Dear Misc,

This is somewhat off topic, but it's been on my mind for quite some time, and someone just brought up IRC, so I thought I'd ask.

I've been looking to set up an IRC server for some time now. It would be mostly for personal use, and I don't plan on having more than a handful of concurrent users or connecting said server to any IRC network. My primary criteria are:
 - Good security track record
 - Runs on OpenBSD (port or package)
 - Clean code (Preferably C)
 - Supports encrypted connections

I've read some atrocious IRCd source; I believe I even read one (an old version of hybrid?) where all configuration had to be done at compile time with #define statements instead of using a configuration file. I would prefer C over C++ (hence I'm not too fond of inspIRCd, also because they recently had an exploit in one of their default modules).

As I cannot trust the integrity of others' connections, I wish for connections to be encrypted in some form or another. Multiple IRC servers support encryption via SSL; such a feature would be desirable. I would like to have channels guaranteed to be private, where private is defined as exclusively comprised of explicitly allowed users (allowed by me, in some configuration file), who must have authenticated via PASS or something to ensure that they are not impostors, and either be using *encrypted* connections from *unspecified*, changing, origins (as in the case of my phone, laptop, and friends' computers) or *unencrypted* connections from *known*, fixed, origins (as in the case of my bots).

*IF THE ABOVE IS NOT POSSIBLE*, I want to prevent anyone from connecting to my server except for myself, my friends, and my bots. Normally I would accomplish this via PF; however, in this case I cannot because I don't have a list of IPs to allow. I frequently use IRC via my phone, whose IP very often changes and is in a range much bigger than I'd like to allow. The problem of my phone could be solved by using a bouncer; however, such a service would also need to be locked down, thus bringing me back to block 0. My friends also use varying (unpredictable) locations, and whitelisting each one on an as-needed basis would be infeasible. One potential solution I have sought is preventing users from doing anything until a proper NICK/USER/PASS has been provided, with all accounts created by myself and told to the intended user in a secure/prearranged manner; patching my bots to authenticate as such would be rather trivial.

Features of the IRCd are not as important to me as its security. Sure, nickserv & chanserv & friends would be nice, but I'm more concerned about keeping outsiders/snoopers out of private channels and keeping my/friends' connections secure, and less concerned about preventing chat flooding, opless channels, etc.

So far I have looked into:
 * ngIRCd - so far my favorite
 * UnrealIRCd  }
 * IRCD-Hybrid } - all forks from the same giant nightmare
 * Ratbox IRCd }
 * inspIRCd - written in C++, and doesn't have a great track record
but I am completely open to anything.

Many thanks,
Jean-Philippe
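
The admission rule described in the message above, written out as an added example (not part of the original post, and not code from any of the IRC daemons named): a listed account must authenticate, and is then admitted either over an encrypted connection from any origin or over a cleartext connection from its one fixed origin. The account names, passwords, addresses and function names are constructed for illustration; the sketch assumes the peer address arrives in normalized text form and keeps secrets in plain text only for brevity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts; a real daemon would store password hashes. */
struct account {
    const char *nick;
    const char *pass;
    const char *fixed_origin;   /* NULL: roaming user, cleartext never allowed */
};

static const struct account allowed[] = {
    { "jp",     "correct-horse",  NULL },
    { "friend", "battery-staple", NULL },
    { "logbot", "bot-secret",     "192.0.2.10" },
};

/* Compare every supplied byte so timing does not reveal where a mismatch is. */
static bool secret_equal(const char *supplied, const char *stored)
{
    size_t ls = strlen(supplied), lt = strlen(stored);
    unsigned char diff = (unsigned char)(ls != lt);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(supplied[i] ^ stored[i % (lt ? lt : 1)]);
    return diff == 0;
}

/* Decide whether a registered connection may join a private channel. */
bool may_join_private(const char *nick, const char *pass,
                      bool tls, const char *peer_ip)
{
    if (nick == NULL || pass == NULL || peer_ip == NULL)
        return false;
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++) {
        const struct account *acc = &allowed[i];
        if (strcmp(nick, acc->nick) != 0)
            continue;
        if (!secret_equal(pass, acc->pass))
            return false;           /* listed nick, wrong PASS */
        if (tls)
            return true;            /* encrypted: any origin is acceptable */
        /* cleartext: only from the address pinned to this account */
        return acc->fixed_origin != NULL &&
               strcmp(peer_ip, acc->fixed_origin) == 0;
    }
    return false;                   /* not on the list: default deny */
}
```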
