1. Change the superadmin password to a harder password*

2. Limit the amount of SA's to people you fully trust and use harder passwords*

3. Revoke the ability for SA's to login Via the Web and TCP server

4. Revoke the ability for SA's to Grant SA's and revoke SA's

5. Disable the ability for SA's to remove a users registration or delete players

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

7. Add more characters to the DisAllowedClientNameChars in the server.ini
DisAllowedClientNameChars=()[]{}`~!@#$%^&*_-+=|\'";:<>,./?

8. Enable all logging to catch them if the try again

Also turn on logging and cut down on the commands per second in your server.ini


[log]
access_r=1
access_u=1
channel_registerred=1
channel_unregisterred=1
sa=1
chat=1
kick_server=1
kick_channel=1
[Spam]
max_commands=10
in_seconds=10



*Harder Password are:
- 8 to 20 characters
- Contain Upper and Lower case characters
- Contain embedded numbers
- Contain embedded non-Alphanumeric characters


If you have any more suggestions, please post them here.


(If it still gets hacked and messed up be sure to backup the server.ini file and the server.dbs file so you can reset the server back to its last backup)

4, 5 and 6 are very good things to do, but what does 7 have to do with anything?

4, 5 and 6 are very good things to do, but what does 7 have to do with anything?

7 was an attempt to be a pain in the but for what I have seen the hackers in thier attacks use for names, nothing more.

I would also recommend, depending on how paranoid you are and who you are trying to serve with your server, just changing the ports. Script-kiddies love default settings. As a general rule, you should change as many of them as possible. This is especially easy for linux because chances are, you already have iptables installed.

If you are super paranoid, and worried that a compromised TS server can get them access to your box, think about using something Xen. If you think running TS in a chroot is a chore, don't try this. It is a major system overhaul. http://www.cl.cam.ac.uk/Research/SRG/netos/xen/

Finally, there's going all the way "outside the box," which I intend to do, soon. I will post my scripts so that others can make use of them, but it essentially works this way: Someone wanting to use your server must register their IP address. Essentially, you point them at a URL, which the same box serves. You log their IP address and then amend your iptables rules to allow them into teamspeak. Only give the URL to those you want on the server. It's essentially a quick-and-dirty port knocker. I've done this for other things on my server (like phpmyadmin) so that I have to validate my access before the firewall will open to me. Then, of course, you have to validate with your long SA password, too, right?

I know all that sounds like a lot of work, but until TS3 hits the streets, everything we do is a workaround.

^^^^ changing ports does not do anything. You can change your ports all you want I can scan the box and have the new ports in a matter of minutes. That only slow's them down for about 2 to 3 minutes.

^^^^ changing ports does not do anything. You can change your ports all you want I can scan the box and have the new ports in a matter of minutes. That only slow's them down for about 2 to 3 minutes.

Don't be so sure, man. You would not find any ports on my TS-server, because nearly all ports (including those of TS) are hidden. Port-knocking does the trick of opening them. In my case, it is ~60000^12 combinations. Happy scanning! :-)

IMHO, the best way for TS would be to use it with xinetd and its connection-rate limiting feature. That would stop each password-guessing attempts. Unfortunatelly, afaik TS does not work with xinetd...

[log]
access_r=1
access_u=1
channel_registerred=1
channel_unregisterred=1
sa=1
chat=1
kick_server=1
kick_channel=1
[Spam]
max_commands=10
in_seconds=10




what does the special code do i know what the spam does but not the log

what does the special code do i know what the spam does but not the log
It enables logging of those events.

access_r=1 : Logs access to the server by registered users
access_u=1 : Logs access to the server by unregistered users
channel_registerred=1 : Logs Channel switches and configurations changes for registered channels
channel_unregisterred=1 :Logs Channel switches and configurations changes for unregistered channels
sa=1 : Logs Server Admins acctions
chat=1 : Logs Chat
kick_server=1 : Logs kick from the server
kick_channel=1 : Logs kicks from the channel


max_commands=10
in_seconds=10

These two commands make it so some one can only send 10 commands to the server per ten secconds

Another Point,

Always be suspicios of anyone that comes into your server that you do not know, if you have never spoken to them and they get hevily into talking with you (or sit there silently) they could be about to pop a question that you willingly do for them.
If they ever ask you about your server and what ports your using if you have webadmin, this is a given but don't take it lightly, kick them if you think necacery.
5x out of 10 just kicking someone will send them away for good, as long as they don't think your an easy crack.

