Never Ending Security


Set up a secure IRC with SSL, PAM auth and crypted salted passwords


ngircd with pam and ssl (strong ciphers)

– get the ngircd source (v21 minimum)
– install libpam-passwd, libpam-dev and apache-utils (for htpasswd)

./configure --with-pam --with-openssl; make; make install
– create /etc/pam.d/ngircd:

auth required pam_pwdfile.so pwdfile=/usr/local/etc/ngircd.passwd
– create the password file using the crypt function with a salt (!), as discussed here: http://viki.brainsware.org/?en/Virtual_Users_simple – NOTICE!! crypt() alone is insecure – you need to use that perl function to create crypt() passwords with a salt. I have not found a stronger hash function that works with ngircd.
– edit ngircd.conf and set, in the [Options] section:

PAM = yes
PAMIsOptional = no
– enable SSL and allow default strong ciphers (CipherList = HIGH:!aNULL:@STRENGTH)
– start ngircd and check /var/log/syslog and /var/log/auth.log
Sample config:

[Global]
Name = hodor.pragmasec.nl
AdminInfo1 = Description
AdminInfo2 = Location
AdminEMail = admin@irc.server
;HelpFile = /usr/local/share/doc/ngircd/Commands.txt
Info = PragmaSEC IRC
Listen = 0.0.0.0
MotdPhrase = "Welcome to the PragmaSEC IRC server"
# Global password for all users needed to connect to the server.
# (Default: not set)
;Password = abc
PidFile = /var/run/ngircd/ngircd.pid
ServerGID = irc
ServerUID = irc
[Limits]
ConnectRetry = 60
IdleTimeout = 60
MaxConnections = 500
MaxConnectionsIP = 10
MaxJoins = 10
MaxNickLength = 9
MaxListSize = 10
PingTimeout = 120
PongTimeout = 20
[Options]
AllowedChannelTypes = #&+
AllowRemoteOper = no
;ChrootDir = /var/empty
;CloakHost = cloaked.host
;CloakHostModeX = cloaked.user
;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
;CloakUserToNick = yes
;ConnectIPv6 = yes
;ConnectIPv4 = yes
;DefaultUserModes = i
DNS = no
Ident = no
;IncludeDir = /usr/local/etc/conf.d
MorePrivacy = yes
;NoticeAuth = no
OperCanUseMode = no
;OperChanPAutoOp = yes
OperServerMode = no
PAM = yes
PAMIsOptional = no
RequireAuthPing = yes
;ScrubCTCP = no
;SyslogFacility = local1
;WebircPassword = xyz
[SSL]
CertFile = /etc/ssl/certs/hodor-bundle.crt
CipherList = HIGH:!aNULL:@STRENGTH
;CipherList = SECURE128
;DHFile = /usr/local/etc/ssl/dhparams.pem
KeyFile = /etc/ssl/private/hodor.key
;KeyFilePassword = secret
Ports = 6667
[Operator]
;Name = TheOper
;Password = ThePwd
;Mask = *!ident@somewhere.example.com

[Channel]
Name = #pragmasec
Topic = pragmasec
Modes = tnk
;Key = Secret
;KeyFile = /usr/local/etc/#chan.key
MaxUsers = 20
# -eof-
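
A quick way to confirm that a deployed ngircd.conf still carries the PAM and SSL settings from the steps above. This is an added example, not part of the original post or of ngircd: the `parse` and `audit` names and the sample config are constructed, the checks require the settings to be written out explicitly as in the guide, and the `[Global] Ports` check relies on that key being ngircd's list of unencrypted listening ports.

```python
import re

# Constructed sample (not from the page): a config that drifted from the guide.
SAMPLE_WEAK = """\
[Global]
Ports = 6667
[Options]
PAM = yes
;PAMIsOptional = no
[SSL]
CipherList = ALL
"""

def parse(text):
    """Parse ngircd.conf text into {section: {key: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or commented-out setting
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})     # repeated sections are merged
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means the guide's settings are present."""
    conf = parse(text)
    glob, opts, ssl = (conf.get(s, {}) for s in ("global", "options", "ssl"))
    findings = []
    if opts.get("pam", "").lower() != "yes":
        findings.append("[Options] PAM is not explicitly 'yes'")
    if opts.get("pamisoptional", "").lower() != "no":
        findings.append("[Options] PAMIsOptional is not explicitly 'no'")
    for key in ("CertFile", "KeyFile", "Ports"):
        if not ssl.get(key.lower()):
            findings.append(f"[SSL] {key} is not set")
    # Assumes OpenSSL cipher-string syntax, as in the --with-openssl build above.
    if "!aNULL" not in re.split(r"[:, ]+", ssl.get("cipherlist", "")):
        findings.append("[SSL] CipherList does not exclude aNULL")
    if glob.get("ports"):
        findings.append("[Global] Ports opens an unencrypted listener")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEAK)))
```

Run it against the real file with `audit(open("/usr/local/etc/ngircd.conf").read())`, adjusting the path to wherever your build installed the config.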