except tkl block allows you to specify a user@host that will override a tkl ban placed on a broader host. This is useful when you want an ISP banned, but still want specific users to be able to connect. The except::mask directive specifies the user@host mask of the client who will be allowed to connect. The except::type specifies which type of ban this should override. Valid types are gline, gzline, qline, gqline, and shun, which make an exception from Glines, Global Zlines, Qlines, Global Qlines, and shuns. If the type {} format is used, multiple types may be specified.

Example:

except tkl {
	mask myident@my.isp.com;
	type gline;
};

4.21 - Throttle Exceptions Block OPTIONAL

Syntax:

except throttle {
	mask <ipmask>;
};

The except throttle block allows you to specify an IP mask that will override the throttling system. This only works if you have chosen to enable throttling. The except::mask specifies an IP mask that will not be banned because of throttling.

Example

except throttle {
	mask 192.168.1.*;
};

4.22 - Deny DCC Block OPTIONAL (Previously known as dccdeny.conf)

Syntax:

deny dcc {
	filename <file-to-block>;
	reason <reason-for-ban>;
	soft [yes|no];
};

The deny dcc block allows you to specify a filename which will not be allowed to be sent via DCC over the server. This is very useful in helping stop distribution of trojans and viruses.

The deny::filename parameter specifies a wildcard mask of the filename to reject sends of, and deny::reason specifies the reason why this file is blocked.

There's also a deny::soft option, if set to 'yes' the dcc is blocked unless the user explicitly allows it via /DCCALLOW +nickname-trying-to-send. See dccallow.conf for a good example configuration for dccallow.

Example

deny dcc {
	filename virus.exe;
	reason "This is a GD Virus";
};

deny dcc {
	filename "*.exe";
	reason "Executable content";
	soft yes;
};

4.23 - Deny Version Block OPTIONAL (Previously known as the V:Line)

Syntax:

deny version {
	mask <server-name>;
	version <version-number>;
	flags <compile-flags>;
};

This block allows you to deny a server from linking based on the version of Unreal it is running and what compile time options it has. The format for this block is somewhat complex but isn't too hard to figure out. The deny::mask directive specifies a wildcard mask of the server name this applies to. The deny::version specifies the protocol number of the version this refers to.

For example, 3.0 is 2301, 3.1.1/3.1.2 is 2302, 3.2 is 2303. The first character of this parameter can be one of the following >, <, =, !. This character tells the IRCd how to interpret the version. If the first character is a > then all version greater than the specified version are denied, if it is a < all versions lower are denied, if it is an = only that version is denied, and if it is a ! then all versions except the specified are denied. The deny::flags directive allows you to specify what compile time flags the server may or may not have. The flags are arranged one after the other with no separation between, if a character is prefixed by a ! then it means the server may not have this flag compiled into it, if it does not have a ! prefix, then it means the server must have this flag compiled.

4.24 - Deny Link Block OPTIONAL (Previously known as the D/d:Line)

Syntax:

deny link {
	mask <server-name>;
	rule <crule-expression>;
	type <type-of-denial>;
};

This block allows you to use specific rules to deny a server from linking. The deny::mask specifies a wildcard mask of the server name to apply this rule to. The deny::rule directive is very complex. A crule expression allows you to control the link in great detail, and it is set up like a programming expression. Four operators are supported, connected(<servermask>), returns true if a server matching servermask is connected, directcon(<servermask>), returns true if the server matching servermask is directly connected to this server, via(<viamask>,<servermask>), returns true if a server matching servermask is connected by a server matching viamask, and directop(), which returns true if the operator issuing a /connect is directly connected to this server. These operators can be combined using && (and) and || (or), items may also be enclosed in parenthesis to allow grouping. In addition, an operator preceded with a ! checks if the operator returned false. If the entire expression evaluates to true, then the link is denied. The deny::type allows two different values, auto (only applies to autoconnects, /connect will still work), and all (applies to all connection attempts).

4.25 - Deny Channel Block OPTIONAL (Previously known as chrestrict.conf)

Syntax:

deny channel {
	channel "<channel-mask>";
	reason <reason-for-ban>;
	redirect "<channel-name>";
	warn [on|off];
};

The deny channel block allows you to disallow users from joining specific channels. The deny::channel directive specifies a wildcard mask of channels the users may not join, and the deny::reason specifies the reason why the channel may not be joined. Additionally, you may specify a deny::redirect. If this is specified, when a user tries to join a channel that matches deny::channel, he/she will be redirected to deny::redirect. And there's also deny::warn which (if set to on) will send an opernotice (to EYES snomask) if the user tries to join.

Example

deny channel {
	channel "#unrealsucks";
	reason "No it don't!";
};

deny channel {
	channel "#*teen*sex*";
	reason "You == dead";
	warn on;
};

deny channel {
	channel "#operhelp";
	reason "Our network help channel is #help, not #operhelp";
	redirect "#help";
};

4.26 - Allow Channel Block OPTIONAL

Syntax:

allow channel {
	channel "<channel-mask>";
};

The allow channel block allows you to specify specific channels that users may join. The allow::channel directive specifies the wildcard mask of the channels which may be joined.

Example:

allow channel {
	channel "#something";
};

4.27 - Allow DCC Block OPTIONAL

Syntax:

allow dcc {
	filename "<filename-mask>";
	soft [yes|no];
};

The allow dcc blocks allows you to specify exceptions over deny dcc blocks, wildcards are permitted. If allow dcc::soft is set to 'yes' it applies to 'soft dcc bans' list, if set to 'no' it applies to the normal ('hard') dcc bans.

Example:

allow dcc {
	filename "*.jpg"; /* Images are usually safe */
	soft yes;
};

4.28 - Vhost Block OPTIONAL (Previously known as vhosts.conf)

Syntax:

vhost {
	vhost <vhost>;
	from {
		userhost <hostmask>;
		userhost <hostmask>;
		...
	};
	login <login-name>;
	password <password> { <auth-type>; };
	swhois "<swhois info>";
};

The vhost block allows you to specify a login/password that can be used with the /vhost command to obtain a fake hostname. The vhost::vhost parameter can be either a user@host or just a host that the user will receive upon successful /vhost. The vhost::from::userhost contains a user@host that the user must match to be eligible for the vhost. You may specify more than one hostmask. The vhost::login in the login name the user must enter and vhost::password is the password that must be entered. The vhost::password:: allows you to specify the type of authentication used by this item. The currently supported authentication types are crypt, md5, and sha1, ripemd-160. Lastly vhost::swhois allows you to add an extra line to a users whois, exactly as it does in the Oper Block oper::swhois.

Example:

vhost {
	vhost my.own.personal.vhost.com;
	from {
		userhost my@isp.com;
		userhost myother@isp.com;
	};
	login mynick;
	password mypassword;
	swhois "Im Special";
};

4.29 - Badword Block OPTIONAL (Previously known as badwords.*.conf)

Syntax:

badword <type> {
	word <text-to-match>;
	replace <replace-with>;
	action <replace|block>;
};

The badword block allows you to manipulate the list used for user and channel mode +G to strip "badwords". The badword:: specifies the type, valid types are channel, message, quit, and all. channel is for the channel +G list, message is for the user +G list, quit is for quit message censoring, and all adds it to all three lists. The badword::word can be a simple word or a regular expression we should search for. The badword::replace is what we should replace this match with. If badword::replace is left out, the word is replaced with <censored>. The badword::action defines what action should be taken if this badword is found. If you specify replace, then the badword is replaced, if you specify block, then the entire message is blocked. If you do not specify a badword::action, replace is assumed.

Example:

badword channel {
	word shit;
	replace shoot;
};

4.30 - ULines Block OPTIONAL (Previously known as the U:Line)

Syntax:

ulines {
	<server-name>;
	<server-name>;
	...
};

The ulines block lets you define certain servers as having extra abilities. This should only be used for servers such as services and stats. This should not be set for a normal server. Each entry is the name of the server which will receive the extra abilities.