Key to this post is, ALWAYS have your wits about you.

Another thing if someone asks for you to click on their name and then hit Ctrl-E, don't do it. This will give them SA rights.

Another thing if someone asks for you to click on their name and then hit Ctrl-E, don't do it. This will give them SA rights.
Actually, all you need to do is right-click their name and press E.

Actually if you follow what I recomend, you couldn't even do that.

Best way to get secure? Don't use SA. Change it so that R has all the powers you need and only allow your admins to register. That way even if they get access to an admins account they still cant use the html web based controls. Of course its not an option if you have some elaborate ranking system, but they have never been my preference - Tink

I considered this once, but like you said if someone has an elaborate ranking system it isn't very helpful. For example there is no point in having Op or CA anymore. And then I can't give anyone partial power like over one particular channel because they wont get it back next time they log in unless they are registered. So it'll end up like this: ME (and maybe a select few others) have SA. People I trust enough for kicking and banning and channel editing and stuff are R. And everyone else is U. another thing is (please correct me if i am wrong) registered users cannnot talk in voice channels, but i guess they can give themselves auto voice if they wanted. But thats just one little problem that can be overcome. <-"The straw that broke the camel's back." :)

Best way to get secure? Don't use SA. Change it so that R has all the powers you need and only allow your admins to register. That way even if they get access to an admins account they still cant use the html web based controls.

The easiest way to prevent SA's from getting into the web console is to follow the steps I listed in the first post and disable that ability for that level of administration. If people are to follow what you suggest then what is the point of having any level of administration at all?

You might as well let Guest (Unregistered) full control. I say that because it is just as easy to crack at Registered account that is an SA account if registered have the same rights.


I considered this once, but like you said if someone has an elaborate ranking system it isn't very helpful. For example there is no point in having Op or CA anymore. And then I can't give anyone partial power like over one particular channel because they wont get it back next time they log in unless they are registered. So it'll end up like this: ME (and maybe a select few others) have SA. People I trust enough for kicking and banning and channel editing and stuff are R. And everyone else is U. another thing is (please correct me if i am wrong) registered users cannnot talk in voice channels, but i guess they can give themselves auto voice if they wanted. But thats just one little problem that can be overcome. <-"The straw that broke the camel's back." :)
The system currently in-place is not that elaborate, very few levels of administration available.

I believe to get auto-voice you must be registered (i.e. logging in with a specific name/password), correct me if I am wrong. Also remove any/all privileges from Anonymous players so they are motivated to register :-)

Sgtbenc, those are the implications and you are perfectly right, except AV does require registered.

Secondly, you could disable webaccess for SA but then you have lost the ability to give that control to others. Using R as an inchannel SA gives you 3 tiers of control, and gives less admins SA meaning there are less opportunities for passwords to be guessed, thus lowering risk. Since you can also give these select few R accounts for use on the server the SA account need not ever enter the TS server meaning hackers need to guess the name AND password. So yes it is more secure with the obvious problems of CA V O etc. It would be remiss of you to look at securing a server and not look at limiting webaccess to as few people as possible since it allows you to delete the accounts of offline members. This is one of the only ways to gain complete control over a teamspeak server without the requirement for all the SA to be online at the time of takeover.

You might as well let Guest (Unregistered) full control. I say that because it is just as easy to crack at Registered account that is an SA account if registered have the same rights.

