Home Explore Help
Register Sign In
EPuters_Mirrors
/
almanack_mirror
Watch 2
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
almanack_mir...
/
wiki.d
/
Openbsd.ZNCAdmin

Openbsd.ZNCAdmin 13 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435 
  1. version=pmwiki-2.2.130 ordered=1 urlencoded=1
    2. 

  2. agent=w3m/0.5.3+git20210102
    3. 

  3. author=jrmu
    4. 

  4. charset=UTF-8
    5. 

  5. csum=
    6. 

  6. ctime=1611914466
    7. 

  7. host=38.87.162.8
    8. 

  8. name=Openbsd.ZNCAdmin
    9. 

  9. rev=7
    10. 

  10. targets=Debate.Dogfooding,Bouncer.Bouncer,Openbsd.Less,Openbsd.Ilines,Openbsd.Irssi,Ircnow.Networks,Openbsd.Vhost,Openbsd.Ddos
    11. 

  11. text=(:redirect ZNC.Admin:)%0a(:title Daily Maintenance for ZNC:)%0a%0aEvery admin should use his team's bouncer to make sure it works. [[debate/dogfooding|Eat your own dog food]]. See [[bouncer/bouncer|connection instructions]] for your IRC client.%0a%0aEach day, you should check for errors with your znc.%0a%0a[@%0a$ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a@]%0a%0aScroll to the bottom by typing G.%0a%0a[@%0a[2021-01-25 03:12:52] [user/network] disconnected from IRC%0a[2021-01-25 03:15:29] [user/network] disconnected from IRC%0a[2021-01-25 03:19:21] [user/network] disconnected from IRC%0a[2021-01-25 03:23:12] [user/network] disconnected from IRC%0a@]%0a%0aIf you see these repeating messages "disconnected from IRC", it means that znc is attempting to connect to a network but failing. This is a network error that you must fix.%0a%0a'''WARNING''': If you do not fix this problem, your ZNC will throttle all of its users, slowing down reconnections for everyone!%0a%0a!! G-lined%0a%0aUse [[openbsd/less|less]] to search through znc.log to find error messages like the following:%0a%0a[@%0a[2021-01-25 03:55:25] [user1/network] disconnected from IRC: irc.example.com [:Closing link: (user@fruit.ircnow.org) [G-Lined: This connection is not authorized on IRC Network - (ID: VL0GY6RV79)]]%0a@]%0a%0aThis shows that the network has G-lined fruit.ircnow.org from connecting. Because the vhost is fruit.ircnow.org and not unique (it's not user.fruit.ircnow.org), this address is most likely an IPv4 address that has been glined. You can either write to the admins to [[openbsd/ilines|request an iline]] or you can attempt to switch over to an IPv6 address and hope that is not banned.%0a%0aIf that does not work, you can disconnect the user. Connect to the bouncer (you must be an admin on ZNC), then issue the command:%0a%0a[@%0a/msg *controlpanel disconnect user network%0a@]%0a%0a!! Fixing a Network Configuration Error%0a%0aSometimes a disconnection error in znc.log is caused by bad network configuration:%0a%0a[@%0a[2021-01-25 03:06:24] [user/network] disconnected from IRC%0a[2021-01-25 03:14:09] [user/network] disconnected from IRC%0a@]%0a%0aLet's investigate the cause through the web panel:%0a%0a# Log in to the web panel to troubleshoot: https://bnc.fruit.ircnow.org/\\%0aAttach:znc1.png%0a# Click on the Manage Users link\\%0aAttach:znc2.png%0a# Click on the Edit link next to user1\\%0aAttach:znc3.png%0a# Scroll down and click on the Edit link next to the network globalirc-it:\\%0aAttach:znc4.png%0a# Check @@Servers of this IRC network@@:%0a  # The server may be improperly configured. Check the hostname and port is correct. A port without a + sign is in plaintext, which is usually port 6667. A port with a + in front uses SSL, which is usually on port 6697. If the user tries to use SSL on plaintext port 6667, or plaintext on SSL-encrypted port 6697, ZNC will fail to connect. Please fix this for the user.%0a  # The user may be connecting to a server that lacks [[openbsd/ilines|an iline]]. You will want to use the server addresses on the [[ircnow/networks]] page to get the servers with ilines. You can test if your IP has been glined by using [[openbsd/irssi|irssi]].%0a  # The user may be attempting to use an IPv4 address when we should prefer an IPv6 address. Some networks will disallow IPv4 connections. Run @@$ host irc.example.com@@ to see if it returns an IPv4 address or only an IPv6 address. You will want to consult the [[ircnow/networks|networks list]] for IPv6-only hostnames.%0a  # The user may be glined from the network for abuse. In this case, see the section on stopping abuse.%0a  # The SSL cert may be expired. There are two solutions: manually add the SSL fingerprint to the @@SHA-256 fingerprint of trusted SSL certificates@@ or @@Trust All Certs@@ by clicking on @@Disable certificate validation@@. Trusting all certs is less secure but less work than manually adding, so I recommend trusting all certs.\\%0aAttach:znc5.png\\%0a# Click on @@Save and Continue@@\\%0aAttach:znc6.png%0a%0aYou should soon see a line similar to below in znc.log:%0a%0a[@%0a[2021-01-25 03:15:08] [user/network] connected to IRC: irc.example.com%0a@]%0a%0aThis indicates that @@user@@ successfully connected to @@network@@.%0a%0a!! Forcing IPv6%0a%0aWhenever possible, you should force your users to connect to an IRC network using IPv6 rather than IPv4. Benefits include:%0a%0a# Users get to pick a [[openbsd/vhost|unique vhost]] which they enjoy%0a# The [[openbsd/vhost|unique vhost]] helps to reduce ban evasion and abuse%0a# Innocent users sharing the same IPv4 address won't get GLINEd if an abuser gets banned%0a# IPv6 [[openbsd/ddos|ddos attacks]] are less common%0a%0aFor these reasons and more, it is important to ensure that your ZNC users are forced to use IPv6 wherever possible.%0a%0aOftentimes, major networks will have servers that are exclusively used for IPv6. For example, dalnet offers both IPv4 and IPv6 for irc.dal.net, and the IPv6-only irc6.dal.net.%0a%0aHere's one quick way to scan to see which servers are being used:%0a%0a[@%0a$ doas grep 'irc.dal.net' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a[2021-01-29 09:23:33] [user1/dalnet] connected to IRC: irc.dal.net%0a[2021-01-29 09:26:50] [user2/dalnet] connected to IRC: irc.dal.net%0a[2021-01-29 09:26:51] [user3/2600net] connected to IRC: irc.dal.net%0a[2021-01-29 09:28:12] [user4/2600net] connected to IRC: irc.dal.net%0a...%0a@]%0a%0aThis is a quick way to spot which need to be forced to irc6.dal.net. You can then follow instructions above to edit his network's server to irc6.dal.net.%0a%0a!! Dealing with Abuse%0a%0a
    12. 

