User:Djahandarie/Channel Hardening

From Rizon Wiki

"Know your enemy and know yourself, find naught in fear for 100 battles" - Sun Tzu

Truly securing a channel means protecting it against both external and internal threats. These threats are often very real and do cause problems for channels. Naturally, the larger a channel gets, the bigger these threats are.

However, the goal of a secure channel can be achieved with only a few philosophical ideals and technical alterations.


The best way to protect against an attack is to not be a target in the first place.

The way to do this is to avoid attracting "bad attention". Sometimes bad attention is attracted through abusive or confrontational channel staff. If someone feels they have been wronged "by the channel", they will retaliate in various ways. Of course, it is sometimes necessary to kick/ban troublemakers, but it should be limited to only that, in order to not create troublemakers by accident.


Be a minimalist.

This idea is useful in many ways. When giving out access to your users, usually less is better. Giving out halfops or higher just for vanity purposes is usually not suggested. That said, a reality is that IRC channels often revolve around hierarchical status, and it is what spurs much of their activity. It is important to find a balance and only give more access to people who you know will not cause problems.

Similarly, constantly ranting about channel policy or channel politics in the channel itself is usually not a good idea, especially if you're in the process of kicking or banning people -- it will normally just cause a mess. Do only what is needed to solve the problem, and repair/discuss policies at a later time, or in a separate channel.




SecureOps

/msg ChanServ SET #channel SECUREOPS ON

This permanently syncs channel status (+hoaq) to access list permissions. This is generally a good idea, because it means only people who can modify the access list can give out +o, rather than any existing +o.


Channel modes

It is recommended to leave the two default modes on: +n, which prevents external messages, and +t, which only allows halfops+ to set the topic.

Some annoying things can simply be disabled, such as channel notices. They almost never have legitimate uses, and can be used as an attack vector:

/mode #channel +N

Similarly, channel CTCPs can be used to perform denial of service on channel users due to auto-response. Rizon is currently rolling out an update for a channel mode to block CTCPs.


It is recommended to set /mode #channel +p, which prevents halfops from halfopping other people, and also shows invite notices if the channel is set to invite-only.

It's also worth noting that setting your channel to "secret" (+s) can prevent bots that scrape the channel list from spamming the channel. This is viable when, say, most of the traffic comes from your website or some other source.


Finally, once you decide on what modes you want, it is recommended to lock the important ones. For example, if you followed the suggestions here:

/msg ChanServ SET #channel MLOCK +ntNp

This would prevent malicious, beginner, or fat-fingered ops from unsetting important modes. You could also prevent certain modes from being set, such as +i, but we will later learn that these modes can be useful for mitigating attacks.
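The following is an added example, not part of the original page or of Rizon's own tooling: a small Python check that reports which of the modes recommended above are missing from a channel's mode reply (numeric 324), and which of them a given MODE change unsets. The server name, nicknames and sample lines in the comments are constructed, and the function names are hypothetical.

```python
# Added example: audit a channel against this page's suggested mode lock (+ntNp).
BASELINE = "ntNp"  # modes the page recommends setting and locking


def apply_modes(modestr, current=()):
    """Apply a mode string such as '+nt-N' to a set of mode letters."""
    modes, adding = set(current), True
    for ch in modestr:
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif adding:
            modes.add(ch)
        else:
            modes.discard(ch)
    return modes


def missing_from_324(line):
    """Baseline modes absent from a ':server 324 me #chan +modes [params]' reply."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "324":
        raise ValueError("not a 324 (channel mode) reply")
    # parts[5:] holds mode parameters (key, limit); they are not mode letters.
    modes = apply_modes(parts[4])
    return "".join(m for m in BASELINE if m not in modes)


def removed_by_mode_change(line):
    """Baseline modes unset by a ':nick!user@host MODE #chan <modes>' line."""
    parts = line.split()
    if len(parts) < 4 or parts[1] != "MODE":
        raise ValueError("not a MODE line")
    # Start from the full baseline so '-N+N' in one line nets out to no change.
    after = apply_modes(parts[3], BASELINE)
    return "".join(m for m in BASELINE if m not in after)


def mlock_command(channel):
    """The ChanServ command from this page that locks the baseline modes."""
    return f"/msg ChanServ SET {channel} MLOCK +{BASELINE}"


if __name__ == "__main__":
    # Constructed sample lines.
    print(missing_from_324(":irc.example.net 324 auditbot #channel +ntk samplekey"))
    print(removed_by_mode_change(":someop!u@host.example MODE #channel -N+i"))
    print(mlock_command("#channel"))
```

A non-empty result from either check means the channel has drifted from the locked set, which is the situation MLOCK is meant to prevent.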




Responding to attacks

Depending on the type of attack, there are different ways to help mitigate it.