Fixing the IRC server

beaglebone.txt

 
 IRC is not an especially secure system.  For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems.  However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over.
 
-Because hybrid doesn't support OpenSSL by default, you have to do a manual patch to get it working.
-
 #+BEGIN_SRC: bash
+adduser ircserver
 cd ~/build
-mkdir hybrid
-cd hybrid
-apt-get update
-apt-get install build-essential openssl libssl-dev debhelper dpatch docbook-to-man flex bison libpcre3-dev screen
-apt-get source ircd-hybrid
+wget http://freedombone.uk.to/ircd-hybrid-8.1.20.tgz
 #+END_SRC
 
-To enable SSL
+Verify the download.
 
 #+BEGIN_SRC: bash
-editor ircd-hybrid-*/debian/rules
+sha256sum ircd-hybrid-8.1.20.tgz
+5570be89fa76b2712d7f08d6c828d613d201daed8c1064be7245fe10bdffa228
 #+END_SRC
 
-At the top add:
+Download Anope.
 
 #+BEGIN_SRC: bash
-USE_OPENSSL = 1
+wget http://freedombone.uk.to/anope-2.0.1-source.tar.gz
 #+END_SRC
 
-So the file should looks like:
+And verify it.
 
 #+BEGIN_SRC: bash
-# ...
-# Some useful stuff to edit here.
-# Beware: TOPICLEN may not exceed 390.
-NICKLEN = 15
-TOPICLEN = 350
-MAXCLIENTS = 200
-USE_OPENSSL = 1
-8# ...
+sha256sum anope-2.0.1-source.tar.gz
+539f603adc4f982e3a5ffd175ecb007aadc619a692409b3e9e1f7f15fb1288e6
 #+END_SRC
 
-Save and exit, then rebuild the deb-file and install it:
+Then compile and install them.
 
 #+BEGIN_SRC: bash
-cd ircd-hybrid-*
-dpkg-buildpackage -rfakeroot -uc -b
-cd ..
-dpkg -i ircd-hybrid_*.deb
+apt-get install libssl-dev cmake
+tar -xvf ircd-hybrid-8.1.20.tgz
+tar -xvf anope-2.0.1-source.tar.gz
+cd ~/build/ircd-hybrid-8.1.20
+./configure -prefix="/home/ircserver/ircd"
+make
+make install
+cd ~/build/anope-2.0.1-source
+./Config
 #+END_SRC
 
-Edit connect, listen and operator settings:
+Answer the questions as follows:
 
 #+BEGIN_SRC: bash
-editor /etc/ircd-hybrid/ircd.conf
+In what directory do you want the binaries to be installed?
+/home/ircserver/services
+
+Create it?
+y
+
+Where do you want the data files to be installed?
+/home/ircserver/services
+
+Which group should all Services data files be owned by?
+ircserver
+
+What should the default umask for data files be (in octal)?
+007
+
+Would you like to build a debug version of Anope?
+n
+
+Would you like to utilize run-cc.pl?
+n
+
+Do you want to build using precompiled headers?
+n
+
+If you need no extra include directories.
+NONE
+
+Are there any extra arguments you wish to pass to CMake?
+NONE
 #+END_SRC
 
-Edit the connect section.  Set *name* to the name of your server, and set a description.
+Then build and install Anope.
 
-#+BEGIN_SRC: c
-connect {
-        /* name: the name of the server */
-        name = "myircdomainname.com";
-Set a *network_name* and *network_desc*.
-        /* host: the host or IP to connect to.  If a hostname is used it
-         * must match the reverse dns of the server.
-         */
-        host = "127.0.0.1";
+#+BEGIN_SRC: bash
+cd build
+make
+make install
+cd /home/ircserver/ircd/etc
+cp reference.conf ircd.conf
 #+END_SRC
 
-Set max_clients to 20.
+Create some ssl certificates:
 
-#+BEGIN_SRC: c
-        /* passwords: the passwords we send (OLD C:) and accept (OLD N:).
-         * The remote server will have these passwords reversed.
-         */
-        send_password = "password";
-        accept_password = "password";
+#+BEGIN_SRC: bash
+mkdir /home/ircserver/ircd/ssl
+openssl genrsa -out /home/ircserver/ircd/ssl/ircd.key 4096
+openssl req -new -x509 -key /home/ircserver/ircd/ssl/ircd.key -out /home/ircserver/ircd/ssl/ircd.pem -days 3650
 #+END_SRC
 
-Within the admin section set your *name* and *email*.
+You will be asked for some details. The next step will take a few minutes to gather entropy, so go and do something else.
+
+#+BEGIN_SRC: bash
+openssl dhparam -out /home/ircserver/ircd/ssl/dhparam.pem 1024
+#+END_SRC
 
-Enable compression.
+Now alter the permissions on the files so that they're accessible to the /ircserver/ user:
 
