Webchat downtime

Hi everyone.
Currently the freenode webchat instance (webchat.freenode.net) is down. This is due to maintenance by the host of the box upon which the service sits, and looks set to continue for up to a further 6 hours.
This is maintenance that we, as staff, were not previously aware of.
We’re very sorry for the inconvenience and are doing what we can to reduce it.

Update: resolved.

freenode webchat changes

Webchat has always presented an interesting problem, mostly for the staff of various channels as well as the network itself, but indirectly for all our users as well.  All webchat connections come from the IP address of the webchat service.  This results in them having to be handled a little bit differently from other connections.

To begin with, there needs to be a way for network or channel staff to identify individual connections, as well as where they originated from.  The way this has previously been handled is by encoding the IP of the source (the IP someone uses to connect to the webchat) in hexadecimal form in the ident field of the user.  The webchat users are “cloaked” (that is, their real hostname, which would be that of the webchat server, is replaced) with a unique string identifying the connection.  This method allows channel staff to ban or quiet a webchat user via the unique connection string, or via the ident information.

While this works, it’s confusing to many. The unique connection string changes every time a user makes a new connection through webchat. Therefore, we’ve changed how we do the cloaking so IPs are shown in cloaks. This makes it much simpler for channel staff to see what is going on, and who is who. For now, this change only applies to those using the freenode webchat at http://webchat.freenode.net. The effect is to change a cloak of the form “gateway/web/freenode/x-iiqzrxiqfnnglqji” to the form “gateway/web/freenode/ip.171.205.239.16“.

We would like to point out that this does not in any way reduce the privacy of users of webchat: it has always been possible for anyone to directly convert the encoded ident string back to an IP address. In addition, the real hostnames of clients have always been visible unencoded in the “whois” output for the user.

In addition, we have made a small but potentially significant change to how the “ident” is shown. This has become necessary so that, with future versions of our ircd, we can properly limit connections per IP address via webchat. For a typical freenode webchat user, the full hostmask previously had the form “~abcdef1@gateway/web/freenode/...“. Many historical webchat bans and quiets are set as “*!~abcdef1@gateway/web/freenode/*“. The change that we are making will break these bans. We have removed the ~ from the ident for all webchat connections (not just freenode’s webchat), giving a full mask of the form “abcdef1@gateway/web/freenode/ip.171.205.239.16“.

As such, channel ops are advised to adjust their bans into the form of either “*!abcdef1@gateway/web/freenode/*” or “*!*@gateway/web/freenode/ip.171.205.239.16” as soon as possible.

A further result of this change is that those hosts from which a large number of legitimate users connect to freenode through the webchat service may suffer refused connections due to breaching the limits. If you find youself faced by an error of the form “Too many connections”, please email iline at freenode dot net with details of the IP address affected (which can be obtained from www.whatismyip.org), the name of the organisation, and the number of connections expected, so that we can place a limit exemption. Please note that if you have a message of the form “Gateway connections are currently blocked” or “Gateway connections are currently being throttled”, this is a different matter for which an I:line cannot help.

We hope that these changes make connections through the freenode webchat easier to manage for channel ops and more transparent for all users.

freenode is dead, long live freenode

After much time in development and testing, the move to ircd-seven is finally complete. The migration took place in the early hours of today, Saturday January 30th 2010.

I would like to express thanks to everyone who has helped us get here — those staff and users who have helped find and squash bugs, those who have done extensive load testing and those who have helped finalising documentation in preparation for the migration earlier today.

In particular I would like to thank the Charybdis development team and the ratbox contributors whose work left us with a brilliant ircd platform to build upon to create the more freenode specific ircd-seven. In no particular order my thanks go to:

dwr, Valery Yatsko <dwr -at- shadowircd.net>
gxti, Michael Tharp <gxti -at- partiallystapled.com>
jilles, Jilles Tjoelker <jilles -at- stack.nl>
nenolod, William Pitcock <nenolod -at- nenolod.net>
AndroSyn, Aaron Sethman <androsyn -at- ratbox.org>
anfl, Lee Hardy <lee -at- leeh.co.uk>
beu, Elfyn McBratney <elfyn.mcbratney -at- gmail.com>
Entrope, Michael Poole <mdpoole -at- trolius.org>
ThaPrince, Jon Christopherson <jon -at- vile.com>
twincest, River Tarnell <river -at- attenuate.org>
w00t, Robin Burchell <surreal.w00t -at- gmail.com>

And for leading the development efforts of ircd-seven, for putting up with my many quirky and often unreasonable requests:
spb, Stephen Bennett <stephen -at- freenode.net>

I’d also like to express my gratitude to the following freenode volunteers for the hard work they’ve put in to make the migration go as smoothly as possible. I’ve been amazed at the initiative and responsibility shown in this last phase. Your help has been invaluable and I feel privileged to work with you:

kloeri, Bryan Østergaard
Lorez, Mike Mattice
Martinp23, Martin Peeks
Md, Marco D’Itri

With the exception of port(s) 7000 and 7070 which are now being used for SSL, all other ports and DNS stay the same as it did prior to migration.

