
protect-telnet / global hostmask match

charles
Voice
Posts: 2
Joined: Mon Feb 22, 2010 11:34 am


Post by charles »

I just experienced odd behavior on my first eggdrop (1.6.19+ctcpfix+ssl) and wanted some clarification from the pros if this is intentional behavior or indeed a bug.

I want to issue certain commands to the eggdrop via php by utilizing a telnet connection.
For security purposes I want to limit the eggdrop script user as much as possible.
I.e. only allow telnet connections and no IRC connections.
And furthermore only allow telnet connections for that user coming from localhost.
I have activated the protect-telnet option, but apparently eggdrop is not matching the allowed hosts on a per-user basis, but immediately on connect and independently of the users the hostmask was specified for.

Example:
User A has access with this hostmask: -telnet!*@*.t-dialin.net
User B has access with this hostmask: -telnet!*@*.comcast.net
User C does not have a telnet hostmask at all.

Instead of refusing all telnet login attempts for user C, someone with the hostmask of user A or B can log in via telnet as user C.
Also, connections to user A and B are not limited to their own hostmasks, but to all known hostmasks, meaning a user with user B's telnet hostmask could log in as user A and vice versa.

Now I am wondering if this behavior is intentional or a bug and if there is any way to bypass this?


Thanks in advance for any assistance.
Regards,
charles
TCL_no_TK
Owner
Posts: 509
Joined: Fri Aug 25, 2006 7:05 pm
Location: England, Yorkshire

Post by TCL_no_TK »

# This setting will drop telnet connections not matching a known host.
There isn't any behavior change as far as I can remember. The telnet hosts are allowed to telnet regardless of who their username is with the telnet address.

If you're looking for the feature you have mentioned, you should look at
# Define here whether or not a +o user still needs the +p flag to dcc the bot.
set require-p 0
And give the +p flag to people you wish to allow dcc/telnet access to.
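
The difference between the host check described in the two posts above and the per-user check the first post expected, as an added Python model. It is not Eggdrop's code and not part of either post. The user table is the A/B/C example from the first post; the connecting hostnames are constructed, and only the host gate is modelled, not the login that follows it.

```python
# Model of the two host checks discussed in this thread (not Eggdrop source).
import re

TELNET_PREFIX = "-telnet!"

# Handles and hostmasks from the example in the first post.
USERS = {
    "A": ["-telnet!*@*.t-dialin.net"],
    "B": ["-telnet!*@*.comcast.net"],
    "C": [],  # no telnet hostmask at all
}

def telnet_masks(masks):
    """user@host part of each -telnet! mask in a user's host list."""
    return [m[len(TELNET_PREFIX):] for m in masks if m.startswith(TELNET_PREFIX)]

def mask_matches(mask, userhost):
    """Wildcard match (* and ?), case-insensitive, against user@host."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask
    )
    return re.fullmatch(pattern, userhost, re.IGNORECASE) is not None

def global_check(users, userhost):
    """Gate as described in the thread: any user's telnet mask admits the
    connection, because no handle is known yet when it is evaluated."""
    return any(
        mask_matches(m, userhost)
        for masks in users.values()
        for m in telnet_masks(masks)
    )

def per_user_check(users, handle, userhost):
    """Gate the first post expected: only the masks of the handle logging in."""
    return any(mask_matches(m, userhost) for m in telnet_masks(users.get(handle, [])))

def compare(users, handle, userhost):
    """Return (admitted by global check, admitted by per-user check)."""
    return global_check(users, userhost), per_user_check(users, handle, userhost)

if __name__ == "__main__":
    # Constructed attempts: (handle given at login, connecting user@host).
    for handle, userhost in [
        ("A", "u@p1.t-dialin.net"),
        ("A", "u@c-1.comcast.net"),
        ("C", "u@p1.t-dialin.net"),
        ("C", "u@host.example.org"),
    ]:
        print(handle, userhost, compare(USERS, handle, userhost))
```

Any row where the two results differ is a connection the global check admits for a handle whose own masks do not cover it.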
charles
Voice
Posts: 2
Joined: Mon Feb 22, 2010 11:34 am

Post by charles »

TCL_no_TK,

Thank you for the explanation.
I already have "set require-p 1" in my config for security purposes, but what I am looking for for my script user is a bit different.

I wanted the user (whose credentials will be unencrypted in a php script) to have access to the bot only via telnet and only from localhost.
So even in case there would be a security leak through the php script, a potential attacker would not be able to use the stolen login information.

But as there seemingly is no way to limit a user to telnet-only access and the telnet access by hostmask on a per-user basis, I will probably have to think of something else.

Maybe I will abandon telnet access for regular users altogether and only allow telnet from localhost and therefore for the script user - not exactly what I had wished for, but I am willing to sacrifice a bit of convenience for security :)
TCL_no_TK
Owner
Posts: 509
Joined: Fri Aug 25, 2006 7:05 pm
Location: England, Yorkshire

Post by TCL_no_TK »

You *may* want to look at the "livestats" feature of the stats.mod, since this has a similar system to what you are asking about for my very basic usage of it :P Thinking that you'll no doubt be using a socket for this, I wouldn't think any protect telnet or likewise would affect this unless you add some feature for this to be included.