-#+BEGIN_SRC: c
-        /* compressed: controls whether traffic is compressed via ziplinks.
-         * By default this is disabled
-         */
-        compressed = yes;
-};
+#+BEGIN_SRC: bash
+chmod 600 /home/ircserver/ircd/ssl/ircd.key
+chmod 600 /home/ircserver/ircd/ssl/ircd.pem
+chmod 600 /home/ircserver/ircd/ssl/dhparam.pem
+chown -R ircserver:ircserver /home/ircserver/ircd
+chown -R ircserver:ircserver /home/ircserver/services
 #+END_SRC
 
-Within the *listen* section set host to your fixed IP address (in the earlier sections it was 192.168.1.60).
+Now edit the configuration:
 
-#+BEGIN_SRC: c
-/* listen {}: contain information about the ports ircd listens on (OLD P:) */
-listen {
-/* port: the specific port to listen on. if no host is specified
- * before, it will listen on all available IPs.
- *
- * ports are seperated via a comma, a range may be specified using ".."
- */
+#+BEGIN_SRC: bash
+editor /home/ircserver/ircd/etc/ircd.conf
+#+END_SRC
+
+Comment out:
+
+#+BEGIN_SRC: bash
+// havent_read_conf = 1;
+// flags = need_ident;
+#+END_SRC
 
-/* port: listen on all available IPs, ports 6665 to 6669 */
-host = "127.0.0.1";
-port = 6665 .. 6669;
+Uncomment and change the following lines:
 
-/* sslport: ports to accept ONLY ssl connections on */
-flags = ssl;
-port = 6697
-};
+#+BEGIN_SRC: bash
+rsa_private_key_file = "/home/ircserver/ircd/ssl/ircd.key";
+ssl_certificate_file = "/home/ircserver/ircd/ssl/ircd.pem";
+ssl_dh_param_file = "/home/ircserver/ircd/ssl/dhparam.pem";
 #+END_SRC
 
-Generate a password for the IRC operator using mkpasswd tool.
+Above the ssl parameters set *network_name* to your domain name.
+
+Uncomment:
 
 #+BEGIN_SRC: bash
-mkpasswd -Hmd5
+ssl_server_method = tldv1, sslv3;
 #+END_SRC
 
-Search for operator block and change it to look like this, including the password which you just generated:
+Within the *operator* section (line 424):
 
-#+BEGIN_SRC: c
-# ...
-operator {
-/* name: the name of the oper */
-name = "root";
+#+BEGIN_SRC: bash
+name = "myusername";
+user = "*@192.168.1.*";
+password = "mypassword";
+encrypted = no;
+#+END_SRC
 
-/* user: the user@host required for this operator. CIDR is not
- * supported. multiple user="" lines are supported.
- */
-user = "*@*";
+Within the *connect* section (line 555):
 
-/* password: the password required to oper. By default this will
- * need to be encrypted using '/usr/bin/mkpasswd'.
- * WARNING: Please do not mix up the 'mkpasswd' program from
- * /usr/sbin with this one. If you are root, typing 'mkpasswd'
- * will run that one instead and you will receive a strange error.
- *
- * MD5 is supported. If you want to use it, use mkpasswd -Hmd5.
- */
-password = "#MD5 PASSWORD HERE#";
-# ...
+#+BEGIN_SRC: bash
+name = "mydomainname.com";
+host = "192.168.1.60";
+vhost = "192.168.1.60";
+send_password = "mysendacceptpassword";
+accept_password = "mysendacceptpassword";
 #+END_SRC
 
-Within the *auth* section set user = "*@192.168.1.60" - or whatever the fixed IP address of the BBB is on your network.
+And within the *service* section:
+
+#+BEGIN_SRC: bash
+name = "mydomainname.com";
+#+END_SRC
+
+Within the serverinfo section change *name*, *network_name* and *network_desc* to a name and description for your IRC server. To avoid confusion you could make the name and network name the same as your domain name.
+
+Change *max_clients* to 20, or a number which is sufficient for the number of simultaneous users you expect.
 
 Save and exit.
 
-#+BEGIN_SRC: c
-service ircd-hybrid restart
+#+BEGIN_SRC: bash
+cd /home/ircserver/services/conf
+cp example.conf services.conf
+editor services.conf
 #+END_SRC
 
-Now open ports 6665 to 6669 on your internet router/firewall.
+Set the following, replacing /operatorpassword/ with a password which will be used to manage your IRC channels, /mydomainname.com/ with your domain name and /myusername/ with your username:
 
-After connecting to IRC server you should see something like this:
+Within the *module* section set *name* to "hybrid".
+
+Within the *uplink* section set *password* to the /sendacceptpassword/.
+
+Uncomment *#oper* and *name* underneath it, and change the name to your username.
+
+Save and exit, then create a daemon.
 