  12. time=1627452880
    13. 

  13. title=Daily Maintenance for ZNC
    14. 

  14. author:1627452880=jrmu
    15. 

  15. diff:1627452880:1611919083:=1d0%0a%3c (:redirect ZNC.Admin:)%0a
    16. 

  16. host:1627452880=38.87.162.8
    17. 

  17. author:1611919083=jrmu
    18. 

  18. diff:1611919083:1611918685:=85,101d84%0a%3c %0a%3c For these reasons and more, it is important to ensure that your ZNC users are forced to use IPv6 wherever possible.%0a%3c %0a%3c Oftentimes, major networks will have servers that are exclusively used for IPv6. For example, dalnet offers both IPv4 and IPv6 for irc.dal.net, and the IPv6-only irc6.dal.net.%0a%3c %0a%3c Here's one quick way to scan to see which servers are being used:%0a%3c %0a%3c [@%0a%3c $ doas grep 'irc.dal.net' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c [2021-01-29 09:23:33] [user1/dalnet] connected to IRC: irc.dal.net%0a%3c [2021-01-29 09:26:50] [user2/dalnet] connected to IRC: irc.dal.net%0a%3c [2021-01-29 09:26:51] [user3/2600net] connected to IRC: irc.dal.net%0a%3c [2021-01-29 09:28:12] [user4/2600net] connected to IRC: irc.dal.net%0a%3c ...%0a%3c @]%0a%3c %0a%3c This is a quick way to spot which need to be forced to irc6.dal.net. You can then follow instructions above to edit his network's server to irc6.dal.net.%0a
    19. 

