• Setting Up an IRC Bouncer on Ubuntu Linux

    Tue, 23 Jun 2020 11:00:00 -0700 - Paul Scott

    Introduction: IRC Bouncers and Why You Want One

    Internet Relay Chat (IRC) is a venerable online chat protocol, dating back to the late 1980s, but it is still widely used today, especially in the world of computing. There are IRC clients for every major operating system and dozens of IRC networks with thousands of chat channels. There’s a heavy emphasis on tech but nearly every topic is represented. When using IRC, you only receive messages when you are connected–a message is discarded after it is sent and history is not stored on the server.

    Enter the IRC bouncer. Because the IRC client is responsible for storing and replaying history, a bouncer setup divides the client's role between two pieces of software: the display application (GUI, TUI) and the bouncer. With a bouncer, you still use your favorite IRC client, but you connect to the bouncer (for example bouncer.example.com) instead of directly to the IRC network (such as chat.freenode.net). Your bouncer can remain connected when you’re logged out. When you log back in, your IRC bouncer presents you with the logged chat and messages that you otherwise would miss. Like an IRC server, an IRC bouncer runs on an always-connected computer in order to maintain a persistent connection to an IRC network.

    In this article, I’ll show you how to set up ZNC, which is a widely used IRC bouncer application. We’ll go through the process of installing ZNC, setting up a user account, configuring it and logging in to IRC through the bouncer. We’ll also address some basic security issues.

    We’ll be following the process for Ubuntu, but the basics are similar for most Linux distributions.

    Install ZNC

    Ubuntu has a ZNC package in its repository, and you can install it with apt-get.

    $ sudo apt-get install znc
    

    Next you’ll add a dedicated user account for ZNC. This is a good practice when using any application that remains open to the Internet, since it provides a measure of protection for other accounts on your server (in particular your root account).

    I’m doing several things with the following command: I’m creating a new user named “znc-admin”. I’m setting the account up without a password (since this account will never log in) and I’m defining a home directory for the account. We recommend using /var/znc as your ZNC home directory, but you can use any directory you like (except your root directory!). Likewise you can choose a different account name if you want to.

    $ sudo adduser --disabled-password --home /var/znc znc-admin
    

    Configure ZNC

    With your new account set up, you’re ready to configure ZNC. Switch to the new account, go to the ZNC home directory, and run ZNC’s configuration routine.

    $ sudo su znc-admin
    $ cd ~
    $ znc --makeconf
    

    ZNC will present you with various options. Here are our recommendations for how to set them up. Note that ZNC presents the default options [in brackets]. If you like the default, just hit return.

     -- Global settings --  
    Listen on port (1025 to 65534): 6697  
    Listen using SSL (yes/no) [no]: yes  
    Listen using both IPv4 and IPv6 (yes/no) [yes]: yes  
    

    We highly recommend using SSL and IPv6 for your traffic.

    ZNC will then create a PEM file at /var/znc/.znc/znc.pem. Next it will ask you to define the username and password that you will use to log in to your IRC bouncer. You will also define the nick and username that you want to use to connect to your IRC bouncer. Note this does not have to be the nickname you use on IRC, but it can be and is easier if it is.

    -- Admin user settings --  
    
    Username (alphanumeric): <username here>  
    Enter password:  
    Confirm password:  
    Nick [<username>]:  
    Alternate nick [<nick>_]:  
    Ident [<username>]:   
    Real name (optional): 
    Bind host (optional): 
    

    We recommend not binding to a host unless you have a good reason. The next set of variables configures your connection to the IRC network, here Freenode.

    Set up a network? (yes/no) [yes]:  
    -- Network settings --  
    
    Name [freenode]:  
    Server host [chat.freenode.net]: 
    Server uses SSL? (yes/no) [yes]: yes  
    Server port (1 to 65535) [6697]: 6697  
    Server password (probably empty):  
    Initial channels:   
    

    If you already have some preferred IRC channels in mind then enter them above. Remember to precede the channel name with a hash mark (#) and separate them with a space.

    ZNC will write the config file (/var/znc/.znc/configs/znc.conf) and you’re all set up.

    Allow IRC on your Firewall

    Now that your bouncer is running, it’s time to allow that port on your firewall. You’ll use a utility called firewalld to make sure the correct port is open through your firewall. If you don’t have it already, just install it with apt-get. Note that firewalld will permit SSH by default, so you shouldn’t lose the connection to your server. Even if something goes wrong, if you are using a Prgmr.com system, you can use the management console to get back in and fix things.

    $ sudo apt-get install firewalld
    

    Now use it to configure the port. We recommend using port 6697, which is the standard port for encrypted IRC traffic.

    $ sudo firewall-cmd --add-port=6697/tcp
    $ sudo firewall-cmd --runtime-to-permanent
    

    Sign In to Your Bouncer

    You’ll need an IRC client if you don’t already have one. Popular choices include mIRC, Hexchat, and Weechat. Normally you would set up your client to connect directly to IRC, but here you’ll connect to the bouncer, and the bouncer will connect to IRC using the host and user credentials that you set up when you configured ZNC.

    To connect to your bouncer, launch your client. For most clients, in the message field enter the following command:

    /server add -tls <znc_server> +6697 <password> <username>
    

    Or for weechat, if you want your server available via the name znc, your command will look like:

    /server add znc <znc_server>/6697 -ssl -username=<username> -password=<password> -nicks=<username>
    

    For <znc_server>, use your Prgmr.com server address. So if your server is named "foo" then use foo.xen.prgmr.com as the ZNC server address.

    If you receive SSL errors and are using a certificate generated by ZNC, you can whitelist that certificate via its fingerprint. Take the output from the command below:

    $ sudo cat /var/znc/.znc/znc.pem | openssl x509 -sha256 -fingerprint -noout | cut -d '=' -f 2- | sed 's/://ig'
    

    And add it to your IRC client:

    /server modify <znc_server> -tls_pinned_cert <above_output_line>
    

    Or for weechat:

    /set irc.server.znc.ssl_fingerprint <above_output_line>
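
    Pinning only helps if the fingerprint you pin is the one on your server. The following added example (not part of the original post) normalises openssl's fingerprint output and compares the value read from znc.pem on the server with the value the client sees on port 6697. The function names and the sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a SHA-256 certificate
# fingerprint before pinning it in the IRC client.
#
# On the server:
#   sudo openssl x509 -in /var/znc/.znc/znc.pem -sha256 -fingerprint -noout
# From the client machine (shows what the bouncer actually serves):
#   openssl s_client -connect <znc_server>:6697 </dev/null 2>/dev/null \
#     | openssl x509 -sha256 -fingerprint -noout

# Turn "SHA256 Fingerprint=AA:BB:..." (or an already stripped value) into
# 64 lowercase hex digits. Fails on anything that is not a SHA-256 value.
fp_normalize() {
    fp=$(printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f')
    case "$fp" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1   # 32 bytes = 64 hex digits
    printf '%s\n' "$fp"
}

# Succeed only when both inputs are valid SHA-256 fingerprints and equal.
fp_match() {
    a=$(fp_normalize "$1") || return 1
    b=$(fp_normalize "$2") || return 1
    [ "$a" = "$b" ]
}

# Constructed sample values (not a real certificate's fingerprint).
HALF='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
SAMPLE_SERVER="SHA256 Fingerprint=$HALF:$HALF"   # as printed on the server
SAMPLE_CLIENT="sha256 Fingerprint=$HALF:$HALF"   # as seen from the client
SAMPLE_SHA1="SHA1 Fingerprint=$HALF:00:11:22:33" # wrong digest, 20 bytes

if fp_match "$SAMPLE_SERVER" "$SAMPLE_CLIENT"; then
    echo "match, pin: $(fp_normalize "$SAMPLE_SERVER")"
else
    echo "fingerprints differ, do not pin"
fi
```

    A mismatch means the client is not seeing the certificate stored in /var/znc/.znc/znc.pem, so the value should not be pinned until the difference is explained.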
    

    If you ever want to change these settings then you can do so by interacting with the *status user. Type help for a list of options.

    Further Reading

    More documentation on ZNC can be found at the ZNC wiki.

  • Crosstalk/SRBDS (CVE-2020-0543) Vulnerability

    Tue, 09 Jun 2020 18:10:00 -0700 - Sarah Newman

    Summary

    None of our customer-hosting systems are vulnerable to the Crosstalk/SRBDS side-channel attack announced today.

    This comes down to sheer luck on our end. Before this announcement, we were already actively planning to migrate away from Intel processors and will continue down that path.

    Background

    In Ivy Bridge and newer Intel processors, there is an onboard random number generator. Truly random numbers are required for many security algorithms. For some Intel processors, it is hypothetically possible to leak information from one core to another from that random number generator because there is a shared buffer between all the physical cores. The full list of processors is here. Note that desktop and server models from the same microarchitecture may not have the same vulnerabilities.

    Intel released a microcode update to mitigate this vulnerability. They also state that there is a significant performance impact, which suggests that disabling it may be a better option since most software using the Intel RNG was written using the assumed performance from before the mitigations.

    There has long been speculation that the Intel RNG is not safe to use, but for a different reason. Mostly this was in the context of the RNG potentially being backdoored by a nation-state. Back in 2013, the FreeBSD Security Working Group recommended not using the Intel RNG as the sole source of entropy.

    The Linux kernel, and presumably most other operating systems, will “mix” entropy provided by the Intel RNG with other sources. It is also already possible in the Linux kernel to disable use of Intel RNG with the nordrand kernel command line option. However this does not prevent user space from using the Intel RNG.

    Under both Xen and KVM, it is possible to disable exposing the Intel RNG (rdrand) feature. For Xen, in the xl config file this could be:

    cpuid="host,rdrand=0,rdseed=0"
    

    And for KVM, if calling qemu directly this could be:

    -cpu host,-rdrand,-rdseed
    

    You can confirm this was properly applied by running:

    grep -E 'rdrand|rdseed' /proc/cpuinfo
    

    In the guest afterwards. If the features are no longer exposed, the command prints nothing.
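
    A stricter form of that check, as an added example (not part of the original post): it matches the exact flag names on every vCPU's flags line and returns an exit status that a provisioning script can act on. The function names and the sample cpuinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm from inside the
# guest that the hypervisor no longer exposes rdrand/rdseed.

# Print "<cpu> <flag>" for every logical CPU whose flags line still
# lists rdrand or rdseed. Reads a cpuinfo-format file; "-" means stdin.
rng_flags_exposed() {
    awk -F': *' '
        $1 ~ /^processor/ { cpu = $2 }
        $1 ~ /^flags/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "rdrand" || f[i] == "rdseed")
                    print cpu, f[i]
        }
    ' "${1:-/proc/cpuinfo}"
}

# Exit status 0 when both features are hidden on all CPUs, 1 otherwise.
rng_masked() {
    [ -z "$(rng_flags_exposed "${1:-/proc/cpuinfo}")" ]
}

# Constructed sample input: a two-vCPU guest before the CPUID mask...
sample_unmasked() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes rdrand rdseed\n\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse2 aes rdrand rdseed\n\n'
}
# ...and the same guest after rdrand and rdseed were masked.
sample_masked() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes\n\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse2 aes\n\n'
}

sample_unmasked | rng_flags_exposed -      # lists both flags per vCPU
if sample_masked | rng_masked -; then echo "RNG features masked"; fi
```

    In a real guest, call rng_masked with no argument so that it reads /proc/cpuinfo.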

  • Our Debian Mirror Is Now Private To Our Network

    Mon, 01 Jun 2020 20:30:00 -0700 - Chris Brannon

    For a number of years, we have operated a private mirror of part of Debian’s repository for use by our customers. Though it was never publicized, it was usable from outside of our network.

    As of Monday June 1st, 2020 we have limited access to the Debian portion of our mirror to our internal network. The maintenance overhead of this mirror has become too high and there are already an adequate number of Debian mirrors available in our geographic location.

    Our public mirrors of EPEL and Fedora will continue to be available.

    If you have any questions or concerns, please write us at support@prgmr.com.

  • OpenBSD 6.7 Installer Available

    Tue, 19 May 2020 11:30:00 -0700 - Chris Brannon

    The OpenBSD installer has been updated to OpenBSD 6.7. Notable changes include:

    • Implemented “strip” option in httpd.conf(5) for fastcgi to be able to have multiple chroots under /var/www for FastCGI servers.
    • Changed httpd(8) to send a 408 response when a timeout happens while headers are being received, but close the connection if no request is received.

    Have a look at the OpenBSD 6.7 release notes for more details.

    If you experience a crash on a prgmr VPS running a previous version of OpenBSD, upgrading to 6.7 may help. Please refer to the OpenBSD Upgrade Guide.

    If you’re interested in running OpenBSD on prgmr.com, please see our wiki page on OpenBSD.

    Note that the OpenBSD installer is only available for VPSes with HVM virtualization. The virtualization type can be checked from the ‘system details’ option of the management console. If your VPS uses PV and you are interested in a conversion to HVM, please write support@prgmr.com.

  • Scheduled Maintenance for Billing System

    Mon, 18 May 2020 11:00:00 -0700 - Brandon McGinty-Carroll

    We will perform a software upgrade for our billing system, billing.prgmr.com, during a two-hour maintenance window starting Saturday May 23 18:00:00 UTC. Downtime is expected to be less than 20 minutes.

    If you have any questions or concerns, please write us at support@prgmr.com.