date: 2022-07-08 23:24:44
categories: linux
firstPublishDate: 2022-07-08 23:24:44
I set up the newsgroup server `snews://comments.noulin.net` to let my readers comment on the articles on my blog.
In this article, I show how to set up private newsgroup servers:
* with public access, without account or password, like `snews://comments.noulin.net`
* requiring a username and password
I use the inn2 server because it is stable, flexible and the documentation is good.
Some reasons for using newsgroups:
* very good for discussions with many people
* each client has an archive
* it works offline
* it is simpler to set up than mailing lists. Mailing lists need a mailing list manager to handle subscriptions, send mails and an archiving system. With newsgroup servers, there are no subscriptions and the archive is in the server without additional setup
* the server doesn't take many resources
* inn2 is stable, scalable and available. Many servers can feed each other, which makes newsgroups highly available
In contrast, web forums have a single point of failure (the web server/service), there is no archive, and you have to be online to do anything.
I use slrn to access newsgroups, so I show how to set up slrn to post comments on `snews://comments.noulin.net`. In my article, I list other newsgroup clients and how to access the public big 8 newsgroups.
Install slrn:
```
apt-get install slrn
zcat /usr/share/doc/slrn/examples/slrn.rc.gz > ~/.slrnrc
```
Add the server address in the configuration:
```
vi ~/.slrnrc
server "snews://comments.noulin.net" ".jnewsrc-noulinblog"
```
Execute slrn to connect:
```
# first time
slrn -f ~/.jnewsrc-noulinblog --create -h snews://comments.noulin.net
# press s to subscribe to the blog.comments newsgroup
# then
slrn -h snews://comments.noulin.net
```
To post a comment, type:
```
p (subject) (message) y
```
In this setup, the article size is limited to 16 kB to reduce resource requirements, and the client/server connection is encrypted with TLS.
Install inn2 and change the configuration:
```
apt-get install inn2
vi /etc/news/inn.conf
organization: example-organization
pathhost: news.example.com
domain: example.com
htmlstatus: false
# limit article size
maxartsize: 16384
noreader: true
tlscapath: /etc/news
tlscertfile: /etc/news/cert.pem
tlskeyfile: /etc/news/key.pem
```
`pathhost` can be an IP address when the server is in a local network without a DNS name.
Create groups:
```
ctlinnd newgroup blog.comments
```
The newsgroup in which the comments are posted is `blog.comments`.
Add the group description in /var/lib/news/newsgroups (keep the tabs):
```
vi /var/lib/news/newsgroups
blog.comments	Blog comments
```
Enable world access, add the lines below between `auth localhost` and `access localhost`:
```
vi /etc/news/readers.conf
auth "world" {
    hosts: "*"
    default: "<world>"
}
access "world" {
    users: "<world>"
    newsgroups: "blog.comments"
    access: RPA
}
```
I use a self-signed certificate for simplicity; a Let's Encrypt certificate could be used as well. For a Let's Encrypt certificate, the cert and key paths have to be changed and the `nnrpd` daemon has to be restarted when the certificate is renewed (every 3 months).
Generate the certificate:
```
umask 077
openssl req -new -x509 -nodes -out /etc/news/cert.pem -days 10000 -keyout /etc/news/key.pem -subj "/CN=comments.noulin.net" -newkey rsa:4096
chown news:news /etc/news/cert.pem
chmod 640 /etc/news/cert.pem
chown news:news /etc/news/key.pem
chmod 600 /etc/news/key.pem
```
Restart inn and start nnrpd as a daemon:
```
/etc/init.d/inn2 restart
/usr/lib/news/bin/nnrpd -D -p 563 -S
```
Test the TLS setup:
```
openssl s_client -connect 192.168.1.2:563 -tls1_2
```
Then the server is ready to use.
If you do this setup in AWS EC2, go to the EC2 instance security group and open port 563.
In this setup, an account with a password is required to access the server, the article size is unlimited, and the client/server connection is encrypted with TLS. Rsyslog is set up to direct the innd and nnrpd logs to `/var/log/news/innd.log`. Fail2ban is set up to slow down brute-force attacks.
Install inn2 and change the configuration:
```
apt-get install inn2
vi /etc/news/inn.conf
organization: example-organization
pathhost: news.example.com
domain: example.com
htmlstatus: false
# limit article size
maxartsize: 0
noreader: true
tlscapath: /etc/news
tlscertfile: /etc/news/cert.pem
tlskeyfile: /etc/news/key.pem
```
Create groups:
```
ctlinnd newgroup example.news
```
Add the group description in /var/lib/news/newsgroups (keep the tabs):
```
vi /var/lib/news/newsgroups
example.news	Example newsgroups
```
Generate the certificate:
```
umask 077
openssl req -new -x509 -nodes -out /etc/news/cert.pem -days 10000 -keyout /etc/news/key.pem -subj "/CN=comments.noulin.net" -newkey rsa:4096
chown news:news /etc/news/cert.pem
chmod 640 /etc/news/cert.pem
chown news:news /etc/news/key.pem
chmod 600 /etc/news/key.pem
```
Enable world access with authentication, add the lines below between `auth localhost` and `access localhost`:
```
vi /etc/news/readers.conf
auth "world" {
    hosts: "*"
    auth: "ckpasswd -f /var/lib/news/newsusers"
    auth: "ckpasswd -s"
}
access "world" {
    users: "*"
    newsgroups: "example.news"
    access: RPA
}
```
I use `ckpasswd` from the inn2 package to verify the credentials.
Create an account with username `user` and password `pass`:
```
htpasswd -nbd user pass > /var/lib/news/newsusers
chown news:news /var/lib/news/newsusers
chmod 600 /var/lib/news/newsusers
```
`htpasswd` is in the apache2 package; it is also possible to generate the password hash with perl as described in `man ckpasswd`.
Test the account:
```
(echo 'ClientAuthname: user' ; echo 'ClientPassword: pass') | /usr/lib/news/bin/auth/passwd/ckpasswd -f /var/lib/news/newsusers
```
Set up rsyslog; at the end of the conf file, add:
```
vi /etc/rsyslog.conf
innd /var/log/news/innd.log
```
Add the innd jail:
```
vi /etc/fail2ban/jail.d/innd.conf
[innd]
enabled = true
port = 563
logpath = /var/log/news/innd.log
```
Add the filter:
```
vi /etc/fail2ban/filter.d/innd.conf
# Fail2ban filter for inn2 nnrpd authentication
#
# for ckpasswd
#
# Log file usually in /var/log/news/innd.log

[INCLUDES]
before = common.conf

[Definition]
# Example matching lines:
# Jul  6 09:04:31 debian nnrpd[7610]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
# Jul  7 04:34:11 debian nnrpd[29912]: 172.16.43.163 auth: program error: ckpasswd: user qweqwe unknown
# Jul  7 04:34:05 debian nnrpd[29907]: 172.16.43.163 no_success_auth
# ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$

failregex = ^%(__prefix_line)s<HOST> auth: program error: ckpasswd: invalid password for user .*
            ^%(__prefix_line)s<HOST> auth: program error: ckpasswd: user .* unknown
            ^%(__prefix_line)s<HOST> no_success_auth

ignoreregex =

# Author: Remy Noulin
```
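To see what the three failregex lines above actually catch before wiring them into fail2ban, here is an added Python example (not code from the blog or from fail2ban) that runs equivalent patterns over constructed nnrpd log lines and applies fail2ban's maxretry/findtime window per source host. The `PREFIX` pattern is an assumed stand-in for fail2ban's `%(__prefix_line)s`, and the sample log, hosts and usernames are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format rsyslog writes for nnrpd; not real traffic.
SAMPLE_LOG = """\
Jul  7 04:34:05 debian nnrpd[29907]: 172.16.43.163 no_success_auth
Jul  7 04:34:11 debian nnrpd[29912]: 172.16.43.163 auth: program error: ckpasswd: user qweqwe unknown
Jul  7 04:34:20 debian nnrpd[29915]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
Jul  7 04:34:25 debian nnrpd[29918]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
Jul  7 04:35:02 debian nnrpd[29920]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
Jul  7 04:40:00 debian nnrpd[29930]: 10.0.0.5 auth: program error: ckpasswd: invalid password for user alice
Jul  7 04:40:10 debian nnrpd[29931]: 10.0.0.5 user alice
"""

# Assumed stand-in for %(__prefix_line)s: syslog timestamp, hostname, program[pid]:
PREFIX = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ nnrpd\[\d+\]: "
# Same three patterns as the filter, with <HOST> written as a named group.
FAILREGEX = [
    re.compile(PREFIX + r"(?P<host>\S+) auth: program error: ckpasswd: invalid password for user .*"),
    re.compile(PREFIX + r"(?P<host>\S+) auth: program error: ckpasswd: user .* unknown"),
    re.compile(PREFIX + r"(?P<host>\S+) no_success_auth"),
]


def parse_failures(log_text, year=2022):
    """Return (timestamp, host) for every line matched by one of the failregex patterns.
    Syslog lines carry no year, so the caller supplies it."""
    out = []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                out.append((ts, m.group("host")))
                break  # one failure per line, even if several patterns could match
    return out


def hosts_to_ban(failures, maxretry=5, findtime=600):
    """Apply fail2ban's rule: ban a host once it has maxretry failures within findtime seconds."""
    window = defaultdict(list)
    banned = []
    for ts, host in sorted(failures):
        recent = [t for t in window[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

The successful `user alice` line is deliberately left unmatched, so a host that logs in correctly after one typo is not banned.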
Reload the fail2ban configuration:
```
fail2ban-client reload
```
When the server is running, generate some failed logins with a client and check the fail2ban filter regex with:
```
fail2ban-regex --print-all-matched /var/log/news/innd.log /etc/fail2ban/filter.d/innd.conf |less
```
To check the fail2ban status, use these commands:
```
fail2ban-client get innd failregex # > to check if the regexes are loaded
fail2ban-client status # > to check the innd jail is enabled
fail2ban-client status innd # > to check if IPs are banned correctly
```
Restart rsyslog, fail2ban and inn, and start nnrpd as a daemon:
```
/etc/init.d/rsyslog restart
/etc/init.d/fail2ban restart
/etc/init.d/inn2 restart
/usr/lib/news/bin/nnrpd -D -p 563 -S
```
Test the TLS setup:
```
openssl s_client -connect 192.168.1.2:563 -tls1_2
```
Then the server is ready to use.
I have had small issues installing the inn2 package with apt in some Debian versions:
* Debian 8 jessie (update openssl) - there were some missing files in /var/lib/news/
* Ubuntu 18.04 - there were some missing files in /var/lib/news/
* Debian 9 stretch - ok, no problem
* Debian 11 bullseye - after the first install, I was getting `rc.news[2368933]: INND: No active file!`; I installed again with `apt-get install inn2`, then it was ok.
Tags: #newsgroup #forum #inn