If you are a regular freenode user you will most likely be aware that there’s some user facing changes with the move to ircd-seven (and likely to have been annoyed by my global notices on the subject), you may wish to familiarise yourself with the updated FAQ and glance at some of these earlier ircd-seven related blog posts:

http://blog.freenode.net/2010/01/connecting-to-freenode-using-tor-sasl/

http://blog.freenode.net/2008/11/help-us-test-ircd-seven/

http://blog.freenode.net/2010/01/migration-to-new-ircd/

http://blog.freenode.net/2010/01/ircd-migration…-jan-30th-2010/

Again, thank you for helping out, however small or large your contribution may have been. We are celebrating the migration to ircd-seven with a special fundraiser “Give £7 for seven”. This campaign will end on February 7th 2010, until such time you may read more and donate here. Any donation of £21 or any multiple of £7 over £21 will receive a freenode t-shirt.

To all our users, thank you for using the network, and welcome to seven!

Connecting to freenode using Tor: SASL

With our change of ircd to the all new ircd-seven, we are trialling a new method of allowing users to connect to the network via Tor. This method brings a number of changes:

  • The only Tor hidden service is: the new p4fsi4ockecnea7l.onion.
  • You will need to have a registered and verified NickServ account to connect using Tor. Beyond this, no further steps are necessary.
  • You will need to use a SASL mechanism to identify to the server.

We have collected together scripts for irssi and mirc, while Conspire supports SASL natively. Scripts may be available for other clients in addition.

irssi

Download and install this script (cap_sasl.pl) and, after loading it, configure it using

/sasl set <network> <username> <password> <mechanism>

Supported mechanisms are PLAIN and DH-BLOWFISH.

mirc

A mirc script is available, taken from a forum post by Kyle Travaglini. You can retrieve the source here.

Instructions (adapted from that forum):

  • Place SASL.dll and sasl.mrc into your $mircdir.
  • Load sasl.mrc into your remotes.
  • Press F2 and configure the network, before connecting as usual.

If you have any problems, either pop into #freenode from a non-torified connection or drop an email to support AT freenode.net.

This method of connecting to freenode using Tor supersedes all previous methods, including Tor-GPG. We hope that this method of connecting via Tor will help to make it somewhat more accessible to you!

Javascript spam

You may have noticed some unusual amounts of spam over the past few days, which has had an impact on a number of channels.  This spam is the result of some malicious javascript being distributed on a number of webpages which causes visitors to these pages to make a connection to freenode and send spam.  While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site.

If you have been banned from the network after clicking on one of these links, please email [email protected] with your internet-routeable IP address. Visit http://myip.dk/ and include both the IP address and hostname provided on this site.  It’s also helpful if you let us know what nick you were using at the time.  We will address these requests as quickly as possible, but please be patient.

It is of course never a good idea to visit a link that’s not from a trusted source.  If you must do so, look into using a browser with limited or no scripting support (wget from the command line is a great solution here on linux, as is links) or using something like no-script for firefox.

If you run a channel on freenode, you might want to consider setting +R to prevent unregistered users from sending to the channel as the spambots described here will not be registered.  If you do so please consider being proactive about contacting unregistered users joining your channel to ensure they get the help they need, and feel free to send them to #freenode so network staff can help them register.

For users, now is an excellent time to register your nickname and setup your client to auto-identify.  You can find information about registering here.  Configuring your client to auto-identify varies depending on the client, but one easy way is setting up your client to send the nickserv password as your server password. Most clients have an option for this.

It is also worth noting we will be moving to a new ircd in just 13 more days, as described here.  This new ircd provides a number of exciting new capabilities including improved capability to deal with spam of all kinds, including this most recent type which is entirely mitigated by improvements in seven.

Possible SORBS closure

Short blog post this evening but an important one!

I suspect many of you rely on the SORBS DNS blacklists to help provide spamless emails.  Sadly infrastructure support is being withdrawn by the current providers leaving a significant void to effective spam handling.

I encourage you to read over the articles on  http://www.au.sorbs.net/ and if at all possible offer assistance.

Thanks!

