ZNC install for network Administrators

This is a guide for IRC Network Administrators. If you just want to connect to AfterNET's ZNC bouncer, go to znc

If you use X3 with LDAP support (or any services package with LDAP support) you can host a ZNC bouncer for all your users, by using ZNC's cyrusauth module. Here is how we build ZNC for AfterNET:

Install saslauthd

  • Install saslauthd package: apt-get install sasl2-bin
  • edit /etc/default/saslauthd:
START=yes
MECHANISM="ldap"
  • edit/create /etc/saslauthd.conf:
ldap_servers: ldaps://yourldapserver.domain
ldap_search_base: ou=Users,dc=yourdomain,dc=org
ldap_filter: (uid=%u)
#ldap_tls_cacert_file: /etc/ssl/yourcertificate.cer
  • Copy the CA certificate matching your ldap server to /etc/ssl/yourcertificate.cer if needed
  • start saslauthd: /etc/init.d/saslauthd start
  • Test saslauthd: testsaslauthd -u "yourldapuid" -p yourpassword -f /var/run/saslauthd/mux
  • Troubleshooting:
    • Stop saslauthd and run it in debug mode: /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 1 -d
    • check /var/log/auth.log and /var/log/daemon.log
    • try ldapsearch and see if that works:
ldapsearch -D "uid=youruid,ou=Users,dc=yourdomain,dc=org" -w yourpassword -H ldaps://ldapservername -b "ou=Users,dc=yourdomain,dc=org" -s sub "(objectclass=*)"
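When testsaslauthd says NO but ldapsearch works, it helps to see exactly what goes over the mux socket. The following Python client is an added example, not part of the AfterNET setup or of ZNC or cyrus-sasl. It assumes the socket path used above, the saslauthd wire format (four fields, each a 16-bit big-endian length followed by the bytes: login, password, service, realm; the reply is a length-prefixed string starting with "OK" or "NO"), and a service name of "znc", which is assumed to be what the cyrusauth module passes (check your auth.log and adjust if it differs). The password is read with getpass rather than taken from the command line so it does not land in shell history.

```python
import getpass
import socket
import struct
import sys

# Socket path from the testsaslauthd step above.
SASLAUTHD_MUX = "/var/run/saslauthd/mux"


def _field(value: str) -> bytes:
    """One saslauthd wire field: 16-bit big-endian length followed by the bytes."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for the saslauthd wire format")
    return struct.pack("!H", len(data)) + data


def encode_request(user: str, password: str, service: str = "znc", realm: str = "") -> bytes:
    """Serialise one request in the order saslauthd expects: login, password, service, realm.

    The service name "znc" is an assumption about what cyrusauth passes; adjust to match your logs.
    """
    return _field(user) + _field(password) + _field(service) + _field(realm)


def parse_response(data: bytes):
    """Decode a reply: 16-bit length, then text beginning with "OK" or "NO".

    Returns (authenticated, message). Anything that is not a complete reply
    starting with "OK" counts as a failure, so a garbled reply fails closed.
    """
    if len(data) < 2:
        return False, "short reply"
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        return False, "truncated reply"
    text = body.decode("utf-8", errors="replace")
    return text.startswith("OK"), text


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; saslauthd may deliver the reply in pieces."""
    chunks = []
    while n > 0:
        chunk = sock.recv(n)
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        chunks.append(chunk)
        n -= len(chunk)
    return b"".join(chunks)


def check_password(user: str, password: str, service: str = "znc",
                   mux_path: str = SASLAUTHD_MUX, timeout: float = 5.0):
    """Ask the running saslauthd over its Unix socket whether the credentials are valid."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(mux_path)  # the user running this must be in the sasl group
        sock.sendall(encode_request(user, password, service))
        header = _recv_exact(sock, 2)
        (length,) = struct.unpack("!H", header)
        return parse_response(header + _recv_exact(sock, length))


if __name__ == "__main__":
    login = sys.argv[1] if len(sys.argv) > 1 else input("LDAP uid: ")
    ok, message = check_password(login, getpass.getpass("password: "))
    print("authenticated" if ok else "rejected", "-", message)
```

Run it as the ZNC user (which is why the install steps below add that account to the sasl group); a "rejected" here with a working ldapsearch points at the saslauthd side (ldap_search_base, ldap_filter or the CA certificate) rather than at ZNC.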

Install ZNC

Assuming a debian 8 (jessie) base system:

  • Add the znc user account to the sasl group: sudo adduser yourzncuser sasl (then log out and back in so the new group membership takes effect)
  • Install debian backports: add deb http://ftp.debian.org/debian jessie-backports main to /etc/apt/sources.list. Don't forget to sudo apt-get update
  • Install build dependencies by cheating a bit using the debian dependency list: sudo apt-get build-dep znc
  • Install CMake: sudo apt-get install cmake
  • Install ICU: sudo apt-get install libicu-dev
  • Install SWIG: sudo apt-get install swig3.0
  • Install Boost: sudo apt-get install libboost-all-dev
  • git clone the repository. We maintain some patches to ZNC for integration with sasl/ldap etc so you'll want to use the latest version branch from our znc fork: https://github.com/evilnet/znc
  • cd to the cloned repository
  • ./configure --prefix=/data/irc/services/znc --enable-cyrus --enable-python --enable-perl
  • enable git submodules: git submodule update --init --recursive
  • compile: make
  • install: make install
  • Remove plugins (See list below) that you don't want around for security or irrelevance
  • Run for the first time, from the install directory: bin/znc --makeconf
    • Username: admin
    • Password: see keepass db (rubin)
    • Nickname: zncadmin
    • Ident: zncadmin
    • Real name: ZNC Administrator
    • Bind host: empty
  • Connect to the ZNC using an irc client as the above user
    • Load the cyrusauth module with subcomponents: /msg *status load cyrusauth saslauthd webirc impersonation
    • Create a dummy user in znc to use as a skel/clone identity: /msg *controlpanel adduser zncclone somepassword
      • Configure this user the way you want every cloned user to be. Mainly, use the zncadmin account from above to remove this user's permission to set a bind host.
    • Configure cyrusauth module: (/msg *cyrusauth help)
      • Set the cyrusauth module to use the dummy user as its template: cloneuser yourcloneusernamehere
      • Let it create users: createuser Yes
      • Your services/ircd need to provide an account for ZNC to auth as, one that is allowed to set other users' accounts on IRC (impersonation). In X3/nefarious this is the I flag in authserv. Create an account with this flag and set its details here: setimpersonateaccount znc somepassword
      • A network to configure for cloned users: setNetworkName yournetwork
      • A server to configure for them: setServer irc.yournetwork.org 6697 true
      • The salt is used to hash usernames unpredictably: set UserSalt somethingrandom
      • A WebIRC block in nefarious lets us set up our hostname: setWebIrc username password
      • What hostname to use: setWebIrcHost .users.yournetwork.org
    • Load the sasl module: /msg *status load sasl
    • Configure the sasl module (/msg *sasl help):
      • Require authentication: requireauth yes
      • SASL Mechanism to support: mechanism PLAIN
      • Set <username> <password>: not used, don't set this
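Because cyrusauth creates every LDAP user as a copy of the clone user, whatever rights the template has are handed to everyone who can log in. The following Python check is an added example, not part of the guide or of ZNC: it reads a znc.conf, finds the template user's <User> block and reports if it is an admin or may set a bind host (the two points above). It also checks DenyLoadMod, which is an extra hardening assumption added here, not something the guide asks for. The SAMPLE_CONF text is constructed in znc.conf syntax and is not from any real deployment.

```python
import re

# Constructed znc.conf excerpt in ZNC's own <User name> ... </User> syntax.
# The zncclone block shows the settings a hardened template should end up with.
SAMPLE_CONF = """\
<User zncclone>
\tAdmin = false
\tDenyLoadMod = true
\tDenySetBindHost = true
\tNick = zncclone
\t<Network afternet>
\t\tServer = irc.yournetwork.org +6697
\t</Network>
</User>
<User admin>
\tAdmin = true
\tDenySetBindHost = false
</User>
"""

# Settings every cloned account inherits from the template. Admin and
# DenySetBindHost follow the steps above; DenyLoadMod is an added assumption
# (LDAP users should not be able to load modules into the shared bouncer).
REQUIRED = {
    "admin": "false",
    "denysetbindhost": "true",
    "denyloadmod": "true",
}


def parse_users(conf_text):
    """Map user name -> {lowercased key: value} for the top-level keys of each <User> block.

    Nested blocks such as <Network> and <Chan> are skipped, so only settings
    that sit directly inside <User> are collected.
    """
    users = {}
    current = None
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        match = re.match(r"<User\s+(\S+)>$", line)
        if match and current is None:
            current = match.group(1)
            users[current] = {}
            depth = 0
            continue
        if current is None:
            continue
        if line == "</User>":
            current = None
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            users[current][key.strip().lower()] = value.strip()
    return users


def audit_template_user(conf_text, username):
    """Return a list of findings for the template user; an empty list means it passes."""
    users = parse_users(conf_text)
    if username not in users:
        return [f"user {username} not found"]
    settings = users[username]
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key, "<unset>").lower()
        if actual != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    return findings


if __name__ == "__main__":
    # Against a live install read your own file instead of SAMPLE_CONF,
    # e.g. open("~/.znc/configs/znc.conf" expanded) .read()
    for user in ("zncclone", "admin"):
        print(user, audit_template_user(SAMPLE_CONF, user) or "OK")
```

Run it after the controlpanel steps and before loading cyrusauth with createuser Yes, and again whenever the template user is edited, since a change there silently changes what every new LDAP user gets.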

Setup IRCD

  • Add a webIRC line:
WebIRC {
  description = "znc";
  host = "*@zncip";
  pass = "crypted password";
};

  • Except block to protect znc from flood limits:
Except {
  host = "*@zncip";
  gline = yes;
  rdns = yes;
  ipcheck = yes;
  targetlimit = yes;
};

Security

I run this script after make install to disable a bunch of the plugins:

#!/bin/bash

RM='/bin/rm -v'
echo "Lets delete modules we dont trust or need for security!"

#Lets remove unsafe modules!
#keep#lib/znc/adminlog.so
#keep#lib/znc/alias.so
#keep#lib/znc/autoattach.so
#keep#lib/znc/autocycle.so
#keep#lib/znc/autoop.so
#keep#lib/znc/autoreply.so
#keep#lib/znc/autovoice.so
#keep#lib/znc/awaynick.so
$RM lib/znc/awaystore.so
#keep#lib/znc/block_motd.so
#keep#lib/znc/blockuser.so
$RM lib/znc/bouncedcc.so
#keep#lib/znc/buffextras.so
$RM lib/znc/certauth.so
$RM lib/znc/cert.so
# ADD? #lib/znc/chanfilter.so
#keep#lib/znc/chansaver.so
#keep#lib/znc/clearbufferonmsg.so
# ADD? #lib/znc/clientaway.so
# ADD? #lib/znc/clientbuffer.so
#keep#lib/znc/clientnotify.so
$RM lib/znc/controlpanel.so
$RM lib/znc/crypt.so
#keep#lib/znc/ctcpflood.so
#keep#lib/znc/cyrusauth.so
$RM lib/znc/dcc.so
#keep#lib/znc/disconkick.so
#keep#lib/znc/fail2ban.so
#keep#lib/znc/flooddetach.so
#keep#lib/znc/identfile.so
$RM lib/znc/imapauth.so
#keep#lib/znc/keepnick.so
#keep#lib/znc/kickrejoin.so
#keep#lib/znc/lastseen.so
$RM lib/znc/listsockets.so
#keep#lib/znc/log.so
$RM lib/znc/missingmotd.so
#$RM lib/znc/modperl
$RM lib/znc/modperl.so
$RM lib/znc/modperl/startup.pl
$RM lib/znc/modperl/ZNC.pm
$RM lib/znc/modperl/ZNC.so
#$RM lib/znc/modpython
$RM lib/znc/modpython.so
$RM lib/znc/modpython/znc_core.py
$RM lib/znc/modpython/_znc_core.so
$RM lib/znc/modpython/znc.py
#keep#lib/znc/modules_online.so
$RM lib/znc/nickserv.so
$RM lib/znc/notes.so
#keep#lib/znc/notify_connect.so
# ADD? #lib/znc/partdetach2.cpp
#keep#lib/znc/partyline.so
#keep#lib/znc/perform.so
$RM lib/znc/perleval.pm
$RM lib/znc/pyeval.py
$RM lib/znc/q.so
$RM lib/znc/raw.so
# ADD? #lib/znc/playback.so
# ADD? #lib/znc/privmsg_auto.so
#keep#lib/znc/route_replies.so
$RM lib/znc/sample.so
#keep#lib/znc/sasl.so
$RM lib/znc/savebuff.so
$RM lib/znc/schat.so
$RM lib/znc/send_raw.so
#keep#lib/znc/shell.so
#keep#lib/znc/simple_away.so
# ADD? #lib/znc/snomask.so
#keep#lib/znc/stickychan.so
#keep#lib/znc/watch.so
#keep#lib/znc/webadmin.so
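To confirm that the script above actually did its job on the installed tree (every $RM target gone, nothing marked #keep# missing), here is an added Python check that treats the script's own $RM and #keep# lines as the policy and compares them with the install prefix. It is not part of the script above or of ZNC. SAMPLE_SCRIPT is a constructed excerpt in the same style, demo() stages a fake tree in a temporary directory, and the /data/irc/services/znc prefix in the usage comment is the one from the configure step.

```python
import os
import re
import tempfile

# Constructed excerpt in the same style as the removal script; on a live box
# pass the real script's text to verify_install() instead.
SAMPLE_SCRIPT = """\
#!/bin/bash
RM='/bin/rm -v'
#keep#lib/znc/cyrusauth.so
$RM lib/znc/controlpanel.so
$RM lib/znc/send_raw.so
# ADD? #lib/znc/playback.so
#$RM lib/znc/modpython
$RM lib/znc/modpython/znc.py
"""


def parse_policy(script_text):
    """Return (to_remove, to_keep): paths on active $RM lines and on #keep# lines.

    Commented-out lines such as '#$RM lib/znc/modperl' and the '# ADD? #'
    notes are ignored, exactly as bash ignores them when the script runs.
    """
    to_remove, to_keep = set(), set()
    for raw in script_text.splitlines():
        line = raw.strip()
        match = re.match(r"\$RM\s+(\S+)$", line)
        if match:
            to_remove.add(match.group(1))
            continue
        match = re.match(r"#keep#(\S+)$", line)
        if match:
            to_keep.add(match.group(1))
    return to_remove, to_keep


def verify_install(prefix, script_text):
    """Compare the tree under prefix with the script's policy.

    Returns a list of findings; an empty list means every $RM target is gone
    and every #keep# module is still installed.
    """
    to_remove, to_keep = parse_policy(script_text)
    findings = []
    for rel in sorted(to_remove):
        if os.path.exists(os.path.join(prefix, rel)):
            findings.append(f"still present: {rel}")
    for rel in sorted(to_keep):
        if not os.path.exists(os.path.join(prefix, rel)):
            findings.append(f"missing expected module: {rel}")
    return findings


def demo():
    """Stage a fake install tree in a temporary directory and verify it.

    send_raw.so is deliberately left behind so the check has something to report.
    """
    with tempfile.TemporaryDirectory() as root:
        for rel in ("lib/znc/cyrusauth.so", "lib/znc/send_raw.so"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return verify_install(root, SAMPLE_SCRIPT)


if __name__ == "__main__":
    print(demo())
    # On the real box, with the script saved as disable_modules.sh (name assumed):
    # with open("disable_modules.sh") as fh:
    #     print(verify_install("/data/irc/services/znc", fh.read()))
```

Running the check after every make install (an upgrade reinstalls all modules, including the ones you deleted) is what makes the removal stick rather than a one-off.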