Differences

help:technical:znc [2017/05/24 23:34]
rubin
help:technical:znc [2017/05/26 15:54]
rubin
Line 1: Line 1:
 ====== ZNC install for network Administrators ====== ====== ZNC install for network Administrators ======
-This guide tells how we install ZNC for our whole networkwith integrated login to our X3 services.+ 
 +If you use X3 with ldap support (Or any services with ldap support) you can host a ZNC bouncer for all your users to use, by using ZNC's cyrusauth module. Here is how we build ZNC for afternet: 
 + 
 +===== Install saslauthd ===== 
 +  * Install saslauthd package: ''apt-get install sasl2-bin'' 
 +  * edit ''/etc/defaults/saslauthd'': 
 + 
 +  START=yes 
 +  MECHANISM="ldap" 
 + 
 +  * edit/create ''/etc/saslauthd.conf'': 
 + 
 +  ldap_servers: ldaps://yourldapserver.domain 
 +  ldap_search_base: ou=Users,dc=yourdomain,dc=org 
 +  ldap_filter: (uid=%u) 
 +  #ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer 
 + 
 +  * Copy the CA certificate matching your ldap server to /etc/ssl/yourcertificate.cer if needed 
 +  * start saslauthd: ''/etc/init.d/saslauthd start'' 
 +  * Test saslauthd: ''testsaslauthd -u "yourldapuid" -p yourpassword -f /var/run/saslauthd/mux'' 
 +  * Troubleshooting: 
 +    * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d'' 
 +    * check ''/var/log/auth.log'' and ''/var/log/daemon.log'' 
 +    * try ldapsearch and see if that works:  
 + 
 +  ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org" -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org" -s sub "(objectclass=*)"
  
 ===== Install ZNC ===== ===== Install ZNC =====
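Review bot: the saslauthd config in this hunk points at `ldaps://yourldapserver.domain` but leaves `#ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer` commented out; for the LDAPS connection to actually verify the server certificate that line should be active (with the CA file copied into place as the following bullet already says), otherwise certificate checking depends on whatever the system ldap library does by default. Two smaller points: on Debian the file is `/etc/default/saslauthd` (singular), not `/etc/defaults/saslauthd`, so the `START=yes` / `MECHANISM="ldap"` edit as written lands in the wrong place; and both `testsaslauthd -p yourpassword` and `ldapsearch -w yourpassword` put the password on the command line, where it ends up in shell history and `ps` output, so `ldapsearch -W` (prompt) is the better form and the account used for the test should not be a privileged one.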
Line 6: Line 31:
 Assuming a debian 8 (jessie) base system: Assuming a debian 8 (jessie) base system:
  
 +  * Add the znc user account to the sasl group: ''sudo adduser yourzncuser sasl'' **log out and back in**
   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''
   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''
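Review bot: the new `sudo adduser yourzncuser sasl` step is what gives the znc account access to the saslauthd socket at `/var/run/saslauthd/mux`, but the bullet should say how to confirm the membership took effect (`id yourzncuser` listing `sasl`, or rerunning the `testsaslauthd` command from the previous section as that user) rather than only "log out and back in"; a supplementary group is only picked up by new login sessions, so a znc process started from an existing shell will still be unable to reach the socket and every cyrusauth login will fail.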
Line 14: Line 40:
   * git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https://github.com/evilnet/znc]]   * git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https://github.com/evilnet/znc]]
   * cd to the cloned repository   * cd to the cloned repository
 +  * ./configure --prefix=/data/irc/services/znc --enable-cyrus --enable-python --enable-perl
   * enable git submodules: ''git submodule update --init --recursive''   * enable git submodules: ''git submodule update --init --recursive''
   * compile: ''make''   * compile: ''make''
   * install: ''make install''   * install: ''make install''
 +  * Remove plugins (See list below) that you don't want around for security or irrelevance
   * Run for the first time, from the install directory: ''bin/znc --makeconf''   * Run for the first time, from the install directory: ''bin/znc --makeconf''
     * Username: admin     * Username: admin
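Review bot: the inserted `./configure --prefix=/data/irc/services/znc --enable-cyrus --enable-python --enable-perl` step sits before `git submodule update --init --recursive`; in a fresh clone of the fork the submodules are not checked out yet, so the submodule step should come first or configure is run against an incomplete tree. Also, `--enable-python --enable-perl` build exactly the modperl/modpython bindings that the "Remove plugins" bullet (and the script at the end of the page) then deletes; leaving those two flags off makes that removal unnecessary and means a later `make install` cannot quietly put the bindings back.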
Line 24: Line 52:
     * Real name: ZNC Administrator     * Real name: ZNC Administrator
     * Bind host: empty     * Bind host: empty
 +  * Connect to the ZNC using an irc client as the above user
 +    * Load the cyrusauth module with subcomponents: ''/msg *status load cyrusauth saslauthd webirc impersonation''
 +    * Create a dummy user in znc to use as a skel/clone identity: ''/msg *controlpanel adduser zncclone somepassword''
 +      * Configure this user how you want them. Mainly use your above zncadmin account to disable their flag access to bind.
 +    * Configure cyrusauth module: (''/msg *cyrusauth help'')
 +      * Set cyrusauth module to use it the cloneuser: ''cloneuser yourcloneusernamehere''
 +      * Let it create users: ''createuser Yes''
 +      * Your services/ircd need to provide an account to auth as, which can set the users account on IRC (Impersonization). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: ''setimpersonateaccount znc somepassword''
 +      * A network to configure for cloned users: ''setNetworkName yournetwork''
 +      * A server to configure for them: ''setServer irc.yournetwork.org 6697 true''
 +      * Salt is used to unpredictibly hash usernames: ''set UserSalt somethingrandom''
 +      * A WebIRC Block in nefarious lets us setup our hostname: ''setWebIrc username password''
 +      * What hostname to use: ''setWebIrcHost .users.yournetwork.org''
 +    * Load the sasl module: ''/msg *status load sasl''
 +    * Configure the sasl module (''/msg *sasl help''):
 +      * Require authentication: ''requireauth yes''
 +      * SASL Mechanism to support: ''mechanism PLAIN''
 +      * Set <username> <password>: Not used, dont set this
  
-===== Install saslauthd ===== +===== Setup IRCD ===== 
-  * Install saslauthd package: ''apt-get install sasl2-bin'' +  * Add a webIRC line:
-  * edit ''/etc/defaults/saslauthd'':+
  
-  START=yes +  WebIRC { 
-  MECHANISM="ldap"+    description "znc"; 
 +    host = "*@zncip"
 +    pass = "crypted password"; 
 +  }; 
 +   
 +  * Except block to protect znc from flood limits:
  
-  * edit/create ''/etc/saslauthd.conf'':+  Except { 
 +    host = "*@zncip"; 
 +    gline = yes; 
 +    rdns = yes; 
 +    ipcheck = yes; 
 +    targetlimit = yes; 
 +  };
  
-  ldap_servers: ldaps://yourldapserver.domain +===== Security ===== 
-  ldap_search_base: ou=Users,dc=yourdomain,dc=org +I run this script after ''make install'' to disable a bunch of the plugins: 
-  ldap_filter(uid=%u) + 
-  #ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer+<code> 
 +#!/bin/bash 
 + 
 +RM='/bin/rm -v' 
 +echo "Lets delete modules we dont trust or need for security!" 
 + 
 +#Lets remove unsafe modules! 
 +#keep#lib/znc/adminlog.so 
 +#keep#lib/znc/alias.so 
 +#keep#lib/znc/autoattach.so 
 +#keep#lib/znc/autocycle.so 
 +#keep#lib/znc/autoop.so 
 +#keep#lib/znc/autoreply.so 
 +#keep#lib/znc/autovoice.so 
 +#keep#lib/znc/awaynick.so 
 +$RM lib/znc/awaystore.so 
 +#keep#lib/znc/block_motd.so 
 +#keep#lib/znc/blockuser.so 
 +$RM lib/znc/bouncedcc.so 
 +#keep#lib/znc/buffextras.so 
 +$RM lib/znc/certauth.so 
 +$RM lib/znc/cert.so 
 +# ADD? #lib/znc/chanfilter.so 
 +#keep#lib/znc/chansaver.so 
 +#keep#lib/znc/clearbufferonmsg.so 
 +# ADD? #lib/znc/clientaway.so 
 +# ADD? #lib/znc/clientbuffer.so 
 +#keep#lib/znc/clientnotify.so 
 +$RM lib/znc/controlpanel.so 
 +$RM lib/znc/crypt.so 
 +#keep#lib/znc/ctcpflood.so 
 +#keep#lib/znc/cyrusauth.so 
 +$RM lib/znc/dcc.so 
 +#keep#lib/znc/disconkick.so 
 +#keep#lib/znc/fail2ban.so 
 +#keep#lib/znc/flooddetach.so 
 +#keep#lib/znc/identfile.so 
 +$RM lib/znc/imapauth.so 
 +#keep#lib/znc/keepnick.so 
 +#keep#lib/znc/kickrejoin.so 
 +#keep#lib/znc/lastseen.so 
 +$RM lib/znc/listsockets.so 
 +#keep#lib/znc/log.so 
 +$RM lib/znc/missingmotd.so 
 +#$RM lib/znc/modperl 
 +$RM lib/znc/modperl.so 
 +$RM lib/znc/modperl/startup.pl 
 +$RM lib/znc/modperl/ZNC.pm 
 +$RM lib/znc/modperl/ZNC.so 
 +#$RM lib/znc/modpython 
 +$RM lib/znc/modpython.so 
 +$RM lib/znc/modpython/znc_core.py 
 +$RM lib/znc/modpython/_znc_core.so 
 +$RM lib/znc/modpython/znc.py 
 +#keep#lib/znc/modules_online.so 
 +$RM lib/znc/nickserv.so 
 +$RM lib/znc/notes.so 
 +#keep#lib/znc/notify_connect.so 
 +# ADD? #lib/znc/partdetach2.cpp 
 +#keep#lib/znc/partyline.so 
 +#keep#lib/znc/perform.so 
 +$RM lib/znc/perleval.pm 
 +$RM lib/znc/pyeval.py 
 +$RM lib/znc/q.so 
 +$RM lib/znc/raw.so 
 +# ADD? #lib/znc/playback.so 
 +# ADD? #lib/znc/privmsg_auto.so 
 +#keep#lib/znc/route_replies.so 
 +$RM lib/znc/sample.so 
 +#keep#lib/znc/sasl.so 
 +$RM lib/znc/savebuff.so 
 +$RM lib/znc/schat.so 
 +$RM lib/znc/send_raw.so 
 +#keep#lib/znc/shell.so 
 +#keep#lib/znc/simple_away.so 
 +# ADD? #lib/znc/snomask.so 
 +#keep#lib/znc/stickychan.so 
 +#keep#lib/znc/watch.so 
 +#keep#lib/znc/webadmin.so 
 +</code>
  
-  * Copy the CA certificate matching your ldap server to /etc/ssl/yourcertificate.cer if needed 
-  * start saslauthd: ''/etc/init.d/saslauthd start'' 
-  * Test saslauthd: ''testsaslauthd -u "yourldapuid" -p yourpassword -f /var/run/saslauthd/mux'' 
-  * Troubleshooting: 
-    * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d'' 
-    * check ''/var/log/auth.log'' and ''/var/log/daemon.log'' 
-    * try ldapsearch and see if that works: ''ldapsearch -D 'uid=youruid,ou=Users,dc=yourdomain,dc=org' -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org' -s sub "(objectclass=*)"''
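Review bot: the ordering in this hunk conflicts with its own Security script: `Remove plugins (See list below)` is placed before `bin/znc --makeconf`, and that script runs `$RM lib/znc/controlpanel.so`, yet the first-run configuration then depends on `/msg *controlpanel adduser zncclone somepassword`; either run the removal script after the clone user is configured or state that controlpanel is deleted afterwards. Three further points. In the WebIRC block the line `host = "*@zncip"` has no trailing `;` while `pass = "crypted password";` and every line of the Except block do, so the ircd config as written is inconsistent and likely a parse error. The script keeps `lib/znc/shell.so`, which lets a ZNC admin run arbitrary commands as the system user that owns the ZNC config and therefore the `setimpersonateaccount znc somepassword` and WebIRC credentials; for the stated goal of removing modules "we dont trust or need" it belongs with the deleted ones. Finally, `set UserSalt somethingrandom` and the passwords set in this hunk are all persisted in ZNC's config under `--prefix`, so the bullet list should mention restricting that directory to the znc user.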