Ngircd Install Guide
In this guide, we'll set up ngircd, a free, portable, lightweight IRC server.
- The source code is written in modern, portable C.
- The code compiles easily on all BSDs, Linux, and other platforms.
- The code is easy to fork to add new features such as spam filters.
- The server has a very simple, easy-to-understand configuration.
- Documentation is short and easy to understand.
- The server is a clean implementation which was written from scratch.
- The lead developer po||ux actively hangs out on the IRC server barton.ngircd.de on #ngircd.
Docs and references
Installing from OpenBSD packages
$ doas pkg_add ngircd
Copy the sample configuration file:
$ doas cp /usr/local/share/examples/ngircd/sample-ngircd.conf /etc/ngircd/ngircd.conf
ngIRCd v26.1 provided by OpenBSD 6.9 ports does not have ident support. On a production server, ident support is essential, so we will need to compile from source (described below). You will want to do this after installing from packages, so that rc.d scripts are created automatically.
Installing from source
Pull the codebase from IRCNow's file servers, extract the code, and install it:
$ ftp https://ircnow.org/software/ngircd.tgz
$ tar xvzf ngircd.tgz
$ cd ngircd-26.1/
$ sh build.sh
Note: Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line if that is desired.
Typically, ";" precedes a line of code that has been commented, while a "#" precedes an actual note that should not be uncommented.
[Global]
Name = irc.example.com
AdminInfo1 = Example Network
AdminInfo2 = Planet Earth
AdminEMail = firstname.lastname@example.org
Info = irc.example.com
- Name: Use your server's domain name.
- Info: Use your server's domain name.
Listen = 127.0.0.1,192.168.1.1,2001:db8::
Uncomment this line and provide every single IP address you want ngircd to listen on. This includes localhost (127.0.0.1), and our public IPv4 and IPv6 addresses. Keep 127.0.0.1 but replace 192.168.1.1 and 2001:db8:: with your real public IPs. If you are hosting a public service, avoid listing IPs that are not DDoS-filtered. IRC servers are heavily DDoSed and using an unfiltered IP will get you nullrouted.
Note: if you do not uncomment this line, ngircd will listen on all IPs by default, which is probably a mistake.
MotdFile = /etc/ngircd/ngircd.motd
Network = ExampleNet
- MotdFile: MOTD stands for "Message of the Day"; we will create this file later on.
- Network: Your network name.
Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667
ServerGID = _ngircd
ServerUID = _ngircd
It's recommended to provide ports besides the standard 6667 to allow users to bypass network firewalls.
NOTE: Make sure to set the ServerUID and ServerGID to _ngircd. Otherwise, it runs as the user nobody by default.
[Limits]
MaxConnectionsIP = 0
MaxJoins = 300
MaxNickLength = 16
MaxListSize = 1000
PingTimeout = 300
PongTimeout = 300
MaxNickLength: must be identical on all servers on the network. On IRCNow, MaxNickLength is
[Options]
AllowRemoteOper = no
ChrootDir = /var/ngircd
CloakHost = %x
CloakHostSalt = <abcdefghijklmnopqrstuvwxyz>
DefaultUserModes = i
NoticeBeforeRegistration = yes
OperChanPAutoOp = no
RequireAuthPing = yes
SyslogFacility = daemon
For security reasons, we do not want to allow remote opers. Each team appoints their own opers, so you might not trust an oper on another server.
We want to chroot to /var/ngircd to limit what an attacker can reach if ngircd is compromised.
We will cloak the host using a unique salt; contact another sysadmin for the exact salt. If not linking to a network, you can leave it commented for a random salt each time it runs or you can provide your own random salt.
User mode +i keeps the user invisible so that /whois does not show all channels a user has joined. This helps reduce stalking and harassment.
This entire block should be commented out. When you are ready to set up SSL/TLS encryption, uncomment the entire block.
WARNING: Do not send passwords or sensitive data over this server until SSL is set up.
You may have as many Operator Blocks as you like, one for each Operator.
[Operator]
Name = username
Password = password
Please use a long, random string for your password.
If you uncomment Mask, your hostmask must match the operator hostmask in order for the /OPER command to be accepted. If it differs at all, then your /OPER command will be rejected. If you don't want to check the hostmask, leave Mask commented out.
For more security, you can uncomment Mask and have it match your vhost. However, please be aware that this will make it impossible to authenticate if you ever have to connect from a different IP address.
The server block is used to connect to other servers to form a network. You can have multiple server blocks. See: Link your ngircd
You are finished editing ngircd.conf
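The following is an added example, not part of the original guide or the ngircd project: a shell function that checks an ngircd.conf against the settings recommended above. The function name and the 20-character minimum for an operator password are assumptions, and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: audit_ngircd_conf FILE prints one WARN line per deviation from this guide.
audit_ngircd_conf() {
    awk -v minlen=20 '  # minlen: assumed minimum for a "long" oper password
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    /^[ \t]*\[/ {                           # section header such as [Global]
        sect = tolower($0); sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); val = trim(substr($0, eq + 1))
        if (sect == "operator" && key == "name") oper = val
        if (sect == "operator" && key == "password" &&
            (val == "password" || length(val) < minlen))
            print "WARN: operator " oper ": password is short or the sample value"
        conf[sect "." key] = val
    }
    END {
        if (!("global.listen" in conf))
            print "WARN: Listen is commented out; ngircd listens on all IPs"
        if (conf["global.serveruid"] != "_ngircd" || conf["global.servergid"] != "_ngircd")
            print "WARN: ServerUID/ServerGID are not both _ngircd"
        if (tolower(conf["options.allowremoteoper"]) != "no")
            print "WARN: AllowRemoteOper is not explicitly set to no"
        if (conf["options.chrootdir"] != "/var/ngircd")
            print "WARN: ChrootDir is not /var/ngircd"
        if (conf["options.cloakhostsalt"] == "<abcdefghijklmnopqrstuvwxyz>")
            print "WARN: CloakHostSalt is still the sample placeholder"
    }' "$1"
}
# Constructed sample: the guide template with three settings left unsafe.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Global]
;Listen = 127.0.0.1,192.168.1.1,2001:db8::
ServerGID = _ngircd
ServerUID = _ngircd
[Options]
AllowRemoteOper = no
ChrootDir = /var/ngircd
CloakHostSalt = <abcdefghijklmnopqrstuvwxyz>
[Operator]
Name = username
Password = password
EOF
audit_ngircd_conf "$sample"; rm -f "$sample"
```

On the server, point the function at /etc/ngircd/ngircd.conf; it checks policy only, so still run `ngircd -t` for syntax errors.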
Create the Message of the Day in /etc/ngircd/ngircd.motd. Here is a suggested template:
All log messages from ngircd should go to /var/log/ngircd.log. Insert these three lines starting at line 3 (at the top) in
!!ngircd
*.* /var/log/ngircd.log
!*
This directs all logs from ngircd to go straight to /var/log/ngircd.log.
Next, create the file /var/log/ngircd.log and restart syslogd:
$ doas touch /var/log/ngircd.log
$ doas rcctl restart syslogd
We need to set up the chroot for ngircd. Let's copy the files into the chroot:
$ doas mkdir /var/ngircd/etc/
$ doas cp /etc/resolv.conf /var/ngircd/etc/
$ doas cp -R /etc/ngircd /var/ngircd/etc/
$ doas chown -R _ngircd:_ngircd /var/ngircd/
$ doas rm -r /etc/ngircd
$ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd
$ doas mkdir -p /var/ngircd/usr/local/share/doc/
$ doas cp -R /usr/local/share/doc/ngircd/ /var/ngircd/usr/local/share/doc/
$ doas chown -R _ngircd:_ngircd /var/ngircd/usr/local/share/doc/ngircd/
This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.
To start ngircd via rcctl:
$ doas rcctl enable ngircd
$ doas rcctl start ngircd
Next, use your IRC client to connect to the server. Join a few channels and chat inside.
If you run into any errors, you can test to see if your configuration file has errors:
$ doas ngircd -t
To run ngircd in debug mode:
$ doas ngircd -n
Check /var/log/ngircd.log to see if ngircd is listening on the correct IP addresses and ports. Connect to those ports using your IRC client to verify that the server is working as intended.
Remember, if you are connecting using port 6667 without SSL, any eavesdropper can read all your text, including your passwords. Don't send any sensitive information until you have upgraded to SSL.
Reloading and Restarting ngIRCd
After you edit /etc/ngircd/ngircd.conf for a running ngircd server, you will need to reload the configuration file:
$ doas rcctl reload ngircd
Alternatively, you can run:
$ doas pkill -HUP ngircd
Reloading a configuration file will not disconnect any active connections. So, try to reload the configuration where possible instead of restarting the service.
To restart the ircd:
$ doas rcctl restart ngircd
WARNING: Restarting the ircd will disconnect all existing connections. So, try to restart ngircd only when absolutely necessary.
WARNING: ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.
- Configure SSL for ngircd to ensure secure connections.
- Link your ngircd with another server to create a network.
- Install anope to provide services.
- Install achurch to test achurch services.
- Configure hopm, an open proxy monitor to stop spammers.
- Configure acopm, a minimalist open proxy monitor to stop spammers.