ZNC /

Daily Maintenance for ZNC

(redirected from Openbsd.ZNCAdmin)

Every admin should use his team's bouncer to make sure it works. Eat your own dog food. See connection instructions for your IRC client.

Each day, you should check for errors with your znc.

$ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log

Scroll to the bottom by typing G.

[2021-01-25 03:12:52] [user/network] disconnected from IRC
[2021-01-25 03:15:29] [user/network] disconnected from IRC
[2021-01-25 03:19:21] [user/network] disconnected from IRC
[2021-01-25 03:23:12] [user/network] disconnected from IRC

If you see these repeating messages "disconnected from IRC", it means that znc is attempting to connect to a network but failing. This is a network error that you must fix.

WARNING: If you do not fix this problem, your ZNC will throttle all of its users, slowing down reconnections for everyone!

G-lined

Use less? to search through znc.log to find error messages like the following:

[2021-01-25 03:55:25] [user1/network] disconnected from IRC: irc.example.com [:Closing link: (user@fruit.ircnow.org) [G-Lined: This connection is not authorized on IRC Network - (ID: VL0GY6RV79)]]

This shows that the network has G-lined fruit.ircnow.org from connecting. Because the vhost is fruit.ircnow.org and not unique (it's not user.fruit.ircnow.org), this address is most likely an IPv4 address that has been glined. You can either write to the admins to request an iline or you can attempt to switch over to an IPv6 address and hope that is not banned.

If that does not work, you can disconnect the user. Connect to the bouncer (you must be an admin on ZNC), then issue the command:

/msg *controlpanel disconnect user network

Fixing a Network Configuration Error

Sometimes a disconnection error in znc.log is caused by bad network configuration:

[2021-01-25 03:06:24] [user/network] disconnected from IRC
[2021-01-25 03:14:09] [user/network] disconnected from IRC

Let's investigate the cause through the web panel:

  1. Log in to the web panel to troubleshoot: https://bnc.fruit.ircnow.org/
    Attach:znc1.png Δ
  2. Click on the Manage Users link
    Attach:znc2.png Δ
  3. Click on the Edit link next to user1
    Attach:znc3.png Δ
  4. Scroll down and click on the Edit link next to the network globalirc-it:
    Attach:znc4.png Δ
  5. Check Servers of this IRC network:
    1. The server may be improperly configured. Check the hostname and port is correct. A port without a + sign is in plaintext, which is usually port 6667. A port with a + in front uses SSL, which is usually on port 6697. If the user tries to use SSL on plaintext port 6667, or plaintext on SSL-encrypted port 6697, ZNC will fail to connect. Please fix this for the user.
    2. The user may be connecting to a server that lacks an iline. You will want to use the server addresses on the networks page to get the servers with ilines. You can test if your IP has been glined by using irssi.
    3. The user may be attempting to use an IPv4 address when we should prefer an IPv6 address. Some networks will disallow IPv4 connections. Run $ host irc.example.com to see if it returns an IPv4 address or only an IPv6 address. You will want to consult the networks list for IPv6-only hostnames.
    4. The user may be glined from the network for abuse. In this case, see the section on stopping abuse.
    5. The SSL cert may be expired. There are two solutions: manually add the SSL fingerprint to the SHA-256 fingerprint of trusted SSL certificates or Trust All Certs by clicking on Disable certificate validation. Trusting all certs is less secure but less work than manually adding, so I recommend trusting all certs.
      Attach:znc5.png Δ
      # Click on Save and Continue
      Attach:znc6.png Δ

You should soon see a line similar to below in znc.log:

[2021-01-25 03:15:08] [user/network] connected to IRC: irc.example.com

This indicates that user successfully connected to network.

Forcing IPv6

Whenever possible, you should force your users to connect to an IRC network using IPv6 rather than IPv4. Benefits include:

  1. Users get to pick a unique vhost which they enjoy
  2. The unique vhost helps to reduce ban evasion and abuse
  3. Innocent users sharing the same IPv4 address won't get GLINEd if an abuser gets banned
  4. IPv6 ddos attacks are less common

For these reasons and more, it is important to ensure that your ZNC users are forced to use IPv6 wherever possible.

Oftentimes, major networks will have servers that are exclusively used for IPv6. For example, dalnet offers both IPv4 and IPv6 for irc.dal.net, and the IPv6-only irc6.dal.net.

Here's one quick way to scan to see which servers are being used:

$ doas grep 'irc.dal.net' /home/znc/home/znc/.znc/moddata/adminlog/znc.log
[2021-01-29 09:23:33] [user1/dalnet] connected to IRC: irc.dal.net
[2021-01-29 09:26:50] [user2/dalnet] connected to IRC: irc.dal.net
[2021-01-29 09:26:51] [user3/2600net] connected to IRC: irc.dal.net
[2021-01-29 09:28:12] [user4/2600net] connected to IRC: irc.dal.net
...

This is a quick way to spot which need to be forced to irc6.dal.net. You can then follow instructions above to edit his network's server to irc6.dal.net.

Dealing with Abuse