openbsd:irc:znc [2020/03/05 02:09] jrmu
openbsd:irc:znc [2020/08/01 09:02] (current) baytuch
Line 18: | Line 18: | ||
Shell: /sbin/nologin | Shell: /sbin/nologin | ||
OK? (y/n) [y]: y | OK? (y/n) [y]: y | ||
+ | </code> | ||
I am not sure if this is necessary, but in /etc/login.conf, I add the following: | I am not sure if this is necessary, but in /etc/login.conf, I add the following: | ||
Line 39: | Line 40: | ||
</code> | </code> | ||
- | There should be a line with znc that looks like this (I check to make sure znc has the right login class): | + | There should be a line with znc that looks like this (I check to make sure znc has the right login class; the '1001' is the uid, which you may find to be different from this example, but it should not be changed): |
<code> | <code> | ||
- | znc:*:1001:1001::0:0:znc:/home/znc:/bin/sh | + | znc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin |
</code> | </code> | ||
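Review bot: the updated line is in master.passwd(5) format (the fifth field, now `znc`, is the login class), so the check has to be made against /etc/master.passwd, via `doas vipw` or `doas grep '^znc:' /etc/master.passwd`; /etc/passwd omits the class, change and expire fields and will never show the `znc` class this step is verifying. The shell shown, /sbin/nologin, matches what adduser set in the Line 18 hunk and is correct for a daemon account. The uid remark is fine, but the point is that adduser assigns the uid and the reader should leave whatever value is there, not that it must be 1001.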
Line 48: | Line 49: | ||
<code> | <code> | ||
- | cap_mkdb /etc/login.conf | + | $ doas cap_mkdb /etc/login.conf |
</code> | </code> | ||
+ | |||
+ | Now change znc shell to /bin/ksh , then continue with the steps below. | ||
<code> | <code> | ||
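Review bot: the added line tells the reader to change znc's shell to /bin/ksh but gives neither the command nor the reason. chroot(8) with -u switches uid directly and never reads the account's login shell (it runs the command given, or $SHELL), so if the shell is only needed for an interactive `su znc` or `doas -u znc` step below, say which step, and give the command (`doas chsh -s /bin/ksh znc`, or edit the field in `doas vipw`). The window in which the daemon account has a real shell should be as short as possible; the page does switch it back to /sbin/nologin in the Line 65 hunk, so say explicitly that the ksh shell is temporary.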
Line 65: | Line 68: | ||
</code> | </code> | ||
- | I then set the default shell to /sbin/nologin: | + | |
+ | I then set the default shell to /sbin/nologin (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.): | ||
<code> | <code> | ||
Line 72: | Line 76: | ||
... | ... | ||
- | znc:*:1001:1001::0:0:znc:/home/znc:/sbin/nologin | + | znc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin |
</code> | </code> | ||
- | Run this install script (tested for OpenBSD 6.6 and znc-1.7.4) as root to put znc inside the chroot at /home/znc: | + | Run this install script (tested for OpenBSD 6.7 and znc-1.7.5) as root to put znc inside the chroot at /home/znc: |
<code> | <code> | ||
Line 87: | Line 91: | ||
mknod -m 644 /home/znc/dev/urandom c 45 2 | mknod -m 644 /home/znc/dev/urandom c 45 2 | ||
mknod -m 666 /home/znc/dev/null c 2 2 | mknod -m 666 /home/znc/dev/null c 2 2 | ||
- | cp /usr/lib/libc++.so.3.0 /home/znc/usr/lib/libc++.so.3.0 | + | cp /usr/lib/libc++.so.4.0 /home/znc/usr/lib/libc++.so.4.0 |
- | cp /usr/lib/libc++abi.so.1.0 /home/znc/usr/lib/libc++abi.so.1.0 | + | cp /usr/lib/libc++abi.so.2.1 /home/znc/usr/lib/libc++abi.so.2.1 |
- | cp /usr/lib/libc.so.95.1 /home/znc/usr/lib/libc.so.95.1 | + | cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0 |
- | cp /usr/lib/libcrypto.so.45.5 /home/znc/usr/lib/libcrypto.so.45.5 | + | cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1 |
cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1 | cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1 | ||
cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1 | cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1 | ||
- | cp /usr/lib/libssl.so.47.6 /home/znc/usr/lib/libssl.so.47.6 | + | cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1 |
cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0 | cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0 | ||
cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so | cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so | ||
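Review bot: the hard-coded library names (libc.so.96.0, libcrypto.so.46.1, libssl.so.48.1, ...) have to be re-derived for every release and, more importantly, the copies inside /home/znc/usr/lib are not touched by syspatch(8) or sysupgrade(8): a libcrypto or libssl fix applied to /usr/lib leaves the chrooted znc running the old code until this script is run again. Suggest generating the list from `ldd /usr/local/bin/znc` instead of pinning names, and adding a step to re-run the copy after every syspatch. Since the script runs as root the copied files end up root-owned; keep it that way and check that nothing under /home/znc/usr and /home/znc/dev is writable by the znc user, otherwise a compromised znc process can replace its own libraries inside the chroot.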
Line 107: | Line 111: | ||
<code> | <code> | ||
- | # HOME=/home/znc/ | + | # export HOME=/home/znc/ |
# chroot -u znc -g znc /home/znc znc --makeconf | # chroot -u znc -g znc /home/znc znc --makeconf | ||
</code> | </code> | ||
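Review bot: the `export` is the right fix; a plain `HOME=/home/znc/` on its own line sets a shell variable that is not inherited by chroot's child, so znc would have looked for its config under whatever HOME root had. Note that the value is a path inside the chroot (on the host it resolves to /home/znc/home/znc, which is where the rc script below expects the pid file), and that the Line 148 step and the rc script use HOME=/home/znc without the trailing slash; keep one spelling.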
Line 116: | Line 120: | ||
[ ** ] -- Global settings -- | [ ** ] -- Global settings -- | ||
[ ** ] | [ ** ] | ||
- | [ ?? ] Listen on port (1025 to 65534): 6697 | + | [ ?? ] Listen on port (1025 to 65534): 31337 |
[ ?? ] Listen using SSL (yes/no) [no]: yes | [ ?? ] Listen using SSL (yes/no) [no]: yes | ||
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no | [ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no | ||
Line 148: | Line 152: | ||
# export HOME=/home/znc | # export HOME=/home/znc | ||
# /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & | # /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & | ||
+ | </code> | ||
+ | |||
+ | Creating a start script: | ||
+ | <code> | ||
+ | doas touch /etc/rc.d/znc | ||
+ | doas chmod +x /etc/rc.d/znc | ||
+ | </code> | ||
+ | |||
+ | File contents: | ||
+ | <code> | ||
+ | #!/bin/ksh | ||
+ | # | ||
+ | # $OpenBSD: znc,v 1.2 2018/01/11 19:27:07 rpe Exp $ | ||
+ | |||
+ | daemon_pidfile="/home/znc/home/znc/.znc/znc.pid" | ||
+ | daemon="env HOME=/home/znc /usr/sbin/chroot -u znc -g znc /home/znc znc" | ||
+ | |||
+ | |||
+ | service_stop() { | ||
+ | if [ -f $daemon_pidfile ]; then | ||
+ | pid=$(sed 's/[^0-9]*//g' $daemon_pidfile) | ||
+ | kill $pid | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | case "$1" in | ||
+ | stop) | ||
+ | service_stop | ||
+ | ;; | ||
+ | esac | ||
+ | |||
+ | |||
+ | . /etc/rc.d/rc.subr | ||
+ | |||
+ | rc_reload=NO | ||
+ | |||
+ | rc_cmd $1 | ||
+ | </code> | ||
+ | |||
+ | <code> | ||
+ | doas rcctl start znc | ||
+ | doas rcctl stop znc | ||
</code> | </code> | ||
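Review bot: service_stop() runs as root and kills whatever pid is in a file that lives inside the chroot and is written by the unprivileged znc user (daemon_pidfile under /home/znc/home/znc/.znc, PidFile in the znc.conf hunk below). A compromised znc process can write any pid there and `rcctl stop znc` will deliver the signal for it; check ownership before signalling, e.g. `[ "$(ps -o user= -p "$pid")" = znc ] && kill "$pid"`. Better still, drop the `case "$1" in stop)` block entirely: it sits before `. /etc/rc.d/rc.subr` and duplicates what rc_cmd does. The framework way is to define `rc_stop()` after sourcing rc.subr, and to set `pexp` to the process as it actually appears, because after env and chroot exec it the command line is just `znc`, not the `env HOME=/home/znc /usr/sbin/chroot ...` string in `$daemon`; as written, `rcctl check znc` and rc.subr's own pkill never match, which is presumably why the pidfile hack was added. The `$OpenBSD: znc,v 1.2 ...` tag is copied from another file and should go.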
Line 153: | Line 199: | ||
<code> | <code> | ||
- | pass in proto tcp to port {http https} | + | pass in log quick proto tcp to port {http https} keep state (max-src-conn 30, max-src-conn-rate 20/60) |
- | pass in proto {tcp udp} to port { 6697 } #irc | + | pass in log quick proto tcp to port { 1337 31337 } keep state (max 3000, max-src-conn 200) #bnc |
</code> | </code> | ||
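Review bot: the second rule passes 1337 and 31337 from any source, and 1337 is the port the listener hunks below assign to the SSL = false listeners, so unless those listeners are bound to a non-routable address this accepts ZNC passwords in clear from the internet. If 1337 exists only for the 127.0.0.1 listener that relayd or a local client talks to, drop it from this rule and leave 31337 (TLS) as the only externally reachable IRC port. Two smaller points: dropping udp from the old rule is correct (IRC is TCP only), and `max-src-conn-rate 20/60` on the web rule only refuses new connections while the source is over the rate; if the intent is to lock an abuser out, pair it with `overload <table> flush global` and a block rule on that table.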
Line 166: | Line 212: | ||
<code> | <code> | ||
- | # HOME=/home/znc && /usr/sbin/chroot -u znc -g znc /home/znc znc >/var/log/znc.log 2>&1 & | + | # HOME=/home/znc && /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & |
</code> | </code> | ||
Line 178: | Line 224: | ||
<code> | <code> | ||
- | AnonIPLimit = 1000 | + | AnonIPLimit = 10000 |
AuthOnlyViaModule = false | AuthOnlyViaModule = false | ||
ConfigWriteDelay = 0 | ConfigWriteDelay = 0 | ||
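Review bot: AnonIPLimit caps unauthenticated connections per source IP (ZNC's default is 10); raising it from 1000 to 10000 effectively removes that guard. The PF rule above still limits direct connections to 200 per source, but connections arriving through relayd carry relayd's address unless it is configured transparent, so if the bump is there to stop relayed web clients from tripping the limit, say so, and consider doing the per-client limit in relayd where the real client address is known rather than disabling ZNC's.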
Line 189: | Line 235: | ||
LoadModule = webadmin | LoadModule = webadmin | ||
LoadModule = certauth | LoadModule = certauth | ||
- | LoadModule = partyline | ||
MaxBufferSize = 10000 | MaxBufferSize = 10000 | ||
ProtectWebSessions = true | ProtectWebSessions = true | ||
Line 195: | Line 240: | ||
SSLDHParamFile = /home/znc/.znc/dhparam.pem | SSLDHParamFile = /home/znc/.znc/dhparam.pem | ||
SSLKeyFile = /home/znc/.znc/my.example.com.key | SSLKeyFile = /home/znc/.znc/my.example.com.key | ||
+ | PidFile = /home/znc/.znc/znc.pid | ||
ServerThrottle = 30 | ServerThrottle = 30 | ||
- | Version = 1.7.4 | + | Version = 1.7.5 |
<Listener listener0> | <Listener listener0> | ||
Line 204: | Line 250: | ||
IPv4 = true | IPv4 = true | ||
IPv6 = false | IPv6 = false | ||
- | Port = 6697 | + | Port = 1337 |
- | SSL = true | + | SSL = false |
URIPrefix = / | URIPrefix = / | ||
</Listener> | </Listener> | ||
<Listener listener1> | <Listener listener1> | ||
+ | AllowIRC = true | ||
+ | AllowWeb = false | ||
+ | Host = 192.168.1.1 | ||
+ | IPv4 = true | ||
+ | IPv6 = false | ||
+ | Port = 31337 | ||
+ | SSL = true | ||
+ | URIPrefix = / | ||
+ | </Listener> | ||
+ | |||
+ | <Listener listener2> | ||
AllowIRC = true | AllowIRC = true | ||
AllowWeb = false | AllowWeb = false | ||
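Review bot: listener0 goes from 6697 with SSL = true to 1337 with SSL = false, so the IPv4 IRC listener on this host now takes logins in clear, with TLS only on the new listener1 on 31337. The Host line of listener0 is outside the hunk; if it is the public address, either delete listener0 or set SSL = true on it, and leave cleartext IRC to the 127.0.0.1-bound listener4 added below, which is the one place where it is harmless. The same applies to the IPv6 pair (listener2 on 1337 without SSL, listener3 on 31337 with SSL) in the next hunk.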
Line 215: | Line 272: | ||
IPv4 = false | IPv4 = false | ||
IPv6 = true | IPv6 = true | ||
- | Port = 6697 | + | Port = 1337 |
+ | SSL = false | ||
+ | URIPrefix = / | ||
+ | </Listener> | ||
+ | |||
+ | <Listener listener3> | ||
+ | AllowIRC = true | ||
+ | AllowWeb = false | ||
+ | Host = 2001:db8:: | ||
+ | IPv4 = false | ||
+ | IPv6 = true | ||
+ | Port = 31337 | ||
SSL = true | SSL = true | ||
URIPrefix = / | URIPrefix = / | ||
</Listener> | </Listener> | ||
- | <Listener listener2> | + | <Listener listener4> |
+ | AllowIRC = true | ||
+ | AllowWeb = false | ||
+ | Host = 127.0.0.1 | ||
+ | IPv4 = true | ||
+ | IPv6 = false | ||
+ | Port = 1337 | ||
+ | SSL = false | ||
+ | URIPrefix = / | ||
+ | </Listener> | ||
+ | |||
+ | <Listener listener5> | ||
AllowIRC = false | AllowIRC = false | ||
AllowWeb = true | AllowWeb = true | ||
Line 226: | Line 305: | ||
IPv4 = true | IPv4 = true | ||
IPv6 = false | IPv6 = false | ||
- | Port = 6669 | + | Port = 1338 |
SSL = false | SSL = false | ||
URIPrefix = / | URIPrefix = / | ||
Line 234: | Line 313: | ||
We will load the identfile module by default. This is necessary to provide proper ident using [[openbsd:irc:oidentd|oidentd]]. Please follow the instructions in the link to configure ident. | We will load the identfile module by default. This is necessary to provide proper ident using [[openbsd:irc:oidentd|oidentd]]. Please follow the instructions in the link to configure ident. | ||
- | I have znc bind to port 6669 without SSL for the web server. I will later use [[openbsd:net:relayd|relayd]] to provide TLS acceleration on port 443. | + | I have znc bind to port 1338 without SSL for the web server. I will later use [[openbsd:net:relayd|relayd]] to provide TLS acceleration on port 443. |
Replace with your own IP addresses. Then, on your irc client logged into the bouncer: | Replace with your own IP addresses. Then, on your irc client logged into the bouncer: | ||
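Review bot: the web listener on 1338 is SSL = false and is to be fronted by relayd later; the PF rules above pass only http, https, 1337 and 31337, so 1338 is currently protected by the firewall alone. Bind listener5 to 127.0.0.1 (as listener4 does for IRC) so webadmin logins can only arrive via relayd regardless of the ruleset. Also note that ProtectWebSessions = true in the config hunk binds a web session to the client address; behind a non-transparent relayd every client shares relayd's address, so that check is a no-op unless relayd passes the real address and ZNC is told to trust it (TrustedProxy in 1.7).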
Line 250: | Line 329: | ||
<code> | <code> | ||
HOME=/home/znc | HOME=/home/znc | ||
- | */5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >/var/log/znc.log 2>&1 & | + | */5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & |
</code> | </code> | ||
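Review bot: with the rc.d script now on the page, this crontab entry starts a second znc every five minutes whether or not one is already running; the second instance cannot bind its listeners and bails out, and the error lands in /var/log/znc.log each time (the change to `>>` at least stops that from truncating the log). Point cron at `rcctl start znc` instead, which exits 0 without starting anything when rc_check sees the running process, provided the script's pexp matches the chrooted `znc` process as noted on the rc script hunk.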
Line 256: | Line 335: | ||
<code> | <code> | ||
- | $ openssl s_client -connect my.example.com:6697 | + | $ openssl s_client -connect my.example.com:31337 |
</code> | </code> | ||