Configuring ngIRCd
We will be configuring ngIRCd to utilize TLS encryption. It is important that some form of encryption is used since the Atheme IRC Service for NickServ user authentication would otherwise be handled in clear-text. This could present an opportunity for an attacker to MITM user credentials.
The following ports listed will either be used or disabled for this guide.
6667 = enabled (localhost access only)
6668 = disabled
6669 = enabled (localhost access only)
6697 = enabled
7000 = disabled
9999 = enabled
Let's start by allowing an exception in our firewall for ports 6697 and 9999.
- UFW (Uncomplicated Firewall) method.
- The iptables method.
ufw allow in 6697,9999/tcp
iptables -A INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
netfilter-persistent save
netfilter-persistent reload
Now we can begin with configuring ngIRCd.
vi /etc/ngircd/ngircd.conf
Note |
| If you are unable to locate a configuration file for ngIRCd, then you can obtain an example config file from the ngIRCd GitHub repository.[1] |
For the [Global] section of the config file, locate each of the following lines and modify them as seen below. You can replace the server name with your own.
[Global]
Name = irc.emhmki.org
AdminInfo1 = IRC user
AdminInfo2 = Dallas, TX
AdminEMail = admin@irc.server
Listen = 0.0.0.0
MotdFile = /etc/ngircd/ngircd.motd
Network = irc.emhmki.org
Password = <You can set a global password if you want.>
Ports = 6667, 6669
ServerGID = irc
ServerUID = irc
For the [Limits] section of the config file, locate each of the following lines and modify them as seen below.
[Limits]
MaxNickLength = 15
For the [Options] section of the config file, locate each of the following lines and modify them as seen below.
[Options]
AllowedChannelTypes = #&+
AllowRemoteOper = no
PAM = no
For the [SSL] section of the config file, locate each of the following lines and modify them as seen below.
| Note |
|
The following example will use an X.509 certificate generate by Let's Encrypt. This guide will assume that you already have such a certificate. If you fail to configure a certificate here, then the ngIRCd daemon will refuse all connections. The certificate file and path must be accessible for the ngircd service account. (Verify file permissions.) |
[SSL]
CertFile = /etc/letsencrypt/live/irc.emhmki.org/fullchain.pem
DHFile = /etc/ngircd/dhparams.pem
KeyFile = /etc/letsencrypt/live/irc.emhmki.org/privkey.pem
Ports = 6697, 9999
For the [Operator] section of the config file, locate each of the following lines and modify them as seen below.
[Operator]
Name = TheOper
Password = <insert a password here>
For the [Server] section of the config file, locate each of the following lines and modify them as seen below.
| Note |
|
The "Name" field here will be the name of our IRC Service dameon, Atheme. Avoid using the same name here as you applied previously for the [Global] section. You can use any name that you want, just keep note of it for later when setting up Atheme. In the password fields, come up with any password you want. "MyPassword" is for ngIRCd which will be used by Atheme. "PeerPassword" is for Atheme, which we will be used by ngIRCd. Both ngIRCd and Atheme will authenticate with one another and should be aware of each others passwords. Keep note of these passwords for later when setting up Atheme. |
[Server]
Name = service.emhmki.org
MyPassword = <insert a password here for ngIRCd server>
PeerPassword = <insert a password here for Atheme>
ServiceMask = *Serv
Save your configuration and close the file.
Create the motd (Message Of The Day) file. You can add anything to it that you would like ngIRCd to announce when users connect.
touch /etc/ngircd/ngircd.motd
Create Diffie-Hellman parameters.
openssl dhparam -out /etc/ngircd/dhparams.pem 2048
References
1. https://github.com/ngircd/ngircd/blob/master/doc/sample-ngircd.conf.tmpl
[Return to top]
