ircd hybrid zum zweiten

IRC ist eine nette Sache und jede größere Internetgemeinschaft,
die etwas auf sich hält, hat inzwischen sowas. Außerdem kann/könnte
es bei firmeninterner Kommunikation auch ab und an ganz nützlich sein.
Diesmal: Version 7.2.1

Ein zweiter „Aufguss“, da sich gegenüber 7.0.2 doch ein paar Sachen geändert
und gebessert haben und es so einfacher zum Nachschlagen ist.
Außerdem ist in dieser Anleitung (Config) SSL hinzugekommen.

Hier nun, in meiner gewohnt Copy-’n’-Paste-fähigen Art, das HowTo:


HP: http://www.ircd-hybrid.org/

Ich baue hier einen standalone (oder für ein sehr kleines IRC-Netz (<5 Server)) ircd.
Auf die Dependencies gehe ich hier mal nicht näher ein.
(autoconf/automake/OpenSSL(mit libs und headern)/gettext(braucht libgcj)/yacc oder bison(braucht m4)/flex/zlib)

User und Gruppe ircd (UID: 6667; GID 6667) anlegen:
/etc/passwd: ircd:x:6667:6667:IRC Daemon:/usr/local/ircd:/usr/local/bin/bash
/etc/shadow: ircd:!:12891:0:99999:7:::
/etc/groups: ircd:x:6667:

Installieren:
# cd /usr/local/src
/usr/local/src # wget http://mesh.dl.sourceforge.net/sourceforge/ircd-hybrid/ircd-hybrid-7.2.1.tgz
/usr/local/src # tar xzf ircd-hybrid-7.2.1.tgz
/usr/local/src # cd ircd-hybrid-7.2.1
/usr/local/src/ircd-hybrid-7.2.1 # ./configure --prefix=/usr/local/ircd --disable-assert --enable-openssl --enable-zlib --with-nicklen=32 --with-topiclen=256 --enable-halfops --disable-gline-voting --enable-small-net
/usr/local/src/ircd-hybrid-7.2.1 # make && make install
/usr/local/src/ircd-hybrid-7.2.1 # cd /usr/local/ircd/logs/
/usr/local/ircd/logs # touch foperlog gline ircd.log kill kline operlog userlog xline.conf nresv.conf cresv.conf
/usr/local/ircd/logs # cd /usr/local/
/usr/local # chown -R 6667:6667 ircd
/usr/local # chmod 750 ircd

Konfigurieren (Root-Rechte hierfür unnötig, ergo nur als user ircd):
/usr/local # su - ircd
$ cd etc/
etc $ vi ircd.conf

serverinfo {
# Name under which this server appears on the network (must be unique network-wide)
name = "irc.futzelnet.de";
# Bind outgoing connections to the following IP
#vhost = "123.123.123.123";
# Server ID (3 characters), must also be unique across the network
sid = "0SN";
description = "FutzelNet IRC Server";
network_name = "FutzelNet";
network_desc = "FutzelNet IRC";
# hub = yes: this server may link more than one other server
hub = yes;
max_clients = 1000;
# Key and self-signed certificate for the ssl listener in listen {}.
# - "openssl req -x509" without -days issues a certificate valid for only 30 days;
#   add "-days <N>" before using this for real.
# - A self-signed certificate is untrusted by clients until they accept it explicitly.
# - Keep rsa.key readable by the ircd user only (e.g. mode 600); the chmod 750 on the
#   install prefix only covers the directory.
# - rsa.pub is not referenced here; it is what a peer would put into
#   rsa_public_key_file of a cryptlink connect {} block.
# openssl genrsa -out rsa.key 2048
# openssl rsa -in rsa.key -pubout -out rsa.pub
# openssl req -new -x509 -key rsa.key -out cert.crt
ssl_certificate_file = "/usr/local/ircd/etc/cert.crt";
rsa_private_key_file = "/usr/local/ircd/etc/rsa.key";
};

admin {
# Shown to anyone issuing /ADMIN, i.e. the e-mail address here is public
name = "IRC Admin";
description = "Main Server Administrator";
email = "ircnet@futzelnet.de";
};

logging {
# Log files, presumably relative to the install prefix /usr/local/ircd where the
# install step created them with touch. They must exist and be writable by user ircd.
fuserlog = "logs/userlog";
foperlog = "logs/operlog";
fkilllog = "logs/kill";
fklinelog = "logs/kline";
fglinelog = "logs/gline";
# NOTE(review): the general {} block further down sets fname_userlog/fname_operlog/
# fname_foperlog as well — confirm with example.conf which of the two 7.2.1 honours.
log_level = L_INFO;
};

# Connection classes. auth {}, operator {} and connect {} blocks below refer to
# these by name; the limits apply per class.
class {
name = "restricted";
# ping_time: idle time after which the server sends a PING and expects an answer
ping_time = 5 minutes;
# unknown users: one connection per IP, 100 in total
number_per_ip = 1;
max_number = 100;
# sendq: outbound buffer per client before the client is dropped
sendq = 60kb;
};
class {
name = "users";
ping_time = 3 minutes;
number_per_ip = 6;
max_number = 600;
sendq = 100 kbytes;
};
class {
name = "opers";
ping_time = 1 minutes;
number_per_ip = 20;
max_number = 200;
sendq = 1000 kbytes;
};
class {
# class for server links; connectfreq is the retry interval for autoconn links
name = "server";
ping_time = 1 minutes;
connectfreq = 5 minutes;
max_number = 1;
sendq=2 megabytes;
};

listen {

# Plain-text listener
host = "123.123.123.123";
port = 6667;

# Use port 6668 for SSL (certificate/key come from serverinfo {}).
# NOTE(review): flags seem to apply to the host/port pairs that follow them — confirm
# in example.conf.
flags = ssl;
host = "123.123.123.123";
port = 6668;

# Bind port 6669 on 127.0.0.1 and hide it from /STATS; this is the uplink the
# ircservices RemoteServer line later in this HowTo connects to.
# NOTE(review): the netstat sample of the test run shows only 6667 and 6669 (on 0.0.0.0),
# no 6668 — check ircd.log that the ssl listener really binds.
flags = hidden;
host = "127.0.0.1";
port = 6669;
};

# auth {} blocks are tried in order; the first block whose user mask matches the
# connecting client wins, so the specific blocks must stay above the "*@*" catch-all.
auth {
# two hosts sharing one block; the password applies to both
user = "*@hostname1.doma.in";
user = "user@hostname2.doma.in";
class = "users";
# encrypted password, generated with bin/mkpasswd (see below)
password = "gecryptetes_connect_passwort";
encrypted = yes;
flags = need_password, can_idle;
};
auth {
# NOTE(review): server links are matched against connect {} blocks, so this client
# auth block most likely has no effect on the services link — confirm with example.conf.
user = "irc@ircservices.futzelnet.de";
class = "server";
flags = need_ident, exceed_limit, kline_exempt, gline_exempt, resv_exempt, can_flood, can_idle;
#exceed_limit = yes;
#kline_exempt = yes;
#gline_exempt = yes;
};
auth {
# Loopback clients; the operator {} block below is restricted to this same mask.
# Password and ident are required, in exchange most limits and bans do not apply.
user = "irc@127.0.0.1";
class = "opers";
password = "gecryptetes_connect_passwort";
encrypted = yes;
flags = need_password, need_ident, exceed_limit, kline_exempt, gline_exempt, resv_exempt, can_flood, can_idle;
#spoof = "irc.futzelnet.de";
};
auth {
# catch-all: everyone else lands in the restricted class, no password needed
user = "*@*";
class = "restricted";
#password = "klartextpasswort";
#encrypted = no;
#flags = need_password, can_idle;
};

operator {
name = "unit0";
class = "opers";
# Only clients matching this user@host may /OPER with this block. Limiting it to the
# loopback address means the oper password alone is useless from outside the box.
user = "irc@127.0.0.1";
# Generate with /usr/local/ircd/bin/mkpasswd as the HowTo says.
# NOTE(review): no "encrypted" item is given, so the build default applies — confirm in
# example.conf that it is "yes", otherwise add "encrypted = yes;" explicitly.
password = "gecryptetes_operator_password";
# privileges granted on /OPER
global_kill = yes;
remote = yes;
kline = yes;
unkline = yes;
gline = yes;
xline = yes;
die = yes;
rehash = yes;
nick_changes = yes;
admin = yes;
};

# Auskommentiert da dies erstmal ein standalone Server sein soll
#connect {
#        name = "irc2.futzelnet.de";
#        class = "server";
#        host = "192.168.0.1";
#        port = 6666;
#        send_password = "password";
#        accept_password = "password";
#        encrypted = no;
#        autoconn = yes;
#        topicburst = yes;
#        cryptlink = yes;
#        rsa_public_key_file = "/usr/local/ircd/etc/remote.server.keyfile";
#};

#shared {
#};

kill {
# permanent K-line: clients matching this user@host mask are refused with the reason
user = "*@*aol*";
reason = "We dont like AOL-Users";
};

#deny {
#};

exempt {
# IPs in this range are excluded from D-lines (IP-based bans); loopback is exempted so
# the local oper and the services link (127.0.0.1, see the connect {} block) cannot
# be locked out by an over-broad ban.
ip = "127.0.0.0/8";
};

#resv {
#};

gecos {
# Clients whose realname (GECOS) field matches "name" get the chosen action;
# reject drops them at registration (warn/silent only notify or log).
name = "sub7server";
reason = "Trojan drone";
action = reject;
#action = warn;
#action = silent;
};

channel {
# enable the +I (invite exception) and +e (ban exception) channel modes
use_invex = yes;
use_except = yes;
# needs the --enable-halfops option from the configure step above
use_halfops = yes;
use_anonops = no;
use_vchans = no;
vchans_oper_only = yes;
# /KNOCK on invite-only channels, rate limited per user and per channel
use_knock = yes;
knock_delay = 15 minutes;
knock_delay_channel = 5 minute;
max_chans_per_user = 15;
# banned users cannot talk in the channel
quiet_on_ban = yes;
max_bans = 50;
# netsplit handling; 0 disables it, which is fine for a standalone server
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
# opers may join channels that are reserved with resv
oper_pass_resv = yes;
};

serverhide {
# Everything off: /LINKS and /MAP show the real topology. Harmless for a standalone
# server; on a multi-server net consider flatten_links / hide_servers to expose less.
flatten_links = no;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
hide_servers = no;
disable_remote_commands = no;
disable_local_channels = no;
};

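general {
# messages a client may send in quick succession before flood protection kicks in
default_floodcount = 10;
# tell opers about failed /OPER attempts — cheap detection of password guessing
failed_oper_notice = yes;
dots_in_ident=2;
dot_in_ip6_addr = yes;
# minimum non-wildcard characters a k/d/g-line mask must contain
min_nonwildcard = 3;
max_accept = 20;
# nick flood protection: at most max_nick_changes within max_nick_time
anti_nick_flood = yes;
max_nick_time = 60 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 10 minutes;
# tolerated clock skew between linked servers (warn / refuse)
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
kline_with_reason = yes;
kline_with_connection_closed = no;
non_redundant_klines = yes;
# warn opers when a server tries to link without a matching connect {} block
warn_no_nline = yes;
# /STATS restrictions; "masked" limits what non-opers get to see
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
# clients must answer a PING before registration completes (blocks trivial spoofing)
ping_cookie = yes;
no_oper_flood = yes;
true_no_oper_flood = yes;
# NOTE(review): glines/gline_time are configured again in the glines {} block below —
# check example.conf for 7.2.1 to see which of the two is authoritative.
glines = yes;
gline_time = 7 day;
idletime = 0;
maximum_links = 1;
#havent_read_conf = 1;
# NOTE(review): these repeat the paths from logging {} — confirm 7.2.1 still reads the
# general:: variants, otherwise drop them.
fname_userlog = "logs/userlog";
fname_operlog = "logs/operlog";
fname_foperlog = "logs/foperlog";
max_targets = 2;
client_flood = 20;
use_help = yes;
message_locale = "custom";
# usermodes only opers may set, and those set automatically on /OPER
oper_only_umodes = bots, cconn, debug, full, skill, nchange, rej, spy, external, operwall, locops, unauth;
oper_umodes = locops, servnotice, operwall, wallop;
#compression_level = 6;
throttle_time = 10;
# FIX: the original line had no trailing ';' — every item in this format needs one
hide_spoof_ips = no;
};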

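glines {
# network-wide temporary bans, set by opers that have gline = yes in their operator {}
enable = yes;
duration = 7 day;
# which triggered rule types are logged (presumably reject and block rules)
logging = reject, block;
# FIX: the closing brace needs a trailing ';' like every other block in this file
};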

modules {
# directories searched for loadable modules; by its name, autoload/ is presumably
# loaded in full at startup — anything written there by the ircd user becomes code
# the daemon executes, so keep the directory under the 750 permissions set at install
path = "/usr/local/ircd/modules";
path = "/usr/local/ircd/modules/autoload";
# load additional modules from the search path explicitly
#module = "some_module.so";
};

Dies ist eine (bis auf Passwörter, Certs, IPs und Hostnamen) voll funktionsfähige Konfig!
Jeder Admin sollte sie aber nochmal überdenken und anpassen! 🙂
Hierzu sollte die Datei /usr/local/ircd/etc/example.conf konsultiert werden.
Gecryptete Passwörter können mit /usr/local/ircd/bin/mkpasswd erzeugt werden.

etc $ vi ircd.motd

Welcome at Futzelnet IRC Network
-------------------------------------------------------------------------------

Local IRC operators:
- ircop

-------------------------------------------------------------------------------

Rules
- Be friendly
- Obey the OPs
- Abide by German law

By connecting to this network you accept the rules and give us permission
to come and take your liver if you break them.

-------------------------------------------------------------------------------


(Dieses MOTD darf frei kopiert werden.)

Testlauf:
etc $ cd ../bin
bin $ ./ircd
bin $ netstat -an | grep 666

tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6669 0.0.0.0:* LISTEN

$ tail -1 /usr/local/ircd/logs/ircd.log
[2006/4/16 09.01] Server Ready
$

Schön so!

Startscript bauen (als root):
# vi /etc/init.d/ircd

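#!/bin/sh
#
# /etc/init.d/ircd -- start/stop/restart/reload ircd-hybrid as the unprivileged
# user "ircd".  Usage: ircd {start|stop|restart|reload}
#
# The daemon writes its PID to $PIDFILE, which lives in a directory owned by the
# ircd user.  Because this script runs as root, the PID is read and the signal
# sent *as user ircd*: a tampered PID file can then only reach processes that
# account may signal anyway, never root-owned ones.
#
# FIX: the original case branches for start) and restart) lacked ';;', which is
# a syntax error in sh.

IRCD_HOME=/usr/local/ircd
PIDFILE=$IRCD_HOME/etc/ircd.pid

# Send signal $1 to the daemon, running as user ircd.
# Returns non-zero (and signals nothing) if the PID file is missing.
signal_ircd() {
    if [ ! -f "$PIDFILE" ]; then
        echo "$0: $PIDFILE not found, is ircd running?" >&2
        return 1
    fi
    # \$(...) is left for ircd's login shell to expand, so the cat runs unprivileged too
    su - ircd -c "kill -$1 \$(cat $PIDFILE)"
}

case "$1" in
start)
    su - ircd -c "$IRCD_HOME/bin/ircd"
    ;;
stop)
    signal_ircd TERM
    ;;
restart)
    $0 stop
    # give the daemon a moment to release its listen sockets before rebinding
    sleep 2
    $0 start
    ;;
reload)
    signal_ircd HUP
    ;;
*)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac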


# chmod +x /etc/init.d/ircd

Nun die Services wie NickServ, ChanServ und Co – man will es ja komfortabel haben.
HP http://www.ircservices.esper.net/version5.html

Installieren:
/usr/local/src # wget ftp://ftp.freenet.de/pub/ftp.ircservices.za.net/pub/ircservices/current.tar.gz
/usr/local/src # tar xzf current.tar.gz
/usr/local/src # cd ircservices-5.0.57
/usr/local/src/ircservices-5.0.57# ./configure -ignore-cache -prefix /usr/local/ircd/services
/usr/local/src/ircservices-5.0.57# mkdir -p /usr/local/ircd/services/sbin
/usr/local/src/ircservices-5.0.57# make && make install
/usr/local/src/ircservices-5.0.57# chown -R ircd:ircd /usr/local/ircd/services

Konfigurieren (auch wieder als User ircd):
# su - ircd
$ cd services/lib/services/
services/lib/services $ cp example-ircservices.conf ircservices.conf
services/lib/services $ cp example-modules.conf modules.conf

/usr/local/ircd/services/lib/services $ vi ircservices.conf

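# Uplink: the hidden loopback listener (port 6669) from ircd.conf. The password must
# equal accept_password/send_password of the connect {} block added there.
# NOTE(review): the HowTo spells it "klartext_passwort" here and "klartext_password"
# in the connect {} block — both are placeholders, but the two must be identical.
# FIX: quotes are plain ASCII '"'; the blog rendering had turned them into typographic ones.
RemoteServer 127.0.0.1 6669 "klartext_passwort"
# must match "name" of the connect {} block in ircd.conf
ServerName "services.futzelnet.de"
ServerDesc "Services for futzelnet IRC Networks"
ServiceUser "services@futzelnet.de"
# run with the ircd group (GID 6667); umask 007 keeps the data files from being
# world-readable (they contain password hashes and access lists)
# NOTE(review): the other directives use "Directive value" with no "=" — confirm
# against example-ircservices.conf that "RunGroup = 6667" is parsed as intended.
RunGroup = 6667
Umask 007
# protocol module for the ircd-hybrid uplink
LoadModule protocol/hybrid
#LoadModule statserv/main
#LoadModule misc/helpserv
#LoadModule httpd/main
#LoadModule httpd/auth-ip
#LoadModule httpd/auth-password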

(Nur geänderte Zeilen angegeben.)

services/lib/services $ vi modules.conf

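# FIX: quotes are plain ASCII '"'; the blog rendering had turned them into typographic ones.
# protocol module, must match the ircd flavour (ircd-hybrid here)
Module protocol/hybrid
# mail settings for registration / authentication mails; RelayHost localhost
# presumes an MTA accepting mail on the local host
NetworkDomain "futzelnet.de"
FromAddress irc-services@futzelnet.de
FromName "Futzelnet IRC Services"
RelayHost localhost
SMTPName services.futzelnet.de
# nick with full services-root privileges: register and protect it before anything
# else, whoever holds this nick controls the services
ServicesRoot ircservices
# NickServ: limit registrations per e-mail address, require an e-mail, and (presumably,
# by their names) enable kill protection and private mode by default
NSRegEmailMax 20
NSRequireEmail
NSDefKill
NSDefPrivate
# expiry of unused nicks, of nicks never authenticated, and of unused channels
NSExpire 90d
NSNoAuthExpire 24h
CSExpire 30d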

(Nur geänderte Zeilen angegeben.)

services/lib/services $ cd ~/etc/

# Fuer die services hinzugefuegt
connect {
# link definition for the ircservices uplink; name must match ServerName in ircservices.conf
name = "services.futzelnet.de";
class = "server";
host = "127.0.0.1";
# NOTE(review): the commented-out connect example earlier in this file sets a port and
# none is given here although autoconn = yes — check example.conf whether 7.2.1 accepts
# a connect block without one.
# Both passwords are plain text (encrypted = no) and must equal the RemoteServer password
# in ircservices.conf — mind the spelling, that file says "klartext_passwort".
send_password = "klartext_password";
accept_password = "klartext_password";
encrypted = no;
autoconn = yes;
};


Die Passwörter stehen im Klartext, da ircservices (noch?) keine gecrypteten kann.

Starten:
$ /usr/local/ircd/services/sbin/ircservices

Nachsehen, ob dies (alles) erfolgreich war:
$ ps -ax | grep ircd
19447 ? S 0:00 /usr/local/ircd/bin/ircd
19451 pts/3 S 0:00 /usr/local/ircd/services/sbin/ircservices
$ tail -2 /usr/local/ircd/services/lib/services/ircservices.log
[Apr 16 09:03:34 2006] IRC Services 5.0.51 starting up
$ tail -2 /usr/local/ircd/logs/ircd.log
[2006/4/16 09.03] Server Ready
[2006/4/16 09.03] Link with ircservices.futzelnet.de[irc@127.0.0.1] established: (TS EX IE KLN HUB TBURST)
$

Sehr schön, anscheinend geht alles.
Ein Connect mit einem IRC-Client und Tests damit bringen endgültige Gewissheit.

Nun noch den Wrapper-Cron:
$ crontab -e

*/4 * * * * /usr/local/ircd/services/sbin/ircservices-chk

… und fertig!