 #+BEGIN_SRC: bash
-23:50 -!- - hybrid7.debian.local Message of the Day -
-23:50 -!- -         _,met$$$$$gg.       ircd-hybrid 7.2.2
-23:50 -!- -      ,g$$$$$$$$$$$$$$$P.    -----------------
-23:50 -!- -    ,g$$P""       """Y$$.".
-23:50 -!- -   ,$$P'              `$$$.  If you are seeing this, you have
-23:50 -!- - ',$$P       ,ggs.     `$$b: installed the ircd-hybrid package and
-23:50 -!- - `d$$'     ,$P"'   .    $$$  you are now connected to your new IRC
-23:50 -!- -  $$P      d$'     ,    $$P  server -- congratulations.
-23:50 -!- -  $$:      $$.   -    ,d$$'
-23:50 -!- -  $$;      Y$b._   _,d$P'    Since you have just installed the
-23:50 -!- -  Y$$.    `.`"Y$$$$P"'       package, there are some things you
-23:50 -!- -  `$$b      "-.__            should do before going any further:
-23:50 -!- -   `Y$$b
-23:50 -!- -    `Y$$.                    1. Edit /etc/ircd-hybrid/ircd.conf to
-23:50 -!- -      `$$b.                  suit your needs. Beware some options have
-23:50 -!- -        `Y$$b.               been removed or moved into other blocks in
-23:50 -!- -          `"Y$b._            the configuration file since
-23:50 -!- -             `""""           ircd-hybrid 7.0.3.
-23:50 -!- -
-23:50 -!- -                             2. Edit /etc/ircd-hybrid/ircd.motd (this
-23:50 -!- -                             MOTD) to suit your needs. You are free
-23:50 -!- -                             to use this Debian swirl under the
-23:50 -!- -                             Debian Open Use Logo License. :)
-23:50 -!- -
-23:50 -!- -                             3. Restart the server using invoke-rc.d
-23:50 -!- -                             ircd-hybrid restart.
-23:50 -!- -
-23:50 -!- End of /MOTD command.
+editor /etc/init.d/ircd-hybrid
 #+END_SRC
 
-If necessary you can change the message of the day with:
+Add the following:
 
 #+BEGIN_SRC: bash
-editor /etc/ircd-hybrid/ircd.motd
+#!/bin/bash
+# /etc/init.d/ircd-hybrid
+
+### BEGIN INIT INFO
+# Provides:          ircd-hybrid
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts irc server
+# Description:       starts irc server
+### END INIT INFO
+
+# Author: Bob Mottram <bob@robotics.uk.to>
+
+#Settings
+SERVICE='ircd-hybrid'
+COMMAND='ircd'
+USER='ircserver'
+NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources
+HISTORY=1024
+INVOCATION="nice -n ${NICELEVEL} ${COMMAND}"
+PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/home/ircserver/ircd/sbin:/home/ircserver/ircd/bin'
+
+
+irc_start() {
+echo "Starting $SERVICE..."
+cd /home/$USER/ircd
+su --command "bin/$COMMAND" $USER
+su --command "/home/$USER/services/bin/services" $USER
+}
+
+
+irc_stop() {
+echo "Stopping $SERVICE"
+killall -15 $COMMAND
+killall -15 $USER
+}
+
+
+#Start-Stop here
+case "$1" in
+  start)
+    irc_start
+    ;;
+  stop)
+    irc_stop
+    ;;
+  restart)
+    irc_stop
+    sleep 10s
+    irc_start
+    ;;
+    *)
+  echo "Usage: $0 {start|stop|restart}"
+  exit 1
+  ;;
+esac
+
+exit 0
 #+END_SRC
 
-The restart the irc server.
+Save and exit, then start the daemon.
 
 #+BEGIN_SRC: bash
+chmod +x /etc/init.d/ircd-hybrid
+update-rc.d ircd-hybrid defaults
 service ircd-hybrid start
 #+END_SRC
 
+NOTE: to debug anope
+su - ircserver
+cd ~/services/bin
+./services -debug -nofork
+
 *** Channel management
 
 To to install channel management tools.
 And regenerate the IRC server keys:
 
 #+BEGIN_SRC: bash
-openssl genrsa -out /etc/ircd-hybrid/key/ircd.key 4096
-openssl req -new -x509 -key /etc/ircd-hybrid/key/ircd.key -out /etc/ircd-hybrid/key/ircd.pem -days 3650
-chmod 600 /etc/ircd-hybrid/key/ircd.key
-chmod 600 /etc/ircd-hybrid/key/ircd.pem
+openssl genrsa -out /home/ircserver/ircd/ssl/ircd.key 4096
+openssl req -new -x509 -key /home/ircserver/ircd/ssl/ircd.key -out /home/ircserver/ircd/ssl/ircd.pem -days 3650
+openssl dhparam -out /home/ircserver/ircd/ssl/dhparam.pem 1024
+#+END_SRC
+
+This will take a few minutes to gather entropy.
+
+#+BEGIN_SRC: bash
+chmod 600 /home/ircserver/ircd/ssl/ircd.key
+chmod 600 /home/ircserver/ircd/ssl/ircd.pem
+chmod 600 /home/ircserver/ircd/ssl/dhparam.pem
+chown -R ircserver:ircserver /home/ircserver/ircd/ssl
 #+END_SRC
 
 Regenerate email certificate.