Example

ulines {
	services.mynetwork.com;
	stats.mynetwork.com;
};

4.31 - Link Block OPTIONAL (Previously known as C/N/H:Lines)

Syntax:

link <server-name> {
	username <usermask>;
	hostname <ipmask>;
	bind-ip <ip-to-bind-to>;
	port <port-to-connect-on>;
	password-connect <password-to-connect-with>;
	password-receive <password-to-receive> { <auth-type>; };
	hub <hub-mask>;
	leaf <leaf-mask>;
	leafdepth <depth>;
	class <class-name>;
	ciphers <ssl-ciphers>;
	options {
		<option>;
		<option>;
		...
	};
};

This is the block you need for linking servers, please take your time to read all this because this one of the hardest things to do and users often make errors ;P

First of all server-name is the name of your remote server, the name the remote server has in his me { } block, like hub.blah.com (not the IP and can be different than hostname).

username
You can specify this if you use ident for authentication, normally you will set this to "*".

hostname
The remote host or IP of the remote server. This is used for both connecting AND for authentication/verification on the incoming side. Some examples:
1.2.3.4 normal IP
hub.blah.com host: only for outgoing, cannot accept _incoming_ connections unless link::options::nohostcheck is present
* cannot connect TO but will allow a server connection (with correct password) from everywhere
::ffff:1.2.3.4 for linking ipv6 to ipv4.

bind-ip (optional)
Can be used to bind to a specific IP (ex: 192.168.0.1) from where we should connect from, almost never used.

port
Port to connect to (at which the remote server is listening).

password-connect
The password used for connecting to the remote server, must be plain-text.

password-receive
The password used for validating incoming links, can be encrypted (valid methods are crypt, md5, sha1, ripemd-160). You can leave the auth-type parameter out to just use plain-text. Often this password is the same as your password-connect.

hub vs leaf
A hub has multiple servers linked to it, a leaf has only one link... to you. A server is a leaf unless it has a hub directive. It is also a leaf if the leaf directive is *, or leafdepth is 1.

hub (optional)
The value is a mask of what servers this hub may connect (ex: *.my.net).

leaf (optional)
The value is a mask of what servers this hub may not connect. Saying * here would be the same as not having a hub directive.

leafdepth (optional)
The value specifies the depth (number of hops) this server may have beneath it. For example, 1 means the server can't have any links under it (a leaf), 2 means it can link servers but those servers can't link anything under them (that is, this hub can only link leaves). A value of 0 means no limit, and is the default.

class
The class this server is put into, often a separate server class is used for this.

compression-level (optional)
Specifies the compression level (1-9) for this link. Only used if link::options::zip is set.

ciphers (optional)
Specifies the SSL ciphers to use for this link. To obtain a list of available ciphers, use the `openssl ciphers` command. Ciphers should be specified as a : separated list.

options block
One or more options used for connecting to the server. Sometimes not needed.
ssl if you are connecting to a SSL port.
autoconnect server will try to autoconnect, time specified in your class::connfreq (it's best to enable this only from one side, like leaf->hub)
zip if you want compressed links, needs to be compiled in + set at both ends
nodnscache don't cache IP for outgoing server connection, use this if it's an often changing host (like dyndns.org)
nohostcheck don't validate the remote host (link::hostname), use this if it's an often changing host (like dyndns.org)
quarantine opers on this server cannot get GLOBAL oper privileges (they will get killed), used for test links and such

Example:

link hub.mynet.com {
	username *;
	hostname 1.2.3.4;
	bind-ip *;
	port 7029;
	hub *;
	password-connect "LiNk";
	password-receive "LiNk";
	class servers;
	options {
		autoconnect;
		ssl;
		zip;
	};
};

4.32 - Alias Block OPTIONAL

Syntax [standard alias]:

alias <name> {
	target <nick-to-forward-to>;
	type <type-of-alias>;
	spamfilter <yes|no>;
};

(Note: also see here about the standard alias files UnrealIRCd has)

The alias block [standard alias] allows you to forward a command to a user, for example /chanserv sends a message to the user chanserv. The alias:: specifies the name of the command that will be the alias (eg: chanserv), alias::target is the nickname or channel it will forward to, if the alias:: is the same as the target, it will forward to, alias::target can be left out. The alias::type specifies the type of alias, valid types are services (the user is on the services server), stats (the user is on the stats server), normal (the user is a normal user on any server), and channel (the target is a channel name). If alias::spamfilter (optional) is set to 'yes', then the spamfilters will be checked (default is 'no').
The alias block also has another purpose which is explained below.

Syntax [command alias]:

alias <name> {
	/* For aliases to be sent to users/channels */
	format <regex-expression> {
		target <nick-to-forward-to>;
		type <type-of-alias>;
		parameters <parameter-string>;
	};
	/* For 'real aliases' */
	format <regex-expression> {
		command <command>;
		type real;
		parameters <parameter-string>;
	};
	/* Etc... You can have as many format blocks as you wish.. */
	format <regex-expression> {
		...
	};
	type command;
	spamfilter <yes|no>;
};

When the alias block is used in this format, it allows you a much broader range of usage. For example you can create aliases such as /identify. The alias:: is the same as above, the name of the alias command. The alias::format specifies a regular expression that compares against the text sent to the alias command, when matched the sub-entries of that alias::format will be used, you may have multiple alias::format's to make the command do different things depending on the text sent to it. The alias::format::target is the target to forward this alias to, however in case of a "real alias" alias::format::command is used instead. The alias::format::type specifies the type of the alias that the message should be forwarded to, besides the types mentioned previously in "Syntax [standard alias]", we also allow the type "real" here, for "real aliases". The alias::format::parameters is what will be sent as the parameters to this alias. To specify one of the parameters given to the command alias specify % followed by a number, for example, %1 is the first parameter. To specify all parameters from a given parameter to the end do % followed by the number and a -, for example %2- returns all parameters from the second till the last. Additionally, you may specify %n which will be replaced by the nickname of the user who executed the command.

For examples of using the alias block in the command format, consult doc/example.conf.

4.33 - Help Block OPTIONAL

Syntax:

help <name> {
	<text-line>;
	<text-line>;
	...
};

(Note: normally you just include help.conf)

The help block allows you to create entries for use in /helpop. The help:: is the value that must be passed to /helpop as a parameter, if the help:: is left out, then it will be used when no parameter is passed to /helpop. The entries for the help block are the text that will be displayed to the user when requesting the /helpop.

4.34 - Official Channels Block OPTIONAL

Syntax:

official-channels {
	"#channel" { topic "The default topic"; };
};

Official channels are shown in /list even if no users are in the channel. The topic is optional and is only shown in /list if it has 0 users.

Example:

official-channels {
	"#Help" { topic "The official help channel, if nobody is present type /helpop helpme"; };
	"#Home";
	"#Main" { topic "The main channel"; };
};

4.35 - Spamfilter Block OPTIONAL

The spamfilter block allows you to add local spamfilters (not network-wide).
See Features - Spamfilter for more information about spamfilters.

Syntax:

spamfilter {
	regex <word>;
	target { <target(s)> };
	action <action>;
	reason <reason>;
	ban-time <time>;
};

regex is the regex to be matched.
target specifies the targets, see here for a list of possible types (eg: 'channel').
action specifies the action to be taken, see here for a list of possible actions (eg: 'gline').
reason optional: specifies the ban or block reason, else the default is used.
ban-time optional: specifies the duration of a *line ban or shun, else the default is used (1 day).

Examples:

spamfilter {
	regex "Come watch me on my webcam";
	target { private; channel; };
	action gline;
	reason "You are infected, please go to www.antivirus.xx/blah/virus=GrrTrojan";
	ban-time 6h;
};

spamfilter {
	regex "come to irc\..+\..+";
	target { private; channel; };
	action gline;
	action gline;
	reason "No spamming allowed";
};

4.36 - Cgiirc Block OPTIONAL

The cgiirc block allows you to configure host spoofing for CGI:IRC gateways you trust (more info).

Syntax:

cgiirc {
	type <webirc|old>;
	username <mask>; /* optional */
	hostname <mask>;
	password <password>; /* only for type webirc */
};

type is either 'webirc' or 'old'.
username is matched against the ident (if present). If not specified, "*" is assumed.
hostname is the hostmask to match against.
password is the webirc password, only used for type 'webirc'.

How to configure with method 'webirc' (recommended method)
In your CGI:IRC configuration file (cgiirc.conf) you set webirc_password to a good password.
Then, in your unrealircd.conf you add a cgiirc block to allow this host and password and you set cgiirc::type to "webirc".

Example:
In your CGI:IRC configuration file (cgiirc.conf) you add:

webirc_password = LpT4xqPI5
Then, in your unrealircd.conf you add a cgiirc block:
cgiirc {
	type webirc;
	hostname "1.2.3.4";
	password "LpT4xqPI5";
};

How to configure with method 'old'
NOTE: This is not the recommended method since it has two disadvantages: this method will send the IP/host to spoof as a server password, meaning you cannot specify a server password as a CGI:IRC user. Additionally, access control is only IP-based and does not require an extra password like the 'webirc' method. In short, you probably should not be using this method unless you have a good reason to do so.

