Next Generation IRC Daemon setup guide

Date: 2021-01-16



  In this guide you're going to set up an IRC daemon (server) on Debian 10.7 systems. You are expected to be somewhat familiar with how IRC functions and able to obtain a domain name, a TLS certificate, and server hosting. You will be using The Next Generation IRC Daemon, "a free, portable and lightweight Internet Relay Chat server for small or private networks, developed under the GNU General Public License (GPL)." --Alexander Barton

You will also utilize Atheme for additional IRC services such as NickServ and ChanServ.



Installing ngIRCd

Before you begin installing any additional packages, make sure that the system is up to date. I recommend rebooting the server afterwards to apply any kernel updates.

apt update
apt upgrade

With the updates out of the way, install ngIRCd.

apt install ngircd

You can locate the ngIRCd files in the following directories:

  • /usr/sbin/ngircd: executable server.
  • /etc/ngircd/ngircd.conf: configuration file.

Building Atheme

Before you begin building Atheme, install some prerequisite dependencies.

apt install pkg-config build-essential gettext git wget xz-utils

Download Atheme to the server you will be hosting from. As of the writing of this guide Atheme release version v7.2.10-r2 will be used in the following examples, however you should be fine with any newer release. You can locate the latest release from the Atheme GitHub repository.[1]

Make sure to download the archive file ending in ".tar.xz". Once downloaded, extract the contents and move into the extracted atheme directory.

wget https://github.com/atheme/atheme/releases/download/v7.2.10-r2/atheme-v7.2.10-r2.tar.xz
tar -xf atheme-v7.2.10-r2.tar.xz
cd atheme-v7.2.10-r2/

You can now begin with building Atheme. Run the ./configure script first. It will run through a check to detect local system dependencies. If it comes back with an error for missing dependencies, you will have to search for a package containing the requisite dependency to install.

Note
You should specify an installation location for Atheme. By default running “make install” will install Atheme in “/present/working/directory/atheme/”. I recommend installing in “/usr/local/atheme/”. This can be specified when running the configure script. It's also easier to remove in the future since everything would be installed in that directory.
One more thing to note; when building Atheme, the location it was configured and installed for at build time cannot be changed. Moving the Atheme files to a different directory on the file-system will result in library file path location errors. If you need to move Atheme to a different directory, then you should re-build with the installation location specified in advance.

./configure --prefix=/usr/local/atheme/
make
make install

If you followed the previous step for specifying an installation location for Atheme, then you can locate the Atheme files in the following directories:

  • /usr/local/atheme/bin/atheme-services: executable server
  • /usr/local/atheme/etc/atheme.conf.example: sample configuration
  • /usr/local/atheme/etc/services.db: Atheme database file (generated on first launch)

Configuring ngIRCd

You will be configuring ngIRCd to use TLS encryption. Encryption matters here because NickServ user authentication, handled by the Atheme IRC services, would otherwise be sent in clear text, giving an attacker in a man-in-the-middle (MITM) position the opportunity to capture user credentials.

The following ports listed will either be used or disabled for this guide.

6667 = enabled (localhost access only)
6668 = disabled
6669 = enabled (localhost access only)
6697 = enabled
7000 = disabled
9999 = enabled

Start by allowing an exception in your firewall for ports 6697 and 9999. You can do this with either UFW or iptables.

  • UFW (Uncomplicated Firewall) method.

    ufw allow in 6697,9999/tcp

  • The iptables method.

    iptables -A INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
    netfilter-persistent save
    netfilter-persistent reload

Now you can begin with configuring ngIRCd.

vi /etc/ngircd/ngircd.conf

Note
If you are unable to locate a configuration file for ngIRCd, then you can obtain an example config file from the ngIRCd GitHub repository.[3]

For the [Global] section of the config file, locate each of the following lines and modify them as seen below. You can replace the server name with your own.

[Global]
  Name = irc.emhmki.org
  AdminInfo1 = IRC user
  AdminInfo2 = Dallas, TX
  AdminEMail = admin@irc.server
  Listen = 0.0.0.0
  MotdFile = /etc/ngircd/ngircd.motd
  Network = irc.emhmki.org
  Password = <You can set a global password if you want.>
  Ports = 6667, 6669
  ServerGID = irc
  ServerUID = irc

For the [Limits] section of the config file, locate each of the following lines and modify them as seen below.

[Limits]
  MaxNickLength = 15

For the [Options] section of the config file, locate each of the following lines and modify them as seen below.

[Options]
  AllowedChannelTypes = #&+
  AllowRemoteOper = no
  PAM = no

For the [SSL] section of the config file, locate each of the following lines and modify them as seen below.

Note

The following example will use an X.509 certificate generated by Let's Encrypt.

This guide will assume that you already have such a certificate. If you fail to configure a certificate here, then the ngIRCd daemon will refuse all connections.

The certificate file and path must be accessible to the ngircd service account. (Verify file permissions.)


[SSL]
  CertFile = /etc/letsencrypt/live/irc.emhmki.org/fullchain.pem
  DHFile = /etc/ngircd/dhparams.pem
  KeyFile = /etc/letsencrypt/live/irc.emhmki.org/privkey.pem
  Ports = 6697, 9999
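
One way to verify the file permissions mentioned in the note above, as an added example that is not part of the original guide or of ngIRCd: it reports the first directory or file on the way to each PEM file that the "irc" account (ServerUID in this guide) cannot pass. It assumes plain Unix mode bits (no ACLs) and should be run as root so every component can be inspected.

```python
import os
import stat

def mode_allows(st, uid, gids, need):
    """Classic Unix check: pick owner, group or other bits, then test `need`."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bool(bits & need)

def ancestors(path):
    """Return every directory above `path`, starting at the filesystem root."""
    chain = []
    parent = os.path.dirname(path)
    while parent != path:
        chain.append(parent)
        path, parent = parent, os.path.dirname(parent)
    return reversed(chain)

def first_blocked(path, uid, gids):
    """Return the first component the account cannot pass, or None if readable.

    Checks the directories leading to the symlink and to its target, because
    Let's Encrypt's live/*.pem files are symlinks into archive/.
    Mode bits only: ACLs and capabilities are not evaluated (assumption).
    """
    link, real = os.path.abspath(path), os.path.realpath(path)
    for d in [*ancestors(link), *ancestors(real)]:
        if not mode_allows(os.stat(d), uid, gids, 0o1):    # search (x) on dirs
            return d
    return None if mode_allows(os.stat(real), uid, gids, 0o4) else real

if __name__ == "__main__":
    import pwd, sys
    acct = pwd.getpwnam("irc")           # ServerUID from ngircd.conf
    groups = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for pem in sys.argv[1:]:             # the CertFile, KeyFile and DHFile paths
        print(pem, "->", first_blocked(pem, acct.pw_uid, groups) or "readable")
```

Pass the CertFile, KeyFile and DHFile paths from the [SSL] section as arguments; any path printed after the arrow is where the permissions need attention.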

For the [Operator] section of the config file, locate each of the following lines and modify them as seen below.

[Operator]
  Name = TheOper
  Password = <insert a password here>

For the [Server] section of the config file, locate each of the following lines and modify them as seen below.

Note

The "Name" field here will be the name of your IRC Service daemon, Atheme. Avoid using the same name here as you applied previously for the [Global] section. You can use any name that you want, just keep note of it for later when setting up Atheme.

In the password fields, come up with any password you want. "MyPassword" is for ngIRCd which will be used by Atheme. "PeerPassword" is for Atheme, which will be used by ngIRCd. Both ngIRCd and Atheme will authenticate with one another and should be aware of each other's passwords. Keep note of these passwords for later when setting up Atheme.


[Server]
  Name = service.emhmki.org
  MyPassword = <insert a password here for ngIRCd server>
  PeerPassword = <insert a password here for Atheme>
  ServiceMask = *Serv

Save your configuration and close the file.

Create the motd (Message Of The Day) file. You can add anything to it that you would like ngIRCd to announce when users connect.

touch /etc/ngircd/ngircd.motd

Create Diffie-Hellman parameters.

openssl dhparam -out /etc/ngircd/dhparams.pem 2048

Configuring Atheme

By default Atheme does not include a configuration file, which means you will have to create one by copying from the example configuration file.

cp /usr/local/atheme/etc/atheme.conf.example /usr/local/atheme/etc/atheme.conf
vi /usr/local/atheme/etc/atheme.conf

Locate the MODULES section and scroll down to the list of IRC daemon protocol modules. You can add the ngIRCd module on a new line.

loadmodule "modules/protocol/ngircd";

The nickserv enforce module forces users to identify themselves if they attempt to use a registered nickname. Locate the line for the nickserv enforce module and uncomment it (remove the pound character "#"). Don't modify the other defaults in this section unless it's necessary or you already know what you're doing.

loadmodule "modules/nickserv/enforce";

Scroll down in the config file until you reach the "serverinfo" block. This block will define how the Atheme service will appear to ngIRCd. Use the 'name' that you configured previously in the [Server] block of the ngircd.conf file.

For the netname, use the name that you configured in the [Global] block of the ngircd.conf file. Don't modify the other defaults in this section unless it's necessary.

serverinfo {
  name = "service.emhmki.org";
  netname = "irc.emhmki.org";
  adminname = "<insert any name here>";
  adminemail = "<insert any mail address here>";
};

Scroll down in the config file until you reach the "uplink" block. This block will define how the Atheme service will connect to ngIRCd. For the send_password, use the password configured previously in the [Server] block of the ngircd.conf file for "MyPassword." For the receive_password, use the password configured previously in the [Server] block of the ngircd.conf file for "PeerPassword." Don't modify the other defaults in this section unless it's necessary.

uplink "irc.emhmki.org" {
  send_password = "<insert the password here>";
  receive_password = "<insert the password here>";
};

Scroll down in the config file until you reach the "nickserv" block. Don't modify the other defaults in this section unless it's necessary.

nickserv {
  host = "irc.emhmki.org";
};

Scroll down in the config file until you reach the "chanserv" block. Don't modify the other defaults in this section unless it's necessary.

chanserv {
  host = "irc.emhmki.org";
};
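
The two configuration files have to agree on the names chosen above, and a password left as "<insert ...>" would be used literally. The following checker is an added example, not part of the original guide or of either project; it applies the name relationships shown in this guide's sample values and assumes the simple file layouts used here (one [Server] block, one active uplink block).

```python
import re

def parse_ngircd(text):
    """Parse ngircd.conf text into {section: {key: value}}, keys lower-cased."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = conf.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return conf

def parse_atheme(text):
    """Return (serverinfo settings, uplink name, uplink settings) from atheme.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)       # /* block comments */
    text = re.sub(r"^\s*(#|//).*$", "", text, flags=re.M)   # commented-out lines
    pairs = lambda body: dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    info = re.search(r"serverinfo\s*\{(.*?)\};", text, re.S)
    uplink = re.search(r'uplink\s+"([^"]+)"\s*\{(.*?)\};', text, re.S)
    name = uplink.group(1) if uplink else None
    return pairs(info.group(1)) if info else {}, name, pairs(uplink.group(2)) if uplink else {}

def cross_check(ngircd_text, atheme_text):
    """Apply this guide's naming rules and flag passwords left as <placeholders>."""
    ng = parse_ngircd(ngircd_text)
    info, uplink_name, uplink = parse_atheme(atheme_text)
    glob, link = ng.get("global", {}), ng.get("server", {})
    problems = []
    if glob.get("name") == link.get("name"):
        problems.append("[Global] Name and [Server] Name must differ")
    if info.get("name") != link.get("name"):
        problems.append("serverinfo name does not match [Server] Name")
    if uplink_name != glob.get("name"):
        problems.append("uplink name does not match [Global] Name")
    values = [("ngircd [%s]" % s, k, v) for s, kv in ng.items() for k, v in kv.items()]
    values += [("atheme uplink", k, v) for k, v in uplink.items()]
    for where, key, value in values:
        if "password" in key and value.startswith("<"):
            problems.append("%s %s is still a placeholder" % (where, key))
    return problems

if __name__ == "__main__":
    texts = [open(p).read() for p in ("/etc/ngircd/ngircd.conf", "/usr/local/atheme/etc/atheme.conf")]
    print("\n".join(cross_check(*texts)) or "configs are consistent")
```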

Setup Atheme service account and Systemd startup script.

It would be best practice to run the Atheme daemon from a non-root service account.

useradd --system --comment "Athemed IRC Service Daemon" --shell /sbin/nologin --home-dir /usr/local/atheme/bin/ athemed

Our athemed user will also need permission to read and write in the /usr/local/atheme directory.

chown -R athemed:athemed /usr/local/atheme/

Next you will need a Systemd unit service file for running Atheme.

vi /usr/lib/systemd/system/athemed.service

Add the following configuration to the file.

[Unit]
Description=Atheme IRC Service Daemon
After=network.target

[Service]
PrivateTmp=yes
NoNewPrivileges=true
User=athemed
ExecStart=/usr/local/atheme/bin/atheme-services
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

Enable Services

Now that ngIRCd and Atheme are installed and configured, enable their services.

systemctl enable ngircd athemed
systemctl start ngircd athemed

You can view the status of both services with the following command.

systemctl status ngircd athemed

You should see similar output.

● ngircd.service - Next Generation IRC Daemon
Loaded: loaded (/usr/lib/systemd/system/ngircd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-11-23 01:23:04 UTC; 2 weeks 0 days ago

● athemed.service - Atheme IRC Services Daemon
Loaded: loaded (/usr/lib/systemd/system/athemed.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2020-11-23 01:23:04 UTC; 2 weeks 0 days ago
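
The port plan in "Configuring ngIRCd" marks 6667 and 6669 as localhost-only, while [Global] sets Listen = 0.0.0.0, so once the daemon is running it is worth confirming where each port is actually bound. The following is an added example, not part of the original guide; it classifies the output of "ss -Hltn", and the embedded sample rows are constructed.

```python
import sys

PLAINTEXT = {6667, 6669}   # [Global] Ports in this guide
TLS = {6697, 9999}         # [SSL] Ports in this guide

# Constructed sample of `ss -Hltn` output for a daemon using Listen = 0.0.0.0.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6669 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6697 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def listeners(ss_output):
    """Yield (address, port) for every LISTEN row of `ss -Hltn` output."""
    for row in ss_output.splitlines():
        cols = row.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            if port.isdigit():
                yield addr.strip("[]").split("%")[0], int(port)

def audit(ss_output):
    """Return {port: verdict} for the IRC ports this guide configures."""
    verdicts = {p: "not listening" for p in PLAINTEXT | TLS}
    for addr, port in listeners(ss_output):
        loopback = addr.startswith("127.") or addr == "::1"
        if port in TLS:
            verdicts[port] = "tls listener"
        elif port in PLAINTEXT and not loopback:
            verdicts[port] = "plaintext on %s, firewall is the only barrier" % addr
        elif port in PLAINTEXT and verdicts[port] == "not listening":
            verdicts[port] = "plaintext, loopback only"
    return verdicts

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for port, verdict in sorted(audit(data).items()):
        print(port, verdict)
```

Pipe the live output of "ss -Hltn" into the script on the server; a plaintext port reported on a non-loopback address stays private only as long as the firewall rules from this guide remain in place.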

Notes

• Troubleshoot

If you're having trouble with either the ngircd or athemed daemon starting up, you can narrow down the cause with journalctl.

journalctl -u ngircd

• Let's Encrypt certbot

If you use Let's Encrypt's certbot utility for renewing certificates, then use the following as a post hook command. Ngircd won't ingest the renewed certificate unless the process is completely reset. This can cause some momentary downtime for users on the server, so you should consider informing them that the server might bounce every two months.

post-hook = systemctl restart ngircd athemed

References

1. https://github.com/atheme/atheme/releases/

2. https://github.com/atheme/atheme#obtaining-atheme

3. https://github.com/ngircd/ngircd/blob/master/doc/sample-ngircd.conf.tmpl

Last modified date: 2021-06-30
