13/05 — 20
Setting up an IRC server with InspIRCd v2

I was once in need of an IRC server, for some internal communications. However, all write-ups I could find were lacking or non-functional. So I struggled my way through setting up and getting it to work with SSL and password-protected logins.

Because of this, I have written this guide to help you get your own IRC server up and running.

What will this guide cover?

This guide will cover installation, configuration and the setup for SSL. It is written with the assumption that you already have basic knowledge of Linux and IRC.

This guide is written for Void Linux; however, it should work for other Linux distributions too. Please note that the package manager and packages may vary for each distribution. We will be using InspIRCd as the IRC server. InspIRCd is a modular Internet Relay Chat (IRC) server written in C++ for Linux, BSD, Windows and macOS systems [1].

The specific version of InspIRCd that I will be using is 2.0.29. It should be noted that InspIRCd version 2 reaches End-Of-Life (meaning it will no longer receive patches for security vulnerabilities) as of the 1st June 2020. I would therefore not recommend using InspIRCd v2; you should upgrade to InspIRCd v3 instead. The main focus for the configuration of InspIRCd outlined here is security and simplicity.


Table of Contents

  1. What will this guide cover
  2. Table of Contents
  3. Preparations
    1. Adding a new system user
    2. Rules in the firewall
  4. Installing InspIRCd
  5. Configuring InspIRCd
    1. inspircd.conf
    2. opers.conf
    3. links.conf
    4. modules.conf
    5. MOTD and rules
  6. Testing
  7. Even more security
    1. Hashing passwords
    2. Require password for connection
  8. Conclusion
  9. References

Preparations

If you are to follow this guide step-by-step you will require these things:

  • A system with Void Linux installed
  • Root privileges

Firstly you will need to install some packages. The following packages are needed and recommended:

IRC Server runtime dependencies:

  • runit-iptables
  • gnutls
  • gnutls-tools

IRC Server build/testing dependencies:

  • gnutls-devel
  • pkg-config
  • g++
  • wget
  • tar
  • make
  • lsof

The packages can be installed by running the following command:

                sudo xbps-install -Sy runit-iptables gnutls gnutls-tools
                sudo xbps-install -Sy gnutls-devel pkg-config g++ wget tar make lsof
              

Adding a new system user

For security reasons, we wouldn’t want to run the IRC server as root nor should it have sudo access. Therefore I highly recommend creating a new user that will run the IRC server.
This can be done like this:

                sudo useradd -m -s /bin/bash -U -G users,input inspircd
              

Note: The user is not in the 'wheel' group, meaning it will not be able to escalate to root.

Optionally, you can give your new inspircd user a password:

                sudo passwd inspircd
              

Rules in the firewall

We want the server to be able to communicate with the outside world, but only for what we permit. For that, a good firewall configuration is needed.
Our IRC server will be using TCP/6697, meaning the protocol TCP and the port 6697. Port 6697 is an unofficial but widely used standard port for IRC SSL.
We will be configuring our firewall rules with IPTables. It is pre-installed in nearly all Linux distributions and it is really powerful.

                sudo iptables -A INPUT -p tcp --dport 6697 -j ACCEPT
              

The command above will allow incoming traffic using the TCP protocol on port 6697. If you find this command confusing, read more about iptables using man iptables or consult ExplainShell for this command.

Note: If you are ssh'ed into the server or are planning to use SSH on the server, run the following command, which allows SSH traffic. If this command is not run, you will be disconnected from the server with the next step.

                sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
              

IPTables will not automatically start on bootup; that is why we installed runit-iptables, which adds a service that can be started on bootup. Please be sure your firewall is set up correctly before running this command, as a mistake may prove difficult to recover a remote server from. Run this command to automatically start IPTables on bootup:

                sudo ln -s /etc/sv/iptables /var/service
              

Installing InspIRCd

I like to have my IRC server located in /opt/, but you can have it wherever you like. First we must get the latest version of InspIRCd. The best way is to go to their GitHub and download the latest v2 release. Alternatively, you can wget it like this:

                wget -O inspircd-2.0.29.tar.gz https://github.com/inspircd/inspircd/archive/v2.0.29.tar.gz
              

The package can then be decompressed like this

                tar xzvf inspircd-2.0.29.tar.gz
              

Now I will create /opt/irc and move the InspIRCd files into it:

                sudo mkdir /opt/irc
                sudo mv inspircd-2.0.29/* /opt/irc/
              

Now all the files are in /opt/irc, but they are owned by root. Therefore we will change the owner of the files to the inspircd user:

                sudo chown -R inspircd:inspircd /opt/irc
              

With the pre-setup completed, we can now switch to our new user.

                su - inspircd
                cd /opt/irc
              

Now we are ready to start installing InspIRCd.
Firstly we must make sure that InspIRCd will be configured to use GnuTLS

                ./configure --enable-extras=m_ssl_gnutls.cpp
              

Now we must configure InspIRCd

                ./configure
              

It will start by asking for installation directories. You should leave them be; by default it takes the current directory as the base install point, e.g. /opt/irc. For all the directory-related questions, press Enter.

If asked to enable Epoll enter y and press enter.
When asked to enable SSL Support enter y and press enter.
When asked to use SSL with m_ssl_gnutls enter y and press enter.
When asked to use SSL with m_ssl_openssl enter n and press enter.
When asked to check for updates to third-party modules enter n and press enter.
When asked if you want to generate an SSL certificate now enter y and press enter (Only if you do not already have a certificate).
Fill in the appropriate data. When asked for the hostname I like to enter something like irc.gejr.dk or chat.example.com.

The configuration is now complete, and you need to make the program.
Use the following command to make the program:

                make
              

This will take some time, so go make a cup of coffee or tea in the meantime.
When the make command is finished, run this command to install the program. Don't worry, this won't take that long.

                make install
              

Configuring InspIRCd

With InspIRCd installed, the fun but challenging part begins.
There are two ways to go about this. You can either copy the provided example config file and start editing that, or copy my example config file. Either way is completely valid; however, I recommend you read the documentation on the InspIRCd v2 website so you know what you are editing.
All configuration files related to InspIRCd are located by default in ${base-install}/run/conf; if you have followed this guide, the full path is therefore /opt/irc/run/conf.

                cd /opt/irc/run/conf
              

inspircd.conf

If you desire to use the official config file use this command:

                cp /opt/irc/docs/conf/inspircd.conf.example /opt/irc/run/conf/inspircd.conf
              

You can now edit to your heart's content.

Alternatively, you can use my example config file.
Use your favourite editor to copy-paste and edit my config file.

                vim /opt/irc/run/conf/inspircd.conf
              

And paste the following:

<config format="xml">
<define name="bindip" value="1.2.2.3">
<define name="localips" value="&bindip;/24">

  ####### SERVER CONFIGURATION #######

<server
    name="irc.example.com"
    description="Example Description"
    id="97K"
    network="irc.example.com">

  ####### ADMIN INFO #######

<admin
    name="Lorem Ipsum"
    nick="Dolor"
    email="example@example.com">

  ####### PORT CONFIGURATION #######

<bind
    address=""
    port="6697"
    type="clients"
    ssl="gnutls">

<module name="m_ssl_gnutls.so">
<gnutls certfile="/opt/irc/run/conf/cert.pem" keyfile="/opt/irc/run/conf/key.pem" priority="NORMAL:-MD5" hash="sha1">

<bind
    address=""
    port="7000"
    type="servers">

  ####### DIE and RESTART CONFIGURATION #######

<power
    diepass="mypassword"
    restartpass="mypassword">

  ####### CONNECT CONFIGURATION #######

<connect deny="3ffe::0/32" reason="The 6bone address space is deprecated">

<connect
    name="main"
    allow="*"
    #maxchans="30"
    timeout="10"
    pingfreq="120"
    hardsendq="1M"
    softsendq="8192"
    recvq="8K"
    threshold="10"
    commandrate="1000"
    fakelag="on"
    localmax="10"
    globalmax="10"
    useident="no"
    limit="5000"
    modes="+x">

  ####### CIDR CONFIGURATION #######

<cidr
    ipv4clone="32"
    ipv6clone="128">

  ####### INCLUDE FILE #######

<include file="/opt/irc/run/conf/opers.conf">
<include file="/opt/irc/run/conf/links.conf">
<include file="/opt/irc/run/conf/modules.conf">

  ####### MISCELLANEOUS CONFIGURATION #######

<files motd="/opt/irc/run/conf/motd.txt" rules="/opt/irc/run/conf/rules.txt">

  ####### MAXIMUM CHANNELS #######

<channels
    users="20"
    opers="60">

  ####### PID FILE #######

<pid file="/opt/irc/inspircd.pid">

  ####### BANLIST LIMITS #######

<banlist chan="#largechan" limit="128">
<banlist chan="*" limit="69">

  ####### SERVER OPTIONS #######

<options
    prefixquit="Quit: "
    suffixquit=""
    prefixpart="&quot;"
    suffixpart="&quot;"
    syntaxhints="no"
    cyclehosts="yes"
    cyclehostsfromuser="no"
    ircumsgprefix="no"
    announcets="yes"
    allowmismatch="no"
    defaultbind="auto"
    hostintopic="yes"
    pingwarning="15"
    serverpingfreq="60"
    defaultmodes="nt"
    moronbanner="You're banned! Email example@example.com with the ERROR line below for help."
    exemptchanops="nonick:v flood:o"
    invitebypassmodes="yes"
    nosnoticestack="no"
    welcomenotice="yes">

  ####### PERFORMANCE CONFIGURATION #######

<performance
    netbuffersize="10240"
    somaxconn="128"
    limitsomaxconn="true"
    softlimit="12800"
    quietbursts="yes"
    nouserdns="no">

  ####### SECURITY CONFIGURATION #######

  <security
    announceinvites="dynamic"
    hidemodes="eI"
    hideulines="no"
    flatlinks="no"
    hidewhois=""
    hidebans="no"
    hidekills=""
    hidesplits="no"
    maxtargets="20"
    customversion=""
    operspywhois="no"
    restrictbannedusers="yes"
    genericoper="no"
    userstats="Pu">

  ####### LIMITS CONFIGURATION #######

<limits
    maxnick="31"
    maxchan="64"
    maxmodes="20"
    maxident="11"
    maxquit="255"
    maxtopic="307"
    maxkick="255"
    maxgecos="128"
    maxaway="200">

  ####### LOGGING #######

<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="logs/ircd.log">

  ####### WHOWAS OPTIONS #######

<whowas
    groupsize="10"
    maxgroups="100000"
    maxkeep="3d">

  ####### BAN OPTIONS #######

<badip
    ipmask="192.0.2.69"
    reason="No porn here thanks.">

<badnick
    nick="ChanServ"
    reason="Reserved For Services">

<badnick nick="NickServ" reason="Reserved For Services">
<badnick nick="OperServ" reason="Reserved For Services">
<badnick nick="MemoServ" reason="Reserved For Services">

<badhost
    host="*@banneduser.example.net">

<badhost host="root@*" reason="Don't IRC as root!">
<badhost host="*@198.51.100.0/24" reason="This subnet is bad.">

  # exception: Hosts that are exempt from [kgz]lines.
<exception
    host="*@ircop.example.com"
    reason="Oper's hostname">

  ####### INSANE BAN OPTIONS #######

<insane
    hostmasks="no"
    ipmasks="no"
    nickmasks="no"
    trigger="95.5">
              

You will now need to edit the above config file. The specific blocks you'll need to edit are as follows:

  • Server configuration block:
    • Name: Hostname or FQDN of the server.
    • Description: Your server description.
    • Id: You can usually leave this be, but it needs to be the SID of the server - 2 numbers with 1 letter.
    • Network: name of your network.
  • Admin configuration block:
    • Name: The admin's real name.
    • Nick: The admin nick used on IRC network.
    • E-mail: The e-mail for the admin.
  • Bind-address configuration block:
    • Address: The server IP address - not a hostname, you can leave this blank and InspIRCd will figure it out by itself.
    • Port: The port. You'll most likely want to leave it at the default.
    • Type: Clients or Servers type. You'll most likely want to leave it at the default.
    • SSL: The encryption used - normally you'll choose between openssl or gnutls. But we have disabled OpenSSL in the configuration step. Therefore you'll most likely want to leave it at the default.
  • Die and Restart configuration block:
    • Diepass: Whatever password your trusted IRC ops will use to kill the server
    • Restartpass: Whatever password your trusted IRC ops will use to restart the server

opers.conf

If you desire to use the official config file use this command:

                cp /opt/irc/docs/conf/opers.conf.example /opt/irc/run/conf/opers.conf
              

You can now edit to your heart's content.

Alternatively, you can use my example config file.
Use your favourite editor to copy-paste and edit my config file.

                vim /opt/irc/run/conf/opers.conf
              

And paste the following

<class
    name="Shutdown"
    commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE"
    usermodes="*"
    chanmodes="*">

<class name="SACommands" commands="SAJOIN SAPART SANICK SAQUIT SATOPIC SAKICK SAMODE OJOIN">
<class name="ServerLink" commands="CONNECT SQUIT RCONNECT RSQUIT MKPASSWD ALLTIME SWHOIS JUMPSERVER LOCKSERV UNLOCKSERV" usermodes="*" chanmodes="*" privs="servers/auspex">
<class name="BanControl" commands="KILL GLINE KLINE ZLINE QLINE ELINE TLINE RLINE CHECK NICKLOCK NICKUNLOCK SHUN CLONES CBAN CLOSE" usermodes="*" chanmodes="*">
<class name="OperChat" commands="WALLOPS GLOBOPS" usermodes="*" chanmodes="*" privs="users/mass-message">
<class name="HostCloak" commands="SETHOST SETIDENT SETIDLE CHGNAME CHGHOST CHGIDENT" usermodes="*" chanmodes="*" privs="users/auspex">

<type
    name="NetAdmin"
    classes="SACommands OperChat BanControl HostCloak Shutdown ServerLink"
    vhost="netadmin.inspircd.co"
    modes="+s +cCqQ">

<type name="GlobalOp" classes="SACommands OperChat BanControl HostCloak ServerLink" vhost="ircop.inspircd.co">
<type name="Helper" classes="HostCloak" vhost="helper.inspircd.co">

  ####### OPERATOR CONFIGURATION #######

<oper
    name="example"
    password="mypassword"
    host="example@dialup1.isp.lorem.com *@localhost *@example.com *@*"
    type="NetAdmin">
              

You will now need to edit the above config file. The specific blocks you'll need to edit are as follows:

  • Operator configuration block:
    • Name: The name used on the net
    • Password: The password to gain the oper
    • Host: Defines which hosts are allowed to become oper. If you want all hosts or IPs to be able to gain oper access, define it as *@*.
    • Type: The type of the operator - NetAdmin, Helper, GlobalOp. You can add your own 'ranks' by editing the classes.

links.conf

If you desire to use the official config file use this command:

                cp /opt/irc/docs/conf/links.conf.example /opt/irc/run/conf/links.conf
              

You can now edit to your heart's content.

Alternatively, you can use my example config file.
Use your favourite editor to copy-paste and edit my config file.

                vim /opt/irc/run/conf/links.conf
              

And paste the following

<link name="services.inspircd.co"
    ipaddr="127.0.0.1"
    port="7000"
    sid="3AX"
    allowmask="127.0.0.0/8"
    sendpass="iamalive"
    recvpass="iamalive">

<uline server="services.inspircd.co" silent="yes">
              

modules.conf

The module config file is a little different. I will not be providing an example; I will, however, be noting which modules you should enable.
Start by copying the provided example config file:

                cp /opt/irc/docs/conf/modules.conf.example /opt/irc/run/conf/modules.conf
              

Use your favourite editor to edit the config file and uncomment the following modules:

                m_md5              - line   37
                m_sha256           - line   49
                m_ripemd160        - line   56
                m_alias            - line   65
                m_chghost          - line  467
                m_customprefix     - line  636
                m_globops          - line  826
                m_hidechans        - line  857
                m_password_hash    - line 1368
                m_services_account - line 1665
                m_svshold          - line 1825
                m_spanningtree     - line 1932
              

MOTD and rules

I will not be providing an example for a MOTD or Rules. A quick search will provide more than enough inspiration for some cool MOTDs.
You can get InspIRCd's MOTD and Rules examples like this:

                cp /opt/irc/docs/conf/motd.txt.example /opt/irc/run/conf/motd.txt
                cp /opt/irc/docs/conf/rules.txt.example /opt/irc/run/conf/rules.txt
              

You can now edit the MOTD and the Rules to your heart's content.


The IRC server configuration is now completed and should be ready to run.

Start the IRC server by running this command:

                /opt/irc/run/inspircd start
              

Testing

Now exit from the IRC user inspircd by typing exit

                exit
              

If you want to check that InspIRCd is listening on the correct ports, you can use this command. You should see output like this:

                sudo lsof -i -P -n | grep LISTEN
                COMMAND    PID     USER       FD   TYPE   DEVICE   SIZE/OFF   NODE   NAME
                inspircd   30042   inspircd   7u   IPv6   749604   0t0        TCP    *:6697 (LISTEN)
                inspircd   30042   inspircd   8u   IPv6   749605   0t0        TCP    *:7000 (LISTEN)
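
The same check as a script, as an added example that is not part of the original guide: it parses lsof output, confirms the listeners belong to the unprivileged inspircd user, and compares them with the ports bound in inspircd.conf and the port opened in iptables earlier. The sshd line, the function names and the two port sets are assumptions made for the example.

```python
# Constructed sample: the two inspircd lines shown above plus one sshd line
# added here so the parser sees a listener that is not the IRC server.
SAMPLE_LSOF = """\
COMMAND    PID     USER       FD   TYPE   DEVICE   SIZE/OFF   NODE   NAME
sshd       812     root       3u   IPv4   15012    0t0        TCP    *:22 (LISTEN)
inspircd   30042   inspircd   7u   IPv6   749604   0t0        TCP    *:6697 (LISTEN)
inspircd   30042   inspircd   8u   IPv6   749605   0t0        TCP    *:7000 (LISTEN)
"""

# The IRC port this guide opens in iptables, and the ports bound in inspircd.conf.
FIREWALL_OPEN = {6697}
EXPECTED_PORTS = {6697, 7000}
WILDCARDS = ("*", "[::]", "0.0.0.0")


def listeners(text):
    """Parse `lsof -i -P -n` output into dicts, keeping LISTEN sockets only."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue  # header line or a socket that is not listening
        host, port = fields[8].rsplit(":", 1)  # rsplit copes with [::1]:7000
        rows.append({"command": fields[0], "user": fields[2],
                     "host": host, "port": int(port)})
    return rows


def check(text, service="inspircd", run_as="inspircd"):
    """Return sorted (port, issue) tuples for the IRC daemon's listeners."""
    issues = set()
    seen = set()
    for row in listeners(text):
        if row["command"] != service:
            continue
        seen.add(row["port"])
        if row["user"] != run_as:
            issues.add((row["port"], f"runs-as-{row['user']}"))
        if row["port"] not in EXPECTED_PORTS:
            issues.add((row["port"], "unexpected-listener"))
        if row["host"] in WILDCARDS and row["port"] not in FIREWALL_OPEN:
            issues.add((row["port"], "all-addresses-but-no-firewall-rule"))
    for port in EXPECTED_PORTS - seen:
        issues.add((port, "not-listening"))
    return sorted(issues)


if __name__ == "__main__":
    for port, issue in check(SAMPLE_LSOF):
        print(f"port {port}: {issue}")
```

On the sample the only finding is port 7000: the servers bind uses address="" and so listens on every address, while links.conf only links a service at 127.0.0.1. If nothing remote links to it, setting that bind's address to 127.0.0.1 keeps the link port off external interfaces.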
              

Now we will try to connect to the server to check everything works. For this, I will be using the IRC client irssi. It is a terminal-based client, but if you are more comfortable with a GUI-based client like HexChat or Pidgin, feel free to use that.

Start by installing your desired IRC client and then open it

              sudo xbps-install -Sy irssi
              

You should see the Irssi interface fill the entire terminal

                irssi
                Irssi v1.2.2 - https://irssi.org
                00:00 -!-  ___           _
                00:00 -!- |_ _|_ _ _____(_)
                00:00 -!-  | || '_(_-<_-< |
                00:00 -!- |___|_| /__/__/_|
                00:00 -!- Irssi v1.2.2 - https://irssi.org

                ...

                [00:00] [] [1]
                [(status)]
              

Join your server by entering the connection information into the command bar:

                /connect -ssl <ip/hostname> <port> <password> <nickname>
              

For this example server, the command would be:

                /connect -ssl 127.0.0.1 6697
              

This will assume your nick is your computer's hostname. If this is not desired, you can use:

                /connect -ssl 127.0.0.1 6697 1234 ExampleNick
              

Since you do not have a password, simply enter anything in the password field.

If you have connected successfully, you should see your MOTD displayed, followed by:

                00:00 -!- irc.example.com *** You are connected using SSL cipher "ECDHE-RSA-AES-256-GCM-AEAD"
                00:00 -!- Mode change [+i] for user ExampleNick
              

Now try becoming Oper

                /oper
              

This will assume your nickname is the same as the oper you are trying to become. If your nickname is different from the oper you defined in /opt/irc/run/conf/opers.conf and you want to go oper as another nick, the specific nick can be passed afterwards.

                /oper nick
              

Even more security

Hashing passwords

Once you have confirmed the IRC server is working properly, I strongly encourage you to change all the stored passwords. You are currently storing them in plain text, which is extremely bad practice and insecure. To mitigate this problem, the IRC server has a module to create hashed passwords. To create a hashed password, use the following command while connected to your IRC server:

                /quote mkpasswd hmac-sha256 mypassword
              

Your IRC server should respond with the following

                00:00 -!- irc.example.com hmac-sha256 hashed password for mypassword is Pf2VC3PN$inAc8AZZuv3zzWyLdKJnrwjj8wLNj8Xn7pm+T6YnPrw
              

Copy the hashed password and replace the plain-text passwords with your new hashed password. It is also recommended to specify what hashing algorithm should be used.

For example, the oper configuration block would look like this:

<oper
    name="example"
    hash="hmac-sha256"
    password="Pf2VC3PN$inAc8AZZuv3zzWyLdKJnrwjj8wLNj8Xn7pm+T6YnPrw"
    host="example@dialup1.isp.lorem.com *@localhost *@example.com *@*"
    type="NetAdmin">
              

Everywhere you have a plain-text password, it is recommended that you change it to a hashed version and that you specify the hash type, like in the example above.

Note: Only use the /mkpasswd command on servers you trust with your plain-text password, as an IRC-server may be logging the commands.

After this change you can restart your server by running this command:

                /opt/irc/run/inspircd restart
              

Require password for connection

You can make your IRC-server even more secure by requiring a password to even be able to connect. This can be done by once again using the /mkpasswd command.

                /quote mkpasswd hmac-sha256 connection-password
              

Now edit your inspircd.conf

                vim /opt/irc/run/conf/inspircd.conf
              

Now change the connect configuration block to include a password and a hash field, like this:

<connect
    name="main"
    allow="*"

    hash="hmac-sha256" 
    password="LTHI6+va$vxiEZqxLh1S9ohnRFWTSTSDi+xSM8LpfF8T1BDhRt/c"

    #maxchans="30"
    timeout="10"
    pingfreq="120"
    hardsendq="1M"
    softsendq="8192"
    recvq="8K"
    threshold="10"
    commandrate="1000"
    fakelag="on"
    localmax="10"
    globalmax="10"
    useident="no"
    limit="5000"
    modes="+x">
              

Replace the hashed password with your own. The password hashed in this example is connection-password.
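
A check for the two hardening steps above (hashed passwords, and a password on the connect block), as an added example that is not part of the original guide or of InspIRCd: it scans config text for password fields stored without a hash= attribute, connect blocks that admit clients without a password, and oper blocks whose host list contains *@*. The tag parser is a simplified assumption (only whole-line # comments are handled), and the sample config is constructed from the blocks shown on this page.

```python
import re

# Constructed sample built from the blocks shown in this guide.
SAMPLE_CONF = r'''
<power
    diepass="mypassword"
    restartpass="mypassword">

<connect deny="3ffe::0/32" reason="The 6bone address space is deprecated">

<connect
    name="main"
    allow="*"
    #maxchans="30"
    timeout="10">

<oper
    name="example"
    hash="hmac-sha256"
    password="Pf2VC3PN$inAc8AZZuv3zzWyLdKJnrwjj8wLNj8Xn7pm+T6YnPrw"
    host="example@dialup1.isp.lorem.com *@localhost *@example.com *@*"
    type="NetAdmin">
'''

TAG_RE = re.compile(r'<(\w+)((?:\s+\w+="[^"]*")*)\s*>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Password-bearing attributes per tag, as used in this guide's config files.
SECRET_KEYS = {"oper": ("password",), "connect": ("password",),
               "power": ("diepass", "restartpass")}


def parse_tags(text):
    """Yield (tag, attrs) for every <tag key="value" ...> block."""
    # Simplification: only whole-line '#' comments are dropped, so a '#'
    # inside a quoted value (chan="#largechan") is left untouched.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    for m in TAG_RE.finditer("\n".join(lines)):
        yield m.group(1), dict(ATTR_RE.findall(m.group(2)))


def audit(text):
    """Return a list of (tag, name, issue) tuples for weak settings."""
    findings = []
    for tag, attrs in parse_tags(text):
        name = attrs.get("name", tag)
        algo = attrs.get("hash", "")
        for key in SECRET_KEYS.get(tag, ()):
            value = attrs.get(key)
            if not value:
                continue
            if not algo:
                findings.append((tag, name, f"plaintext:{key}"))
            elif algo.startswith("hmac-") and "$" not in value:
                # The hmac-* output shown in this guide has the form salt$digest.
                findings.append((tag, name, f"malformed-hash:{key}"))
        if tag == "connect" and "allow" in attrs and "password" not in attrs:
            findings.append((tag, name, "no-connect-password"))
        if tag == "oper" and "*@*" in attrs.get("host", "").split():
            findings.append((tag, name, "oper-from-any-host"))
    return findings


if __name__ == "__main__":
    for tag, name, issue in audit(SAMPLE_CONF):
        print(f"<{tag}> {name}: {issue}")
```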

Conclusion

Congratulations, you now have a pretty good base for a great IRC-server. How can you continue and improve on this base? You should start off by reading the documentation and experimenting with more options in the config files. From there I would recommend you start upgrading your InspIRCd IRC-server to version 3, as version 2 will soon reach End-of-Life. Plus version 3 has many more cool features and is performance-wise much better.

You can also look at integrating Anope or Atheme. They are both widely used services packages, and they are pretty easy to set up and to get working with your InspIRCd server. I might make a write-up on this topic, one day.

I hope this write-up helped you.

References


  1. As stated on InspIRCd’s website: https://www.inspircd.org/