HardeningTest
This page discusses several topics on how to harden your ZNC instance.
Paranoid notes are placed to highlight security settings pushed to the extreme, for the security paranoid.
SSL
Enable
Generate SSL files
Public CA Signed or Self Signed Certificate
ZNC Configuration File
Modules
Fail2Ban
SChat
Hardening the Server
TODO
SSLCiphers=
TLSv1.2+TLSv1.3 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!DSS'
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
TLSv1.3 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
In the configuration file there are 2 important parameters that can be set:
- SSLCiphers
- SSLProtocols
By default, the version of ZNC current at the time of writing uses the right trade-off between compatibility and security.
The default values are:
SSLCiphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLProtocols = All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
If you want to push security further and you don't care about compatibility, you can use these values:
SSLCiphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLProtocols = All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 +TLSv1.3
Warning: Be aware that the above settings affect not only the Clients<->ZNC connections, but also ZNC<->Servers; this means that if an IRC server is not configured to support TLSv1.3, you will not be able to connect to it.
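The following check is an added example, not part of the original page or of ZNC itself. It resolves an SSLProtocols value to the set of protocols it leaves enabled and reports when that set has nothing in common with a peer, which is the failure the warning above describes. The token semantics (applied left to right, "-" disables, "+" or no prefix enables, "All" means every protocol) and the function names are assumptions made for this example.

```python
import re

# Protocol names as they appear in the SSLProtocols values on this page.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Default value quoted on this page, used when the config has no SSLProtocols line.
DEFAULT = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3"

def enabled_protocols(value):
    """Apply tokens left to right (assumed semantics): '-X' disables X,
    '+X' or bare 'X' enables it, and 'All' stands for every protocol."""
    enabled = set()
    for token in value.split():
        enable = not token.startswith("-")
        name = token.lstrip("+-")
        targets = PROTOCOLS if name.lower() == "all" else (name,)
        for proto in targets:
            if proto not in PROTOCOLS:
                raise ValueError(f"unknown protocol token: {token!r}")
            (enabled.add if enable else enabled.discard)(proto)
    return enabled

def audit(conf_text, peer_protocols):
    """Return (enabled protocols, findings) for a config and one peer."""
    m = re.search(r"^\s*SSLProtocols\s*=\s*(.+)$", conf_text, re.MULTILINE)
    enabled = enabled_protocols(m.group(1) if m else DEFAULT)
    findings = []
    legacy = enabled - {"TLSv1.2", "TLSv1.3"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if not enabled & set(peer_protocols):
        findings.append("no protocol in common with peer: handshake will fail")
    return enabled, findings

# Constructed sample: the TLSv1.3-only values from this page.
STRICT = """
SSLCiphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLProtocols = All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    # Constructed peer: an IRC server that supports nothing newer than TLSv1.2.
    print(audit(STRICT, {"TLSv1", "TLSv1.1", "TLSv1.2"}))
```

The peer set has to come from your own knowledge of the IRC networks and clients you use; the script only compares it with what the configuration leaves enabled.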
PrivateKey = ECC only
ProtectWebSessions
- ONLY SSL enabled
- Fail2ban module
- ufw rules
- Discussion about Public and Private CA
- Schat module
- Set CTCP Replies (Ex: FINGER/VERSION/PING)
- Hardening the Security
ZNC acts as a proxy for the IRC connection, so it manages 2 kinds of connections:
- IRC client <-> ZNC
- ZNC <-> IRC Server
To increase our security we want both of them to use the SSL layer; otherwise the information is secured only on the side where SSL is in use and totally insecure on the other side, which means: garbage in - garbage out.
Before proceeding we have to be sure that ZNC has been compiled with SSL support.
To do this (ask..)
- ZNC Config
As reported in the Configuration we have a couple of security options.
(Ask if split pem or keep it single)
Another important configuration is the key exchange. The defaults are perfectly fine, but if you are security paranoid and your clients support the latest EC (elliptic curve) algorithms, you can push them to accept only XXXX
- Certificate
Copy the certificate instructions
- IRC Client connection
The first connection we are going to manage is the IRC Client <-> ZNC one. The first step is enabling the SSL port directly during the first configuration. Otherwise we can enable it via the WebAdmin panel or via the command line.
- Web Admin Page
Screenshot
- Command line
Run this command (Check command)
Now we have to configure our clients to use SSL on connection. The second optional step is to use the Cert