SkipIRC - Oper Guide

SkipIRC - Guide for Opers (IRCOps)

Introduction

This guide is aimed at chat admins who will be receiving Oper permissions in SkipIRC. While you may not need to use all of this all the time, you will certainly need to use some of it some of the time.

Receiving your Oper Block

When you connect to SkipIRC, you will need to generate your oper password. This is an additional password to your NickServ password. When connected, enter this command anywhere.

/mkpasswd bcrypt [password]

You'll receive something like this:

-safe.oh.us.irc.scpwiki.com- bcrypt hashed password for hunter2 is $2a$10$4uElGvGr5[redacted]Frvl/JD6kpp7N9C

Send that hashed password to bluesoul along with the username you wish to use to oper up. This is also separate from your NickServ password, and will work even if services are completely offline. You will still use hunter2 when you oper up, but this way your password is not revealed anywhere to anyone.

You will also need to connect from a reliable location, whether that's a bouncer like ZNC, an IRC bouncer service like IRCCloud, or a consistent DNS suffix like hsd1.il.comcast.net, in order of preferability. Multiple hosts can be added to the list to oper up, and you will only be able to be an oper from those approved locations.

Once you're told everything is set up, you can oper up with, for example:

/oper bluesoul hunter2

If successful, you will be dumped into a couple of channels immediately. If not, you will be told why. In addition, all online opers are notified on all successes and failures.

Oper Field Guide

There's a wide variety of things you may need to do in a given day. This field guide will lay out a wide variety of situations and commands to use to deal with them.

Handling Netsplits

A netsplit is a condition where two servers lose synchronization for any number of reasons. All oper alerting channels will fire off alerts when a split occurs and should give some indication as to why.

For reference, this is the current (and desired) link topology:

skipirc-topology.png

If you find yourself connected to a server that was part of the split, first attempt to reconnect it to its desired hub. For example, using the picture above, if you were connected to safe and it lost its connection to blackjack, try to reconnect it to blackjack first:

/connect blackjack*

If blackjack is not responding, reroute it to the other hub instead.

/connect hookers*

Now, if you were connected to safe, and saw hookers lose its connection to keter saying that keter timed out, you can send a remote connect command. The order here is important.

/rconnect hookers.ca.us.irc.scpwiki.com keter.nsw.au.irc.scpwiki.com

The first argument will be the server that's still connected to the network, and the second will be the one that is not. In this example, if keter was still not connecting, you could tell your local hub to try instead.

/rconnect blackjack.va.us.irc.scpwiki.com keter.nsw.au.irc.scpwiki.com

Note that client servers will also automatically attempt to connect to their desired hub automatically if it disconnects, and will try the backup if the primary fails. This is simply to expedite the process.

Hubs will not attempt to reconnect to other hubs automatically! If you see the hubs split you must do an /rconnect!

VHosts

Opers and Helpers will receive all vhost requests to approve. Note that unlike our previous services package, you cannot set a mask that includes the ident name.

Was OK, Still OK: /hs request no.kings
Was OK, Now Not OK: /hs request no@kings.never
Never been OK: /hs request bluesoul!no@kings.never

Users can set that ident name in their own client, somewhere so they can still get what they want.

You can review pending VHosts with:

/hs waiting

You'll get a list of nicknames and their requested host.

Nick:bluesoul, vhost:1-800.DISCOUNT.OCELOTS (bluesoul - Sep 14 15:36:22 2020 +0000)

You can approve a single one off the list:

/hs activate bluesoul

Or, if they're all fine, do all of them at once.

/hs activate *

If a nickname is objectionable, offensive, or potentially misleading…

Nick:JoeBloggs, vhost:netop.irc.scpwiki.com (JoeBloggs - Sep 14 15:36:22 2020 +0000)

Just reject it, and optionally tell them why.

/hs reject JoeBloggs Impersonating opers is forbidden.

This one also lets you reject all with /hs reject * as you could for approving.