In your CGI:IRC configuration file (cgiirc.conf) you set realhost_as_password to 1.
Then, in your unrealircd.conf you add a cgiirc block to allow this host.

Example:
In your CGI:IRC configuration file (cgiirc.conf) you add:

realhost_as_password = 1
Then, in your unrealircd.conf you add a cgiirc block:
cgiirc {
	type old;
	hostname "1.2.3.4";
};

4.37 - Set Block REQUIRED (Previously known as unrealircd.conf/networks file)

The set file is what use to be our networks/unrealircd.conf and our networks file. On single server networks, rather than having 3 files you can just put all the set statements in the unrealircd.conf itself, on multi-server networks, I recommend using a seperate networks file.

Now, if your server is on a network, chances are you will all basically use the same Set settings. Therefore it makes more sense to have a network file, which is loaded with an include directive. Below you will find all of the set directives available.

In this doc we refer to settings / directives in the <block-name>::<block-directive> format. This format is NOT the format that it can be entered into the configuration file. IT MUST be converted to the format listed below. It is presented in the format it is to make discussing it simpler.

Syntax:

set {
	<entry> <value>;
	<entry> <value>;
	...
};

The set block sets options for individual server features. Each entry does something different and therefore each will be described below. Some directives have sub blocks which will also be described. There are many set statements to cover, all of the directives listed below can be included under ONE set statement. If a directive has options, they are included within the single set statement as well.
Example:

set {
	kline-address my@emailaddress.com;
	auto-join #welcome;
	options {
		hide-ulines;
	};
	hosts {
		local LocalOp.MyNet.com;
		global globalop.mynet.com;
	};
};

Now if you wanted to make the set statements separate, say you wanted to set your options in a single line.
Example:
set { options { hide-ulines; no-stealth; }; };

set::kline-address <email-address>;
The email address that K:line questions should be sent to. This value must be specified.

set::gline-address <email-address>;
The email address that G:line questions should be sent to.

set::modes-on-connect <+modes>;
The modes that will be set on a user at connection.

set::snomask-on-connect <+modes>
The snomask that will be set on a user at connection.

set::modes-on-oper <+modes>;
The modes that will be set on a user when they /oper.

set::snomask-on-oper <+modes>;
The snomask that will be set on a user when they /oper.

set::modes-on-join <+modes>;
The modes that will be set on a channel when it is first created. Not all modes can be set using this command. +qaohvbeOAzlLk can NOT be set using this command.

set::level-on-join <none|voice|halfop|op|protect|owner>;
The mode that a user will get when he's the first to join a channel. The default is 'op' (channel operator).

set::restrict-usermodes <modes>
Restrict users to set/unset the modes listed here (don't use + or -).
For example you can set +G in modes-on-connect and G in restrict-usermodes, that way you can force all users to be +G and unable to do -G.

set::restrict-channelmodes <modes>
Restrict users to set/unset the channelmodes listed here (don't use + or -).
For example you can set +G in modes-on-join and G in restrict-channelmodes, that way you can force all (new) channels to be +G and unable to do -G.
NOTE: it may still be possible to use these channelmodes through services by using MLOCK. Unfortunately we can't do much about that, you would have to ask the services coders to implement a restrict-channelmodes feature too.

set::restrict-extendedbans <types|*>
Don't allow users to use any extended bans ("*") or disallow only certain ones (eg: "qc").

set::auto-join <channels>;
The channel(s) a user will be forced to join at connection. To specify more than one channel use a comma separated list.
[Note: don't forget to add quotes, like: auto-join "#chan";]

set::oper-auto-join <channels>;
The channel(s) a user will be forced to join when they /oper. To specify more than one channel use a comma separated list.
[Note: don't forget to add quotes, like: oper-auto-join "#chan";]

set::anti-spam-quit-message-time <timevalue>;
A time value specifying the length of time a user must be connected for before a /quit message will be displayed. Used to prevent spam. A time value is a numeric string with d meaning days, h meaning hours, m meaning minutes, and s meaning seconds, for example 1d2h3m means 1 day, 2 hours, 3 minutes.

set::prefix-quit <text-to-prefix-quit>;
Sets the text that will be used to prefix a quit message. If this value is set to 0 then the standard "Quit:" is used.

set::static-quit <quit message>;
Sets a static quit message that will be sent whenever a client logs off the network. This eliminates the need for anti-spam-quit-message-time, as well as the set::prefix-quit. It will NOT replace ERRORS with the static-quit message.

set::static-part <no|yes|part message>;
A value of 'yes' strips all part comments, a value of 'no' makes part just work as usual, anything else will be used as a part comment (eg: static-part "Bye!") but this can be quite annoying, so use with care.

set::who-limit <limit>;
Sets the limit for the maximum number of matches that will be returned for a /who. If this option is left out, no limit is enforced.

set::silence-limit <limit>;
Sets the limit on the maximum SILENCE list entries. If this directive is not specified, a limit of 15 is set.

set::maxbans <limit>;
Sets the limit on the maximum amount of bans (+b) allowed per channel. The default is 60. If you change this, be sure to also take a look at maxbanlength (see next)!

set::maxbanlength <limit>;
Similar to above, but sets the maximum amount of characters for all bans added up together, so basically this puts up a limit on the (semi-)maximum amount of memory all channel bans on a channel can take. The default is 2048 (bytes). With the default set::maxbans of 60 this allows 2048:60=34 characters per ban on average.

set::oper-only-stats <stats-list>;
Specifies a list of stats flags with no separators that defines stats flags only opers can use. Leave this value out to allow users to use all flags, or specify * for users to be able to use no flags. Only short stats flags may be specified here.

set::oper-only-stats {<stats-flag>; <stats-flag>;};
Specifies a list of stats flags that can only be used by opers. This only works with long stats flags.

set::maxchannelsperuser <amount-of-channels>;
Specifies the number of channels a single user may be in at any one time.

set::maxdccallow <amount-of-entries>;
Specifies the maximum number of entries a user can have on his/her DCCALLOW list.

set::channel-command-prefix <command-prefixes>;
Specifies the prefix characters for services "in channel commands". Messages starting with any of the specified characters will still be sent even if the client is +d. The default value is "`!.".

set::allowed-nickchars { <list> };
Character sets / languages to allow in nicks, see Nick Character Sets.

set::allow-userhost-change [never|always|not-on-channels|force-rejoin]
Specifies what happens when the user@host changes (+x/-x/chghost/chgident/setident/vhost/etc).
never disables all the commands, always does always allow it even when in channels (may cause client desyncs) [default], not-on-channels means it's only allowed when the user is not on any channel, force-rejoin will force a rejoin in all channels and re-op/voice/etc if needed.

set::options::hide-ulines;
If this is present, Ulined server will be hidden in a /links requested by non-opers.

set::options::flat-map;
If this is present, all servers will appear as directly linked in /map and /links, thus you can no longer see which server is linked to which. This is a little help against (D)DoS attacks because evil people now no longer can easily see the 'weak points'.

set::options::show-opermotd;
If present the opermotd will be shown to users once they successfully /oper.

set::options::identd-check;
If present the presence of an identd server will be checked and the returned value will be used for the username. If no ident request is returned or the identd server doesn't exist, the user's specified username will be prefixed with a ~. If this value is omitted no such check is made.

set::options::show-connect-info;
If present notices showing "ident request", "hostname lookup", etc. will be displayed when a user connects.

set::options::dont-resolve;
If present hosts of incoming users are not resolved, can be useful if many of your users don't have a host to speed up connecting.
Note that since no resolving is done you also can't have host based allow blocks.

set::options::mkpasswd-for-everyone;
Makes it so the /mkpasswd can be used by anyone instead of oper-only, usage of the command by non-opers is sent to the EYES snomask.

set::options::allow-part-if-shunned;
Allow shunned user to use /part.

set::options::fail-oper-warn;
If present, a user will be notified that his/her failed /oper attempt has been logged.

set::dns::timeout <timevalue>;
A time value specifying the length of time a DNS server has to respond before a timeout. A time value is a numeric string with d meaning days, h meaning hours, m meaning minutes, and s meaning seconds, for example 1d2h3m means 1 day, 2 hours, 3 minutes. (NOT IMPLEMENTED)

set::dns::retries <number-of-retries>;
A numeric value specifying the number of times the DNS lookup will be retried if failure occurs. (NOT IMPLEMENTED)

set::dns::nameserver <name-of-dns-server>;
Specifies the hostname of the server that will be used for DNS lookups. (NOT IMPLEMENTED)

set::dns::bind-ip <ip>;
Specifies the IP to bind to for the resolver, rarely ever needed.

