Déployer serveur IRC sous Ubuntu 16.04

La procédure pour déployer un serveur IRC est faite sous Ubuntu 16.04. Le paquet utilisé pour monter le serveur IRC est « inspircd » avec en complément optionnel Anope(https://www.anope.org/) qui permet d’ajouter certaines options bien pratiques.

Mise à jour et installation du paquet serveur IRC

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install inspircd

La paquet est installé on peut éditer le fichier de configuration, pensez à modifier les quelques éléments comme l’adresse ip, le port suivant vos besoins.

sudo nano /etc/inspircd/inspircd.conf
<config format="xml"> #Set the configuration file format to XML.
<pid file="/var/run/inspircd.pid">
<server name="192.168.22.137" #The name of your server, preferably the hostname that users connect from.
    description="server1 - ircnetwork.local" #Description of your server.
    network="ircnetwork.local"> #The name of your IRC network.

<admin name="Lolo" nick="Administrator"> #Real name and IRC nickname of the IRC administrator.

#<bind address="192.168.22.137" #An IP address for the server to bind to. This should be your global/public IP address.
#    port="6697" #Port for connections. 6697 is often used for SSL connections, but anything above 1023 is technically fine.
#    type="clients" #Only clients can connect using this bind. IRC allows for servers to connect to eachother too.
#    ssl="gnutls"> #Use GnuTLS for handling the SSL connection.

<bind address="192.168.22.137" #An IP address for the server to bind to. This should be your global/public IP address.
    port="6697" #Port for connections. 6697 is often used for SSL connections, but anything above 1023 is technically fine.
    type="clients" #Only clients can connect using this bind. IRC allows for servers to connect to eachother too.
    ssl="gnutls"> #Use GnuTLS for handling the SSL connection.
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/inspircd/conf/selfsigned.key -out /etc/inspircd/conf/selfsigned.crt
<gnutls certfile="/etc/inspircd/conf/selfsigned.crt"
        keyfile="/etc/inspircd/conf/selfsigned.key"
        priority="SECURE192:-VERS-SSL3.0">
#If you're using a self-signed certificate, you can omit the cafile directive. cafile="/etc/inspircd/conf/ca.pem"
<module name="m_ssl_gnutls.so">

<connect allow="*" #Which IPs/hosts can connect to the server. Wildcard "*" for all.
    modes="+xS" #Apply user modes. "x" = user cloaking, "S" = strip colour control codes.
    maxchans="5" #Maximum number of channels a user can be in simultaneously.
    timeout="5" #How long the user has to register upon connecting before been dropped.
    localmax="5" #Maximum local connections per IP.
    globalmax="5" #Maximum network-wide connections per IP.
    limit="20" #Number of user "slots" available.
    requiressl="off" #This option must be set to "off" in order to allow the initial handshake to take place.
    hardsenq="96K" #A hard limit on the amount of data in each user's send queue.
    softsendq="72K" #A soft limit for the above. Useful to reduce spam/denial of service.
    recvq="8192" #Amount of data in a user's receive queue before they are dropped.
    threshold="10" #Anti-spam threshhold before been dropped or fakelagged.
    commandrate="1000" #Maximum command lines that can be processed per second. 1000 is equal to 1 line per second.
    fakelag="off"> #Induce fake lag upon users instead of dropping them when they exceed their threshold.

<files motd="/etc/inspircd/inspircd.motd"
       rules="/etc/inspircd/inspircd.rules"> #Include source texts for the "message of the day" and server rules.

<channels users="50" opers="5"> #Maximum number of channels a user/operator is allowed to be in simultaneously.

<dns timeout="5"> #How long to wait for a response from the DNS server.

<disabled commands="NICK" #Disabled commands. I disable the NICK command to reduce nickname-change spam.
    usermodes="" #Disabled user modes.
    chanmodes="" #Disabled channel mades.
    fakenoneexistant="no"> #Tell the user that the command is unknown instead of just disabled.

