Differences

help:technical:znc [2017/05/23 14:40]
rubin
help:technical:znc [2017/05/26 15:55] (current)
rubin
Line 1: Line 1:
 ====== ZNC install for network Administrators ====== ====== ZNC install for network Administrators ======
-This guide tells how we install ZNC for our whole network, with integrated login to our X3 services. 
  
-===== Install =====+This is a guide for IRC Network Administrators. If you just want to connect to AfterNET's ZNC bouncer, go to [[:help:connecting:znc]] 
 + 
 +If you use X3 with ldap support (Or any services with ldap support) you can host a ZNC bouncer for all your users to use, by using ZNC's cyrusauth module. Here is how we build ZNC for afternet: 
 + 
 +===== Install saslauthd ===== 
 +  * Install saslauthd package: ''apt-get install sasl2-bin'' 
 +  * edit ''/etc/defaults/saslauthd'': 
 + 
 +  START=yes 
 +  MECHANISM="ldap" 
 + 
 +  * edit/create ''/etc/saslauthd.conf'': 
 + 
 +  ldap_servers: ldaps://yourldapserver.domain 
 +  ldap_search_base: ou=Users,dc=yourdomain,dc=org 
 +  ldap_filter: (uid=%u) 
 +  #ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer 
 + 
 +  * Copy the CA certificate matching your ldap server to /etc/ssl/yourcertificate.cer if needed 
 +  * start saslauthd: ''/etc/init.d/saslauthd start'' 
 +  * Test saslauthd: ''testsaslauthd -u "yourldapuid" -p yourpassword -f /var/run/saslauthd/mux'' 
 +  * Troubleshooting: 
 +    * Stop saslauthd and run it in debug mode: ''/usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d'' 
 +    * check ''/var/log/auth.log'' and ''/var/log/daemon.log'' 
 +    * try ldapsearch and see if that works:  
 + 
 +  ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org" -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org" -s sub "(objectclass=*)" 
 + 
 +===== Install ZNC =====
  
 Assuming a debian 8 (jessie) base system: Assuming a debian 8 (jessie) base system:
  
 +  * Add the znc user account to the sasl group: ''sudo adduser yourzncuser sasl'' **log out and back in**
   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''   * Install debian backports: add ''deb http://ftp.debian.org/debian jessie-backports main'' to /etc/apt/sources.list. dont forget to ''sudo apt-get update''
   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''   * Install build dependencies by cheating a bit using the debian dependency list: ''sudo apt-get build-dep znc''
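Review bot: two names in the saslauthd section do not match what Debian installs: the defaults file is `/etc/default/saslauthd` (no trailing `s`), and the variable it reads is `MECHANISMS="ldap"` (plural); with `MECHANISM=` the init script keeps its default mechanism and the later `testsaslauthd` step fails for a reason that looks unrelated. The `#ldap_tls_cacert_file:` line is left commented out while the next bullet tells the reader to copy the CA certificate into place; state that it must be uncommented once the file exists, otherwise the ldaps connection is not pinned to that CA. Also, both test commands put the password on the command line (`-p yourpassword`, `-w yourpassword`), where it shows up in process listings and shell history; for `ldapsearch`, `-W` prompts for it instead.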
Line 14: Line 42:
   * git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https://github.com/evilnet/znc]]   * git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: [[https://github.com/evilnet/znc]]
   * cd to the cloned repository   * cd to the cloned repository
 +  * ./configure --prefix=/data/irc/services/znc --enable-cyrus --enable-python --enable-perl
   * enable git submodules: ''git submodule update --init --recursive''   * enable git submodules: ''git submodule update --init --recursive''
   * compile: ''make''   * compile: ''make''
 +  * install: ''make install''
 +  * Remove plugins (See list below) that you don't want around for security or irrelevance
 +  * Run for the first time, from the install directory: ''bin/znc --makeconf''
 +    * Username: admin
 +    * Password: see keepass db (rubin)
 +    * Nickname: zncadmin
 +    * Ident: zncadmin
 +    * Real name: ZNC Administrator
 +    * Bind host: empty
 +  * Connect to the ZNC using an irc client as the above user
 +    * Load the cyrusauth module with subcomponents: ''/msg *status load cyrusauth saslauthd webirc impersonation''
 +    * Create a dummy user in znc to use as a skel/clone identity: ''/msg *controlpanel adduser zncclone somepassword''
 +      * Configure this user how you want them. Mainly use your above zncadmin account to disable their flag access to bind.
 +    * Configure cyrusauth module: (''/msg *cyrusauth help'')
 +      * Set cyrusauth module to use it the cloneuser: ''cloneuser yourcloneusernamehere''
 +      * Let it create users: ''createuser Yes''
 +      * Your services/ircd need to provide an account to auth as, which can set the users account on IRC (Impersonization). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: ''setimpersonateaccount znc somepassword''
 +      * A network to configure for cloned users: ''setNetworkName yournetwork''
 +      * A server to configure for them: ''setServer irc.yournetwork.org 6697 true''
 +      * Salt is used to unpredictibly hash usernames: ''set UserSalt somethingrandom''
 +      * A WebIRC Block in nefarious lets us setup our hostname: ''setWebIrc username password''
 +      * What hostname to use: ''setWebIrcHost .users.yournetwork.org''
 +    * Load the sasl module: ''/msg *status load sasl''
 +    * Configure the sasl module (''/msg *sasl help''):
 +      * Require authentication: ''requireauth yes''
 +      * SASL Mechanism to support: ''mechanism PLAIN''
 +      * Set <username> <password>: Not used, dont set this
 +
 +===== Setup IRCD =====
 +  * Add a webIRC line:
 +
 +  WebIRC {
 +    description = "znc";
 +    host = "*@zncip";
 +    pass = "crypted password";
 +  };
 +  
 +  * Except block to protect znc from flood limits:
 +
 +  Except {
 +    host = "*@zncip";
 +    gline = yes;
 +    rdns = yes;
 +    ipcheck = yes;
 +    targetlimit = yes;
 +  };
 +
 +===== Security =====
 +I run this script after ''make install'' to disable a bunch of the plugins:
 +
 +<code>
 +#!/bin/bash
 +
 +RM='/bin/rm -v'
 +echo "Lets delete modules we dont trust or need for security!"
 +
 +#Lets remove unsafe modules!
 +#keep#lib/znc/adminlog.so
 +#keep#lib/znc/alias.so
 +#keep#lib/znc/autoattach.so
 +#keep#lib/znc/autocycle.so
 +#keep#lib/znc/autoop.so
 +#keep#lib/znc/autoreply.so
 +#keep#lib/znc/autovoice.so
 +#keep#lib/znc/awaynick.so
 +$RM lib/znc/awaystore.so
 +#keep#lib/znc/block_motd.so
 +#keep#lib/znc/blockuser.so
 +$RM lib/znc/bouncedcc.so
 +#keep#lib/znc/buffextras.so
 +$RM lib/znc/certauth.so
 +$RM lib/znc/cert.so
 +# ADD? #lib/znc/chanfilter.so
 +#keep#lib/znc/chansaver.so
 +#keep#lib/znc/clearbufferonmsg.so
 +# ADD? #lib/znc/clientaway.so
 +# ADD? #lib/znc/clientbuffer.so
 +#keep#lib/znc/clientnotify.so
 +$RM lib/znc/controlpanel.so
 +$RM lib/znc/crypt.so
 +#keep#lib/znc/ctcpflood.so
 +#keep#lib/znc/cyrusauth.so
 +$RM lib/znc/dcc.so
 +#keep#lib/znc/disconkick.so
 +#keep#lib/znc/fail2ban.so
 +#keep#lib/znc/flooddetach.so
 +#keep#lib/znc/identfile.so
 +$RM lib/znc/imapauth.so
 +#keep#lib/znc/keepnick.so
 +#keep#lib/znc/kickrejoin.so
 +#keep#lib/znc/lastseen.so
 +$RM lib/znc/listsockets.so
 +#keep#lib/znc/log.so
 +$RM lib/znc/missingmotd.so
 +#$RM lib/znc/modperl
 +$RM lib/znc/modperl.so
 +$RM lib/znc/modperl/startup.pl
 +$RM lib/znc/modperl/ZNC.pm
 +$RM lib/znc/modperl/ZNC.so
 +#$RM lib/znc/modpython
 +$RM lib/znc/modpython.so
 +$RM lib/znc/modpython/znc_core.py
 +$RM lib/znc/modpython/_znc_core.so
 +$RM lib/znc/modpython/znc.py
 +#keep#lib/znc/modules_online.so
 +$RM lib/znc/nickserv.so
 +$RM lib/znc/notes.so
 +#keep#lib/znc/notify_connect.so
 +# ADD? #lib/znc/partdetach2.cpp
 +#keep#lib/znc/partyline.so
 +#keep#lib/znc/perform.so
 +$RM lib/znc/perleval.pm
 +$RM lib/znc/pyeval.py
 +$RM lib/znc/q.so
 +$RM lib/znc/raw.so
 +# ADD? #lib/znc/playback.so
 +# ADD? #lib/znc/privmsg_auto.so
 +#keep#lib/znc/route_replies.so
 +$RM lib/znc/sample.so
 +#keep#lib/znc/sasl.so
 +$RM lib/znc/savebuff.so
 +$RM lib/znc/schat.so
 +$RM lib/znc/send_raw.so
 +#keep#lib/znc/shell.so
 +#keep#lib/znc/simple_away.so
 +# ADD? #lib/znc/snomask.so
 +#keep#lib/znc/stickychan.so
 +#keep#lib/znc/watch.so
 +#keep#lib/znc/webadmin.so
 +</code>
 +
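Review bot: the step order in the Install ZNC list deletes a module a later step depends on: the "Remove plugins" bullet runs the Security script right after `make install`, and that script does `$RM lib/znc/controlpanel.so`, yet the cyrusauth setup then issues `/msg *controlpanel adduser zncclone somepassword`. Either keep `controlpanel.so` (it is admin-only) or run the removal after the clone user exists, and say which. Two smaller inconsistencies in the same list: `./configure` is given `--enable-python --enable-perl` only for the script to delete modperl/modpython afterwards, so `--disable-python --disable-perl` would avoid building and shipping them at all; and the `cloneuser yourcloneusernamehere` placeholder should match the `zncclone` user created two steps earlier. In the script itself the `$RM` paths are relative, so unless it is run from the install prefix it removes nothing and `rm -v` only prints errors; a `cd /data/irc/services/znc` plus `set -e` at the top would make that failure loud. Finally, `#keep#lib/znc/shell.so` retains the shell module, which gives any ZNC admin a command shell on the bouncer host; on a shared bouncer whose accounts come from LDAP it belongs in the removed list unless it is actively needed.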