
HardeningTest: Difference between revisions

From ZNC
Both revisions by DoctorD90 (talk | contribs), no edit summary. Changes at line 12:
New revision (this edit turns Sasl, Nickserv, Fail2ban and Schat into wiki links; the remaining lines are unchanged):

* client-znc: [[Certauth|CertAuth]] - [[Sasl]] - [[Nickserv]]
* znc-server: [[Cert]]

* ONLY SSL enabled
* [[Fail2ban]] module
* ufw rules
* Discussion about Public and Private CA
* [[Schat]] module

# Hardening the Security

Revision as of 00:44, 19 August 2021

Configuration

SSLCiphers =
  TLSv1.2+TLSv1.3: 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!DSS'
  (expanded) TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
  TLSv1.3: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'

SSLProtocols = All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

PrivateKey = ECC only


  • ONLY SSL enabled
  • Fail2ban module
  • ufw rules
  • Discussion about Public and Private CA
  • Schat module


  1. Hardening the Security


ZNC acts as a proxy for the IRC connection, so it manages two kinds of connections:
* IRC client <-> ZNC
* ZNC <-> IRC Server

To increase our security we want both of them to use the SSL layer; otherwise the information is secured only on the side where SSL is in use and completely unprotected on the other side, which means: garbage in, garbage out.

Before proceeding, we have to make sure that ZNC has been compiled with SSL support.

To do this (ask..)

    1. ZNC Config

As shown in the Configuration section, we have a couple of security options.

(Ask if split pem or keep it single)

Another important setting is the key exchange. The defaults are perfectly fine, but if you are security-paranoid and your clients support the latest EC (elliptic curve) algorithms, you can push them to accept only XXXX
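To see what the two directives above actually leave enabled before restarting ZNC, the following added example (not ZNC's own code) models the documented SSLProtocols syntax and asks the local OpenSSL, through Python's ssl module, which suites an SSLCiphers string really selects, flagging any that are not AEAD or lack (EC)DHE key exchange. The token semantics (bare name resets the set, "+"/"-" add or remove) are modeled on the documented syntax and are an assumption about ZNC's parser.

```python
import ssl

# Protocol names accepted by ZNC's SSLProtocols directive. Tokens are read left
# to right: "+X" enables X, "-X" disables X, and a bare name (including "All")
# resets the enabled set to exactly that name. Constructed model of the
# documented syntax, not ZNC's own parser.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(directive):
    """Return the set of protocol versions an SSLProtocols value leaves enabled."""
    enabled = set()
    for token in directive.split():
        if token.startswith("+"):
            enabled |= ALL_PROTOCOLS if token[1:] == "All" else {token[1:]}
        elif token.startswith("-"):
            enabled -= ALL_PROTOCOLS if token[1:] == "All" else {token[1:]}
        else:
            enabled = set(ALL_PROTOCOLS) if token == "All" else {token}
    return enabled


def weak_protocols_enabled(directive):
    """Legacy versions (SSLv2/3, TLS 1.0/1.1) that the directive still allows."""
    return enabled_protocols(directive) & WEAK_PROTOCOLS


def expand_cipher_list(spec):
    """Ask the local OpenSSL which suites an SSLCiphers string really selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string matches nothing
    return [c["name"] for c in ctx.get_ciphers()]


def audit_cipher_list(spec):
    """Names of selected suites that are not AEAD or lack (EC)DHE key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    flagged = []
    for c in ctx.get_ciphers():
        if not c["aead"]:
            flagged.append(c["name"])  # CBC/HMAC suite
        elif c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE-", "DHE-")):
            flagged.append(c["name"])  # static RSA key exchange: no forward secrecy
    return flagged


if __name__ == "__main__":
    print(enabled_protocols("All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3"))
    print(expand_cipher_list("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!DSS"))
    print(audit_cipher_list("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!DSS"))
```

The expanded list depends on the OpenSSL build Python is linked against, so run it on the host that will run ZNC.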

    1. Certificate

Copy the certificate instructions

    1. IRC Client connection

The first connection we handle is IRC Client <-> ZNC. The first step is to enable the SSL port directly during the initial configuration; otherwise we can enable it later via the WebAdmin panel or via the command line.

      1. Web Admin Page

Screenshot

      1. Command line

Run this command (Check command)

Now we have to configure our clients to use SSL on connection. The second, optional step is to use the Cert