#1 2015-01-17 05:37:55

cs
Member
Registered: 2015-01-16
Posts: 4

How to build & install latest ZNC, run it as daemon, enable fail2ban

Hi guys,
the ZNC package available for Debian is not the latest one, and it is highly recommended to upgrade in order to avoid security issues or software bugs. Darknyan posted this guide (http://forum.lowendspirit.com/viewtopic.php?id=485) showing how to install it using the Debian package; however, I will explain below how to build the latest ZNC from source, install the ZNC service script to run ZNC as a daemon, and protect it using fail2ban.

The first optional but recommended step is to install ntp, which will give you correct timestamps and will ensure that the SSL configuration works properly.

sudo apt-get update
sudo apt-get install ntp

Then configure your timezone to make sure your timestamps within ZNC are in the right timezone.

sudo dpkg-reconfigure tzdata

Install the required packages as root:

sudo apt-get install build-essential libssl-dev libperl-dev

Download and extract the source:
Navigate to the folder where you want to download the file (e.g. /opt) and execute the following:

sudo -i
wget http://znc.in/releases/znc-latest.tar.gz
tar -xzf znc-latest.tar.gz
cd znc-*

Compile the source, still as root:

./configure --with-openssl
make
make install

Create the file /etc/init.d/znc and paste the following content:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          znc
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ZNC IRC bouncer
# Description:       ZNC is an IRC bouncer
### END INIT INFO
 
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ZNC daemon"
NAME=znc
DAEMON=/usr/local/bin/$NAME
DATADIR=/var/lib/znc
DAEMON_ARGS="--datadir=$DATADIR"
PIDDIR=/var/run/znc
PIDFILE=$PIDDIR/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
USER=znc
GROUP=znc

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	if [ ! -d $PIDDIR ]
	then
		mkdir $PIDDIR
	fi
	chown $USER:$GROUP $PIDDIR
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
	RETVAL="$?"
	[ "$RETVAL" = 2 ] && return 2
	# Wait for children to finish too if this is a daemon that forks
	# and if the daemon is only ever run from this initscript.
	# If the above conditions are not satisfied then add some other code
	# that waits for the process to drop all resources that could be
	# needed by services started subsequently.  A last resort is to
	# sleep for some time.
	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
	[ "$?" = 2 ] && return 2
	# Many daemons don't delete their pidfiles when they exit.
	rm -f $PIDFILE
	return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
	return 0
}

case "$1" in
  start)
	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
	do_start
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  stop)
	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  status)
	status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
	;;
  reload)
	log_daemon_msg "Reloading $DESC" "$NAME"
	do_reload
	log_end_msg $?
	;;
  restart)
	log_daemon_msg "Restarting $DESC" "$NAME"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?" in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
		# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
	exit 3
	;;
esac

Make it executable:

sudo chmod 755 /etc/init.d/znc

Insert the script into the boot sequence:

sudo update-rc.d znc defaults

Create the ZNC user:

useradd -m -s /bin/bash -d /var/lib/znc --comment "ZNC daemon/user" --user-group znc

You can now log in as the znc user and navigate to the user's home directory:

su znc
cd ~

Configure ZNC as the znc user: go through the questions and use one of the ports assigned to your system as the listening port:

znc -d /var/lib/znc --makeconf

Start the service:

service znc start

or

/etc/init.d/znc start

Replace start with stop/restart to stop/restart the ZNC daemon.

In case you want to protect ZNC with fail2ban, there is a global module you need to enable.
There are several ways to do it; the manual way is to add the following line to /var/lib/znc/configs/znc.conf while the znc service is not running:

LoadModule = fail2ban 10 2

You can add this line between the Listener section and User section.
The numbers above mean that an IP will be blocked for 10 minutes after it fails to log in 2 times. Feel free to modify these values.
By default, fail2ban allows two failed logins in one minute, and the timeout is reset after each failed login.

Any comments are welcome! Enjoy!
/cs

Last edited by cs (2015-01-17 05:43:48)
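
A scripted version of the manual znc.conf edit described in post #1, added here as an example; it is not part of the original post or of the ZNC project. The function names enable_znc_fail2ban and write_sample_conf are hypothetical, and the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Enables ZNC's global fail2ban
# module by editing znc.conf, as the post describes doing by hand.

# enable_znc_fail2ban CONF MINUTES ATTEMPTS
# Returns 0 = line inserted, 1 = already enabled (file untouched),
#         2 = bad arguments or I/O error, 3 = znc is running.
enable_znc_fail2ban() {
    conf=$1 minutes=$2 attempts=$3
    [ -f "$conf" ] || return 2
    for n in "$minutes" "$attempts"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac   # digits only
    done
    # The post says to edit only while the znc service is not running.
    pgrep -x znc >/dev/null 2>&1 && return 3
    # fail2ban is a global module, so any existing LoadModule line counts.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]*=[[:space:]]*fail2ban([[:space:]]|$)' "$conf" && return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 2
    # Put the line just before the first <User ...> block, i.e. after the
    # Listener section; append it if the file has no User block yet.
    awk -v line="LoadModule = fail2ban $minutes $attempts" '
        !ins && /^[ \t]*<User[ \t]/ { print line; print ""; ins = 1 }
        { print }
        END { if (!ins) print line }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}

# Constructed sample config (layout is an assumption, not taken from the post).
write_sample_conf() {
    cat > "$1" <<'EOF'
<Listener l>
	Port = 6697
	SSL = true
</Listener>
LoadModule = webadmin

<User admin>
	Nick = admin
</User>
EOF
}

demo=$(mktemp -d) && write_sample_conf "$demo/znc.conf"
enable_znc_fail2ban "$demo/znc.conf" 10 2 && cat "$demo/znc.conf"
rm -rf "$demo"
```

Run it as the znc user (or as root) against /var/lib/znc/configs/znc.conf; a second run returns 1 and leaves the file unchanged.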


#2 2015-02-22 12:22:31

Pulec
Trusted Member
Registered: 2015-02-18
Posts: 3

Re: How to build & install latest ZNC, run it as daemon, enable fail2ban

Thank you for the guide, this should be sticky.

But I would add libicu-dev to the needed dependencies for charset support (otherwise clients on ZNC can't read Unicode text).

I tried building ZNC with Python support. I have python3 and python3-dev installed; ./configure went okay, but it crashes in make. I just found that other people have the same problems: http://pastebin.com/knTLuYUC

[email protected]:~/znc# make
Packing man page znc.1.gz...
Packing man page znc-buildmod.1.gz...
Building ZNC python bindings library...
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.7/README.Bugs> for instructions.
make[1]: *** [modpython/_znc_core.o] Error 4
make: *** [modules] Error 2

I gave up and configured with just --with-openssl again, but I would like to have modpython support.

This is on Debian7 x64 minimal, I think I am just missing some python library or something, but which?
I wonder how complicated this would be on CentOS....

Last edited by Pulec (2015-02-22 12:22:53)


#3 2015-02-23 18:40:06

MHjort
Member
Registered: 2015-02-15
Posts: 2

Re: How to build & install latest ZNC, run it as daemon, enable fail2ban

Sounds like you're out of memory.
