Ircserver
Purpose
This system provides the CAcert IRC service for private communications: CAcert-secured, SSL-encrypted IRC traffic for everyday chat, meetings and general support.
Application Links
- https://irc.cacert.org/ (HTTPS-secured web-based IRC access)
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Todo: find an additional admin
Application Administration
Application | Administrator(s)
---|---
IRC server |
IRC services |
Votebot |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on the physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:9a:79:ca:b1 (eth0)
See also: Network
Monitoring
- internal checks:
DNS
Name | Type | Content
---|---|---
irc.cacert.org. | IN A | 213.154.225.233
irc.cacert.org. | IN AAAA | 2001:7b8:616:162:2::14
irc.cacert.org. | IN SSHFP | 1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c
irc.cacert.org. | IN SSHFP | 1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567
irc.cacert.org. | IN SSHFP | 2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe
irc.cacert.org. | IN SSHFP | 2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc
irc.cacert.org. | IN SSHFP | 3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366
irc.cacert.org. | IN SSHFP | 3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96
irc.cacert.org. | IN SSHFP | 4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c
irc.cacert.org. | IN SSHFP | 4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c
ircserver.intra.cacert.org. | IN A | 172.16.2.14
Operating System
Debian GNU/Linux 12 Bookworm
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | redirect to https
443/tcp | https | ANY | reverse proxy for kiwiirc
5666/tcp | nrpe | monitor | remote monitoring service
6667/tcp | ircd | ANY | IRC
7000/tcp | ircd | ANY | IRC (SSL)
7001/tcp | ircd | local | IRC (services)
7778/tcp | kiwiirc | local | kiwiirc process
8080/tcp | irc-services | ANY | IRC services
The IRC daemon also opens a random UDP port.
The following port forwarding is set up on Infra02:
Intranet IP | Port | Target
---|---|---
172.16.2.14 | 13022 | 10.0.0.130:22
172.16.2.14 | 13080 | 10.0.0.130:80
172.16.2.14 | 13443 | 10.0.0.130:443
172.16.2.14 | 13667 | 10.0.0.130:6667
172.16.2.14 | 13700 | 10.0.0.130:7000
Running services
Service | Usage | Start mechanism
---|---|---
atheme-services | IRC services | systemd unit
cron | job scheduler | systemd unit
Exim | SMTP server for local mail submission | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
inspircd | IRC daemon | systemd unit
kiwiirc | IRC web client | systemd unit
nginx | Reverse proxy for kiwiirc | systemd unit
nftables | nftables firewall | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
votebot | CAcert vote bot | systemd unit
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 |
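The SSHFP records in the DNS table above are only useful if they stay in step with the keys actually installed on the host. The following script is an added example (not part of the CAcert documentation or its Puppet code) that recomputes the records from OpenSSH public key lines the way ssh-keygen -r does and diffs them against the published record data; the host key used here is a constructed stand-in, not the real irc.cacert.org key.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# The SSHFP record data published for irc.cacert.org (copied from the DNS table).
PUBLISHED_SSHFP = [
    "1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c",
    "1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567",
    "2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe",
    "2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc",
    "3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366",
    "3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96",
    "4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c",
    "4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c",
]

# Constructed stand-in for /etc/ssh/ssh_host_ed25519_key.pub; not a real key.
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed key blob").decode() + " root@ircserver"


def sshfp_from_pubkey(pubkey_line):
    """(alg, type, hex) triples for one OpenSSH public key line; the hash is
    taken over the base64-decoded key blob, exactly as ssh-keygen -r does."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return {(alg, t, h(blob).hexdigest()) for t, h in SSHFP_HASHES.items()}


def parse_sshfp_rdata(line):
    """Parse 'alg type fingerprint' from dig +short output, a zone file line or
    an ssh-keygen -r line: the record data is always the last three fields."""
    alg, fptype, fp = line.split()[-3:]
    return int(alg), int(fptype), fp.lower()


def check_host_keys(pubkey_lines, published_rdata):
    """Return (missing, stale): records the host's keys need but DNS lacks, and
    DNS records matching no current key (for example left over from a rotation)."""
    expected = set().union(*(sshfp_from_pubkey(k) for k in pubkey_lines))
    published = {parse_sshfp_rdata(r) for r in published_rdata}
    return sorted(expected - published), sorted(published - expected)


if __name__ == "__main__":
    missing, stale = check_host_keys([SAMPLE_HOST_KEY], PUBLISHED_SSHFP)
    print("missing from DNS:", missing)
    print("stale in DNS:", stale)
```

On the host itself, feed every /etc/ssh/ssh_host_*_key.pub line and the output of `dig +short SSHFP irc.cacert.org` into check_host_keys; an empty result in both lists means the zone and the machine agree.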
Dedicated user roles
User | Purpose
---|---
votebot | used to run the votebot
kiwiirc | used to run the Kiwi IRC web client
Non-distribution packages and modifications
Votebot
The Votebot is a custom-developed IRC daemon packaged as a self-contained executable Spring Boot jar archive. The bot is started by the init system.
Kiwi IRC
Kiwi IRC is a Node.js-based IRC web client. The software has been installed from GitHub and npm as described in https://kiwiirc.com/docs/installing and https://kiwiirc.com/docs/installing/proxies. It listens on the local loopback interface only; Internet access is provided by an nginx reverse proxy, which also terminates HTTPS. Node.js and npm have been installed from Debian packages.
Risk assessments on critical packages
Votebot is a Java-based application, so Java security patches should be applied as soon as they become available.
Kiwi IRC is Node.js-based and uses some third-party npm packages. The application is kept behind a reverse proxy, but it is advisable to make sure that available updates are applied.
Todo: implement some update monitoring for Kiwi IRC
The system uses third-party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent is not exposed for access from outside the system.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo: move configuration of ircserver to Puppet code
Keys and X.509 certificates
- Certificate for CN irc.cacert.org, see details in the certificate list
- certificate in file /etc/ssl/public/irc.cacert.org.crt.pem
- private key in file /etc/ssl/private/irc.cacert.org.key.pem
inspircd configuration
Inspircd is installed from a Debian package. It is configured via files in /etc/inspircd/. The main configuration file is inspircd.conf.
atheme-services configuration
Atheme-services is installed from a Debian package. It is configured via /etc/atheme/atheme.conf.
Kiwi IRC configuration
Kiwi IRC configuration is kept in /home/kiwiirc/KiwiIRC/config.js. When the configuration is changed it can be applied by running:

```shell
sudo -s -u kiwiirc   # switch to the kiwiirc service user (see "Dedicated user roles")
cd ~/KiwiIRC
./kiwi reconfig      # make the running Kiwi IRC process reload config.js
```
nginx configuration
The nginx configuration for reverse proxying Kiwi IRC is stored in /etc/nginx/sites-available/default. The same certificate and private key are used for inspircd and nginx.
votebot configuration
Votebot is configured via Spring Boot mechanisms. The current configuration file is /home/votebot/cacert-votebot-0.3.0-SNAPSHOT.conf and configures Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and #vote. Channels can be changed in an application.properties file in /home/votebot. The available property names can be found in the CAcert Git repository cacert-votebot in src/main/resources/application.properties.
Tasks
Planned
None
Changes
Nothing planned
Additional documentation
References
- Atheme services website
- Inspircd wiki
- Kiwi IRC documentation
- nginx documentation