set::network-name <name-of-network>;
Specifies the name of the network on which this server is run. This value should be exactly the same on all servers on a network.

set::default-server <server-name>;
Defines the name of the default server to tell users to connect to if this server is full.

set::services-server <server-name>;
Specifies the name of the server that the services bots are connected to. Required, set it to something like services.yournet.com if you don't have services.

set::stats-server <server-name>;
Sets the name of the server on which the stats bot is located. If stats are not run this value may be left out.

set::help-channel <network-help-channel>;
Sets the name of the help channel for this network.

set::cloak-keys { "key1"; "key2"; "key3"; };
Sets the keys to be used to generate a +x host. This value must be the same on all servers or the servers will not link. Each of the 3 set::cloak-keys:: must be a string of 5-100 characters (10-20 is fine) consisting of mixed lowercase (a-z), uppercase (A-Z) and digits (0-9). Note that depending on which cloaking module you have loaded, other rules may apply.

set::hiddenhost-prefix <prefix-value>;
Defines the prefix that will be used on hiddenhosts (+x). This is usually three or four letters representing the network name.

set::hosts::local <locop-host-name>;
Defines the hostname that will be assigned to local opers when they set +x. You may optionally specify a username@host for this value.

set::hosts::global <globop-host-name>;
Defines the hostname that will be assigned to global operators when they set +x. You may optionally specify a username@host for this value.

set::hosts::coadmin <coadmin-host-name>;
Sets the hostname that will be assigned to co-admins when they set +x. You may optionally specify a username@host for this value.

set::hosts::admin <admin-host-name>;
Defines the hostname that will be set for admins when they set +x. You may optionally specify a username@host for this value.

set::hosts::servicesadmin <servicesadmin-host-name>;
Sets the hostname that will be given to services-admins when they set +x. You may optionally specify a username@host for this value.

set::hosts::netadmin <netadmin-host-name>;
Sets the hostname that will be given to netadmins when they set +x. You may optionally specify a username@host for this value.

set::hosts::host-on-oper-up <yes/no>;
If set to yes, the H/get_host flag will be honored and +x will be automatically set at /oper. If set to no, the user must set +x manually to receive the oper host.

set::ssl::egd <filename>;
Specifies that EGD (Entropy Gathering Daemon) support should be enabled. If you run OpenSSL 0.9.7 or higher, then /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and /etc/entropy will be searched by default so no filename is necessary, you may simply specify set::ssl::egd with no value. If you are using a version of OpenSSL prior to 0.9.7 or you want to use a EGD socket located somewhere other than the above listed locations you may specify the filename of the UNIX Domain Socket that an EGD is listening on.

set::ssl::certificate <filename>;
Specifies the filename where the server's SSL certificate is located.

set::ssl::key <filename>;
Specifies the filename where the server's SSL private key is located.

set::ssl::trusted-ca-file <filename>;
Specifies the filename where the certificates of the trusted CAs are located.

set::ssl::server-cipher-list <cipherlist>;
Specifies which ciphers to be allowed, by default we leave this up to OpenSSL. See http://www.openssl.org/docs/apps/ciphers.html on how to specify the list of ciphers.

set::ssl::renegotiate-bytes <value>;
Specifies after how many bytes an SSL session should be renegotiated (eg: 20m for 20 megabytes).

set::ssl::renegotiate-timeout <timevalue>;
Specifies after how much time an SSL session should be renegotiated (eg: 1h for 1 hour).

set::ssl::options::fail-if-no-clientcert;
Forces clients that do not have a certificate to be denied.

set::ssl::options::no-self-signed;
Disallows connections from people with self-signed certificates.

set::ssl::options::verify-certificate;
Makes Unreal determine if the SSL certificate is valid before allowing connection.

set::ssl::options::no-starttls;
Disable STARTTLS. STARTTLS allows clients to use SSL on regular (non-SSL) ports.

set::throttle::period <timevalue>
How long a user must wait before reconnecting more than set::throttle::connections times.

set::throttle::connections <amount>;
How many times a user must connect with the same host to be throttled.

set::ident::connect-timeout <amount>;
Amount of seconds after which to give up connecting to the ident server (default: 10s).

set::ident::read-timeout <amount>;
Amount of seconds after which to give up waiting for a reply (default: 30s).

set::anti-flood::unknown-flood-bantime <timevalue>;
Specifies how long an unknown connection flooder is banned for.

set::anti-flood::unknown-flood-amount <amount>;
Specifies the amount of data (in KiloBytes) that the unknown connection must send in order for the user to be killed.

set::anti-flood::away-flood <count>:<period>
Away flood protection: limits /away to 'count' changes per 'period' seconds. This requires NO_FLOOD_AWAY to be enabled in config.h. Example: away-flood 5:60s; means max 5 changes per 60 seconds.

set::anti-flood::nick-flood <count>:<period>
Nickflood protection: limits nickchanges to 'count' per 'period' seconds. For example nick-flood 4:90 means 4 per 90 seconds, the default is 3 per 60.

set::default-bantime <time>
Default bantime when doing /kline, /gline, /zline, /shun, etc without time parameter (like /gline *@some.nasty.isp), the default is permanent (0). Example: default-bantime 90d;

set::modef-default-unsettime <value>
For channelmode +f you can specify a default unsettime, if you specify 10 for example then +f [5j]:15 will be transformed to [5j#i10]:15. The default is no default unsettime.

set::modef-max-unsettime <value>
The maximum amount of minutes for a mode +f unsettime (in +f [5j#i<TIME>]:15), this is a value between 0 and 255. The default is 60 (= 1 hour).

set::ban-version-tkl-time <value>
If you specify an 'action' like zline/gline/etc in ban version, then you can specify here how long the ip should be banned, the default is 86400 (1 day).

set::spamfilter::ban-time <value>
Same as above but for *lines/shuns added by spamfilter

set::spamfilter::ban-reason <reason>
Reason to be used for entries added by spamfilter

set::spamfilter::virus-help-channel <channel>
The channel to use for the 'viruschan' action in spamfilter

set::spamfilter::virus-help-channel-deny <yes|no>
If set to yes (or '1') it replies 'invite only' to any normal users that try to join the virus-help-channel. Only opers, people that match spamfilters and people that are /invite'd can join.

set::spamfilter::except <target(s)>
These targets are exempt from spam filtering (no action will be taken), can be single target or comma seperated list.. Ex: except "#help,#spamreport"

set::spamfilter::slowdetect-warn <value>
If a spamfilter takes longer than this amount of milliseconds to execute (1000ms = 1 second), then a warning notice will be sent to all opers (default: 250). See also Slow Spamfilter Detection.

set::spamfilter::slowdetect-fatal <value>
If a spamfilter takes longer than this amount of milliseconds to execute (1000ms = 1 second), then the spamfilter will be removed (default: 500). See also Slow Spamfilter Detection.

set::check-target-nick-bans <yes|no>
Whenever the user changes his/her nick, check if the NEW nick would be banned. If so, do not allow the nickchange. Default is yes.

set::timesynch::enabled <yes|no>
Enable or disable time synchronization on-boot. Default is yes.

set::timesynch::server <IP>
Server to synchronize time with. This can be up to 4 IP's seperated by comma's. The servers must support NTP protocol version 4. The default is to use 3 time servers (US, EU, AU). Requests to these servers are sent in parallel, fastest reply wins.

set::timesynch::timeout <time>
Maximum time to wait for a time server reply. This is a value between 1 and 5, more is not possible because it causes too much inaccuracy. This setting is 3 by default and there's probably no good reason to change it.

set::pingpong-warning <yes|no>
When NOSPOOF is enabled (usually on Windows), send a warning to each user to use '/quote pong ..' if they are having problems connecting? The default is no.

set::watch-away-notification <yes|no>
Allows you to enable/disable AWAY notification in WATCH. The default is yes.

4.38 - Files Block OPTIONAL

You don't need to use a TLD block to specify default locations for your MOTDs and rules files. This block controls default settings for those in addition to the pidfile and irc.tune file. Anything not specified here will default to the value documented in Additional Files.

Relative pathnames will be interpreted relative to unrealIRCD's root directory which is normally the directory containing unrealircd.conf. This block may be used to facilitate running more than one IRCd out of the same directory/root. In that case, you should at least specify multiple pidfiles and tunefiles—one for each server.