<options fixedquit="Quit" #Force all quit messages to be this value.
    fixedpart="Left Channel" #Force all left channel messages to be this value.
    syntaxhints="yes" #Provide help when a user issues an erroneous command.
    announcets="yes" #All users are notified when a channel timestamp changes.
    hostintopic="no" #Channels show hostname of the topic setter.
    defaultmodes="ntzS" #Default channel modes. "n" = must be in channel to chat,
    #"t" = prevent topic change by normal user, "z" = SSL users only, "S" = strip colour control codes.
    moronbanner="You are banned from this server." #Message shown to banned users.
    welcomenotice="yes"> #Welcome text shown to users upon successful registration.

<performance netbuffersize="10240" #Size of buffer for receiving client data.
    somaxconn="5"> #Maximum amount of connections that may be waiting in the accept queue.

<security announceinvites="ops" #Which group of users receive notifcations when someone is invited to a channel.
    hidewhois="" #Text to hide the server a user is currently on when they are whoised by a non-operator.
    hidebans="no" #Hide ban messages from non-operator users.
    maxtargets="5" #Maximum number of targets per command. Stop users sending messages to more than X channels at once.
    customversion="ircd" #Custom server version number. Used to hide the true version number of InspIRCd.
    restrictbannedusers="yes" #Prevent banned users from chatting or changing nickname.
    genericoper="yes"> #Don't distinguish between different operator types when they are whoised.

<limits maxnick="16" #Maximum length of nicknames.
    maxident="16" #Maximum length of usernames. Usernames are your computer's username unless specified otherwise.
    maxchan="16" #Maximum length of a channel name.
    maxtopic="64" #Maximum length of a channel topic.
    maxgecos="32" #Maximum length of a real name. This is your real name, for example: "Joe Bloggs".
    maxmodes="10" #Maximum number of mode changes per command.
    maxquit="64" #Maximum length of a quit message.
    maxkick="64" #Maximum length of a kick message.
    maxaway="64"> #Maximum length of an away message.

<log method="file" #Log to a file.
    type="* -USERINPUT -USEROUTPUT" #Log everything except user input/output.
    level="default" #Loggin level. "default" = general messages, including errors.
    target="logs/ircd.log"> #File to log to.

<whowas groupsize="8" #Maximum entries per nickname when using /whowas.
    maxgroups="256" #Maximum number of nickname groups to keep track of server-wide.
    maxkeep="3d"> #Maximum time to keep nickname history.

<badnick nick="ChanServ" reason="Nick reserved for services."> #Disallowed nickname.
<badnick nick="NickServ" reason="Nick reserved for services.">
<badnick nick="OperServ" reason="Nick reserved for services.">
<badnick nick="MemoServ" reason="Nick reserved for services.">
<badnick nick="Jamie*" reason="Nick disallowed."> #Wildcards can be used.

<badhost host="root@*" reason="Don't IRC as root!"> #Disallowed user/hostname.

<class name="admins" #Classes are like permission groups for server operators.
    commands="*" #Which commands they can perform.
    usermodes="" #Operator-only user modes that operators in this class can use.
    chanmodes=""> #Operator-only channel modes that operators in this class can use.

<type name="Administrator" #Name of operator group.
    classes="admins" #Which permission classes this operator group has.
    vhost="admin.ircnetwork.local"> #Hostname given to operators.

<oper name="Lolo" #Name used to oper-up.
    hash="hmac-sha256" #Hashing algorithm used for passwords.
    password="kB1NudF4$2zYGxd2fE+SuMJXtAqghDUnGBot5jmF5hpT7171ILnA" #Place the password hash generated in the next section here.
    host="userlocal@192.168.22.*" #Only allow local connections.
    sslonly="no" #Only allow SSL users to oper-up.
    type="Administrator"> #Which permission group this operator is a member of.

#<module name="m_ssl_gnutls.so"> #Load the GnuTLS module.
#<gnutls certfile="/etc/inspircd/conf/cert.pem" #Path to certificate file.
#    keyfile="/etc/inspircd/conf/key.pem" #Path to private key file.
#    dhbits="2048" #Bits to use for Diffie Hellman parameter generation.
#    priority="SECURE256:-MD5" #Only use ciphers that use a 256-bit key. Disable md5.
#    hash="sha1"> #Use sha1 fingerprint instead of md5.

<module name="m_sslinfo.so"> #Load the SSL info module. Shows information about SSL connections.
<module name="m_sslmodes.so"> #Load the sslmodes channel. Allows SSL-only channels.