Transferring channel ownership

We worked through the exact preferred procedure today and it should go as follows:

/cs ftransfer #channel newfounder
/cs fflags #channel oldfounder -*

Dealing with Problem Users

You have a number of ways to deal with users that are being problematic. Bear in mind that outside the official channels, issues between users in private channels should generally be handled by those users. If a user is banned from a channel that someone else owns, and wants to be unbanned, that is not something for opers to get involved in. However, spam (for example) in any channel is against our rules and thus an oper can get involved at any time.

Some of the tools available to you are Whois, Check, Kill, Shun, Zline, Akill, and Defcon. All kills, shuns, lines, akills, and adjusting of defcon will fire alerts to all online opers.

Whois

For an oper, a /whois command returns additional information than when a standard user does it.

/whois baduser
[14:08:58] baduser is moc.tibbim.thhn3e-PCS|c2e3f2da#moc.tibbim.thhn3e-PCS|c2e3f2da * Mibbit User
[14:08:58] baduser is connecting from moc.tibbim.1picri|c2e3f2da#moc.tibbim.1picri|c2e3f2da 207.192.75.252
[14:08:58] baduser using safe.oh.us.irc.scpwiki.com Safe - Ohio, USA
[14:08:58] baduser is using modes +ix
[14:08:58] baduser has been idle 4secs, signed on Mon Sep 14 14:08:52 2020
[14:08:58] baduser End of /WHOIS list.

All oper-level commands that involve hostmasks need the uncloaked value present in the "is connecting from" line.

(Yes, I know that's mibbit's host. I haven't set up the webirc block yet. I'll get around to it before the network is live. It's just an example. Don't @ me.)

Check

The /check command is used to get detailed information about a wide variety of things on the network. You'll primarily use it to check on a mask to see if there are others online from the same address. You can use the cloaked or uncloaked value.

/check SCP-e3nhht.mibbit.com
[14:14:41] START SCP-e3nhht.mibbit.com
[14:14:41] match 1 baduser!moc.tibbim.1picri|c2e3f2da#moc.tibbim.1picri|c2e3f2da 207.192.75.252 Mibbit User
[14:14:41] matches 1
[14:14:41] END SCP-e3nhht.mibbit.com

You can use it to check a channel to see who is in it.

/check #baduserzone
[14:19:46] START #baduserzone
[14:19:46] createdat 2020-09-14 20:19:37 UTC (1600114777)
[14:19:46] modes nt
[14:19:46] membercount 1
[14:19:46] member 1 @baduser!moc.tibbim.thhn3e-PCS|c2e3f2da#moc.tibbim.thhn3e-PCS|c2e3f2da (Mibbit User)
[14:19:46] END #baduserzone

You can use it to find all users online from a particular CIDR block.

/check 207.192.75.0/24
[14:22:15] START 207.192.75.0/24
[14:22:15] match 1 baduser!moc.tibbim.1picri|c2e3f2da#moc.tibbim.1picri|c2e3f2da 207.192.75.252 Mibbit User
[14:22:15] matches 1
[14:22:15] END 207.192.75.0/24

Kill

Killing a user disconnects them from the server they are connected to with an optional message.

/kill baduser
/kill spammeruser Spam is forbidden.

The user can reconnect immediately. This is thus useful to send a warning to a user that further bad behavior will result in an escalation to stronger actions.

Shun

Shunning a user instructs the servers to discard any messages or notices from that user, and all commands except /part and /quit. The user is not informed that they have been shunned. This can be useful for ban evasion cases where a user wishes to spam, it will appear to them that they are spamming but they are not.

A shun requires a time to be specified. It does not require a hostmask.

/shun baduser 1y2w3d4h5m6s Shunned for one year, two weeks, 3 days, 4 hours, 5 minutes, and 6 seconds for ban evasion and spamming.
/shun spamuser 7d Spam

To remove a shun, enter just the username, if they're still online, or their IP if they are not.

