====== ZNC install for network Administrators ======

This is a guide for IRC Network Administrators. If you just want to connect to AfterNET's ZNC bouncer, go to [[:help:connecting:znc]].

If you use X3 with LDAP support (or any services package with LDAP support) you can host a ZNC bouncer for all your users to use, by means of ZNC's cyrusauth module. Here is how we build ZNC for AfterNET:

===== Install saslauthd =====

  * Install the saslauthd package: ''apt-get install sasl2-bin''
  * Edit ''/etc/default/saslauthd'':
<code>
START=yes
MECHANISM="ldap"
</code>
  * Edit or create ''/etc/saslauthd.conf'':
<code>
ldap_servers: ldaps://yourldapserver.domain
ldap_search_base: ou=Users,dc=yourdomain,dc=org
ldap_filter: (uid=%u)
#ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer
</code>
  * Copy the CA certificate matching your LDAP server to ''/etc/ssl/yourcertificate.cer'' if needed, and uncomment the ''ldap_tls_cacert_file'' line so saslauthd can verify the server certificate.
  * Start saslauthd: ''/etc/init.d/saslauthd start''
  * Test saslauthd: ''testsaslauthd -u "yourldapuid" -p yourpassword -f /var/run/saslauthd/mux''
  * Troubleshooting:
    * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d''
    * Check ''/var/log/auth.log'' and ''/var/log/daemon.log''
    * Try ldapsearch directly and see whether that works:
<code>
ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org" -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org" -s sub "(objectclass=*)"
</code>

===== Install ZNC =====

Assuming a Debian 8 (jessie) base system:

  * Add the ZNC user account to the ''sasl'' group: ''sudo adduser yourzncuser sasl'' **log out and back in**
  * Install Debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to ''/etc/apt/sources.list''. Don't forget to ''sudo apt-get update''.
  * Install build dependencies, cheating a bit by using the Debian dependency list: ''sudo apt-get build-dep znc''
  * Install CMake: ''sudo apt-get install cmake''
  * Install ICU: ''sudo apt-get install libicu-dev''
  * Install SWIG: ''sudo apt-get install swig3.0''
  * Install Boost: ''sudo apt-get install libboost-all-dev''
  * Git clone the repository. We maintain some patches to ZNC for integration with SASL/LDAP etc., so you'll want to use the latest version branch from our ZNC fork: [[https://github.com/evilnet/znc]]
  * cd to the cloned repository
  * Configure: ''./configure --prefix=/data/irc/services/znc --enable-cyrus --enable-python --enable-perl''
  * Enable git submodules: ''git submodule update --init --recursive''
  * Compile: ''make''
  * Install: ''make install''
  * Remove plugins (see the list in the Security section below) that you don't want around, for security or irrelevance
  * Run for the first time, from the install directory: ''bin/znc --makeconf''
    * Username: admin
    * Password: see keepass db (rubin)
    * Nickname: zncadmin
    * Ident: zncadmin
    * Real name: ZNC Administrator
    * Bind host: empty
  * Connect to the ZNC using an IRC client as the above user
  * Load the cyrusauth module with its subcomponents: ''/msg *status load cyrusauth saslauthd webirc impersonation''
  * Create a dummy user in ZNC to use as a skel/clone identity: ''/msg *controlpanel adduser zncclone somepassword''
  * Configure this user the way you want cloned users to be. Mainly, use your zncadmin account from above to disable their bind host access.
  * Configure the cyrusauth module (''/msg *cyrusauth help''):
    * Set the cyrusauth module to use the clone user: ''cloneuser yourcloneusernamehere''
    * Let it create users: ''createuser Yes''
    * Your services/ircd need to provide an account to auth as, which can set the user's account on IRC (impersonation). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: ''setimpersonateaccount znc somepassword''
    * A network to configure for cloned users: ''setNetworkName yournetwork''
    * A server to configure for them: ''setServer irc.yournetwork.org 6697 true''
    * A salt, used to hash usernames unpredictably: ''set UserSalt somethingrandom''
    * A WebIRC block in nefarious lets us set up the user's hostname: ''setWebIrc username password''
    * What hostname to use: ''setWebIrcHost .users.yournetwork.org''
  * Load the sasl module: ''/msg *status load sasl''
  * Configure the sasl module (''/msg *sasl help''):
    * Require authentication: ''requireauth yes''
    * SASL mechanism to support: ''mechanism PLAIN''
    * Set: not used, don't set this

===== Setup IRCD =====

  * Add a WebIRC line:
<code>
WebIRC {
    description = "znc";
    host = "*@zncip";
    pass = "crypted password";
};
</code>
  * Except block to protect ZNC from flood limits:
<code>
Except {
    host = "*@zncip";
    gline = yes;
    rdns = yes;
    ipcheck = yes;
    targetlimit = yes;
};
</code>

===== Security =====

I run this script after ''make install'' to disable a bunch of the plugins. Note that the setup steps above load ''*controlpanel'' to create the clone user, and this script deletes ''controlpanel.so''.

<code bash>
#!/bin/bash
# Paths are relative to the install prefix, so run this from there
# (e.g. /data/irc/services/znc). Lines marked #keep# stay installed;
# lines marked "ADD?" are candidates not yet decided on.
RM='/bin/rm -v'
echo "Lets delete modules we dont trust or need for security!"
#Lets remove unsafe modules!
#keep#lib/znc/adminlog.so
#keep#lib/znc/alias.so
#keep#lib/znc/autoattach.so
#keep#lib/znc/autocycle.so
#keep#lib/znc/autoop.so
#keep#lib/znc/autoreply.so
#keep#lib/znc/autovoice.so
#keep#lib/znc/awaynick.so
$RM lib/znc/awaystore.so
#keep#lib/znc/block_motd.so
#keep#lib/znc/blockuser.so
$RM lib/znc/bouncedcc.so
#keep#lib/znc/buffextras.so
$RM lib/znc/certauth.so
$RM lib/znc/cert.so
# ADD? #lib/znc/chanfilter.so
#keep#lib/znc/chansaver.so
#keep#lib/znc/clearbufferonmsg.so
# ADD? #lib/znc/clientaway.so
# ADD? #lib/znc/clientbuffer.so
#keep#lib/znc/clientnotify.so
$RM lib/znc/controlpanel.so
$RM lib/znc/crypt.so
#keep#lib/znc/ctcpflood.so
#keep#lib/znc/cyrusauth.so
$RM lib/znc/dcc.so
#keep#lib/znc/disconkick.so
#keep#lib/znc/fail2ban.so
#keep#lib/znc/flooddetach.so
#keep#lib/znc/identfile.so
$RM lib/znc/imapauth.so
#keep#lib/znc/keepnick.so
#keep#lib/znc/kickrejoin.so
#keep#lib/znc/lastseen.so
$RM lib/znc/listsockets.so
#keep#lib/znc/log.so
$RM lib/znc/missingmotd.so
#$RM lib/znc/modperl
$RM lib/znc/modperl.so
$RM lib/znc/modperl/startup.pl
$RM lib/znc/modperl/ZNC.pm
$RM lib/znc/modperl/ZNC.so
#$RM lib/znc/modpython
$RM lib/znc/modpython.so
$RM lib/znc/modpython/znc_core.py
$RM lib/znc/modpython/_znc_core.so
$RM lib/znc/modpython/znc.py
#keep#lib/znc/modules_online.so
$RM lib/znc/nickserv.so
$RM lib/znc/notes.so
#keep#lib/znc/notify_connect.so
# ADD? #lib/znc/partdetach2.cpp
#keep#lib/znc/partyline.so
#keep#lib/znc/perform.so
$RM lib/znc/perleval.pm
$RM lib/znc/pyeval.py
$RM lib/znc/q.so
$RM lib/znc/raw.so
# ADD? #lib/znc/playback.so
# ADD? #lib/znc/privmsg_auto.so
#keep#lib/znc/route_replies.so
$RM lib/znc/sample.so
#keep#lib/znc/sasl.so
$RM lib/znc/savebuff.so
$RM lib/znc/schat.so
$RM lib/znc/send_raw.so
#keep#lib/znc/shell.so
#keep#lib/znc/simple_away.so
# ADD? #lib/znc/snomask.so
#keep#lib/znc/stickychan.so
#keep#lib/znc/watch.so
#keep#lib/znc/webadmin.so
</code>
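The script above is a deny-list, so a module that a newer ZNC release introduces is never touched by it. The following is an added example (not AfterNET's script) that turns the script's ''#keep#'' entries into an allowlist: everything else under ''lib/znc'' is reported, and deleted when ''dry_run'' is off. The ''demo()'' tree is constructed, not a real install.

```python
"""Allowlist-based ZNC module pruning (added example, not AfterNET's script)."""
import os
import shutil
import tempfile

# The modules the page's script marks #keep#. With an allowlist, a module that
# a newer release adds is removed and reported instead of surviving unnoticed.
KEEP = {
    "adminlog", "alias", "autoattach", "autocycle", "autoop", "autoreply",
    "autovoice", "awaynick", "block_motd", "blockuser", "buffextras", "chansaver",
    "clearbufferonmsg", "clientnotify", "ctcpflood", "cyrusauth", "disconkick",
    "fail2ban", "flooddetach", "identfile", "keepnick", "kickrejoin", "lastseen",
    "log", "modules_online", "notify_connect", "partyline", "perform",
    "route_replies", "sasl", "shell", "simple_away", "stickychan", "watch", "webadmin",
}


def prune_modules(moddir, keep=KEEP, dry_run=True):
    """Return (kept, removed) for moddir; delete non-allowlisted entries unless dry_run."""
    kept, removed = [], []
    for entry in sorted(os.listdir(moddir)):
        path = os.path.join(moddir, entry)
        if entry.endswith(".so") and entry[:-3] in keep:
            kept.append(entry[:-3])
            continue
        # unknown .so files, the modperl/modpython directories, stray .pm/.py helpers
        removed.append(entry)
        if not dry_run:
            if os.path.isdir(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
    return kept, removed


def demo(dry_run=True):
    """Constructed sample lib/znc tree (not a real install) to exercise prune_modules."""
    root = tempfile.mkdtemp()
    for name in ("sasl.so", "cyrusauth.so", "dcc.so", "raw.so", "newthing.so", "pyeval.py"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "modpython"))
    kept, removed = prune_modules(root, dry_run=dry_run)
    remaining = sorted(os.listdir(root))
    shutil.rmtree(root)
    return kept, removed, remaining


if __name__ == "__main__":
    print(demo(dry_run=True))
```

Run it with ''dry_run=True'' first and compare the reported list against what you expect before letting it delete anything.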
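Going back to the saslauthd test in the first section: ''testsaslauthd'' simply speaks to the mux socket, and the same check is useful in a monitoring job so you notice a broken LDAP link before users do. The following is an added example (not ZNC's or cyrus-sasl's code) of that exchange; the wire format is the one in cyrus-sasl's checkpw.c, and the service name ''znc'' is an assumption.

```python
"""Client for the saslauthd mux socket: the check testsaslauthd performs (added example).
Wire format, from cyrus-sasl's checkpw.c: four fields (login, password, service,
realm), each a 2-byte big-endian length plus bytes; the reply is a 2-byte length
plus text starting "OK" or "NO". The service name "znc" is an assumption."""
import socket
import struct

MUX_PATH = "/var/run/saslauthd/mux"  # socket path used on the page

def encode_request(user, password, service="znc", realm=""):
    """Build one request: length-prefixed login, password, service, realm."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode("utf-8")
        out += struct.pack(">H", len(data)) + data
    return out

def parse_response(data):
    """Return (authenticated, message); reject short or truncated replies."""
    if len(data) < 2:
        raise ValueError("short saslauthd response")
    (n,) = struct.unpack(">H", data[:2])
    body = data[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated saslauthd response")
    text = body.decode("utf-8", "replace")
    return text.startswith("OK"), text

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf

def check_password(user, password, service="znc", realm="", mux_path=MUX_PATH):
    """Ask saslauthd whether user/password are valid; returns (bool, message)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5.0)
        sock.connect(mux_path)
        sock.sendall(encode_request(user, password, service, realm))
        header = _recv_exact(sock, 2)
        (n,) = struct.unpack(">H", header)
        return parse_response(header + _recv_exact(sock, n))
```

A monitoring check should assert both directions: a known-good credential returns ''OK'' and a deliberately wrong password returns ''NO'', since an LDAP misconfiguration can fail either way.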