Ratbox with SSL

Before we begin you should understand that this howto works with development code and tools. If you are not comfortable working with and compiling code, then you should wait for its release. Secondly, I am not going to go through how to configure a working IRCd, just how to manage the SSL bits. This particular setup is aimed at VoidNet but should be good for all.

Building the IRCd

The current stable release of ratbox (2.2.8 at the time of writing) doesn't contain the code for IRCS, so we need to download the development code (note that I unpack a particular revision that I know works; you can try the latest code to see how it goes).

$ svn co http://svn.ratbox.org/svnroot/ircd-ratbox/trunk ratbox-svn
.... output ....
$ cd ratbox-svn

Thanks to the ratbox developers we now have all the required parts for VoidNet within the actual ratbox code, so there is no need for our patches anymore.

Now we need to configure that source. Obviously you should work out which options you actually want here; I will set up a VoidNet IRCd.

$ ./configure --enable-small-net --enable-services --enable-ssl \
 --disable-dependency-tracking --enable-sslonly-channels \
 --with-nicklen=10
.... output ....
Compiling libratbox devel

Installing into: /usr/local/ircd
IPv6 support ................... yes
Assert debugging ............... no
Block allocator ................ yes
OpenSSL ........................ yes


Compiling ircd-ratbox devel

Installing into: /usr/local/ircd
Ziplinks ....................... yes
OpenSSL ........................ yes
Modules ........................ shared
IPv6 support ................... no
IO Debugging hooks ............. no
Assert debugging ............... no
Small network .................. yes
ratbox-services compatibility .. yes

Configured limits:
NICKLEN ................. 10

You must confirm that OpenSSL is marked as yes. If it isn't, you are probably missing openssl from your system (or its -dev/-devel packages). Install those and run configure again. Then we can continue and make:

$ make
.... output ....

It should build fine, at which point you can install the IRCd with:

$ make install
.... output ....

Now you should go away and set up the ratbox ircd.conf and make ratbox work without SSL. This ensures you have a working configuration before we attempt to add SSL to it.

SSL Preparation

OK, so now we have a working IRCd and wish to add SSL clients to it. We need to prepare a certificate first. If you are on VoidNet you need to speak to me to get a valid certificate; the following is just for others!

$ mkdir /usr/local/ircd/etc/ssl
$ cd /usr/local/ircd/etc/ssl
$ openssl req -new -nodes -out req.pem
.... Fill in the details for the certificate ....
$ openssl req -x509 -days 3650 -in req.pem -key privkey.pem -out cert.pem
$ openssl dhparam -out dh.pem 2048
.... LOTS of output ....
$ mv privkey.pem rsa.key
$ chmod og-rwx req.pem cert.pem rsa.key

Now we have all the bits in place; all we need to do is set up the IRCd to use them. Edit your ircd.conf and, within the serverinfo { } section, add:

    ssl_private_key = "etc/ssl/rsa.key";
    ssl_cert = "etc/ssl/cert.pem";
    ssl_dh_params = "etc/ssl/dh.pem";
    ssld_count = 1;

And again in your ircd.conf, but within the listen { } block, add the SSL port to listen on:

    sslport = 6697;

Start up your IRCd again and you should now have a working SSL port :)

If you want to link two servers with SSL, link on the SSL port and add ssl to the flags of the server link.
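Before restarting the IRCd, it is worth checking that the three serverinfo paths resolve to real files under the install prefix, that the private key really did get the chmod og-rwx treatment, and that a sslport is present in listen. The script below is an added example (not part of this howto or of ratbox); it reads a constructed ircd.conf fragment with a minimal block parser and audits it against a temporary install tree. The server name, the temporary directory layout and the placeholder file contents are assumptions for the example; the config keys are the ones used above.

```python
import os
import re
import stat
import tempfile

# Constructed ircd.conf fragment: the serverinfo and listen settings from the
# howto, with a placeholder server name (irc.example.invalid is not a real host).
SAMPLE_CONF = '''
serverinfo {
    name = "irc.example.invalid";
    ssl_private_key = "etc/ssl/rsa.key";
    ssl_cert = "etc/ssl/cert.pem";
    ssl_dh_params = "etc/ssl/dh.pem";
    ssld_count = 1;
};

listen {
    port = 6667;
    sslport = 6697;
};
'''

BLOCK_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)          # name { ... }
KV_RE = re.compile(r'(\w+)\s*=\s*"?([^";]*)"?\s*;')       # key = "value";


def parse_blocks(conf_text):
    """Return {block_name: {key: value}} for flat blocks such as serverinfo and listen.

    This is a minimal reader for the fragment above, not a full ircd.conf parser:
    nested blocks and comments containing braces are not handled.
    """
    blocks = {}
    for block in BLOCK_RE.finditer(conf_text):
        settings = blocks.setdefault(block.group(1), {})
        for kv in KV_RE.finditer(block.group(2)):
            settings[kv.group(1)] = kv.group(2).strip()
    return blocks


def audit_ssl_config(conf_text, install_root):
    """Check the SSL settings from the howto against the files on disk.

    Returns a list of human-readable findings; an empty list means every check passed.
    """
    findings = []
    blocks = parse_blocks(conf_text)
    serverinfo = blocks.get("serverinfo", {})
    listen = blocks.get("listen", {})

    for key in ("ssl_private_key", "ssl_cert", "ssl_dh_params"):
        rel_path = serverinfo.get(key)
        if rel_path is None:
            findings.append(f"serverinfo: {key} is not set")
            continue
        # The howto's paths are relative to the install prefix (/usr/local/ircd).
        path = os.path.join(install_root, rel_path)
        if not os.path.isfile(path):
            findings.append(f"serverinfo: {key} points at {path}, which does not exist")
            continue
        if key == "ssl_private_key":
            # chmod og-rwx leaves no group or other bits set on the key file.
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    f"serverinfo: private key {path} is group/other accessible "
                    f"(mode {mode:04o}); apply chmod og-rwx as in the howto"
                )

    count = serverinfo.get("ssld_count")
    if count is None or int(count) < 1:
        findings.append("serverinfo: ssld_count is missing or below 1 (the howto sets it to 1)")
    if "sslport" not in listen:
        findings.append("listen: no sslport is configured, so no SSL listener will be opened")
    return findings


def build_sample_install(root, key_mode):
    """Create etc/ssl/{rsa.key,cert.pem,dh.pem} under root with placeholder contents."""
    ssl_dir = os.path.join(root, "etc", "ssl")
    os.makedirs(ssl_dir, exist_ok=True)
    for name in ("rsa.key", "cert.pem", "dh.pem"):
        with open(os.path.join(ssl_dir, name), "w") as fh:
            fh.write("placeholder file for the example, not real key material\n")
    os.chmod(os.path.join(ssl_dir, "rsa.key"), key_mode)


def demo():
    """Audit the sample config against a locked-down key (0600) and a readable one (0644)."""
    results = []
    for key_mode in (0o600, 0o644):
        with tempfile.TemporaryDirectory() as root:
            build_sample_install(root, key_mode)
            results.append(audit_ssl_config(SAMPLE_CONF, root))
    return results


if __name__ == "__main__":
    for label, findings in zip(("key mode 0600", "key mode 0644"), demo()):
        print(label, "->", findings or "OK")
```

Run it as-is to see the two cases; to audit a real installation, call audit_ssl_config() with the text of your ircd.conf and your install prefix (/usr/local/ircd in this howto).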

I would like to offer thanks to AndroSyn, who gave me the information I needed to get this working. He has also responded to all our queries and fixed all the bugs we have come across! I also owe thanks to remorse who created the original +S patches for us. For anyone who is interested, you can connect to VoidNet via SSL on irc.trance.net:6697 :)

Using stty

There are several functions that can be triggered by typing a particular character in your shell. The stty command can be used to find out which character does what, and to set or unset those characters as well (as I demonstrated when removing the 'stop').

Getting the current characters

This is simple enough, simply type:

$ stty -a
speed 38400 baud; rows 44; columns 111; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = ;
eol2 = ; start = ^Q; stop = ^S;
susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; flush = ^O; min = 1;
time = 0;
-parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl
ixon -ixoff -iuclc -ixany -imaxbel
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0
bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop
-echoprt echoctl echoke

So you can see, for example, intr = ^C. The ^C represents a 'control character': holding down the 'Ctrl' key and the 'c' key will produce ^C. This is, of course, the interrupt that stops a running program. Note that the shift key has no effect on control characters; ^c and ^C are the same.

So let's just run through the various items:

erase
The erase function is probably one that you use all the time. It deletes the last character you typed. If you have ^? like I do above, then the Delete key will work. Another common setting for erase is ^H, which is the Backspace key.
werase
The word erase will erase the last word that you typed. In this case my terminal has that set to ^W.
kill
This is a line kill: it deletes all the text on the current line of the shell. In this case ^U is set for my terminal. In some setups this is ^K or even @.
intr
The interrupt key will abort the currently running command. Some setups use the Delete key for that, and therefore you will see ^?.
stop
The stop function pauses the flow of output to the terminal; it is intended for when text is flowing too quickly to read. You can stop it, and then start it again with the start character (^Q above). In this case ^S is set.
susp
The suspend function stops the job being run, but instead of aborting it, it just freezes the job. You can then use the fg or bg commands to start the job again.

Assigning Characters

If the characters that are set aren't to your liking, or don't fit your keyboard very well, you can use stty to set your preferred characters.

For example you can do this:

$ stty intr ^c

That sets the interrupt function to the Ctrl and c key press.

stty gives you the power to setup your terminal in the manner you wish.

Using FTP

FTP is one of the quickest ways to move files between computers; some of you might already have used it to transfer files with your browser. I will point out that if you are the only person moving files around, ask yourself "Do I really need FTP?". This is because FTP is not a secure method of transfer: your user/pass is sent to the server in "plain text" (i.e. it is not encrypted). A better method for transferring files is to use sftp or scp, both of which are part of SSH.

However, if you are managing several users, or if you wish to provide anonymous downloads for your userbase, then FTP is by far the best method.

There is a lot of choice for FTP servers out there and, as with most things, each has its own positives and negatives. I am going to choose vsftpd for two reasons: it is a very secure ftpd (in the sense of resisting someone breaking into the server), and it is a very easy server to set up and run.

Here is an example vsftpd.conf; uncomment one of the three sections below to set the server up in one of three distinct manners:

##### Only allow LOCAL users, no ANONymous.
## !!! RECONSIDER SFTP/SCP FAR BETTER !!!
#local_enable=YES
#write_enable=YES
#anonymous_enable=NO
#nopriv_user=ftp
#chroot_local_user=YES

##### Only ANONymous.
local_enable=NO
write_enable=NO
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chown_uploads=NO

##### ANONymous downloads - LOCAL uploads
## !!! ONCE MORE RECONSIDER SFTP/SCP !!!
#local_enable=YES
#write_enable=YES
#anon_upload_enable=NO
#anon_mkdir_write_enable=NO
#chown_uploads=NO
#chroot_local_user=YES
#nopriv_user=ftp

##### Don't comment these out, you can fiddle with the options though
data_connection_timeout=120
idle_session_timeout=600
dirmessage_enable=YES
ascii_upload_enable=NO
ascii_download_enable=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
ftpd_banner=---[[[ ZNXifed vsftpd ]]]---
background=YES
listen=YES
ls_recurse_enable=NO

Now you need to create a user for the ftpd to run as.

# adduser ftp

Now this user is only for running a service; it is not meant as a login. Therefore we should ensure that it cannot be used as such.

# passwd -l ftp
# chsh -s /bin/nologin ftp

If you don't have /bin/nologin then use /bin/false in its place. The first command "locks" the password, so no password will ever be accepted for the account; the second changes the shell so that the nologin binary refuses entry. This is enough to secure the user.

That's it; we now have a server that allows anonymous downloads. Obviously if you wish to enable uploads (as a user or anonymously) you will be opening a large security issue, so please think long about this. SFTP and SCP are better replacements; check out FileZilla or WinSCP.