<module name="m_cloaking.so"> #Load the user cloaking module. Allows the masking of user IPs/hostnames.
<cloak mode="full" key="KEY_HERE" #Insert the cloak key here. More about this in next section.
    prefix="cloaked-"> #Prefix for cloaked users.

<module name="m_conn_umodes.so"> #Load connection user modes module. Allows user modes to be applied upon connection.
<module name="m_password_hash.so"> #Load the password hashing module. Allows passwords to be hashed.
<module name="m_sha256.so"> #Load the sha256 module. Allows sha256 hashing.
<module name="m_md5.so"> #Load the md5 module. Allows md5 hashing.
<module name="m_stripcolor.so"> #Load the strip colours module. Allows colour control codes to be stripped from messages.
<module name="m_operprefix.so">#Module permettant de passer admin
   
<module name="m_permchannels.so"> #Load the permanent channels module. Allows for permanent channels.
#https://wiki.inspircd.org/2.0/Channel_Modes
<permchannels channel="#general" #Create a permanent channel.
    modes="ntSPz" #Apply channel modes. "P" = make the channel permanent.
    topic="Channel Général qui va s'en prend plein la poire"> #Default channel topic.

<module name="m_conn_join.so"> #Load the connection join module. Automatically joins a user to a channel upon connection.
<autojoin channel="#general"> #The channel to automatically join.

<module name="m_securelist.so"> #Load the secure list module. Prevents repeated use of the list command.
<securelist waittime="15"> #How many seconds from connection to prevent the list command.

Générer le hash du password pour admin depuis votre client IRC

Windows/Linux : Client GUI recommandé Hexchat (https://hexchat.github.io/)

/quote mkpasswd hmac-sha256 <password>

On peut gérer le service du serveur irc, et vérifier le status avec les commandes ci-dessous

sudo systemctl enable/disable
sudo systemctl start/stop/status

Pour opérer une authentification et passer opérateur après ajout dans le fichier de conf

Tapez cette Commande dans votre Client IRC

/oper Lolo password

L’ajout de Anope(https://www.anope.org/) est facultative, mais permet d’ajouter quelques options très utile :

  • NickServ sert à enregistrer, protéger et gérer votre pseudo sur un serveur IRC.
  • ChanServ sert à enregistrer, protéger et gérer votre chan sur un serveur IRC.
  • MemoServ sert à envoyer et recevoir des messages, même lorsque votre interlocuteur est hors-ligne.
  • HostServ permet aux utilisateurs d’enregistrer et d’utiliser un vhost de manière à masquer leur adresse IP réelle sur IRC.
  • BotServ place une représentation de ChanServ, sous la forme d’un bot, sur un chan enregistré, permettant d’effectuer certaines actions de manière conviviale.
  • OperServ est réservé aux administrateurs. Il sert notamment à gérer le serveur et les services.
  • Différents modules permettent de compléter les fonctions de base.
  • DevNull se contente d’ignorer tout message qui lui est envoyé.
  • HelpServ est un service conçu pour donner des informations sur les Services.

L’installation se fait simplement depuis les sources :

cd AnopeX.x
./Config
cd build
make
sudo make install

Script d’un Bot IRC en NodeJS pour tester votre serveur, le bot va chercher le prix en dollar du Bitcoin sur la plateforme Bitstamp toute les 5 minutes et l’affiche sur le channel.

var irc = require('irc');

bot = new irc.Client('192.168.23.129','MichelBernardLebot', {
    channels: ['#general'],
    port: 6667,
    debug: true,
    userName: 'localbot', // on the host is like wizard@host/ip
    realName: 'cortanayolo',  // real name on whois
    showErrors: true,
    autoRejoin: true, // auto rejoin channel when kicked
    autoConnect: true, // persistence to connect
});

bot.addListener('error', function(message) {
    console.log('error: ', message);
});

