The official ezine of the DALnet IRC Network
August/Sept, 2002 Issue.

Securing ircd (with an emphasis on Bahamut) using OpenSSL and Stunnel

The ircd.conf file

Every IRC daemon (ircd) ships with an ircd.conf file, and in it you list the ports the ircd listens on. Typically these are 6000 through 6667, and sometimes 7000. When adding SSL to ircd you do not want to make every port SSL-only, because then every client would HAVE to speak SSL to connect at all. Instead, leave 6000 through 6667 in place as plain (non-SSL) ports and have the daemon listen on three extra ports, say 7002, 7003 and 7004, which nothing but the stunnel forwarders will ever connect to. Then you can put stunnel in front of them, as described next.

Adding SSL to ircd

We will assume OpenSSL and Stunnel are installed on the server running ircd, and that /path/to/stunnel.pem holds the server's private key followed by its certificate (the layout stunnel expects) and is readable only by the user stunnel runs as. The flags below are stunnel 3.x command-line syntax: -d is the port to listen on, -r the host:port to forward to, -N the service name tcp_wrappers will see, -o the log file and -p the certificate file.

stunnel -o /var/log/stunnel.log -N sircd1 -d 8002 -r name.ircd.server:7002 -p /path/to/stunnel.pem
stunnel -o /var/log/stunnel.log -N sircd2 -d 8003 -r name.ircd.server:7003 -p /path/to/stunnel.pem
stunnel -o /var/log/stunnel.log -N sircd3 -d 8004 -r name.ircd.server:7004 -p /path/to/stunnel.pem

Then, in /etc/hosts.allow, you would add (the names match the -N service names given above):

sircd1 : ALL : allow
sircd2 : ALL : allow
sircd3 : ALL : allow

tcp_wrappers reads /etc/hosts.allow afresh on every connection, so nothing needs restarting for these entries to take effect. Only if you ran stunnel from inetd instead of with -d, and so had to edit inetd.conf, would you reload inetd with: killall -HUP inetd

This leaves your ircd accepting plain clients on ports 6000 through 6667, while anyone who wants to identify to NickServ or ChanServ, or send a memo via MemoServ, from a potentially hostile network such as an Internet cafe or a university LAN can do so through an encrypted tunnel on the SSL-aware ports 8002 through 8004. The firewall or router protecting the ircd has to be opened for TCP traffic to ports 8002 through 8004, while 7002, 7003 and 7004 stay firewalled: stunnel decrypts the traffic and hands it to those ports in the clear, so they exist only as forward targets for 8002, 8003 and 8004 and nothing else should be able to reach them. If stunnel runs on the same host as ircd, point -r at 127.0.0.1:7002 (and so on) rather than the public hostname, so the plaintext hop never leaves the loopback interface. Two consequences to keep in mind: ircd sees every tunnelled connection as coming from the stunnel host's address rather than the user's, so per-host connection limits, K-lines and hostmask bans treat all SSL users as one host; and the tunnel protects only the hop between the client and this server, so a NickServ password still crosses the server-to-server links to services in the clear unless those links are encrypted too.

Your IRCops who "oper up" with their passwords would also appreciate the extra protection when sending their oper password over the wire to the ircd.

Your IRC clients

Last I checked, the UNIX IRC client BitchX is the *only* IRC client that supports SSL, and you still have to compile this feature in when you are building it. At the time of this writing, I know mIRC does *NOT* have SSL capability in its client (correct me if I'm wrong please, as it's been over 3 years since I've even seen mIRC), so those desiring to use SSL will have to follow the technique outlined in my previous article regarding installing OpenSSL on Windows.

Now, I realize on the large networks like DALnet, probably 95% of the clients connecting are running mIRC on Windows, and have no thoughts of securing their traffic to the network. But I bet there are some on Windows and UNIX who would use this feature if it was advertised either on the IRC network's website or via a listserv the network has running. I'm pretty sure the IRCops who use Windows in an insecure setting would appreciate using this service. And, who knows, maybe after a year or so of educating users it will become a standard and YOUR IRC network can go down in the history books as the first to use SSL in securing IRC traffic.

Again, of the 95% or so of users on, say, DALnet who use mIRC, probably 95% of those have no idea how to compile OpenSSL on Windows. If you will recall from my previous article, a Windows box only needs libssl32.dll and libeay32.dll in c:\windows\system to do SSL tunneling. Since most IRC junkies trust their favorite IRC admin with their life (LOL!), the network could have a Windows guru build OpenSSL on Windows and then offer these two files for download from the network's website, ideally with checksums posted alongside so users can confirm they got the files the admins actually published. You will most likely have to provide a short HOWTO for most users.

Making the client-to-server connection using stunnel and an IRC client

Let's use liberty.dal.net as an example.

If liberty.dal.net had an SSL-aware daemon running on port 8002, a client would simply run stunnel in client mode (-c) to connect to the server and forward a local port to it:

stunnel -c -d 6667 -r liberty.dal.net:8002

On a shared network, bind the local end to loopback only (-d 127.0.0.1:6667) so other machines on the LAN cannot ride your tunnel, and have stunnel check the server's certificate (stunnel 3's -v 3 together with -A pointing at a copy of the server certificate obtained out of band); without that check the tunnel stops passive sniffing but not an active man in the middle. The IRC client then talks plaintext to the local stunnel, which carries it encrypted to liberty.dal.net port 8002, so the client connects with:

/server 127.0.0.1 6667
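Both halves of the setup, the server-side stunnel in front of ircd's plaintext forward port and the client-side stunnel -c with the server certificate checked, as an added example in Python; this is not code from the article or from stunnel, Python's ssl module simply plays stunnel's part so the whole exchange can run on one machine. It builds a stunnel-style stunnel.pem (key followed by certificate) with the openssl command line, which it assumes is installed just as the article does; terminates TLS on a loopback port; relays the decrypted bytes to a stand-in for ircd's forward port; and has the client pin the server certificate the way stunnel 3's -v 3 -A would. The hostname name.ircd.server, the NickServ line and the stand-in ircd's reply are constructed for the example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "name.ircd.server"   # hypothetical name, as in the article's stunnel lines


def make_stunnel_pem(directory, cn=SERVER_NAME):
    """Build a stunnel-style PEM (private key followed by certificate) with the
    openssl CLI, which this example assumes is on PATH. Returns the combined file
    (for the server) and the certificate-only file (what you would hand to users)."""
    key, cert, combined = (os.path.join(directory, n)
                           for n in ("key.pem", "cert.pem", "stunnel.pem"))
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}",
         "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(combined, "wb") as out:
        for part in (key, cert):
            with open(part, "rb") as f:
                out.write(f.read())
    os.chmod(combined, 0o600)      # the private key is in here; only stunnel's user may read it
    return combined, cert


def start_fake_ircd():
    """Plaintext listener standing in for ircd's forward port (7002 in the article).
    Records the peer address and the first line received, answers once, hangs up."""
    seen = {}
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        conn, peer = srv.accept()
        seen["peer"] = peer[0]
        seen["line"] = conn.makefile("rb").readline().decode().rstrip("\r\n")
        conn.sendall(b":irc.example NOTICE * :got it\r\n")   # constructed reply
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def start_forwarder(pem, ircd_port):
    """stunnel's role: accept TLS, decrypt, relay the bytes to 127.0.0.1:ircd_port in
    the clear (and the replies back). Returns the port it listens on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pem)       # key and cert both come from the combined file
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def pump(src, dst):
        try:
            while data := src.recv(4096):
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)   # pass the EOF on to the other side
            except OSError:
                pass

    def serve():
        while True:
            raw, _ = lsock.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)
            except ssl.SSLError:               # not a TLS client; drop it
                raw.close()
                continue
            back = socket.create_connection(("127.0.0.1", ircd_port))
            threading.Thread(target=pump, args=(tls, back), daemon=True).start()
            threading.Thread(target=pump, args=(back, tls), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def tls_client_send(cert, port, line, server_hostname=SERVER_NAME):
    """The user's stunnel -c, with the server certificate pinned (what stunnel 3's
    -v 3 -A cert.pem does): anything not matching that certificate is refused."""
    ctx = ssl.create_default_context(cafile=cert)
    with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(line.encode() + b"\r\n")
            reply = tls.recv(4096).decode().rstrip("\r\n")
            return reply, tls.version()


def run_demo(line="PRIVMSG NickServ :IDENTIFY hunter2"):
    """Wire the pieces together on loopback and report what each side saw."""
    with tempfile.TemporaryDirectory() as d:
        pem, cert = make_stunnel_pem(d)
        ircd_port, seen = start_fake_ircd()
        tunnel_port = start_forwarder(pem, ircd_port)
        reply, version = tls_client_send(cert, tunnel_port, line)
    return {"ircd_saw": seen["line"], "ircd_peer": seen["peer"],
            "reply": reply, "tls_version": version}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the stand-in ircd receiving the IDENTIFY line in the clear from the forwarder, which is exactly why ports 7002 through 7004 must stay unreachable from outside. The peer address it records is 127.0.0.1 for everyone here; in a real deployment it is the stunnel host's address for every tunnelled user, so ircd's per-host limits and bans apply to all of them as one host. Note that the client trusts cert.pem, not stunnel.pem: the file handed to users must never contain the private key.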

Questions? Comments? /msg VipOrX on DALnet

Have Fun!

©Vip0rx 2002

Note: Views expressed here may not be those of the DALnet IRC Network.
layout, design, images and contents copyright © 2001-2002 by the DALnet IRC Network Zine Team <zine@dal.net>