How to link UnrealIRCd servers

This page explains how to link two (or more) UnrealIRCd servers securely so you have a multi-server network.

IMPORTANT: This page assumes both servers run UnrealIRCd 5.0.6 or newer.

Step 1: open up a dedicated server port

You probably have opened up port 6667 for clients on your server already. You should open up a dedicated servers-only SSL port as well.

This can be as simple as:

listen *:6900 { options { tls; serversonly; }; };

Or, if you use a shell provider then you may have to specify the IP that got assigned to you:

listen 1.2.3.4:6900 { options { tls; serversonly; }; };

If you use the example configuration file then you should already have this.

IMPORTANT: If you have a firewall then be sure to open up this port 6900 as well, just like you did with 6667!

Step 2: set up a special server class

If you haven't done so already, set up a class { } block for your servers now, like:

class servers
{
    pingfreq 60;
    connfreq 30;
    maxclients 10;
    sendq 20M;
};

Note that the example configuration file already contains this.

Step 3: grab the SPKI fingerprint of your servers

The SPKI fingerprint is a unique hash of the SSL/TLS key of your server. We need this in step 4, so run the command below on both servers and write both fingerprints down.

Run the following command on the shell. In UnrealIRCd 4 you run this from the ~/unrealircd directory (or wherever you installed UnrealIRCd to):

./unrealircd spkifp

This will output something like:

The SPKI fingerprint for certificate /home/irc/unrealircd/conf/ssl/server.cert.pem is:
AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=

You normally add this password on the other side of the link as:
password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };

If instead you see an error like this:

Usage: unrealircd start|stop|rehash|restart|mkpasswd|version|croncheck|gencloak|reloadtls|upgrade-conf

Step 4: setting up link blocks

In the example below we assume you have two servers. One is named irc.sisrv.net and the other one is called irc1.sisrv.net. Simply replace the names with the actual names of your server.

UnrealIRCd 5

In the unrealircd.conf on irc1.sisrv.net you add a link block to link with irc.sisrv.net:

link irc.sisrv.net {
    incoming {
        mask *;
    };
    outgoing {
        bind-ip *; 
        hostname irc.sisrv.net-IP; 
        port 6900; 
        options { ssl; autoconnect; };
    };
    password "hknVtRqmZ1B9+BdXM5j/SN2wrOpSFdt9KGEV2lkx" { spkifp; };
    hub *;
    class servers;
};

Similarly, on irc.sisrv.net you add a link block to link with irc1.sisrv.net:

link irc1.sisrv.net {
    incoming {
        mask *;
    };
    outgoing {
        bind-ip *; 
        hostname irc1.sisrv.net-IP; 
        port 6900; 
        options { ssl; autoconnect; };
    };
    password "R9xka9F6IL/ppy78gOdtouwiWsxS8S8MPyhhL" { spkifp; };
    hub *;
    class servers;
};

[!] Note that it is a common mistake to put the wrong password (wrong fingerprint) in the link block. If you SSH to irc.sisrv.net and are editing the unrealircd.conf, more precisely the link irc1.sisrv.net { block, then you should put the spkifp password of irc1.sisrv.net in there and not the one of irc.sisrv.net.

Autoconnect

In the example above we added autoconnect (in link::outgoing::options) in irc.sisrv.net's config. This means irc.sisrv.net will automatically try to link to irc1.sisrv.net every class::connfreq seconds (configured in step 2: every 30 seconds). You can also choose to autoconnect the other way around or not to autoconnect at all. While it's also possible to autoconnect from both sides, we generally don't recommend it.

Step 5: Rehash

Rehash both servers (or restart them if you are lazy and you have no users on them). We recommend rehashing a server as IRCOp by executing '/REHASH' on IRC.

If you restarted or did the '/REHASH' as an IRCOp you should see directly if there are any warnings or errors in your configuration. If so, fix them now.

Step 6: Link!

In step 4 we added 'autoconnect'. If everything works well then you should see the servers automatically linking (they will try every 30 seconds, based on class::connfreq).

You can see if the other server is linked by executing the IRC command '/MAP' to see the network map.

As an IRCOp you will be informed when servers try to link and if there are any errors.

You can always tell UnrealIRCd to try to link the servers right now by executing (as IRCOp) /CONNECT name.of.other.server. This can be used if you disabled autoconnect, or simply if you don't want to wait ;)

Step 7: Restricting by IP (optional)

What if someone manages to read all contents of your unrealircd/conf directory? Your configuration file, your SSL private key and so on would be exposed. Or maybe you made a backup (good!) and forgot to restrict access to it (bad!). Such a breach of security would be a real problem. Among other things, it would allow whoever stole the files to link a server to your network, acquire all sensitive information, become IRCOp, and so on.

It's possible to enhance security by restricting from which IP the server may link in.

Earlier we configured the link block like this:

link irc.sisrv.net {
    incoming {
        mask *;
    };

The mask *; here specifies that any IP is permitted. You can change this to an IP like mask 1.2.3.4; or an IP range like mask 1.2.*;

We consider this step optional as it's basically security-in-depth.
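The two checks discussed above (the wrong-fingerprint mistake from step 4 and the open mask *; from step 7) can be automated before you rehash. The following is an added example, not part of UnrealIRCd: the function names and the sample config are constructed, and it assumes the fingerprint format shown in step 3 (44 base64 characters, i.e. a 32-byte digest).

```python
import base64
import re

def valid_spkifp(fp):
    """True if fp is 44 base64 chars decoding to 32 bytes (a SHA-256 digest)."""
    try:
        return len(fp) == 44 and len(base64.b64decode(fp, validate=True)) == 32
    except ValueError:
        return False

def link_blocks(conf):
    """Yield (name, body) for each link block, matching braces by depth."""
    for m in re.finditer(r'^\s*link\s+(\S+)\s*\{', conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf, own_fp, peer_fps):
    """Findings for one server's config. own_fp is what `./unrealircd spkifp`
    printed on this machine; peer_fps maps peer name -> what it printed there."""
    findings = []
    for name, body in link_blocks(conf):
        m = re.search(r'password\s+"([^"]*)"\s*\{\s*spkifp\s*;', body)
        if not m:
            findings.append((name, "no spkifp password"))
        elif not valid_spkifp(m.group(1)):
            findings.append((name, "malformed fingerprint"))
        elif m.group(1) == own_fp:
            findings.append((name, "own fingerprint used, expected the peer's"))
        elif m.group(1) != peer_fps.get(name):
            findings.append((name, "fingerprint does not match peer"))
        if re.search(r'incoming\s*\{[^}]*\bmask\s+\*\s*;', body):
            findings.append((name, "incoming mask * permits any IP"))
    return findings

# Constructed sample: placeholder fingerprints, not real keys.
FP_A = base64.b64encode(bytes(range(32))).decode()      # this server
FP_B = base64.b64encode(bytes(range(32, 64))).decode()  # the peer
SAMPLE_CONF = f'''
link irc1.sisrv.net {{
    incoming {{ mask *; }};
    outgoing {{ hostname 198.51.100.1; port 6900; options {{ tls; autoconnect; }}; }};
    password "{FP_A}" {{ spkifp; }};
    class servers;
}};
'''

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONF, own_fp=FP_A, peer_fps={"irc1.sisrv.net": FP_B}):
        print(f"{name}: {problem}")
```

Run it against each server's unrealircd.conf with that server's own fingerprint and the fingerprints collected from its peers; an empty result means every link block carries the peer's fingerprint and a restricted mask.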

Step 8: Impose topology restrictions (optional)

In our examples we permit any server to introduce other servers. If this is not what you want, for example if you want to be absolutely sure that a remote link is always 'alone' and has no servers behind it (this is called a leaf) then you can impose this restriction.

If you have a small standard network with just two servers plus a services server and trust each other then this isn't terribly important.

Linking servers (genlinkblock)

If you are linking two UnrealIRCd 6 servers on *NIX (not on Windows) then linking is very easy. Using ./unrealircd genlinkblock all configuration is done for you. Follow the instructions below.

NOTE: The process below is quick and easy and mostly automatic. If you don't want this and prefer to learn everything about linking then read the steps above.

Run the command ./unrealircd genlinkblock on the shell of server A (irc1.sisrv.net in this case):

irc@irc1.sisrv.net:~/unrealircd$ ./unrealircd genlinkblock

Add the following link block to the unrealircd.conf on the OTHER side of the link
(so NOT in the unrealircd.conf on THIS machine). Here it is, just copy-paste:
################################################################################
link irc1.sisrv.net {
    incoming {
        mask *;
    }
    outgoing {
        hostname irc1.sisrv.net;
        port 6900;
        options { tls; autoconnect; }
    }
    password "..." { spkifp; }
    class servers;
}
################################################################################

Do what it says and copy-paste the link block to server B (so the other server!)

NOTE: If the hostname in link::outgoing::hostname (hostname irc1.sisrv.net;) does not actually exist in your case (eg: because you have not bought or registered the domain yet), then you may have to modify it to be the IP address of server A, like: hostname 198.51.100.1;

On side B

Run the same command on the shell of server B:

irc@irc2.sisrv.net:~/unrealircd$ ./unrealircd genlinkblock

Add the following link block to the unrealircd.conf on the OTHER side of the link
(so NOT in the unrealircd.conf on THIS machine). Here it is, just copy-paste:
################################################################################
link irc2.sisrv.net {
    incoming {
        mask *;
    }
    outgoing {
        hostname irc2.sisrv.net;
        port 6900;
        options { tls; autoconnect; }
    }
    password "..." { spkifp; }
    class servers;
}
################################################################################

And copy-paste the outputted link block to server A (so to the server from the previous step).

NOTE: Again, here too. If the hostname in link::outgoing::hostname (hostname irc2.sisrv.net;) does not actually exist in your case (eg: because you have not bought or registered the domain yet), then you may have to modify it to be the IP address of server B, like: hostname 198.51.100.2;

Rehash

Now REHASH both servers.
