Ircserver

Purpose

This system provides the CAcert IRC service for private communications, allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday chat, meetings, and general support.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application

Administrator(s)

IRC server

Jan Dittberner

IRC services

Jan Dittberner

Votebot

Jan Dittberner

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.233

IP Intranet

172.16.2.14

IP Internal

10.0.0.130

IPv6

2001:7b8:616:162:2::14

MAC address

00:ff:9a:79:ca:b1 (eth0)

See also

See Network

DNS

Name

Type

Content

irc.cacert.org.

IN A

213.154.225.233

irc.cacert.org.

IN AAAA

2001:7b8:616:162:2::14

irc.cacert.org.

IN SSHFP

1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c

irc.cacert.org.

IN SSHFP

1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567

irc.cacert.org.

IN SSHFP

2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe

irc.cacert.org.

IN SSHFP

2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc

irc.cacert.org.

IN SSHFP

3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366

irc.cacert.org.

IN SSHFP

3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96

irc.cacert.org.

IN SSHFP

4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c

irc.cacert.org.

IN SSHFP

4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c

ircserver.intra.cacert.org.

IN A

172.16.2.14

Operating System

  • Debian GNU/Linux 9.4

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

80/tcp

http

ANY

redirect to https

443/tcp

https

ANY

reverse proxy for kiwiirc

5666/tcp

nrpe

monitor

remote monitoring service

6667/tcp

ircd

ANY

IRC

7000/tcp

ircd

ANY

IRC (SSL)

7001/tcp

ircd

local

IRC (services)

7778/tcp

kiwiirc

local

kiwiirc process

8080/tcp

irc-services

ANY

IRC services

irc opens a random UDP port.

The following port forwarding is setup on Infra02

Intranet IP

Port

Target

172.16.2.14

13022

10.0.0.130:22

172.16.2.14

13080

10.0.0.130:80

172.16.2.14

13443

10.0.0.130:443

172.16.2.14

13667

10.0.0.130:6667

172.16.2.14

13700

10.0.0.130:7000

Running services

Service

Usage

Start mechanism

atheme-services

IRC services

init script /etc/init.d/atheme-services

cron

job scheduler

init script /etc/init.d/cron

Exim

SMTP server for local mail submission

init script /etc/init.d/exim4

inspircd

IRC daemon

init script /etc/init.d/inspircd

kiwiirc

IRC web client

start script /home/kiwiirc/KiwiIRC/kiwi started by user kiwiirc

nginx

Reverse proxy for kiwiirc

init script /etc/init.d/nginx

Nagios NRPE server

remote monitoring service queried by Monitor

init script /etc/init.d/nagios-nrpe-server

openssh server

ssh daemon for remote administration

init script /etc/init.d/ssh

Puppet agent

configuration management agent

init script /etc/init.d/puppet

rsyslog

syslog daemon

init script /etc/init.d/syslog

votebot

CAcert vote bot

init script (spring-boot) /etc/init.d/cacert-votebot

Connected Systems

Outbound network connections

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc, MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db

DSA

SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw, MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39

ECDSA

SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y, MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21

ED25519

SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw, MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5

Dedicated user roles

User

Purpose

votebot

used to run the votebot

kiwiirc

used to run the Kiwi IRC web client

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Votebot

The Votebot is a custom developed IRC daemon that is packaged as a self contained executable Spring-Boot jar archive. The bot is started via init.

Votebot

The vote bot is a Java based IRC bot developed at https://git.cacert.org/gitweb/?p=cacert-votebot.git and built at https://jenkins.cacert.org/job/cacert-votebot/. The bot is started automatically via its init script.

Kiwi IRC

Kiwi IRC is a nodejs based IRC web client. The software has been installed via Github and npm as described in https://kiwiirc.com/docs/installing and https://kiwiirc.com/docs/installing/proxies. The software is running on the local loopback interface and Internet access is provided by an nginx reverse proxy that also provides https connectivity. NodeJS and npm have been installed from Debian packages.

Todo

setup init script for kiwiirc

Risk assessments on critical packages

Votebot is a Java based application and therefore Java security patches should be applied as soon as they become available.

Kiwi IRC is nodejs based and uses some third party npm packages. The application is kept behind a reverse proxy but it is advisable to make sure that available updates are applied.

Todo

implement some update monitoring for Kiwi IRC

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of Ircserver to Puppet code

Keys and X.509 certificates

  • Certificate for CN irc.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/irc.cacert.org.crt

    • private key in file /etc/ssl/private/irc.cacert.org.key

inspircd configuration

Inspircd is installed from a Debian package. It is configured via files in /etc/inspircd/. The main configuration file is inspircd.conf.

atheme-services configuration

Atheme-services is installed from a Debian package. It is configured via /etc/atheme/atheme.conf.

Kiwi IRC configuration

Kiwi IRC configuration is kept in /home/kiwiirc/KiwiIRC/config.js. When the configuration is changed it can be applied by running:

sudo -s -u kiwi
cd ~/KiwiIRC
./kiwi reconfig

nginx configuration

The nginx configuration for reverse proxying Kiwi IRC is stored in /etc/nginx/sites-available/default. The same certificate and private key are used for inspirced and nginx.

votebot configuration

Votebot is configured via spring-boot mechanisms. The current configuration file is /home/votebot/cacert-votebot-0.1.0-SNAPSHOT.conf and configures Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and #vote. Channels could be changed in an application.properties file in /home/votebot. The available property names can be found in the git repository.

Tasks

Planned

  • None

Changes

  • Nothing planned

Additional documentation

References

Atheme services website

https://atheme.github.io/atheme.html

Inspircd wiki

https://wiki.inspircd.org/

Kiwi IRC documentation

https://kiwiirc.com/docs/

nginx documentation

http://nginx.org/en/docs/