Syntax:

files {
	motd <motd file>;
	shortmotd <short motd file>;
	opermotd <oper motd file>;
	svsmotd <services motd file>;
	botmotd <bot motd file>;

	rules <rules file>;

	tunefile <tune file>;
	pidfile <pid file>;
};

Example:

files {
	motd /etc/motd;

	pidfile /var/lib/run/unrealircd.pid;
};

5 – Additional Files

In addition to the configuration files, Unreal has a few other files, such as MOTD, OperMOTD, BotMOTD, and Rules. Listed below are the names of these files and their uses.
Note that the motd files (all types) and rules files can also be specified in a tld or files block, these are just the files used by default (and for remote MOTD/RULES's).

 
ircd.motdDisplayed when a /motd is executed and (if ircd.smotd is not present) when a user connects
ircd.smotdDisplayed on connect only (short MOTD)
ircd.rulesDisplayed when a /rules is executed
oper.motdDisplayed when a /opermotd is executed or when you /oper up
bot.motdDisplayed when a /botmotd is executed

6 – User & Channel Modes

Mode
Description
Channel Modes
A
Only Administrators may join
a <nick>
Makes the user a channel admin
b <nick!user@host>
Bans the given user from the channel
c
No ANSI color can be sent to the channel
C
No CTCP's allowed in the channel
e <nick!user@host>
Exception ban – If someone matches this, they can join a channel even if they match an existing ban
f [<number><type>]:<seconds>
Channel flood protection. See section 3.12 above for an extended description.
G
Makes channel G rated. Checks for words listed in the Badword Blocks, and replaces them with the words specified
h <nick>
Gives half-op status to the user
i
Invite required
I <nick!user@host>
Invite exceptions ("invex") - if someone matches this, they can bypass +i requirements to enter the channel.
j <joins:seconds>
Throttles joins per-user to joins per seconds seconds
K
/knock is not allowed
k <key>
Sets a key needed to join
l <##>
Sets max number of users
L <Chan>
If the amount set by +l has been reached, users will be sent to this channel
M
A registered nickname (+r) is required to talk
m
Moderated channel. Only +v/o/h users may speak
N
No nick name changes permitted
n
No messages from outside channels
O
Only IRCops may join
o <nick>
Gives a user channel operator status
p
Makes channel private
q <nick>
Sets channel owner
Q
Only U:Lined servers can kick users
R
Requires a registered nickname to join
S
Strips all incoming colors
s
Makes channel secret
t
Only chanops can set topic
T
No NOTICE's allowed in the channel
u
Auditorium – Makes /names and /who #channel only show channel ops
V
/invite is not allowed
v <nick>
Gives a voice to users. (May speak in +m channels)
z
Only clients on a Secure (SSL) Connection may join

 

Mode
Description
User Modes
A
Server Admin (Set in Oper Block)
a
Services Admin (Set in Oper Block)
B
Marks you as being a Bot
C
Co-Admin (Set in Oper Block)
d
Makes it so you can not receive channel PRIVMSGs (with the exception of text prefixed with certain characters, see set::channel-command-prefix)
G
Filters out all the bad words per configuration
g
Can send & read globops and locops
H
Hide IRCop Status (IRCop Only)
h
Available for help (HelpOp) (Set in OperBlock)
i
Invisible (not shown in /who)
N
Network Administrator (Set in Oper Block)
O
Local IRC Operator (Set in Oper Block)
o
Global IRC Operator (Set in Oper Block)
p
Hides the channels you are in from /whois
q
Only U:Lines can kick you (Services Admins Only)
R
Allows you to only receive PRIVMSGs/NOTICEs from registered (+r) users
r
Identifies the nick as being registered
S
Used to protect Services Daemons
s
Can listen to server notices (see section 3.3 above for more information)
T
Prevents you from receiving CTCPs
t
Says you are using a /vhost
V
Marks you as a WebTV user
v
Receives infected DCC Send Rejection notices
W
Lets you see when people do a /whois on you (IRCops Only)
w
Can listen to wallop messages
x
Gives user a hidden hostname
z
Indicates that you are an SSL client

7 – User & Oper Commands Table

NOTE: the /helpop documentation is more up to date, use /helpop command (or /helpop ?command if you are oper) to get more information on a command.