  19. host:1611919083=125.231.24.226
    20. 

  20. author:1611918685=jrmu
    21. 

  21. diff:1611918685:1611918411:=83c83%0a%3c # Innocent users sharing the same IPv4 address won't get GLINEd if an abuser gets banned%0a---%0a> # Innocent users sharing the same IPv4 address won't get GLINEd if [[openbsd/police|an abuser]] gets banned%0a86,87c86%0a%3c !! Dealing with Abuse%0a%3c %0a---%0a> !! Dealing with Abuse%0a\ No newline at end of file%0a
    22. 

  22. host:1611918685=125.231.24.226
    23. 

  23. author:1611918411=jrmu
    24. 

  24. diff:1611918411:1611918378:=83c83%0a%3c # Innocent users sharing the same IPv4 address won't get GLINEd if [[openbsd/police|an abuser]] gets banned%0a---%0a> # Innocent users sharing the same IPv4 address won't get GLINEd if an abuser gets banned%0a
    25. 

  25. host:1611918411=125.231.24.226
    26. 

  26. author:1611918378=jrmu
    27. 

  27. diff:1611918378:1611918254:=81,82c81%0a%3c # Users get to pick a [[openbsd/vhost|unique vhost]] which they enjoy%0a%3c # The [[openbsd/vhost|unique vhost]] helps to reduce ban evasion and abuse%0a---%0a> # Users get a unique vhost which helps to reduce ban evasion and abuse%0a84c83%0a%3c # IPv6 [[openbsd/ddos|ddos attacks]] are less common%0a---%0a> # %0a
    28. 

  28. host:1611918378=125.231.24.226
    29. 

  29. author:1611918254=jrmu
    30. 

  30. diff:1611918254:1611914466:=76,83d75%0a%3c %0a%3c !! Forcing IPv6%0a%3c %0a%3c Whenever possible, you should force your users to connect to an IRC network using IPv6 rather than IPv4. Benefits include:%0a%3c %0a%3c # Users get a unique vhost which helps to reduce ban evasion and abuse%0a%3c # Innocent users sharing the same IPv4 address won't get GLINEd if an abuser gets banned%0a%3c # %0a
    31. 

  31. host:1611918254=125.231.24.226
    32. 

  32. author:1611914466=jrmu
    33. 

