Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
help:technical:znc [2017/05/25 07:17] rubinhelp:technical:znc [2017/05/26 22:55] (current) rubin
Line 1: Line 1:
 ====== ZNC install for network Administrators ====== ====== ZNC install for network Administrators ======
-This guide tells how we install ZNC for our whole networkwith integrated login to our X3 services.+ 
 +This is a guide for IRC Network Administrators. If you just want to connect to AfterNET's ZNC bouncergo to [[:help:connecting:znc]] 
 + 
 +If you use X3 with ldap support (Or any services with ldap support) you can host a ZNC bouncer for all your users to use, by using ZNC's cyrusauth moduleHere is how we build ZNC for afternet:
  
 ===== Install saslauthd ===== ===== Install saslauthd =====
Line 22: Line 25:
     * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d''     * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d''
     * check ''/var/log/auth.log'' and ''/var/log/daemon.log''     * check ''/var/log/auth.log'' and ''/var/log/daemon.log''
-    * try ldapsearch and see if that works: ''ldapsearch -D 'uid=youruid,ou=Users,dc=yourdomain,dc=org-w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org-s sub "(objectclass=*)"''+    * try ldapsearch and see if that works:  
 + 
 +  ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org-w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org-s sub "(objectclass=*)"
  
 ===== Install ZNC ===== ===== Install ZNC =====
Line 28: Line 33:
 Assuming a debian 8 (jessie) base system: Assuming a debian 8 (jessie) base system:
  