New freenode webchat (and why to use it)

As of today we have disabled access to the freenode irc network via mibbit.  While there are numerous reasons for this, it ultimately comes down to the ability to prevent abuse via this client.  We allow connections from many types of web gateways, and such connections require a certain amount of trust and communication between the server operators and the gateway operators.  While we have tried to maintain a good working relationship with anyone who wishes to provide access to freenode and are lucky that most of our users and projects are very friendly and communicative, we have found it difficult to maintain open communications with mibbit.  This has resulted in a large amount of staff time being spent on managing abuse coming from mibbit, disrupting service for other mibbit users and reducing the quality of the network.  Sadly, we feel that this is ultimately not beneficial to mibbit users or the network as a whole.

We apologize to those who used mibbit for the inconvenience this has caused, and for the need to find a new client or method to connect to freenode.

In response to this, we have implemented our own web gateway at http://webchat.freenode.net.  The webchat runs qwebirc package which was developed for and extensively used by quakenet. We’d like to extend our thanks to Chris “slug” Porter and the rest of the team for making it available.

Some of the features of qwebirc can be found here.

Our new webchat facility also makes it easy to add to your own site.  To do this, just click on the menu icon on the top left corner where you will find an “add webchat to your site” option.  You will be taken through an easy wizard to get this going and get the webchat on your very own site!

freenode Network Services Cleanup and Changes.

As announced previously, we have recently (as of Thursday, June 10th) pruned our nickserv and chanserv databases.  We also performed some additional updates and modifications.  While the most obvious change of this will be that any nicks older than 60 days have been dropped, there have been some additional changes implemented as well.  In addition, we have added a new webchat service for users who wish to irc from behind a firewall disallowing a more direct connection.  You can try it out here!

First, we have made a modification to make it easier to identify, as long as your client supports a server password.  Previously, users were able to identify by using a registered nick and sending the password for that registered nick as their server password.   You can also now identify on connect regardless of nick by providing both your account name and password, as follow: “/connect irc.freenode.net 6667 :mquin uwhY8wgzWw22-zXs.M39p.”  This will identify you upon connection.

As a result of this change, we have removed the requirement to group an alternate nick before requesting an unaffiliated cloak.  The requirements for a cloak are outlined here.

Group Contacts are welcome to check in with us within the next 4 weeks to resolve any issues that may have arisen as a result of the pruning.   If you are a group contact, and have any issues as a result of this maintenance, feel free to drop in to #freenode and ask for assistance.

As always, thank you for using freenode, and have a great day!

[Scheduled Maintenance] Services database clear-out.

This is just to let you know that we will soon be performing a fairly substantial cleanup of the NickServ and ChanServ databases.

We’ll be dropping all expired nicknames. As explained in the FAQ, nicknames on freenode expire after 60 days. Nicks that are at least two weeks old and that were last used less than two hours after their creation are also considered to be expired.

There are a few things you should know about this cleanup process:

  1. It will take place at 9am UTC on Thursday  11th June 2009.
  2. It may take a little while. We prune the database infrequently and it’s grown fairly large sine the last time.
  3. A channel for which all contacts are expired will be deleted. If your channel is active but your contacts are not, please let us know by midnight Wednesday 10th June (again, UTC) and we’ll try make special arrangements.
  4. We will try avoid expiring project cloaked user nicknames.
  5. Grouped alternate nicknames which are considered to be expired will be dropped.
  6. If you’ve not used your grouped nick much, or you haven’t used it recently, it may be expired.
  7. Please make sure your bots identify to NickServ or its registration may be lost.
  8. Be sure to do the canonical setup so you don’t lose your nicks and channels. Please follow these canonical nickname setup instructions to make sure that your nicknames and channels aren’t lost through disuse.

Please make sure your nick(s) are set up properly before Thursday and that you’ve spoken with freenode staff to resolve any outstanding channel and nick issues. Thanks for your understanding, and thank you for using freenode.

Nickserv Access Module Loaded.

We recently added support for NickServ’s ACCESS command to freenode’s services. This allows you to define a list of hostmasks from which nickserv will recognise you before you have identified. Logging in as normal is still required, but matching an entry on this list will prevent NickServ from changing your nick if ENFORCE is enabled.

For more detailed information, see NickServ’s help topic:

/msg NickServ HELP ACCESS

There is one caveat to this feature: if you match an entry on your nickname’s access list, you will not receive notices from NickServ asking you to identify. This, combined with nickname access lists that were migrated from our old theia database and have lain dormant since, may cause some auto-identify scripts to stop functioning.

If you find that this is the case, the simplest workaround is just to remove all entries from your nickname’s access list. Use

/msg NickServ ACCESS LIST

to see all entries, and

/msg NickServ ACCESS DEL <hostmask>

to remove them.