  33. diff:1611914466:1611914466:=1,77d0%0a%3c (:title Daily Maintenance for ZNC:)%0a%3c %0a%3c Every admin should use his team's bouncer to make sure it works. [[debate/dogfooding|Eat your own dog food]]. See [[bouncer/bouncer|connection instructions]] for your IRC client.%0a%3c %0a%3c Each day, you should check for errors with your znc.%0a%3c %0a%3c [@%0a%3c $ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c @]%0a%3c %0a%3c Scroll to the bottom by typing G.%0a%3c %0a%3c [@%0a%3c [2021-01-25 03:12:52] [user/network] disconnected from IRC%0a%3c [2021-01-25 03:15:29] [user/network] disconnected from IRC%0a%3c [2021-01-25 03:19:21] [user/network] disconnected from IRC%0a%3c [2021-01-25 03:23:12] [user/network] disconnected from IRC%0a%3c @]%0a%3c %0a%3c If you see these repeating messages "disconnected from IRC", it means that znc is attempting to connect to a network but failing. This is a network error that you must fix.%0a%3c %0a%3c '''WARNING''': If you do not fix this problem, your ZNC will throttle all of its users, slowing down reconnections for everyone!%0a%3c %0a%3c !! G-lined%0a%3c %0a%3c Use [[openbsd/less|less]] to search through znc.log to find error messages like the following:%0a%3c %0a%3c [@%0a%3c [2021-01-25 03:55:25] [user1/network] disconnected from IRC: irc.example.com [:Closing link: (user@fruit.ircnow.org) [G-Lined: This connection is not authorized on IRC Network - (ID: VL0GY6RV79)]]%0a%3c @]%0a%3c %0a%3c This shows that the network has G-lined fruit.ircnow.org from connecting. Because the vhost is fruit.ircnow.org and not unique (it's not user.fruit.ircnow.org), this address is most likely an IPv4 address that has been glined. You can either write to the admins to [[openbsd/ilines|request an iline]] or you can attempt to switch over to an IPv6 address and hope that is not banned.%0a%3c %0a%3c If that does not work, you can disconnect the user. Connect to the bouncer (you must be an admin on ZNC), then issue the command:%0a%3c %0a%3c [@%0a%3c /msg *controlpanel disconnect user network%0a%3c @]%0a%3c %0a%3c !! Fixing a Network Configuration Error%0a%3c %0a%3c Sometimes a disconnection error in znc.log is caused by bad network configuration:%0a%3c %0a%3c [@%0a%3c [2021-01-25 03:06:24] [user/network] disconnected from IRC%0a%3c [2021-01-25 03:14:09] [user/network] disconnected from IRC%0a%3c @]%0a%3c %0a%3c Let's investigate the cause through the web panel:%0a%3c %0a%3c # Log in to the web panel to troubleshoot: https://bnc.fruit.ircnow.org/\\%0a%3c Attach:znc1.png%0a%3c # Click on the Manage Users link\\%0a%3c Attach:znc2.png%0a%3c # Click on the Edit link next to user1\\%0a%3c Attach:znc3.png%0a%3c # Scroll down and click on the Edit link next to the network globalirc-it:\\%0a%3c Attach:znc4.png%0a%3c # Check @@Servers of this IRC network@@:%0a%3c   # The server may be improperly configured. Check the hostname and port is correct. A port without a + sign is in plaintext, which is usually port 6667. A port with a + in front uses SSL, which is usually on port 6697. If the user tries to use SSL on plaintext port 6667, or plaintext on SSL-encrypted port 6697, ZNC will fail to connect. Please fix this for the user.%0a%3c   # The user may be connecting to a server that lacks [[openbsd/ilines|an iline]]. You will want to use the server addresses on the [[ircnow/networks]] page to get the servers with ilines. You can test if your IP has been glined by using [[openbsd/irssi|irssi]].%0a%3c   # The user may be attempting to use an IPv4 address when we should prefer an IPv6 address. Some networks will disallow IPv4 connections. Run @@$ host irc.example.com@@ to see if it returns an IPv4 address or only an IPv6 address. You will want to consult the [[ircnow/networks|networks list]] for IPv6-only hostnames.%0a%3c   # The user may be glined from the network for abuse. In this case, see the section on stopping abuse.%0a%3c   # The SSL cert may be expired. There are two solutions: manually add the SSL fingerprint to the @@SHA-256 fingerprint of trusted SSL certificates@@ or @@Trust All Certs@@ by clicking on @@Disable certificate validation@@. Trusting all certs is less secure but less work than manually adding, so I recommend trusting all certs.\\%0a%3c Attach:znc5.png\\%0a%3c # Click on @@Save and Continue@@\\%0a%3c Attach:znc6.png%0a%3c %0a%3c You should soon see a line similar to below in znc.log:%0a%3c %0a%3c [@%0a%3c [2021-01-25 03:15:08] [user/network] connected to IRC: irc.example.com%0a%3c @]%0a%3c %0a%3c This indicates that @@user@@ successfully connected to @@network@@.%0a%3c %0a%3c !! Dealing with Abuse%0a\ No newline at end of file%0a
    34. 

  34. host:1611914466=125.231.24.226
    35. 

  35.