This guide provides steps for setting up a unified shell chat proxy and client running in a persistent screen session. The following steps are covered:
- Server operating system & packages will be updated.
- Timezone will be updated.
- Hosts will be configured correctly.
- OpenSSH will be secured.
- A restrictive firewall policy will be configured and enabled.
- Sendmail will be installed.
- Fail2ban will be blocking brute-force ssh attacks and sending notifications via email using sendmail.
- Byobu will be installed and enabled by default.
- Bitlbee will run as a service.
- Bitlbee will be connected to Google Talk, Facebook, Twitter, and private Jabber servers.
- Weechat will run in a persistent screen session wrapped with byobu.
- Weechat will be connected to IRC networks and the bitlbee gateway.
- Weechat will be configured to authenticate to freenode securely, with SSL and SASL.
- Weechat logging will be properly configured.
- Weechat will be configured to automatically set you as away when you haven't been active for 15 minutes.
- Weechat will be configured to automatically set you as away when you detach from the screen session.
- Weechat will be configured to forward messages to your phone via prowl when you are away.
The following guide documents my process for setting up a secure unified shell chat proxy and client on DigitalOcean running Ubuntu 13.10 x64. I'm using DigitalOcean because it's cheap ($5/month) and it takes about 30 minutes to provision and configure this server.
If you get value out of this guide, feel free to sign up using my referral link to get me an extra $10: Digital Ocean Referral Link.
I use Ubuntu 13.10 x64 because it's easy. Setting this up on Arch is not as straightforward and takes more effort than I wanted to spend (I'm lazy) on running something so simple.
Prior to migrating to this setup, I had to run multiple applications on different systems for work and personal communications. This became cumbersome and tedious, and monitoring all these different applications took more time than I was willing to invest.
This system pulls all these different protocols into a single interface, allowing all communications to be monitored and logged via a single system, standardized and unified. Away status is automatically set and conversations are automatically logged.
OAuth is used for authentication with services, so your passwords will not be stored "in the cloud" (unless you're authenticating against a Jabber server that doesn't support OAuth, as in my case). This doesn't concern me, as the server is locked down tight and I don't have access to any data that would warrant the level of effort required to gain unauthorized access to the server, pull my bitlbee password, decrypt the OAuth tokens, and use them to access my other accounts.
To lock down the server, we enable SSH key-based authentication with strong keys and disable password authentication. Root logins over SSH are disabled and the SSH port is moved to a non-standard, high-numbered, pseudo-random port to discourage brute-force attacks.
An iptables firewall is configured with a restrictive inbound policy with an exception for this one port.
Fail2ban is configured to monitor logs for brute-force attacks, automatically ban the offending addresses, and send email notifications to the owner.
This guide is still in progress and some parts may be currently broken.
I'd love some ideas for ways to fix or improve this; all input is very welcome. Still to do:
- Add SMS integration
- Add Skype integration
- Add Steam integration
- Add Email integration
- Fix weechat logging
- Add some ircbot automation
- Add steps for setting up zsh
- Better logging and security auditing
- Resolve Jabber MUC channel configuration issues
Log in through the DigitalOcean control panel and provision a new Ubuntu 13.10 x64 server. Log in to your DNS control panel (wherever it is hosted) and create a new A record for your shell server.
SSH to your server, log in, and create a user account:
ssh $USERNAME@$ADDRESS
Create your new user account.
adduser $USERNAME
usermod -a -G sudo $USERNAME
Log out.
Set up secure authentication:
# if you don't already have ssh keys to use, generate them with:
ssh-keygen -q -b 2048 -t rsa -N "$PASSPHRASE" -C "$COMMENT" -f ~/.ssh/id_rsa
# ensure ssh-agent is managing the key:
ssh-add
# copy the public key up to the server
scp ~/.ssh/id_rsa.pub $USERNAME@$ADDRESS:/tmp/id_rsa.pub
# add it to the authorized_keys file; only the owner may access ~/.ssh and its contents
ssh $USERNAME@$ADDRESS "mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys; rm /tmp/id_rsa.pub"
# log into your server and verify ssh key authentication is working
ssh $USERNAME@$ADDRESS
# update server
sudo apt-get -y update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade
# install some basic packages
sudo apt-get install build-essential git linux-headers-$(uname -r) python-software-properties rsync ufw vim
# reboot to complete upgrade
sudo reboot
Configure the timezone:
sudo dpkg-reconfigure tzdata
First, ensure your hostname is configured appropriately:
sudo vi /etc/hostname
Next, add the proper configuration to your hosts file:
sudo vi /etc/hosts
# the FQDN must come first on the line so that hostname -f resolves to it
127.0.0.1 $FQDN $HOSTNAME localhost localhost.localdomain
sudo vim /etc/ssh/sshd_config
Modify the configuration to match the following:
Port $SSH_PORT
Protocol 2
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
Banner /etc/issue.net
Restart sshd and, before closing your current session, verify that you can log in on the new port:
sudo service ssh restart
ssh $USERNAME@$ADDRESS -p $SSH_PORT
UFW is an iptables wrapper that implements some best practices by default. Since we only need a very simple iptables configuration, we can use it instead of configuring iptables directly.
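Before moving on, it is worth checking that the directives above actually took effect rather than trusting the edit. The following is an added helper, not part of the original guide: it audits an sshd_config file for the hardening settings set above. It reads the first occurrence of each directive (which is the one sshd honours), ignores commented-out lines, does not handle Match blocks, and is demonstrated here against two constructed sample configs written to a temporary directory (the port number and file paths are made up for the example).

```shell
#!/bin/sh
# Added verification helper (not from the original guide): audits an sshd_config
# for the hardening directives this guide sets. sshd uses the first occurrence
# of a directive, so that is what we read; Match blocks are not handled.

# first_value <file> <directive>: prints the value of the first uncommented
# occurrence of <directive> (case-insensitive, as sshd treats keywords)
first_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config <file>: prints one FAIL line per problem, returns 1 if any
check_sshd_config() {
  cfg="$1"
  rc=0
  for want in "PermitRootLogin=no" "PasswordAuthentication=no" \
              "PermitEmptyPasswords=no" "PubkeyAuthentication=yes" "Protocol=2"; do
    key=${want%%=*}
    expected=${want#*=}
    actual=$(first_value "$cfg" "$key")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" != "$expected" ]; then
      echo "FAIL: $key is '${actual:-unset}', expected '$expected'"
      rc=1
    fi
  done
  # an unset Port means 22, which is the port every scanner tries first
  port=$(first_value "$cfg" Port)
  case "$port" in
    ''|22) echo "FAIL: Port is '${port:-unset}', expected a non-standard port"; rc=1 ;;
  esac
  return $rc
}

# --- constructed sample configs (not real server files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
HARDENED="$SAMPLE_DIR/sshd_config.hardened"
DEFAULT="$SAMPLE_DIR/sshd_config.default"

# the configuration this guide ends up with (port number is made up)
cat > "$HARDENED" <<'EOF'
Port 48211
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
Banner /etc/issue.net
EOF

# a stock-style config: commented-out defaults and root logins allowed
cat > "$DEFAULT" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
PermitEmptyPasswords no
EOF

if check_sshd_config "$HARDENED"; then echo "hardened: OK"; fi
if check_sshd_config "$DEFAULT"; then echo "default: OK"; else echo "default: needs work"; fi
```

To audit the live file on the server, run `check_sshd_config /etc/ssh/sshd_config` (it needs read access to the file, so use sudo). Note that the check does not prove sshd has reloaded the file; the `ssh ... -p $SSH_PORT` login test above does that.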
# verify ufw is installed
sudo ufw status
# allow ssh inbound on the non-standard port (TCP only)
sudo ufw allow $SSH_PORT/tcp
# deny all inbound connections besides ssh
sudo ufw default deny incoming
# allow all outbound connections
sudo ufw default allow outgoing
# enable the firewall
sudo ufw enable
We need sendmail installed so that fail2ban can send notifications when it blocks an address.
sudo apt-get install sendmail
Fail2ban monitors log files and automatically generates iptables rules to block brute-force attempts.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# edit the configuration file
sudo vim /etc/fail2ban/jail.local
# in the [DEFAULT] section, configure the address to receive email alerts
destemail = $EMAIL_ADDRESS
# ensure sendmail is configured as the MTA
mta = sendmail
# the default action only bans; action_mwl also mails a notification with whois data and the matching log lines
action = %(action_mwl)s
# in the [ssh] configuration section, update the port
port = $SSH_PORT
# restart fail2ban
sudo service fail2ban restart
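To see what the ssh jail is actually doing with the log, here is an added example that is not part of the original guide: a simplified version of the detection fail2ban performs, run over a few constructed auth.log lines (documentation addresses, not real hosts). It counts failed password attempts per source address and reports those that reach maxretry. Real fail2ban also enforces a findtime window and matches more failure patterns than "Failed password"; this only shows the idea so you can sanity-check your own log.

```shell
#!/bin/sh
# Added example (not from the original guide): count sshd "Failed password"
# lines per source address and report addresses that reach maxretry. This
# is a simplified stand-in for fail2ban's ssh filter, not the real one.

# failed_attempts <logfile>: prints "<count> <ip>" per source address, most first
failed_attempts() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders <logfile> <maxretry>: prints addresses with at least <maxretry> failures
offenders() {
  failed_attempts "$1" | awk -v max="$2" '$1 >= max { print $2 }' | sort
}

# --- constructed sample log (RFC 5737 documentation addresses) ---
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan 12 10:15:01 chatbox sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 10:15:03 chatbox sshd[2041]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 12 10:15:04 chatbox sshd[2043]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 12 10:15:06 chatbox sshd[2044]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Jan 12 10:16:01 chatbox sshd[2050]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
Jan 12 10:16:40 chatbox sshd[2052]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Jan 12 10:17:12 chatbox sshd[2060]: Failed password for invalid user oracle from 192.0.2.33 port 33001 ssh2
EOF

echo "failed attempts per address:"
failed_attempts "$LOG"
echo "addresses at or above maxretry=3:"
offenders "$LOG" 3
```

On the real server, `failed_attempts /var/log/auth.log` (with sudo) gives a quick picture of who is knocking, and `sudo fail2ban-client status ssh` shows what the jail has already banned. Since password authentication is disabled above, every one of these lines is a failed attempt by construction; the ban mainly cuts the noise and the CPU spent on key exchange.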
Byobu is a screen/tmux wrapper for Linux. It's very stable on Ubuntu but in my experience has issues on Arch Linux and Cygwin.
sudo apt-get -y install byobu
# add the following to your tmux configuration to enable mouse support in byobu
vim ~/.byobu/.tmux.conf
set -g mouse-select-pane on
set -g mouse-select-window on
set -g mouse-resize-pane on
set -g mouse-utf8 on
# enable byobu
byobu-enable
The default screen key-bindings will work; however, byobu also sets up commonly used bindings on function keys (with modifiers). Pressing F9 opens the byobu configuration and cheat sheet interfaces.
Glances is a console application for monitoring server status.
sudo apt-get install glances
Bitlbee is an IRC proxy that connects to other protocols, allowing you to use protocols like Jabber, Twitter, and AIM from an IRC client.
Bitlbee provides a repository for Debian-based operating systems that contains the most current stable bitlbee release.
echo "deb http://code.bitlbee.org/debian/devel/squeeze/amd64/ ./" | sudo tee /etc/apt/sources.list.d/bitlbee.list
sudo apt-key add - << EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

[PGP key body not reproduced on this page]
=LQ+N
-----END PGP PUBLIC KEY BLOCK-----
EOF
sudo apt-get update && sudo apt-get -y install bitlbee
To get the latest version of weechat, add the PPA:
sudo add-apt-repository ppa:nesthib/weechat-stable
sudo apt-get -y update && sudo apt-get -y install weechat ca-certificates python-xmpp
Bitlbee configuration is performed through the weechat client. This section contains configuration instructions for both bitlbee and weechat.
Start the weechat client:
weechat
Weechat configuration settings are not saved unless you issue a /save command; do this periodically while configuring. Bitlbee configuration settings are saved automatically; to force a save, use 'save' in the &bitlbee buffer.
# set server buffers to independent
/set irc.look.server_buffer independent
# enable mouse support
/mouse enable
# with the mouse enabled, you won't be able to highlight text without first disabling the mouse
# to temporarily disable the mouse use /mouse disable
# enable smart filter (keep join/part/quit from users who spoke recently):
/set irc.look.smart_filter on
/filter add irc_smart * irc_smart_filter *
# install buffers.pl to make initial configuration easier
/script install buffers.pl
# check if users are away every 5 minutes
/set irc.server_default.away_check 5
# only check away status on channels with less than 25 users
/set irc.server_default.away_check_max_nicks 25
# set the default part and quit messages (/set takes no "=")
/set irc.server_default.msg_part "WeeChat %v"
/set irc.server_default.msg_quit "WeeChat %v"
# connect via SSL
/set irc.server.freenode.addresses chat.freenode.net/7000
/set irc.server.freenode.ssl on
# lowered from the WeeChat default of 2048; only needed if the server rejects larger DH keys
/set irc.server.freenode.ssl_dhkey_size 1024
# sasl authentication
/set irc.server.freenode.sasl_mechanism dh-blowfish
/set irc.server.freenode.sasl_username $USERNAME
/set irc.server.freenode.sasl_password $PASSWORD
# user settings
/set irc.server.freenode.realname $USERNAME
/set irc.server.freenode.username $USERNAME
/set irc.server.freenode.nicks $NICKS
# autoconnect
/set irc.server.freenode.autoconnect on
/set irc.server.freenode.autoreconnect on
/set irc.server.freenode.autoreconnect_delay 60
# channels
/set irc.server.freenode.autojoin "$CHANNELS"
/set irc.server.freenode.autorejoin on
/set irc.server.freenode.autorejoin_delay 60
Configure weechat to automatically connect and authenticate with bitlbee:
# add the bitlbee server, enable autoconnect
/server add bitlbee localhost/6667 -autoconnect
# set realname, username & nicks
/set irc.server.bitlbee.realname $REALNAME
/set irc.server.bitlbee.username $USERNAME
/set irc.server.bitlbee.nicks $NICKS
# connect to the server and register your account (type register in the &bitlbee buffer)
/connect bitlbee
register $PASSWORD
# identify automatically on every connect; this stores the password in plain text in ~/.weechat/irc.conf, so keep that file readable only by you
/set irc.server.bitlbee.command "/msg &bitlbee identify $PASSWORD"
Depending on your Google account's security settings, this process will differ.
account add jabber $JID $PASSWORD
account gtalk set nick_source full_name
account gtalk set oauth on
account gtalk on
At this point, another buffer should open containing a link to a gtalk oauth verification page. Log into your gtalk account and a code will be provided. Copy this code, return to the weechat buffer and paste this code. Authentication should now be complete.
Your facebook $JID will be your Facebook username at the chat.facebook.com domain.
account add jabber $JID
account fb set tag facebook
account facebook set nick_source full_name
account facebook set oauth on
account facebook on
At this point, another buffer should open containing a link to a facebook oauth verification page. Log into your facebook account and a code will be provided. Copy this code, return to the weechat buffer and paste this code. Authentication should now be complete.
Bitlbee provides twitter integration out of the box, utilizing oauth authentication.
account add twitter $USERNAME
account twitter on
At this point, an auth buffer should open containing a link to a twitter oauth authentication page. Log into your twitter account and a code will be provided. Copy this code, return to the weechat buffer and paste this code. Authentication should now be complete.
Bitlbee and Weechat are extremely picky. Be extremely careful that you use the correct JID, or MUCs will not work. In my case, everyone signs into my employer's Jabber server using their email address, and this works with almost all clients, but it doesn't work at all with this setup. Reading through the logs, I found that the Jabber server allows logins with an email address, but then returns a response identifying the JID as something different. I found that I can log in with the JID instead of my email, and then things mostly work.
I'm currently working through another issue where the account/alias name is removed for each chat room on restart. While the channels themselves persist (and a review of the raw configuration shows the correct values), in the client itself the values are erased.
# add the jabber account with password
acc add jabber $JID $PASSWORD
# give the account a meaningful tag; the account is referred to as $ALIAS from here on
acc jabber set tag $ALIAS
# set the address of the server used for connecting
acc $ALIAS set server $ADDRESS
# add a chat room as an IRC channel: $NAME is the room's JID, $CHANNEL the channel name to map it to
# repeat as necessary for all MUCs
chat add $ALIAS $NAME $CHANNEL
channel $CHANNEL set auto_join true
# connect account
account $ALIAS on
Plugins and scripts in weechat are different things. Plugins are C modules that come bundled with weechat. Scripts are written in Perl, Python, Tcl, or Ruby.
Aspell provides spell checking.
/set aspell.check.enabled on
/set aspell.check.real_time on
/set aspell.check.default_dict en
/set aspell.check.suggestions 3
Set better file names for log files:
/set logger.mask.core "$plugin/%Y.%m.%d.log"
/set logger.mask.irc "$plugin/$server/$channel/%Y.%m.%d.log"
Two options currently exist for script management: script (included in new versions of weechat) and weeget (can be installed).
When I started using weechat, I didn't know about the included /script plugin, so I used weeget. Using weeget resulted in lots of errors I had difficulty resolving; I eventually discovered that script existed and started using it. No problems with it so far.
This script will automatically set you away after a specified amount of idle time (in minutes).
/script install auto_away.py
/set plugins.var.python.auto_away.idletime 15
/set plugins.var.python.auto_away.message 'away.auto.idle'
This script adds an additional window containing a list of all buffers. Extremely useful.
/script install buffers.pl
This script automatically sets you as away when you detach from your screen session.
/script install screen_away.py
/set plugins.var.python.screen_away.message 'away.auto.detached'
/set plugins.var.python.screen_away.interval 5
/set plugins.var.python.screen_away.set_away on
This script forwards messages to your phone via prowl.
/script install weeprowl.py
/set plugins.var.python.weeprowl.prowl_api_key $API_KEY
/set plugins.var.python.weeprowl.notify_focused_away on
/set plugins.var.python.weeprowl.notify_unfocused_away on
/set plugins.var.python.weeprowl.notify_focused_active off
/set plugins.var.python.weeprowl.notify_unfocused_active off