Ircserver

Purpose

This system provides the CAcert IRC service for private communications: IRC traffic encrypted with TLS and secured with a CAcert-issued certificate, used for our everyday chat, meetings and general support.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application     Administrator(s)
IRC server      Jan Dittberner
IRC services    Jan Dittberner
Votebot         Jan Dittberner

Contact

Additional People

No additional people have sudo access on this machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:   213.154.225.233
IP Intranet:   172.16.2.14
IP Internal:   10.0.0.130
IPv6:          2001:7b8:616:162:2::14
MAC address:   00:ff:9a:79:ca:b1 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for ircserver.infra.cacert.org

DNS

Name                         Type      Content
irc.cacert.org.              IN A      213.154.225.233
irc.cacert.org.              IN AAAA   2001:7b8:616:162:2::14
irc.cacert.org.              IN SSHFP  1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c
irc.cacert.org.              IN SSHFP  1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567
irc.cacert.org.              IN SSHFP  2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe
irc.cacert.org.              IN SSHFP  2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc
irc.cacert.org.              IN SSHFP  3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366
irc.cacert.org.              IN SSHFP  3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96
irc.cacert.org.              IN SSHFP  4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c
irc.cacert.org.              IN SSHFP  4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c
ircserver.intra.cacert.org.  IN A      172.16.2.14

The SSHFP records (RFC 4255) carry the host-key algorithm (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519), the fingerprint type (1 SHA-1, 2 SHA-256) and the digest of the raw host-key blob; the SHA-256 rows correspond to the SHA256: fingerprints listed under SSH host keys below. OpenSSH only consults them for host-key verification when the zone is DNSSEC-signed, the resolver validates, and the client runs with VerifyHostKeyDNS set to yes or ask; otherwise known_hosts remains the only check.

Operating System

  • Debian GNU/Linux 12 Bookworm

Services

Listening services

Port       Service        Origin    Purpose
22/tcp     ssh            ANY       admin console access
25/tcp     smtp           local     mail delivery to local MTA
80/tcp     http           ANY       redirect to https
443/tcp    https          ANY       reverse proxy for kiwiirc
5666/tcp   nrpe           monitor   remote monitoring service
6667/tcp   ircd           ANY       IRC
7000/tcp   ircd           ANY       IRC (SSL)
7001/tcp   ircd           local     IRC (services)
7778/tcp   kiwiirc        local     kiwiirc process
8080/tcp   irc-services   ANY       IRC services

In addition, the IRC daemon opens a UDP socket on a random port.
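The table above is only useful if it matches what the host actually binds. As an added example (not part of this page or of CAcert's own tooling), the following Python script compares the documented table against the output of `ss -Hltn` and reports listeners that are undocumented, listeners documented as "local" but bound to a non-loopback address, and documented ports that are not listening at all. The sample `ss` output is constructed for the example and deliberately contains two such deviations.

```python
"""Audit live TCP listeners against the documented listening-services table.

Added example, not part of the CAcert wiki page or of CAcert tooling.
EXPECTED is transcribed from the table above; SAMPLE_SS is constructed
output in the format of `ss -Hltn` (no header, TCP, listening, numeric)
and intentionally deviates from the table in two places.
"""
import ipaddress
import sys

# port -> documented origin, transcribed from the Listening services table
EXPECTED = {
    22: "ANY", 25: "local", 80: "ANY", 443: "ANY", 5666: "monitor",
    6667: "ANY", 7000: "ANY", 7001: "local", 7778: "local", 8080: "ANY",
}

# Constructed sample: 7778 is bound to all interfaces and 9090 is undocumented.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5666 0.0.0.0:*
LISTEN 0 128 *:6667 *:*
LISTEN 0 128 *:7000 *:*
LISTEN 0 128 127.0.0.1:7001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:7778 0.0.0.0:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
"""


def parse_ss(text):
    """Return {port: set of bound addresses} from `ss -Hltn` style lines.

    Columns are: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
    IPv6 addresses arrive bracketed ([::]:22) and wildcards as '*'.
    """
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), set()).add(addr.strip("[]"))
    return listeners


def is_loopback(addr):
    """True only for a concrete loopback address; '*' and '::' are wildcards."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(ss_text, expected=EXPECTED):
    """Return a sorted list of (port, problem); an empty list means the host matches the table."""
    live = parse_ss(ss_text)
    problems = []
    for port, addrs in live.items():
        if port not in expected:
            problems.append((port, "listening but not documented"))
        elif expected[port] == "local" and not all(is_loopback(a) for a in addrs):
            problems.append((port, "documented as local but bound to %s"
                             % ", ".join(sorted(addrs))))
    for port in expected:
        if port not in live:
            problems.append((port, "documented but not listening"))
    return sorted(problems)


if __name__ == "__main__":
    # Pipe real data in with:  ss -Hltn | python3 audit_listeners.py
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for port, problem in audit(text):
        print("%5d/tcp  %s" % (port, problem))
```

The script only covers TCP; the random UDP port mentioned above would show up under `ss -Hlun` and has to be checked separately. A "monitor"-origin port such as 5666/tcp is expected to be bound to all interfaces, so restricting it to the monitoring host is the firewall's job (nftables, see Running services), not something this socket-level check can confirm.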

The following port forwarding is set up on Infra02 so that the container's services are reachable via the intranet address:

Intranet IP    Port    Target
172.16.2.14    13022   10.0.0.130:22
172.16.2.14    13080   10.0.0.130:80
172.16.2.14    13443   10.0.0.130:443
172.16.2.14    13667   10.0.0.130:6667
172.16.2.14    13700   10.0.0.130:7000

Running services

Service          Usage                                    Start mechanism
atheme-services  IRC services                             systemd unit atheme-services.service
cron             job scheduler                            systemd unit cron.service
Exim             SMTP server for local mail submission    systemd unit exim4.service
icinga2          Icinga2 monitoring agent                 systemd unit icinga2.service
inspircd         IRC daemon                               systemd unit inspircd.service
kiwiirc          IRC web client                           systemd unit kiwiirc.service
nginx            Reverse proxy for kiwiirc                systemd unit nginx.service
nftables         nftables firewall                        systemd unit nftables.service
openssh server   ssh daemon for remote administration     systemd unit ssh.service
Puppet agent     configuration management agent           systemd unit puppet.service
rsyslog          syslog daemon                            systemd unit rsyslog.service
votebot          CAcert vote bot                          systemd unit cacert-votebot.service

Connected Systems

Outbound network connections

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc, MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
DSA         SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw, MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
ECDSA       SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y, MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
ED25519     SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw, MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5

OpenSSH has refused ssh-dss (DSA) host keys by default since release 7.0, so the DSA key and its SSHFP records (algorithm 2 in the DNS table) are legacy entries that can be retired without affecting current clients.
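The SHA-256 fingerprints in this table and the type-2 SSHFP records in the DNS section are the same SHA-256 digest of the raw host-key blob, only encoded differently (hex in DNS, unpadded base64 with a SHA256: prefix in ssh-keygen output), so the two tables can be cross-checked mechanically. The following Python script is an added example, not part of this page or of CAcert's tooling: it converts each DNS record to the ssh-keygen form and compares it with the fingerprint table, and it also shows how `ssh-keygen -r` derives SSHFP records from a public-key blob. The record and fingerprint values are transcribed from this page; the Ed25519 blob at the end is a constructed placeholder, not a real host key.

```python
"""Cross-check the SSHFP records published for irc.cacert.org against the
host-key fingerprints in the Security section, and show how SSHFP records
are derived from a public-key blob.

Added example, not part of the CAcert wiki page or of CAcert's own tooling.
DNS_SSHFP and HOST_KEY_FPS are transcribed from this page; DEMO_BLOB is a
constructed placeholder key, not a real host key.
"""
import base64
import hashlib
import struct

# Algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 SHA-1, 2 SHA-256)
SSHFP_ALG = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SSHFP_ALG_BY_KEYTYPE = {"ssh-rsa": 1, "ssh-dss": 2,
                        "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
                        "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Type-2 SSHFP rows from the DNS table above (type-1 SHA-1 rows have no
# counterpart in the fingerprint table and are skipped by check_records)
DNS_SSHFP = [
    "1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567",
    "2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc",
    "3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96",
    "4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c",
]

# SHA-256 fingerprints from the "SSH host keys" table (ssh-keygen -l format)
HOST_KEY_FPS = {
    "RSA": "SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc",
    "DSA": "SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw",
    "ECDSA": "SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y",
    "ED25519": "SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw",
}


def sshfp_to_openssh(hex_digest):
    """SSHFP type-2 hex digest -> 'SHA256:<unpadded base64>' as printed by ssh-keygen -l."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest, got %d bytes" % len(raw))
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def check_records(records, fingerprints):
    """Return the algorithm names whose SSHFP SHA-256 record disagrees with the fingerprint table."""
    mismatches = []
    for record in records:
        alg, fptype, digest = record.split()
        if int(fptype) != 2:
            continue  # SHA-1 records cannot be compared with SHA256: fingerprints
        name = SSHFP_ALG[int(alg)]
        if sshfp_to_openssh(digest) != fingerprints.get(name):
            mismatches.append(name)
    return mismatches


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type(blob):
    """The first wire-format string of a public-key blob is its key type, e.g. ssh-ed25519."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_records(blob):
    """The SSHFP records ssh-keygen -r would emit for a public-key blob
    (the base64-decoded second field of a known_hosts or *.pub line)."""
    alg = SSHFP_ALG_BY_KEYTYPE[key_type(blob)]
    return ["%d %d %s" % (alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def openssh_fingerprint(blob):
    """SHA-256 fingerprint of a public-key blob in ssh-keygen -l form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed placeholder: an Ed25519 blob is the type string plus the 32-byte key
DEMO_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    bad = check_records(DNS_SSHFP, HOST_KEY_FPS)
    print("DNS SSHFP vs host-key table:", "OK" if not bad else "MISMATCH " + ", ".join(bad))
    for rec in sshfp_records(DEMO_BLOB):
        print("irc.cacert.org. IN SSHFP", rec)
    print(openssh_fingerprint(DEMO_BLOB))
```

On the host itself, `ssh-keygen -r irc.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub` prints the live SSHFP records and `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` the fingerprint; substituting those for the transcribed values is the check to run after a host-key rotation, before and after updating the zone.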

Dedicated user roles

User      Purpose
votebot   used to run the votebot
kiwiirc   used to run the Kiwi IRC web client

Non-distribution packages and modifications

Votebot

The Votebot is a custom-developed IRC bot packaged as a self-contained executable Spring Boot jar archive. It is started by the systemd unit cacert-votebot.service (see Running services).

Kiwi IRC

Kiwi IRC is a Node.js-based IRC web client. It was installed from GitHub and npm as described in https://kiwiirc.com/docs/installing and https://kiwiirc.com/docs/installing/proxies. The process listens only on the local loopback interface (7778/tcp); Internet access goes through an nginx reverse proxy, which also terminates HTTPS. Node.js and npm are installed from Debian packages.

Risk assessments on critical packages

Votebot is a Java-based application, so Java (JRE) security updates from Debian should be applied as soon as they become available. Because the bot ships as a self-contained Spring Boot jar, the Spring framework and the other libraries bundled inside it are not covered by Debian updates; they only change when the jar is rebuilt from the cacert-votebot repository with current dependency versions.

Kiwi IRC is Node.js-based and uses a number of third-party npm packages. The application is kept behind a reverse proxy, but available updates (upstream releases and findings from npm audit) should still be applied promptly.

Todo

implement some update monitoring for Kiwi IRC

The system uses third-party packages with a good security track record and regular updates. The attack surface is limited to the services listed under Listening services: ssh, http/https, the IRC listeners on 6667/tcp and 7000/tcp and the atheme listener on 8080/tcp are reachable from the Internet and are therefore the components to keep patched; note that the 6667/tcp listener carries IRC in plaintext. The puppet agent is not exposed to access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of ircserver to Puppet code

Keys and X.509 certificates

  • Certificate for CN irc.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/irc.cacert.org.crt.pem

    • private key in file /etc/ssl/private/irc.cacert.org.key.pem

inspircd configuration

Inspircd is installed from a Debian package. It is configured via files in /etc/inspircd/. The main configuration file is inspircd.conf.

atheme-services configuration

Atheme-services is installed from a Debian package. It is configured via /etc/atheme/atheme.conf.

Kiwi IRC configuration

Kiwi IRC configuration is kept in /home/kiwiirc/KiwiIRC/config.js. After changing it, apply the new configuration by running the following as the kiwiirc service user (see Dedicated user roles):

sudo -s -u kiwiirc    # shell as the service user that owns /home/kiwiirc
cd ~/KiwiIRC
./kiwi reconfig       # apply the changed config.js to the running Kiwi IRC process

nginx configuration

The nginx configuration for reverse proxying Kiwi IRC is stored in /etc/nginx/sites-available/default. inspircd and nginx use the same certificate and private key (see Keys and X.509 certificates).

votebot configuration

Votebot is configured via the standard Spring Boot mechanisms. The current configuration file is /home/votebot/cacert-votebot-0.3.0-SNAPSHOT.conf; it configures Votebot to connect to localhost with the nick VoteBot. The bot uses the channels #agm and #vote. The channels can be overridden in an application.properties file in /home/votebot; the available property names are listed in src/main/resources/application.properties in the CAcert Git repository cacert-votebot.

Tasks

Planned

  • None

Changes

  • Nothing planned

Additional documentation

References

Atheme services website:   https://atheme.github.io/atheme.html
Inspircd wiki:             https://wiki.inspircd.org/
Kiwi IRC documentation:    https://kiwiirc.com/docs/
nginx documentation:       http://nginx.org/en/docs/