I set up the newsgroup server snews://comments.noulin.net to let my readers comment on the articles on my blog.

In this article, I show how to set up private newsgroup servers:

  • with public access, without account or password, like snews://comments.noulin.net
  • requiring a username and password

I use the inn2 newsgroup server because it is stable, flexible and the documentation is good.

Some reasons for using Newsgroups:

  • very good for discussion with many people
  • each client has an archive
  • it works offline
  • it is simpler to set up than mailing lists. Mailing lists need a mailing list manager to handle subscriptions and send mails, plus an archiving system. With newsgroup servers, there are no subscriptions and the archive is in the server without additional setup
  • the server doesn't take much resources
  • inn2 is stable, scalable and available. Many servers can feed each other, which makes newsgroups very available

In contrast, web forums have a single point of failure (the web server/service), there is no local archive, and you have to be online to do anything.

Slrn client setup

I use slrn to access newsgroups, so I show how to set up slrn to post comments on snews://comments.noulin.net. In my article 2021-10-02 Newsgroups on usenet, I list other newsgroup clients and how to access the public Big 8 newsgroups.

Install slrn:

apt-get install slrn
zcat /usr/share/doc/slrn/examples/slrn.rc.gz > ~/.slrnrc

Add the server address to the configuration:

vi ~/.slrnrc
server "snews://comments.noulin.net" ".jnewsrc-noulinblog"

Run slrn to connect:

# first time
slrn -f ~/.jnewsrc-noulinblog --create -h snews://comments.noulin.net
# press s to subscribe to the blog.comments newsgroup
# then
slrn -h snews://comments.noulin.net

To post a comment, type:

p (subject) (message) y

Public newsgroup server setup

In this setup, the article size is limited to 16 KB to reduce resource requirements, and the client/server connection is encrypted with TLS.

Configure inn2

Install inn2 and change the configuration:

apt-get install inn2
vi /etc/news/inn.conf
organization: example-organization
pathhost: news.example.com
domain: example.com

htmlstatus:                  false
# limit article size
maxartsize:                  16384
noreader:                    true
tlscapath:                   /etc/news
tlscertfile:                 /etc/news/cert.pem
tlskeyfile:                  /etc/news/key.pem

pathhost can be an IP address when the server is on a local network without a DNS name.

Create groups:

ctlinnd newgroup blog.comments

The newsgroup in which the comments are posted is blog.comments.

Add the group description in /var/lib/news/newsgroups (keep the tabs):

vi /var/lib/news/newsgroups
blog.comments   Blog comments

Enable world access: add the lines below between the auth localhost and access localhost blocks:

vi /etc/news/readers.conf
auth "world" {
    hosts: "*"
    default: "<world>"
}

access "world" {
    users: "<world>"
    newsgroups: "blog.comments"
    access: RPA
}

TLS setup

I use a self-signed certificate for simplicity; a Let's Encrypt certificate could be used as well. For a Let's Encrypt certificate, the cert and key paths have to be changed and the nnrpd daemon has to be restarted when the certificate is renewed (every 3 months).

Generate certificate:

umask 077
openssl req -new -x509 -nodes -out /etc/news/cert.pem -days 10000 -keyout /etc/news/key.pem -subj "/CN=comments.noulin.net" -newkey rsa:4096
chown news:news /etc/news/cert.pem
chmod 640 /etc/news/cert.pem
chown news:news /etc/news/key.pem
chmod 600 /etc/news/key.pem

Restart inn and start nnrpd as a daemon:

/etc/init.d/inn2 restart
/usr/lib/news/bin/nnrpd -D -p 563 -S

Test the TLS setup:

openssl s_client -connect 192.168.1.2:563 -tls1_2

Then the server is ready to use.

If you do this setup in AWS EC2, go to the EC2 instance's security group and open port 563.

Private newsgroup server with restricted access

In this setup, an account with a password is required to access the server, the article size is unlimited and the client/server connection is encrypted with TLS. rsyslog is set up to direct the innd and nnrpd logs to /var/log/news/innd.log. fail2ban is set up to slow down brute-force attacks.

Configure inn2

Install inn2 and change the configuration:

apt-get install inn2
vi /etc/news/inn.conf
organization: example-organization
pathhost: news.example.com
domain: example.com

htmlstatus:                  false
# 0 = no article size limit
maxartsize:                  0
noreader:                    true
tlscapath:                   /etc/news
tlscertfile:                 /etc/news/cert.pem
tlskeyfile:                  /etc/news/key.pem

Create groups:

ctlinnd newgroup example.news

Add the group description in /var/lib/news/newsgroups (keep the tabs):

vi /var/lib/news/newsgroups
example.news   Example newsgroup

Generate certificate:

umask 077
openssl req -new -x509 -nodes -out /etc/news/cert.pem -days 10000 -keyout /etc/news/key.pem -subj "/CN=comments.noulin.net" -newkey rsa:4096
chown news:news /etc/news/cert.pem
chmod 640 /etc/news/cert.pem
chown news:news /etc/news/key.pem
chmod 600 /etc/news/key.pem

Enable world access with authentication: add the lines below between the auth localhost and access localhost blocks:

vi /etc/news/readers.conf
auth "world" {
    hosts: "*"
    auth: "ckpasswd -f /var/lib/news/newsusers"
    auth: "ckpasswd -s"
}

access "world" {
    users: "*"
    newsgroups: "example.news"
    access: RPA
}
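The two readers.conf fragments in this article differ in one security-relevant way: the public blog.comments setup hands every connection the anonymous identity "<world>" and lets it post, while the example.news setup issues no default identity, so nobody can post without passing ckpasswd. The following Python script is an added example, not part of the article or of INN; it parses both fragments (embedded as constructed strings) with a deliberately small parser for the auth/access block syntax and reports which access blocks grant posting (P) to an identity that was obtained without a password. It is a review aid for readers.conf, not a replacement for INN's own parser.

```python
import re
from fnmatch import fnmatch

# Constructed copies of the two readers.conf fragments from this article:
# the public blog.comments setup (no auth: program, everyone becomes "<world>")
# and the private example.news setup (ckpasswd required, no default identity).
PUBLIC_CONF = '''
auth "world" {
    hosts: "*"
    default: "<world>"
}

access "world" {
    users: "<world>"
    newsgroups: "blog.comments"
    access: RPA
}
'''

PRIVATE_CONF = '''
auth "world" {
    hosts: "*"
    auth: "ckpasswd -f /var/lib/news/newsusers"
    auth: "ckpasswd -s"
}

access "world" {
    users: "*"
    newsgroups: "example.news"
    access: RPA
}
'''

# Matches one `auth "label" { ... }` or `access "label" { ... }` block.
BLOCK_RE = re.compile(r'(auth|access)\s+"([^"]*)"\s*\{([^}]*)\}')


def parse_readers_conf(text):
    """Return a list of (kind, label, params); params maps key -> [values]
    because a key such as auth: may legitimately appear several times."""
    blocks = []
    for kind, label, body in BLOCK_RE.findall(text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            params.setdefault(key.strip(), []).append(value.strip().strip('"'))
        blocks.append((kind, label, params))
    return blocks


def anonymous_identities(blocks):
    """Identities handed out without a password: auth blocks that set a
    default: identity and run no auth: program at all."""
    ids = set()
    for kind, _label, params in blocks:
        if kind == "auth" and "auth" not in params:
            ids.update(params.get("default", []))
    return ids


def anonymous_post_access(text):
    """(label, newsgroups) of access blocks that let an unauthenticated
    identity post, i.e. whose users: pattern matches an anonymous identity
    and whose access: string contains P."""
    blocks = parse_readers_conf(text)
    anon = anonymous_identities(blocks)
    flagged = []
    for kind, label, params in blocks:
        if kind != "access":
            continue
        rights = "".join(params.get("access", []))
        users = params.get("users", ["*"])        # no users: line matches everyone
        if "P" in rights and any(fnmatch(a, u) for a in anon for u in users):
            flagged.append((label, sorted(params.get("newsgroups", []))))
    return flagged


if __name__ == "__main__":
    print("public :", anonymous_post_access(PUBLIC_CONF))
    print("private:", anonymous_post_access(PRIVATE_CONF))
```

For the public fragment the script flags access group "world" on blog.comments, which is exactly the intended behaviour of a comment server; for the private fragment it flags nothing, because users: "*" only ever matches identities that ckpasswd has already accepted.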

I use ckpasswd from the inn2 package to verify the credentials.

Create an account with username user and password pass:

htpasswd -nbd user pass > /var/lib/news/newsusers
chown news:news /var/lib/news/newsusers
chmod 600 /var/lib/news/newsusers

htpasswd is in the apache2 package; it is also possible to generate the password hash with perl as described in man ckpasswd.

Test the account:

(echo 'ClientAuthname: user' ; echo 'ClientPassword: pass') | /usr/lib/news/bin/auth/passwd/ckpasswd -f /var/lib/news/newsusers

Set up rsyslog: at the end of the conf file, add:

vi /etc/rsyslog.conf
innd  /var/log/news/innd.log

Set up fail2ban

Add innd jail:

vi /etc/fail2ban/jail.d/innd.conf
[innd]
enabled = true
port     = 563
logpath  = /var/log/news/innd.log

Add filter:

vi /etc/fail2ban/filter.d/innd.conf
# Fail2ban filter for inn2 nnrpd authentication
#
# for ckpasswd
#
# Log file usually in /var/log/news/innd.log

[INCLUDES]

before = common.conf

[Definition]

# Example matching lines:
# Jul  6 09:04:31 debian nnrpd[7610]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
# Jul  7 04:34:11 debian nnrpd[29912]: 172.16.43.163 auth: program error: ckpasswd: user qweqwe unknown
# Jul  7 04:34:05 debian nnrpd[29907]: 172.16.43.163 no_success_auth

# ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$

failregex = ^%(__prefix_line)s<HOST> auth: program error: ckpasswd: invalid password for user .*
            ^%(__prefix_line)s<HOST> auth: program error: ckpasswd: user .* unknown
            ^%(__prefix_line)s<HOST> no_success_auth

ignoreregex =

# Author: Remy Noulin
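As an added check that is not part of the original filter, the Python script below runs the three failregex lines above against a constructed sample of /var/log/news/innd.log: the three failure shapes quoted in the filter's comments plus two benign nnrpd lines that must not be counted. The %(__prefix_line)s expansion and the <HOST> group are simplified stand-ins for fail2ban's own (fail2ban's prefix is more permissive), so this exercises the rules' logic offline before fail2ban-regex is run on the live log; the maxretry threshold of 3 is chosen for the sample and is not the jail's setting.

```python
import re

# Simplified stand-in for fail2ban's common.conf %(__prefix_line)s, covering
# the syslog format rsyslog writes: "Mon dd hh:mm:ss host nnrpd[pid]: ".
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ nnrpd\[\d+\]: "
# fail2ban expands <HOST> into its own named group; a plain token suffices here.
HOST = r"(?P<host>\S+)"

# The three failregex lines from the innd.conf filter above, verbatim.
FAILREGEX = [
    r"^%(__prefix_line)s<HOST> auth: program error: ckpasswd: invalid password for user .*",
    r"^%(__prefix_line)s<HOST> auth: program error: ckpasswd: user .* unknown",
    r"^%(__prefix_line)s<HOST> no_success_auth",
]

# Constructed sample log: the three failure lines quoted in the filter's
# comments, plus two benign lines (connect / exit) that must not match.
SAMPLE_LOG = """\
Jul  6 09:04:31 debian nnrpd[7610]: 172.16.43.163 auth: program error: ckpasswd: invalid password for user user
Jul  7 04:34:05 debian nnrpd[29907]: 172.16.43.163 no_success_auth
Jul  7 04:34:11 debian nnrpd[29912]: 172.16.43.163 auth: program error: ckpasswd: user qweqwe unknown
Jul  7 04:35:00 debian nnrpd[29920]: 10.0.0.5 connect
Jul  7 04:35:09 debian nnrpd[29920]: 10.0.0.5 exit articles 0 groups 1
"""


def compile_failregex(patterns=FAILREGEX):
    """Expand the fail2ban placeholders and compile each rule."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for p in patterns
    ]


def failed_logins(log_text, patterns=FAILREGEX):
    """Count failed authentication attempts per client address."""
    rules = compile_failregex(patterns)
    counts = {}
    for line in log_text.splitlines():
        for rule in rules:
            m = rule.match(line)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break                     # first matching rule wins, as in fail2ban
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Addresses whose failure count reached maxretry (5 is a common jail default;
    the sample below uses 3 so that the constructed log trips it)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    print(counts, "->", hosts_to_ban(counts, maxretry=3))
```

Running it prints {'172.16.43.163': 3} -> ['172.16.43.163']: all three failure shapes are attributed to the same address and the connect/exit lines from 10.0.0.5 are ignored, which is what the filter is meant to do. If you change a failregex line, re-run this before reloading fail2ban.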

Reload the fail2ban configuration:

fail2ban-client reload

When the server is running, generate some failed logins with a client and check the fail2ban filter regex with:

fail2ban-regex --print-all-matched /var/log/news/innd.log /etc/fail2ban/filter.d/innd.conf |less

To check the fail2ban status, use these commands:

fail2ban-client get innd failregex
# > to check if the regexes are loaded
fail2ban-client status
# > to check the innd jail is enabled
fail2ban-client status innd
# > to check if IPs are banned correctly

Restart rsyslog, fail2ban and inn, and start nnrpd as a daemon:

/etc/init.d/rsyslog restart
/etc/init.d/fail2ban restart
/etc/init.d/inn2 restart
/usr/lib/news/bin/nnrpd -D -p 563 -S

Test the TLS setup:

openssl s_client -connect 192.168.1.2:563 -tls1_2

Then the server is ready to use.

Install problems

I have had small issues installing the inn2 package with apt on some Debian versions:

  • Debian 8 jessie (update openssl) - there were some missing files in /var/lib/news/
  • Ubuntu 18.04 - there were some missing files in /var/lib/news/
  • Debian 9 stretch - ok, no problem
  • Debian 11 bullseye - after the first install, I was getting rc.news[2368933]: INND: No active file!; I installed again with apt-get install inn2, and then it was ok.

Tags: #newsgroup #forum #inn