Command
Description
Who
nick <newnickname> Changes your online nick name. Alerts others to the change of your nick
All
whois <nick> Displays information of user requested. Includes Full Name, Host, Channels User is in, and Oper Status
All
who <mask> Who allows you to search for users. Masks include: nickname, #channel, hostmask (*.attbi.com)
All
whowas <nick> <maxreplies> Displays information on a nick that has logged off. The <max replies> field is optional, and limits how many records will be returned.
All
ison <nick1 nick2 nick3 ...> Allows you to check the online status of a user, or a list of users. Simple return, best used for scripts
All
join <channel1,channel2, ...> Allows you to join channels. Using the /join #channel1,#channel2,#channel3 will allow you to join more than one channel at a time. The /join 0 command makes you PART all channels. All
cycle <channel1, channel2, ...> Cycles the given channel(s). This command is equivalent to sending a PART then a JOIN command. All
motd <server> Displays the servers motd. Adding a server name allows you to view motd’s on other servers.
All
rules <server> Displays the ircd.rules of a server. Adding a server name allows you to view rules on other servers All
lusers <server> Displays current & max user loads, both global and local. Adding a server name allows you to view the statistics from other servers.
All
map Displays a network map All
quit <reason> Causes you to disconnect from the server. If you include a reason, it will be displayed on all channels as you quit All
ping <user> Sends a PING request to a user. Used for checking connection and lag. Servers issue pings on a timed basis to determine if users are still connected.
All
version <nick> Sends a CTCP Version request to the user. If configured to do so, their client will respond with the client version.
All
links Displays a list of all servers linked to the network All
Admin <server> Displays the admin info of a server. If a server name is included it will display the info of that server.
All
userhost <nick> Displays the userhost of the nick given. Generally used for scripts
All
topic <channel> <topic> Topic <channel> will display the current topic of the given channel. Topic <channel> <topic> will change the topic of the given channel.
All
invite <nick> <channel> Invites the given user to the given channel. (Must be a channel Op)
ChanOp
kick <channel, channel> <user, user> <reason> Kicks a user or users out of a channel, or channels. A reason may also be supplied.
ChanOp
away <reason> Marks you as being away. A reason may also be supplied.
All
Watch +-<nick> +-<nick>
Watch is a new notify-type system in UnrealIRCd which is both faster and uses less network resources than any old-style notify system. The server will send you a message when any nickname in your watch list logs on or off. The watch list DOES NOT REMAIN BETWEEN SESSIONS - you (or your script or client) must add the nicknames to your watch list every time you connect to an IRC server.
All
helpop ?<topic> or !<topic>
HelpOp is a new system of getting IRC Server help. You type either /HELPOP ? <help system topic> or /HELPOP ! <question> The "?" in /HELPOP means query the help system and if you get no response you can choose '!' to send it to the Help Operators online. Using neither ? nor ! will mean the command will be first queried within the help system and if no match if found , it will be forwarded to the help operators All
list <search string> If you don't include a search string, the default is to send you the entire unfiltered list of channels. Below are the options you can use, and what channels LIST will return when you use them.
>number List channels with more than <number> people.
<number List channels with less than <number> people.
C>number List channels created between now and <number> minutes ago.
C<number List channels created earlier than <number> minutes ago.
T>number List channels whose topics are older than <number> minutes (Ie., they have not changed in the last <number> minutes.
T<number List channels whose topics are newer than <number> minutes.
*mask* List channels that match *mask*
!*mask* List channels that do not match *mask*
All
Knock <channel> <message>
Allows you to ‘knock’ on an invite only channel and ask for access. Will not work if channel has one of the following modes set: +K +V. Will also not work if you are banned
All
setname Allows users to change their ‘Real Name’ without reconnecting
All
vhost <login> <password> Hides your host name by using a vhost provided by the server.
All
mode <chan/nick> <mode>
Lets you set channel and user modes. See User & Channel Modes for a list.
All
credits Lists credits for everyone that has helped create UnrealIRCd
All
license Displays the GNU License All
time <server> Displays the servers date and time. Including a server name allows you to check other servers.
All
botmotd <server>
Displays the servers bot message of the day. Including a server name allows you to check other servers All
identify <password> Sends your password to the services system to identify to your nick.
All
identify <channel> <password> Sends your password to the services system to identify as the founder of a channel.
All
dns <option> Returns information about the IRC server's DNS cache. Note, since most clients have a built-in DNS command, you will most likely need to use /raw DNS to use this. Opers may specify an l as the first parameter to the command to receive a list of entries in the DNS cache. All
userip <nick>
Returns the IP address of the user in question. All
oper <userid> <password>
Command to give a user operator status if they match an Oper Block
IRCop
wallops <message> Sends a message to all users with umode +w IRCop
globops <message> Sends a message to all global IRCops IRCop
chatops <message> Sends a message to all IRCops (local and global) IRCop
locops <message> Sends a message to all local IRCops IRCop
adchat <message> Sends a message to all Admins IRCop
nachat <message> Sends a message to all Net Admins IRCop
kill <nick> <reason> Kills a user from the network IRCop
kline [+|-]<user@host | nick> [<time to ban> <reason>] Bans the hostmask from the server it is issued on. A kline is not a global ban.
time to ban is either: a) a value in seconds, b) a time value, like '1d' is 1 day or c) '0' for permanent. Time and reason are optional, if unspecified set::default-bantime (default: 0/permanent) and 'no reason' are used.
To remove a kline use /kline -user@host
IRCop
zline [+|-]<*@ip> [<time to ban> <reason>] Bans an IP Address from the local server it is issued on (not global). See kline for more syntax info. Use /zline -*@ip to remove.
IRCop
gline [+|-]<user@host | nick> [<time to ban> <reason>]
Adds a global ban to anyone that matches. See kline for more syntax info. Use /gline -user@host to remove.
IRCop
shun [+|-]<user@host | nick> [<time to shun> <reason>]
Prevents a user from executing ANY commands and prevents them from speaking. Shuns are global (like glines). See kline for more syntax info. Use /shun -user@host to remove a shun.
IRCop
gzline [+|-]<ip> <time to ban> :<reason>
Adds a global zline. See kline for more syntax info. Use /gzline -*@ip to remove a gzline.
IRCop
rehash <server> –<flags> Rehashes the servers config file. Including a server name allows you to rehash a remote servers config file. Several flags are also available. They Include
-motd - Only rehash all MOTD and RULES files (including tld {})
-opermotd - Only rehash the OPERMOTD file
-botmotd - Only rehash the BOTMOTD file
-garbage - Force garbage collection
IRCop
restart <password> <reason>
Restarts the IRCD Process. Password is required if drpass { } is present. You may also include a reason.
IRCop
die <password>
Terminates the IRCD Process. Password is required if drpass { } is present. IRCop
lag <server>
This command is like a Sonar or Traceroute for IRC server. You type in /LAG irc.fyremoon.net and it will reply from every server it passes with time and so on. Useful for looking where lag is and optional TS future/past travels
IRCop
sethost <newhost> Lets you change your vhost to what ever you want it to be.
IRCop
setident <newident>
Lets you set your ident to what ever you want it to be
IRCop
chghost <nick> <newhost>
Lets you change the host name of a user currently on the system
IRCop
chgident <nick> <newident>
Lets you change the ident of a user currently on the system
IRCop
chgname <nick> <newname>
Lets you change the realname of a user currently on the system
IRCop
squit <server>
Disconnects a server from the network
IRCop
connect <server> <port> <server> If only one server is given, it will attempt to connect the server you are ON to the given server. If 2 servers are given, it will attempt to connect the 2 servers together. Put the leaf server as the first, and the hub server as the second.
IRCop
dccdeny <filemask> <reason>
Adds a DCCDENY for that filemask. Preventing that file from being sent.
IRCop
undccdeny <filemask>
Removes a DCCDENY IRCop
sajoin <nick> <channel>, <channel>
Forces a user to join a channel(s). Available to services & network admins only IRCop
sapart <nick> <channel>, <channel>
Forces a user to part a channel(s). Available to services & network admins only.
IRCop
samode <channel> <mode>
Allows Network & Services admins to change modes of a channel without having ChanOps.
IRCop
rping <servermask>
Will calculate in milliseconds the lag between servers
IRCop
trace <servermask|nickname>
When used on a user it will give you class and lag info. If you use it on a server it gives you class/version/link info.
IRCop
opermotd
Displays the servers OperMotd File
IRCop
addmotd :<text>
Will add the given text to the end of the Motd
IRCop
addomotd :<text>
Will add the given text to the end of the OperMotd
IRCop
sdesc <newdescription>
Allows server admins to change the description line of their server without restarting.
IRCop
addline <text>
Allows you to add lines to the unrealircd.conf
IRCop
mkpasswd <password>
Will encrypt a clear text password to add it to the unrealircd.conf
IRCop
tsctl offset +/- <time>
Adjust the IRCD’s Internal clock (Do NOT use if you do not understand EXACTLY what it does)
IRCop
tsctl time
Will give a TS Report IRCop
tsctl alltime Will give a TS Report of ALL servers IRCop
tsctl svstime <timestamp>
Sets the TS time of all servers (Do NOT use if you do not understand EXACTLY what it does)
IRCop
htm <option>
Controls settings related to high traffic mode. High Traffic Mode (HTM) basically disables certain user commands such as: list whois who etc in response to extremely high traffic on the server. Options include:
-ON Forces server into HTM
-OFF Forces server out of HTM
-NOISY Sets the server to notify users/admins when in goes in and out of HTM
-QUIET Sets the server to NOT notify when going in and out of HTM
-TO <value> Tell HTM at what incoming rate to activate HTM
IRCop
stats <option>
B - banversion - Send the ban version list
b - badword - Send the badwords list
C - link - Send the link block list
d - denylinkauto - Send the deny link (auto) block list
D - denylinkall - Send the deny link (all) block list
e - exceptthrottle - Send the except throttle block list
E - exceptban - Send the except ban and except tkl block list
f - spamfilter - Send the spamfilter list
F - denydcc - Send the deny dcc block list
G - gline - Send the gline and gzline list
  Extended flags: [+/-mrs] [mask] [reason] [setby]
    m Return glines matching/not matching the specified mask
    r Return glines with a reason matching/not matching the specified reason
    s Return glines set by/not set by clients matching the specified name
I - allow - Send the allow block list
j - officialchans - Send the offical channels list
K - kline - Send the ban user/ban ip/except ban block list
l - linkinfo - Send link information
L - linkinfoall - Send all link information
M - command - Send list of how many times each command was used
n - banrealname - Send the ban realname block list
O - oper - Send the oper block list
P - port - Send information about ports
q - sqline - Send the SQLINE list
Q - bannick - Send the ban nick block list
r - chanrestrict - Send the channel deny/allow block list
R - usage - Send usage information
S - set - Send the set block list
s - shun - Send the shun list
  Extended flags: [+/-mrs] [mask] [reason] [setby]
    m Return shuns matching/not matching the specified mask
    r Return shuns with a reason matching/not matching the specified reason
    s Return shuns set by/not set by clients matching the specified name
t - tld - Send the tld block list
T - traffic - Send traffic information
u - uptime - Send the server uptime and connection count
U - uline - Send the ulines block list
v - denyver - Send the deny version block list
V - vhost - Send the vhost block list
X - notlink - Send the list of servers that are not current linked
Y - class - Send the class block list
z - zip - Send compression information about ziplinked servers (if compiled with ziplinks support)
Z - mem - Send memory usage information
All
module
Lists all loaded modules All
close
This command will disconnect all unknown connections from the IRC server. IRCOp

8 – Security tips/checklist

If you are concerned about security (you should be!), this section will help you get an overview of the risks that are out there and their risk-level. Alternatively you can use it as a "checklist" to walk through your (network) configuration to make things more secure.

The list is ordered by by popularity/risk level/most-often-used-attack-methods:

8.1 Passwords

Choose good oper passwords, link passwords, etc:
- use mixed case and digits ("Whbviwf5") and/or something long ("blaheatsafish", "AlphaBeta555").
- DO NOT use your link/oper passwords for something else like your mail account, bot password, forums, etc...

8.2 Non-Ircd related vulnerabilities

There's a far bigger chance a box will get hacked by a non-irc(d) vulnerability than by some bug in UnrealIRCd. If you for example run http, dns, smtp and ftp servers on the same box you have a much higher risk. Also, if you are on a multi-user box (eg: you bought a shell) there's the risk of local exploits and bad permissions (see next). This risk is quite high so be careful when selecting a shell provider.

8.3 Permissions and the configfile

Always make sure your home directory and UnrealIRCd directory have correct permissions, (group/)other shouldn't have read permissions. Otherwise a local user can simply grab your configfile and look for passwords... In short: chmod -R go-rwx /path/to/Unreal3.2 if you are unsure about this.
Other things related to this: never put your UnrealIRCd inside the webroot or some other kind of shared directory. And for backups, make sure they get the correct permissions too (it happens quite frequently everything is secured fine but there's a backup.tar.gz lying around readable by everyone).

