Configuring ngIRCd

We will configure ngIRCd to use TLS encryption. Some form of encryption is important because NickServ user authentication, which is handled by the Atheme IRC Service, would otherwise be sent in clear text. That would give an attacker in a man-in-the-middle (MITM) position an opportunity to capture user credentials.

The following ports will be either enabled or disabled in this guide.

6667 = enabled (localhost access only)
6668 = disabled
6669 = enabled (localhost access only)
6697 = enabled
7000 = disabled
9999 = enabled

Let's start by allowing an exception in our firewall for ports 6697 and 9999.

  • UFW (Uncomplicated Firewall) method:

    ufw allow in 6697,9999/tcp

  • The iptables method:

    iptables -A INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
    netfilter-persistent save
    netfilter-persistent reload

Now we can begin with configuring ngIRCd.

vi /etc/ngircd/ngircd.conf

Note
If you are unable to locate a configuration file for ngIRCd, then you can obtain an example config file from the ngIRCd GitHub repository.[1]

For the [Global] section of the config file, locate each of the following lines and modify them as seen below. You can replace the server name with your own.

[Global]
  Name = irc.emhmki.org
  AdminInfo1 = IRC user
  AdminInfo2 = Dallas, TX
  AdminEMail = admin@irc.server
  Listen = 0.0.0.0
  MotdFile = /etc/ngircd/ngircd.motd
  Network = irc.emhmki.org
  Password = <You can set a global password if you want.>
  Ports = 6667, 6669
  ServerGID = irc
  ServerUID = irc

For the [Limits] section of the config file, locate each of the following lines and modify them as seen below.

[Limits]
  MaxNickLength = 15

For the [Options] section of the config file, locate each of the following lines and modify them as seen below.

[Options]
  AllowedChannelTypes = #&+
  AllowRemoteOper = no
  PAM = no

For the [SSL] section of the config file, locate each of the following lines and modify them as seen below.

Note

The following example will use an X.509 certificate generated by Let's Encrypt.

This guide will assume that you already have such a certificate. If you fail to configure a certificate here, then the ngIRCd daemon will refuse all connections.

The certificate file and its path must be accessible to the ngircd service account. (Verify file permissions.)


[SSL]
  CertFile = /etc/letsencrypt/live/irc.emhmki.org/fullchain.pem
  DHFile = /etc/ngircd/dhparams.pem
  KeyFile = /etc/letsencrypt/live/irc.emhmki.org/privkey.pem
  Ports = 6697, 9999

For the [Operator] section of the config file, locate each of the following lines and modify them as seen below.

[Operator]
  Name = TheOper
  Password = <insert a password here>

For the [Server] section of the config file, locate each of the following lines and modify them as seen below.

Note

The "Name" field here will be the name of our IRC Service daemon, Atheme. Avoid using the same name here as you applied previously for the [Global] section. You can use any name that you want, just keep note of it for later when setting up Atheme.

In the password fields, come up with any password you want. "MyPassword" is for ngIRCd, which will be used by Atheme. "PeerPassword" is for Atheme, which will be used by ngIRCd. Both ngIRCd and Atheme will authenticate with one another and should be aware of each other's passwords. Keep note of these passwords for later when setting up Atheme.


[Server]
  Name = service.emhmki.org
  MyPassword = <insert a password here for ngIRCd server>
  PeerPassword = <insert a password here for Atheme>
  ServiceMask = *Serv

Save your configuration and close the file.

Create the motd (Message Of The Day) file. You can add anything to it that you would like ngIRCd to announce when users connect.

touch /etc/ngircd/ngircd.motd

Create Diffie-Hellman parameters.

openssl dhparam -out /etc/ngircd/dhparams.pem 2048
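
The check below is an added example, not part of the original guide or of the ngIRCd project: a small Python audit that reads ngircd.conf text and reports where it departs from the settings above (missing [SSL] files or ports, leftover `<...>` password placeholders, a [Server] Name that repeats the [Global] Name, and plaintext ports listening beyond loopback). The sample configuration, the function names and the treatment of an unset Listen as "all interfaces" are assumptions made for illustration.

```python
SAMPLE_CONF = """\
[Global]
  Name = irc.emhmki.org
  Listen = 0.0.0.0
  Ports = 6667, 6669
[SSL]
  CertFile = /etc/letsencrypt/live/irc.emhmki.org/fullchain.pem
  KeyFile = /etc/letsencrypt/live/irc.emhmki.org/privkey.pem
  Ports = 6697, 9999
[Operator]
  Name = TheOper
  Password = <insert a password here>
[Server]
  Name = irc.emhmki.org
  MyPassword = constructed-ngircd-secret
  PeerPassword = constructed-atheme-secret
"""  # constructed sample: DHFile missing, placeholder left in, [Server] Name reused

def parse(text):
    # Returns [(section, {key: value})]; blocks such as [Operator] may repeat.
    blocks = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            blocks.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and blocks and line[0] not in "#;":
            key, value = line.split("=", 1)
            blocks[-1][1][key.strip().lower()] = value.strip()
    return blocks

def ports(kv):
    return sorted(int(p) for p in kv.get("ports", "").split(",") if p.strip())

def audit(text):
    blocks = parse(text)
    glob = next((kv for s, kv in blocks if s == "global"), {})
    ssl = next((kv for s, kv in blocks if s == "ssl"), {})
    findings = [f"[SSL] {k} is not set" for k in ("certfile", "keyfile", "dhfile") if not ssl.get(k)]
    if not ports(ssl):
        findings.append("[SSL] Ports is empty: no TLS listener")
    listen = glob.get("listen", "0.0.0.0")  # assumption: unset Listen means all interfaces
    if ports(glob) and any(a.strip() not in ("127.0.0.1", "::1") for a in listen.split(",")):
        findings.append(f"plaintext ports {ports(glob)} listen on {listen}: firewall must block them")
    for section, kv in blocks:
        for key, value in kv.items():
            if key.endswith("password") and value.startswith("<"):
                findings.append(f"[{section}] {key} still holds a placeholder")
        if section == "server" and kv.get("name") and kv["name"].lower() == glob.get("name", "").lower():
            findings.append("[server] Name repeats the [Global] Name")
    return findings
```

With the configuration from this guide, the only finding left is the plaintext-port note, which is expected as long as the firewall admits only ports 6697 and 9999.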


References

1. https://github.com/ngircd/ngircd/blob/master/doc/sample-ngircd.conf.tmpl


Last modified date: 2021-03-15