 +  * Add the znc user account to the sasl group: ''sudo adduser yourzncuser sasl'' **log out and back in**
   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''
   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''
Line 40: Line 46:
   * compile: ''make''   * compile: ''make''
   * install: ''make install''   * install: ''make install''
 +  * Remove plugins (See list below) that you don't want around for security or irrelevance
   * Run for the first time, from the install directory: ''bin/znc --makeconf''   * Run for the first time, from the install directory: ''bin/znc --makeconf''
     * Username: admin     * Username: admin
Line 48: Line 55:
     * Bind host: empty     * Bind host: empty
   * Connect to the ZNC using an irc client as the above user   * Connect to the ZNC using an irc client as the above user
-    * Load the cyrusauth module: ''/msg *status load cyrusauth saslauthd'' +    * Load the cyrusauth module with subcomponents: ''/msg *status load cyrusauth saslauthd webirc impersonation'' 
-      * Create a dummy user in znc to use as a skel/clone identity +    * Create a dummy user in znc to use as a skel/clone identity: ''/msg *controlpanel adduser zncclone somepassword'' 
-      * Set cyrusauth module to use it: ''/msg *cyrusauth cloneuser yourcloneusernamehere'' +      * Configure this user how you want them. Mainly use your above zncadmin account to disable their flag access to bind. 
-      * Let it create users: ''/msg *cyrusauth createuser Yes''+    * Configure cyrusauth module: (''/msg *cyrusauth help''
 +      * Set cyrusauth module to use it the cloneuser: ''cloneuser yourcloneusernamehere'' 
 +      * Let it create users: ''createuser Yes'' 
 +      * Your services/ircd need to provide an account to auth as, which can set the users account on IRC (Impersonization). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: ''setimpersonateaccount znc somepassword'' 
 +      * A network to configure for cloned users: ''setNetworkName yournetwork'' 
 +      * A server to configure for them: ''setServer irc.yournetwork.org 6697 true'' 
 +      * Salt is used to unpredictibly hash usernames: ''set UserSalt somethingrandom'' 
 +      * A WebIRC Block in nefarious lets us setup our hostname: ''setWebIrc username password'' 
 +      * What hostname to use: ''setWebIrcHost .users.yournetwork.org''
     * Load the sasl module: ''/msg *status load sasl''     * Load the sasl module: ''/msg *status load sasl''
-      Require authentication: ''/msg *sasl requireauth yes'' +    Configure the sasl module (''/msg *sasl help''): 
-      *  +      * Require authentication: ''requireauth yes'' 
-    * Configure the modules+      * SASL Mechanism to support: ''mechanism PLAIN'' 
 +      * Set <username> <password>: Not used, dont set this 
 + 
 +===== Setup IRCD ===== 
 +  * Add a webIRC line: 
 + 
 +  WebIRC { 
 +    description = "znc"; 
 +    host = "*@zncip"; 
 +    pass = "crypted password"; 
 +  }; 
 +   
 +  * Except block to protect znc from flood limits: 
 + 
 +  Except { 
 +    host = "*@zncip"; 
 +    gline = yes; 
 +    rdns = yes; 
 +    ipcheck = yes; 
 +    targetlimit = yes; 
 +  }; 
 + 
 +===== Security ===== 
 +I run this script after ''make install'' to disable a bunch of the plugins: 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 +RM='/bin/rm -v' 
 +echo "Lets delete modules we dont trust or need for security!" 
 + 
 +#Lets remove unsafe modules! 
 +#keep#lib/znc/adminlog.so 
 +#keep#lib/znc/alias.so 
 +#keep#lib/znc/autoattach.so 
 +#keep#lib/znc/autocycle.so 
 +#keep#lib/znc/autoop.so 
 +#keep#lib/znc/autoreply.so 
 +#keep#lib/znc/autovoice.so 
 +#keep#lib/znc/awaynick.so 
 +$RM lib/znc/awaystore.so 
 +#keep#lib/znc/block_motd.so 
 +#keep#lib/znc/blockuser.so 
 +$RM lib/znc/bouncedcc.so 
 +#keep#lib/znc/buffextras.so 
 +$RM lib/znc/certauth.so 
 +$RM lib/znc/cert.so 
 +# ADD? #lib/znc/chanfilter.so 
 +#keep#lib/znc/chansaver.so 
 +#keep#lib/znc/clearbufferonmsg.so 
 +# ADD? #lib/znc/clientaway.so 
 +# ADD? #lib/znc/clientbuffer.so 
 +#keep#lib/znc/clientnotify.so 
 +$RM lib/znc/controlpanel.so 
 +$RM lib/znc/crypt.so 
 +#keep#lib/znc/ctcpflood.so 
 +#keep#lib/znc/cyrusauth.so 
 +$RM lib/znc/dcc.so 
 +#keep#lib/znc/disconkick.so 
 +#keep#lib/znc/fail2ban.so 
 +#keep#lib/znc/flooddetach.so 
 +#keep#lib/znc/identfile.so 
 +$RM lib/znc/imapauth.so 
 +#keep#lib/znc/keepnick.so 
 +#keep#lib/znc/kickrejoin.so 
 +#keep#lib/znc/lastseen.so 
 +$RM lib/znc/listsockets.so 
 +#keep#lib/znc/log.so 
 +$RM lib/znc/missingmotd.so 
 +#$RM lib/znc/modperl 
 +$RM lib/znc/modperl.so 
 +$RM lib/znc/modperl/startup.pl 
 +$RM lib/znc/modperl/ZNC.pm 
 +$RM lib/znc/modperl/ZNC.so 
 +#$RM lib/znc/modpython 
 +$RM lib/znc/modpython.so 
 +$RM lib/znc/modpython/znc_core.py 
 +$RM lib/znc/modpython/_znc_core.so 
 +$RM lib/znc/modpython/znc.py 
 +#keep#lib/znc/modules_online.so 
 +$RM lib/znc/nickserv.so 
 +$RM lib/znc/notes.so 
 +#keep#lib/znc/notify_connect.so 
 +# ADD? #lib/znc/partdetach2.cpp 
 +#keep#lib/znc/partyline.so 
 +#keep#lib/znc/perform.so 
 +$RM lib/znc/perleval.pm 
 +$RM lib/znc/pyeval.py 
 +$RM lib/znc/q.so 
 +$RM lib/znc/raw.so 
 +# ADD? #lib/znc/playback.so 
 +# ADD? #lib/znc/privmsg_auto.so 
 +#keep#lib/znc/route_replies.so 
 +$RM lib/znc/sample.so 
 +#keep#lib/znc/sasl.so 
 +$RM lib/znc/savebuff.so 
 +$RM lib/znc/schat.so 
 +$RM lib/znc/send_raw.so 
 +#keep#lib/znc/shell.so 
 +#keep#lib/znc/simple_away.so 
 +# ADD? #lib/znc/snomask.so 
 +#keep#lib/znc/stickychan.so 
 +#keep#lib/znc/watch.so 
 +#keep#lib/znc/webadmin.so 
 +</code>