You also want to use encrypted passwords wherever possible, if you compile with OpenSSL support (which you do, since you are concerned with security, right?) then I suggest to use sha1 or ripemd160 password encryption, else use md5. Also if you still have encrypted (oper) blocks left from Unreal3.2.1 or before I suggest you to re-enrypt these (just re-run /mkpasswd), because 3.2.1 introduced some considerable anti-crack improvements (basically a 14x slowdown of active cracks, and making stored-plain-ciphertext cracks impossible).
Still, do note that this is just 'yet another layer of security', since if you have weak passwords they can still be cracked relatively easily and if someone manages to get your configfile there are usually other interesting things in it that may aid an attacker, like link::password-connect.

8.4 User-related problems

Just like most of these things, this is not UnrealIRCd-specific, but..
Always choose your opers and admins wisely. And do remember the concept of weakest-link. Even though you are careful and did everything in this doc, maybe your friend which is an oper too did something stupid. Like share his harddrive via netbios/kazaa/morpheus/.., got a trojan, used an obvious password, etc etc.. Unfortunately, it's not always in your control.
One thing you could do however is carefuly choose which privileges someone needs (oper::flags).

8.5 SSL/SSH & sniffing

Use SSL connections between servers and as an oper, this will protect you against "sniffing". Sniffing is possible if an attacker hacked a box somewhere between you and your ircd server, he can then look at ALL network traffic that passes by; watch all conversations, capture all passwords (oper logins, nickserv, etc).. For the same reason, always use ssh instead of telnet.

8.6 Denial of Service attacks (DoS) [or: how to protect my hub]

A lot of networks have experienced how much "fun" a flood or (D)DoS attack is, you can however do some things to reduce the damage caused by it. Most nets have a hub server, what some people seem to forget is that it's quite easy to protect the hub server from getting attacked.
I'll explain it here:
1. Set the name of the hub to a hostname that doesn't exist, eg 'hub.yournet.com', but
    don't add a dns record for it. This way an attacker cannot resolve the host and
    cannot flood it either. Then simply link your servers to the hub by specifying the
    IP or another non-public hostname.
    Example 1: link visibiblename.yournet.com { hostname 194.15.123.16; [etc] };.
    Example 2: link visibiblename.yournet.com { hostname thehostnamethatworks.yournet.com; [etc] };.
    On a sidenote, for the last example you must be sure your nameservers don't allow zone transfers, but that's way too off-topic ;).
2. Another important step is then to hide '/stats c' and other stats information, otherwise
    attackers can simply list your link blocks. Usually if you are this paranoid (like
    me) you can simply do: set { oper-only-stats "*"; }; to restrict all /stats usage.
    If you don't want that, at least hide "CdDlLXz". More about this in the next section.

Of course those steps are less useful if they are applied afterwards (eg: after a few months)
instead of at the beginning because the IP's might be already known to some evil guys, still.. it's worth to do.
Also note that attackers can still flood all non-hub servers, but that requires more effort
than just attacking 1 or 2 weak points (the hubs), also this way your hubs & services will stay alive :).

8.7 Information disclosure

STATS
The /stats command is very informative, you probably want to restrict it's usage as much as possible. A question you should ask yourself is "what do I want my users to see?". Most big networks choose "nothing", while others prefer their clients to be able to do '/stats g' and '/stats k'.
I suggest you to use set { oper-only-stats "*"; }; to deny all /stats for non-opers, but if you don't want that, step through the '/stats' list (gives an overview of all available options) and block everything except what you want to allow.. (if in doubt, just deny.. why should they really need to know all this?).
To give you a few examples:
- /stats o: gives you the nicks of opers (with correct case) and hostmasks.
- /stats c: gives you an idea about serverlinks and which to use as 'backup', etc..
- /stats g, /stats k: usually used for banning proxies.. so this will simply give attackers a list of proxies they can use.
- /stats E, /stats e: pretty sensitive info, especially if an attacker can use these addresses
- /stats i, /stats y: might aid an attacker in finding hosts which allow lots of connections.
- /stats P: helps him find serveronly ports
etc etc...

MAP / LINKS
Several people have asked if there was some way to disable /map or /links. Our position on this is that it's silly and gives a false sense of security, let me explain... Hiding servers that are actually used by users is useless since they already know about your servers (how else could they get on them in the first place?). For any servers that you don't want users on, see section 8.6.
Now what CAN you do? Since 3.2.1 there's an option called 'flat map' (set::options::flat-map), this will make all servers appear as 'directly linked' in /map and /links, thus normal users can no longer see which server is linked to which... This can be a nice additional layer of protection because this way a kiddie cannot easily spot any 'weak points' with /map or /links. So, use of this is recommended. Note that this is not foolproof... If any split happends someone can still see which server was linked to which, and this is also true for some other things as well.

NORMAL USERS & SNOMASKS
A feature that isn't widely known is that normal users can also set some limited snomasks, namely +s +sk. By this they can see things like rehashes, kills and various other messages.
To disable this you can use set::restrict-usermodes like this: set { restrict-usermodes "s"; };.


Of course all of this is "information hiding", so it's not "true" security. It will however make it more difficult / increase the effort needed to attack/hack.

8.8 Protecting against exploits

There are kernel patches that make it more difficult for stack- and heap-based exploits to work. This is nice, but should not be your main focus point, you have a far more bigger risk of getting exploited through the other points than this... for various reasons.
Another option is enabling chrooting (*NIX only), which means upon a succesfull exploit, the user is confined to the UnrealIRCd directory and cannot touch any other files. This requires root privileges, modifying of include/config.h (search for CHROOTDIR, and also set IRC_USER and IRC_GROUP), and a recompile.

There's one thing you should definately do, which is to ALWAYS USE THE LATEST VERSION, subscribe to the unreal-notify mailinglist right now so you receive the release announcements (unreal-notify is for release announcements only, so only 1 mail per X months). Usually it's explicitly mentioned in the release announcement if the release contains (high risk) security fixes, but it's good to upgrade anyway.

8.9 Summary

As you now hopefully understand, you can never be 100% secure. You (and us) have to find&fix every hole out there, while an attacker only needs to find just 1 server with 1 hole. Everything that was explained here DOES however help by minimizing the risks considerably. Do take the time to secure your network and educate your opers. A lot of people don't care about security until they got hacked, try to avoid that :).

9 – Frequently Asked Questions (FAQ)

The FAQ is available online here

A Regular Expressions

Regular expressions are used in many places in Unreal, including badwords, spamfilter, and aliases. Regular expressions are a very complex tool used for pattern matching. They are sometimes referred to as "regexp" or "regex." Unreal uses the TRE regular expression library for its regex. This library supports some very complex and advanced expressions that may be confusing. The information below will help you understand how regexps work. If you are interested in more technical and detailed information about the regexp syntax used by Unreal, visit the TRE homepage.

A.1 Literals

Literals are the most basic component of a regexp. Basically, they are characters that are treated as plaintext. For example, the pattern "test" consists of the four literals, "t," "e," "s," and "t." In Unreal, literals are treated as case insensitive, so the previous regex would match "test" as well as "TEST." Any character that is not a "meta character" (discussed in the following sections) is treated as a literal. You can also explicitely make a character a literal by using a backslash (\). For example, the dot (.) is a metacharacter. If you wish to include a literal ., simply use \. and Unreal will treat this as a period. It is also possible that you want to check for a character that is not easily typed, say ASCII character 3 (color). Rather than having to deal with using an IRC client to create this character, you can use a special sequence, the \x. If you type \x3, then it is interpretted as being the ASCII character 3. The number after the \x is represented as hexidecimal and can be in the range from \x0 to \xFF.

A.2 Dot Operator

The dot (.) operator is used to match "any character." It matches a single character that has any value. For example, the regex "a.c" will match "abc," "adc," etc. However, it will not match "abd" because the "a" and "c" are literals that must match exactly.

A.3 Repetition Operators

One of the common mistakes people make with regex is assuming that they work just like wildcards. That is, the * and ? characters will match just like in a wildcard. While these characters do have similar meaning in a regex, they are not exactly the same. Additionaly, regular expressions also support other, more advanced methods of repetition.

The most basic repetition operator is the ? operator. This operator matches 0 or 1 of the previous character. This, "of the previous character," is where the ? in regex differs from a wildcard. In a wildcard, the expression, "a?c" matches an "a" followed by any character, followed by a "c". In regex it has a different meaning. It matches 0 or 1 of the letter "a" followed by the letter "c". Basically, the ? is modifying the a by specifying how many a's may be present. To emulate the ? in a wildcard, the . operator is used. The regex "a.c" is equivilent to the previously mentioned wildcard. It matches the letter "a" followed by any character, followed by a "c".