/shun spamuser
/shun 207.192.75.252

Zline

A Zline is used to prevent an IP address or range from connecting to any server on the network (there is no /gzline as on other networks, all lines are global.) A user within the scope of an active Zline will not be able to connect at all.

The syntax is identical to /shun:

/zline baduser 7d spam
[14:30:34] -safe.oh.us.irc.scpwiki.com- *** QUIT: Client exiting: baduser!moc.tibbim.1picri|c2e3f2da#moc.tibbim.1picri|c2e3f2da (207.192.75.252) [Z-lined: spam]

The user will receive this message:

baduser, You have been banned from SkipIRC. If you believe this was in error, please email moc.ikiwpcs|cri#moc.ikiwpcs|cri with the ERROR line below for help.

From that point forward, the server will refuse to communicate with the IP in question at all, and will not provide any message to the user.

A Zline can be set on a range of IP addresses using CIDR notation. If you are not sure what that means or how to determine the size of the CIDR block to scope, please message bluesoul for assistance. If a block of IPs needs to be permanently blocked from connecting, please message bluesoul so it can be added to the global config file rather than a Zline.

/zline 207.192.74.0/23 4w Spambot attack from this IP range

Removing a Zline is handled mostly the same as a shun, with the caveat that using the username won't be sufficient. You will need to remove the IP address or range instead.

/zline 207.192.75.252
/zline 207.192.74.0/23

Akill

You can opt for an Akill instead of a Zline, which lets the user connect and then /kills them once the connection is complete with a message explaining what happened. Not useful for spammers and obvious bad actors, but possibly more so for more borderline cases. This makes use of OperServ so the format is different from the rest of the above.

/os akill add baduser !T 7d spam
[14:52:10] -OperServ- Timed AKILL on *@ircip2.mibbit.com was successfully added and will expire in 7 days, 0:00:00.

Note you can use !P instead of !T and omit the duration to make an Akill permanent, but permanent Akills should generally be replaced with blocks set in config files against entire ranges.

Removing an Akill looks like:

/os akill del *@ircip2.mibbit.com

DEFCON

In the event of a significant attack, you can set a DEFCON mode that will affect the behavior of the entire network. This is not to be done lightly.

DEFCON Mode Result
/os defcon 5 Default network state.
/os defcon 4 New registrations of nicknames and channels are disabled.
/os defcon 3 DEFCON 4 + forces all channels on the network to +R.
/os defcon 2 DEFCON 3 + Services silently ignore all requests by non-opers.
/os defcon 1 DEFCON 2 + All new connections to the server are automatically Akilled.

VPNs

Be aware that nearly every VPN provider is blocked at the network level through an extensive and proprietary list of Zlines. Should a user reach out to you and wish to connect via a VPN, exceptions can be carved out by a combination of ident name and IP. If their IP changes constantly, we can investigate the IP block and determine if it's possible to relax the restriction for a larger block given a particular ident name, but they should be strongly encouraged to use a static IP. Creating the exceptions is done with /eline, an Exception line placed similarly to other lines.

/eline 252.57.291.702|luoseulb#252.57.291.702|luoseulb 1y bluesoul - NordVPN Static IP

The above is analogous to a hostmask exception of *!252.57.291.702|luoseulb#252.57.291.702|luoseulb and thus allows the user to still be able to change their nickname.

Session Limits

Users connecting to the network have a limit of 3 sessions initiated per IP by default. If someone needs more than this, for example if they're running a bot from the same place as their other connections, you can increase this limit, but only if the user is connecting from a static IP. The hard limit is 10 sessions per IP, more than this will require setting up custom configurations.

You increase the limit by using OperServ's clones command. Use /os help clones for exact syntax for all situations.

To increase the number of sessions to 5 for 86.75.30.9 for 30 days (43,200 minutes), you do:

/os clones addexempt 86.75.30.9 5 !T 43200 [reason]

Pernanent exceptions can be created with !P instead of !T [minutes.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License