ZNC install for network Administrators

If you use X3 with ldap support (Or any services with ldap support) you can host a ZNC bouncer for all your users to use, by using ZNC's cyrusauth module. Here is how we build ZNC for afternet:

• Install saslauthd package: apt-get install sasl2-bin
• edit /etc/defaults/saslauthd:

START=yes
MECHANISM="ldap"

• edit/create /etc/saslauthd.conf:

ldap_servers: ldaps://yourldapserver.domain
ldap_search_base: ou=Users,dc=yourdomain,dc=org
ldap_filter: (uid=%u)
#ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer

• Copy the CA certificate matching your ldap server to /etc/ssl/yourcertificate.cer if needed
• start saslauthd: /etc/init.d/saslauthd start
• Test saslauthd: testsaslauthd -u “yourldapuid” -p yourpassword -f /var/run/saslauthd/mux
• Troubleshooting:
  • Stop saslauthd and run it in debug mode: /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d
  • check /var/log/auth.log and /var/log/daemon.log
  • try ldapsearch and see if that works:

ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org" -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org" -s sub "(objectclass=*)"

Assuming a debian 8 (jessie) base system:

• Add the znc user account to the sasl group: sudo adduser yourzncuser sasl log out and back in
• Install debian backports: add deb http://ftp.debian.org/debian jessie-backports main to /etc/apt/sources.list. dont forget to sudo apt-get update
• Install build dependencies by cheating a bit using the debian dependency list: sudo apt-get build-dep znc
• Install CMake: sudo apt-get install cmake
• Install ICU: sudo apt-get install libicu-dev
• Install SWIG: sudo apt-get install swig3.0
• Install Boost: sudo apt-get install libboost-all-dev
• git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: https://github.com/evilnet/znc
• cd to the cloned repository
• ./configure –prefix=/data/irc/services/znc –enable-cyrus –enable-python –enable-perl
• enable git submodules: git submodule update –init –recursive
• compile: make
• install: make install
• Remove plugins (See list below) that you don't want around for security or irrelevance
• Run for the first time, from the install directory: bin/znc –makeconf
  • Username: admin
  • Password: see keepass db (rubin)
  • Nickname: zncadmin
  • Ident: zncadmin
  • Real name: ZNC Administrator
  • Bind host: empty
• Connect to the ZNC using an irc client as the above user
  • Load the cyrusauth module with subcomponents: /msg *status load cyrusauth saslauthd webirc impersonation
  • Create a dummy user in znc to use as a skel/clone identity: /msg *controlpanel adduser zncclone somepassword
    • Configure this user how you want them. Mainly use your above zncadmin account to disable their flag access to bind.
  • Configure cyrusauth module: (/msg *cyrusauth help)
    • Set cyrusauth module to use it the cloneuser: cloneuser yourcloneusernamehere
    • Let it create users: createuser Yes
    • Your services/ircd need to provide an account to auth as, which can set the users account on IRC (Impersonization). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: setimpersonateaccount znc somepassword
    • A network to configure for cloned users: setNetworkName yournetwork
    • A server to configure for them: setServer irc.yournetwork.org 6697 true
    • Salt is used to unpredictibly hash usernames: set UserSalt somethingrandom
    • A WebIRC Block in nefarious lets us setup our hostname: setWebIrc username password
    • What hostname to use: setWebIrcHost .users.yournetwork.org
  • Load the sasl module: /msg *status load sasl
  • Configure the sasl module (/msg *sasl help):
    • Require authentication: requireauth yes
    • SASL Mechanism to support: mechanism PLAIN
    • Set <username> <password>: Not used, dont set this

• Add a webIRC line:

WebIRC {
  description = "znc";
  host = "*@zncip";
  pass = "crypted password";
};

* Except block to protect znc from flood limits:

Except {
  host = "*@zncip";
  gline = yes;
  rdns = yes;
  ipcheck = yes;
  targetlimit = yes;
};

I run this script after make install to disable a bunch of the plugins:

#!/bin/bash

RM='/bin/rm -v'
echo "Lets delete modules we dont trust or need for security!"

#Lets remove unsafe modules!
#keep#lib/znc/adminlog.so
#keep#lib/znc/alias.so
#keep#lib/znc/autoattach.so
#keep#lib/znc/autocycle.so
#keep#lib/znc/autoop.so
#keep#lib/znc/autoreply.so
#keep#lib/znc/autovoice.so
#keep#lib/znc/awaynick.so
$RM lib/znc/awaystore.so
#keep#lib/znc/block_motd.so
#keep#lib/znc/blockuser.so
$RM lib/znc/bouncedcc.so
#keep#lib/znc/buffextras.so
$RM lib/znc/certauth.so
$RM lib/znc/cert.so
# ADD? #lib/znc/chanfilter.so
#keep#lib/znc/chansaver.so
#keep#lib/znc/clearbufferonmsg.so
# ADD? #lib/znc/clientaway.so
# ADD? #lib/znc/clientbuffer.so
#keep#lib/znc/clientnotify.so
$RM lib/znc/controlpanel.so
$RM lib/znc/crypt.so
#keep#lib/znc/ctcpflood.so
#keep#lib/znc/cyrusauth.so
$RM lib/znc/dcc.so
#keep#lib/znc/disconkick.so
#keep#lib/znc/fail2ban.so
#keep#lib/znc/flooddetach.so
#keep#lib/znc/identfile.so
$RM lib/znc/imapauth.so
#keep#lib/znc/keepnick.so
#keep#lib/znc/kickrejoin.so
#keep#lib/znc/lastseen.so
$RM lib/znc/listsockets.so
#keep#lib/znc/log.so
$RM lib/znc/missingmotd.so
#$RM lib/znc/modperl
$RM lib/znc/modperl.so
$RM lib/znc/modperl/startup.pl
$RM lib/znc/modperl/ZNC.pm
$RM lib/znc/modperl/ZNC.so
#$RM lib/znc/modpython
$RM lib/znc/modpython.so
$RM lib/znc/modpython/znc_core.py
$RM lib/znc/modpython/_znc_core.so
$RM lib/znc/modpython/znc.py
#keep#lib/znc/modules_online.so
$RM lib/znc/nickserv.so
$RM lib/znc/notes.so
#keep#lib/znc/notify_connect.so
# ADD? #lib/znc/partdetach2.cpp
#keep#lib/znc/partyline.so
#keep#lib/znc/perform.so
$RM lib/znc/perleval.pm
$RM lib/znc/pyeval.py
$RM lib/znc/q.so
$RM lib/znc/raw.so
# ADD? #lib/znc/playback.so
# ADD? #lib/znc/privmsg_auto.so
#keep#lib/znc/route_replies.so
$RM lib/znc/sample.so
#keep#lib/znc/sasl.so
$RM lib/znc/savebuff.so
$RM lib/znc/schat.so
$RM lib/znc/send_raw.so
#keep#lib/znc/shell.so
#keep#lib/znc/simple_away.so
# ADD? #lib/znc/snomask.so
#keep#lib/znc/stickychan.so
#keep#lib/znc/watch.so
#keep#lib/znc/webadmin.so