//https://www.bitstamp.net/api/v2/ticker/BTCUSD/
var DeclareFunction = function RequestBTCUSD(){
    const request = require("request");
    request('https://www.bitstamp.net/api/v2/ticker/BTCUSD/', function (error, response, body) {
      if (!error && response.statusCode == 200) {
        var ObjectBody = JSON.parse(body);
        var date = new Date(ObjectBody.timestamp*1000);
        var DateFormated =  date.getDate()+ '/' + (("0" + date.getMonth().slice(-2)) + 1) + '/' +  date.getFullYear() + " - " +("0" + date.getHours()).slice(-2)+ ':' + date.getMinutes();
        bot.say('#general', "====Bitstamp BTCUSD====  Time : " +  DateFormated);
        bot.say('#general', " Open : " +  ObjectBody.open + " Last : "+ ObjectBody.last + " Volume : " +  ObjectBody.volume);
        bot.say('#general', " High : " + ObjectBody.high +  "Low : " +  ObjectBody.low);
        bot.say('#general', " Bid : " +  ObjectBody.bid + " Ask : " +  ObjectBody.ask);
      }
    });

}

var minutes = 5, the_intervalMinutes = minutes * 60 * 1000;//5 minutes

setInterval(function() {
  var CurrentPriceObject = function(callback) {
    callback();
  };
  CurrentPriceObject(DeclareFunction);  
}, the_intervalMinutes);

Quelques points sécurité :

Si vous recherchez des syntaxes afin de sécuriser votre serveur consultez le fichier de configuration d’exemple : https://wiki.inspircd.org/Annotated_Configuration

Le protocole irc n’est pas chiffré, il est important si vous déployez votre serveur sur le WAN de chiffrer avec un certificat.

La documentation Inspircd recommande également quelques points à vérifier (https://wiki.inspircd.org/Security) :

La désignation des opérateur de channel doit se faire avec le nom complet de l’host, ici X représente l’adresse IP de l’opérateur de channel.
Dans mon exemple cela donnera :
Je me connecte à mon serveur IRC avec le pseudonyme « mytestuser », la ligne ci-dessous sera à ajouter/editer dans sudo nano /etc/inspircd/inspircd.conf afin de permettre à l’utilisateur « mytestuser » depuis le réseau 192.168.22.* ou du localhost de s’authentifier comme opérateur. Auquel cas l’authentification sera refusé et la connection au serveur irc réinitialisé.

<oper name="eLement" pass="inspired" host="mytestuser@192.168.22.* mytestuser@localhost" type="root">

Veillez également à utiliser un utilisateur dédié au service et évitez absolument le 777 sur les répertoires.

On peut également ajouter un certificat afin de chiffrer le contenu qui transit vers le serveur.
L’équipe de développement de inspircd recommande l’utilisation de « gnutls » plutot que openssl pour des raisons de performances, libre à vous de choisir.
Dans mon example le bind est deja déclaré comme « gnutls », on va compléter les quelques informations manquantes
On va générer un certificat auto signé pour le serveur
On va générer un certificat

sudo mkdir /etc/inspircd/conf
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/inspircd/conf/selfsigned.key -out /etc/inspircd/conf/selfsigned.crt

On édite le fichier de configuration du serveur, on y ajoute un bind pour ssl

sudo nano /etc/inspircd/inspircd.conf
#La ligne en début de fichier de configuration indique deja le support
<bind address="192.168.22.137" #An IP address for the server to bind to. This should be your global/public IP address.
    port="6697" #Port for connections. 6697 is often used for SSL connections, but anything above 1023 is technically fine.
    type="clients" #Only clients can connect using this bind. IRC allows for servers to connect to eachother too.
    ssl="gnutls"> #Use GnuTLS for handling the SSL connection.
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/inspircd/conf/selfsigned.key -out /etc/inspircd/conf/selfsigned.crt
<gnutls certfile="/etc/inspircd/conf/selfsigned.crt"
        keyfile="/etc/inspircd/conf/selfsigned.key"
        priority="SECURE192:-VERS-SSL3.0">

On vérifie que les droits sont corrects

chown -R irc:irc /etc/inspircd/

On re-démarre le service afin de prendre en compte les modifications

sudo systemctl restart inspircd.service

Sources et références :

https://www.howtoforge.com/tutorial/how-to-build-your-own-irc-server-with-inspircd-and-anope/
https://www.jamieweb.net/blog/inspircd-linux-guide/
https://fr.wikipedia.org/wiki/Modes_IRC
https://wiki.inspircd.org/2.0/Channel_Modes

Laisser un commentaire