The next repetition operator is the *. Again, this operator is similar to a wildcard. It matches 0 or more of the previous character. Note that this "of the previous character" is something that is characteristic of all repetition operators. The regex "a*c" matches 0 or more a's followed by a "c". For example, "aaaaaac" matches. Once again, to make this work like a wildcard, you would use "a.*c" which will cause the * to modify the . (any character) rather than the "a."

The + operator is very similar to the *. However, instead of matching 0 or more, it matches 1 or more. Basically, "a*c" will match "c" (0 a's followed by a c), where as "a+c" would not. The "a+" states that there must be "at least" 1 a. So "c" does not match but "ac" and "aaaaaaaaac" do.

The most advanced repetition operator is known as a "boundary." A boundary lets you set exact constraints on how many of the previous character must be present. For example, you may want to require exactly 8 a's, or at least 8 a's, or between 3 and 5 a's. The boundary allows you to accomplish all of these. The basic syntax is {M,N} where M is the lower bound, and N is the upper bound. For example, the match between 3 and 5 a's, you would do "a{3,5}". However, you do not have to specify both numbers. If you do "a{8}" it means there must be exactly 8 a's. Therefore, "a{8}" is equivilent to "aaaaaaaa." To specify the "at least" example, you basically create a boundary that only has a lower bound. So for at least 8 a's, you would do "a{8,}".

By default, all of the repetition operators are "greedy." Greediness is a somewhat complex idea. Basically, it means that an operator will match as many characters as it can. This is best explained by an example.

Say we have the following text:
HELLO
And the following regex:
.+L

In this example, you might think that the .+ matches "HE." However, this is incorrect. Because the + is greedy, it matches "HEL." The reason is, it chooses the largest portion of the input text that can be matched while still allowing the entire regex to match. In this example, it chose "HEL" because the only other requirement is that the character after the text matched by .+ must be an "L". Since the text is "HELLO", "HEL" is followed by an "L," and therefore it matches. Sometimes, however, it is useful to make an operator nongreedy. This can be done by adding a ? character after the repetition operator. Modifying the above to, ".+?L" the .+? will now match "HE" rather than "HEL" since it has been placed in a nongreedy state. The ? can be added to any repetition character: ??, *?, +?, {M,N}?.

A.4 Bracket Expressions

Bracket expressions provide a convenient way to do an "or" operator. For example, if you want to say "match an a or a b." The bracket expression gets its name from the fact that it is enclosed in brackets ([]). The basic syntax is that the expression includes a series of characters. These characters are then treated as though there were an "or" between them. As an example, the expression "[abc]" matches an "a," a "b," or a "c." Therefore, the regexp "a[bd]c" matches "abc" and "adc" but not "acc."

One very common thing to do is to check for things such as, a letter, or a digit. Rather than having to do, for example, "[0123456789]", the bracket operator supports ranges. Ranges work by specifying the beginning and ending point with a - between them. Therefore, a more simplistic way to test for a digit is to simply do "[0-9]". The same thing can be used on letters, or in fact, any range of ASCII values. If you want to match a letter, simply do "[a-z]" since Unreal is case insensitive, this will match all letters. You can also include multiple ranges in the same expression. To match a letter or a number, "[0-9a-z]". One complication that this creates is that the - is a special character in a bracket expression. To have it match a literal -, the easiest way is to place it as either the first or last character in the expression. For example, "[0-9-]" matches a digit or a -.

To make things even more simple, there are several "character classes" that may be used within a bracket expression. These character classes eliminate the need to define certain ranges. Character classes are written by enclosing their name in :'s. For example, "[0-9]" could also be written as "[:isdigit:]". The list below shows all of the available character classes and what they do:

One important note about character classes is that they MUST be the only element in the expression. For example, [:isdigit:-] is NOT legal. Instead, you can accomplish this same goal by nesting the expressions, for example, to do the same thing as "[0-9-]" using a character class, you could do "[[:isdigit:]-]".

The last feature of the bracket expression is negation. Sometimes it is useful to say "anything except these characters." For example, if you want to check if the character is "not a letter," it is easier to list a-z and say "not these," than it is to list all the non-letters. Bracket expressions allow you to handle this through negation. You negate the expression by specifying a "^" as the first character. For example, "[^a-z]" would match any non-letter. As with the -, if you want to include a literal ^, do not place it in the first position, "[a-z^]". Also, to negate a character class, you must once again use nesting, "[^[:isdigit:]]" would match any non-digit.

A.5 Assertions

Assertions allow you to test for certain conditions that are not representable by character strings, as well as providing shortcuts for some common bracket expressions.

The ^ character is referred to as the "left anchor." This character matches the beginning of a string. If you simply specify a regex such as "test", it will match, for example "this is a test" since that string contains "test." But, sometimes it is useful to ensure that the string actually starts with the pattern. This can be done with ^. For example "^test" means that the text must start with "test." Additionally, the $ character is the "right anchor." This character matches the end of the string. So if you were to do "^test$", then the string must be exactly the word "test."

Similar tests also exist for words. All of the other assertions are specified using a \ followed by a specific character. For example, to test for the beginning and ending of a word, you can use \< and \> respectively.

The remaining assertions all come with two forms, a positive and a negative. These assertions are listed below:

A.6 Alternation

Alternation is a method of saying "or." The alternation operator is the vertical bar (|). For example, if you wanted to say "a or b" you could do "a|b". For normal letters, this could be replaced by a bracket expression, but alternation can also be used with subexpressions (discussed in the next section).

A.7 Subexpressions

Subexpressions are a portion of of a regex that is treated as a single entity. There are two ways to create a subexpression. The two methods differ with regard to "back references," which will be explained later. To declare a subexpression that uses back references, simply enclose it in parentheses (). To create a subexpression that does not use back references, replace the open-parenthesis with, "(?:". For example, "([a-z])" and "(?:[a-z])". The reason subexpressions are useful is you can then apply operators to the expression. All of the repetition operators, for example, that were mentioned as "X or more of the previous character," can also be used for "X or more of the previous subexpression." For example, if you have a regex of "[0-9][a-z][0-9]", to match a digit, followed by a letter, followed by a digit, and then you decided you wanted to match this sequence twice. Normally, you would do, "[0-9][a-z][0-9][0-9][a-z][0-9]". With subexpressions, however, you can simply do "([0-9][a-z][0-9]){2}".

A.8 Back References

Back references allow you to reference the string that matched one of the subexpressions of the regexp. You use a back reference by specifying a backslash (\) followed by a number, 0-9, for example \1. \0 is a special back reference that refers to the entire regexp, rather than a subexpression. Back references are useful when you want to match something that contains the same string twice. For example, say you have a nick!user@host. You know that there is a trojan that uses a nickname and username that matches "[0-9][a-z]{5}", and both the nickname and username are the same. Using "[0-9][a-z]{5}![0-9][a-z]{5}@.+" will not work because it would allow the nickname and username to be different. For example, the nickname could be 1abcde and the username 2fghij. Back references allow you to overcome this limitation. Using, "([0-9][a-z]{5})!\1@.+" will work exactly as expected. This searches for the nickname matching the given subexpressions, then it uses a back reference to say that the username must be the same text.

Since you can only have 9 back references, this is the reason why the (?:) notation is useful. It allows you to create a subexpression without wasting a back reference. Additionally, since back reference information does not need to be saved, it is also faster. Because of this, non-back reference subexpressions should be used whenever back references are not needed.

A.9 Case Sensitivity

As was already mentioned, Unreal makes all regexps case insensitive by default. The main reason for this is, there seem to be many more instances where you want case insensitive searching rather than sensitive, for example, if you block the text "www.test.com," you presumably want to block "WWW.TEST.COM" as well. However, there are instances where you may want case sensitivity, for example, matching for certain trojans. Because of this, a method is provided to dynamically turn case insensitivity on/off. To turn it off, simply use "(?-i)" and to turn it on, "(?i)". For example, "(?-i)[a-z](?i)[a-z]" will match a lowercase letter (case insensitivity is off) followed by either an uppercase or lowercase letter (case insensitivity is on). Additionally, rather than having to always remember to turn the flag back on when you are finished, you can also specify that the flag change should only apply to a subexpression, for example, "(?-i:[a-z])[a-z]" is equivilent to the previous regexp because the -i only applies to the given subexpression.