Simply because I have a different opinion to you pilot, gives you no right to attack with such stupid arguments. Suggesting that making R equivalent to SA is in anyway similar to giving an unregistered user full admin is complete bullshit assuming you limit access to R. Sure you can crack a R account as easily as a SA account, but an UNREGISTERED account is completely unpassworded, that is its nature. If you are going to get paranoid about security then limiting the amount of access to the website by limiting access is beneficial. Since passwords are passed uncoded and can be captured limiting the amount of them being sent is surely a sensible idea. If you are going to argue don't lower the tone. - Tink

Change permissions of all server files so that only owners can read or write to them. Especially ini, dbs, and log.

Sgtbenc, those are the implications and you are perfectly right, except AV does require registered.

Secondly, you could disable webaccess for SA but then you have lost the ability to give that control to others. Using R as an inchannel SA gives you 3 tiers of control, and gives less admins SA meaning there are less opportunities for passwords to be guessed, thus lowering risk. Since you can also give these select few R accounts for use on the server the SA account need not ever enter the TS server meaning hackers need to guess the name AND password. So yes it is more secure with the obvious problems of CA V O etc. It would be remiss of you to look at securing a server and not look at limiting webaccess to as few people as possible since it allows you to delete the accounts of offline members. This is one of the only ways to gain complete control over a teamspeak server without the requirement for all the SA to be online at the time of takeover.

Simply because I have a different opinion to you pilot, gives you no right to attack with such stupid arguments. Suggesting that making R equivalent to SA is in anyway similar to giving an unregistered user full admin is complete bullshit assuming you limit access to R. Sure you can crack a R account as easily as a SA account, but an UNREGISTERED account is completely unpassworded, that is its nature. If you are going to get paranoid about security then limiting the amount of access to the website by limiting access is beneficial. Since passwords are passed uncoded and can be captured limiting the amount of them being sent is surely a sensible idea. If you are going to argue don't lower the tone. - Tink


Your are right, I didn't fully understand your security scheme until I have re-read this a few times.

So you have created a few registered accounts that have full server right (basically an SA) and those account rarely login which is a method of security through obscurity (a valid scheme).

I come from a network administrators background, so multiple levels of security groups is natural for me. I wish I could require password complexity through TS, but I am doing that manually by assigning my SA's their passwords. The only remote management tool I have enabled it the WebSite management which is on a different IP than the server and only the SuperAdmin accounts I have created can log in here to do management.

Change permissions of all server files so that only owners can read or write to them. Especially ini, dbs, and log.
I don't believe this has any effect on TS Security and I'm not really sure what advantage this would give you, unless someone logged into your server that was not an administrator of the machine.

Well, this will all be much better in TS3. (Totally customizable permissions.)

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

Hello,

I am starting up a server for the first time and I wanted to make it more secure. However, I don't know what every line in the server.ini file means and I don't know what line represents the use of the web-interface and the tcpquery-port. Can someone please explain me what to alter in that file in order to do that?

Thanks in advance.

It is a good idea to change the TCP Query port and the Web Interface port to something otehr then the default. Or for even more protection, just close those port with your router. Here are the lines in the "server.ini" file that you should change:

HTTPServer Port=14534
TCPQueryPort=51234

Just change them to anything not already being used.

If you want to disable others from using your web interface then change the value on this line:

HTTPServer Enabled=1

to 0

Yes, but how do you disable the TCP Query port? Can you just set the value to blank and have it not work?

Yes, but how do you disable the TCP Query port? Can you just set the value to blank and have it not work?

I set mine to 0 and I think it disabled it (or it set it to a port not available)

I set mine to 0 and I think it disabled it (or it set it to a port not available)
I know of no other way to do what you ask. So I believe that is the best course of action.

Why can't TS just be made secure on the front end? Not a blast, but a serious question. If all these hacks and troubles are known, why not make the next version secure from the install? Make complex password rules a matter of setup.

why not make the next version secure from the install?
Maybe the are making the next version more secure. I think the reason they are not really updating TS2 is because they are getting too much preasure to finish TS3.

TS3 is what I was refering to. Perhaps they can set it up so that it is impossible to have an unsecure server?

I would rather them take another year or two and get it right, than rush from pressure.

Well, it is rather simple to make your server secure. But, I do see your point.

Thanks to all for the help, also the group that hacked us were from skullzclan.com (pk3 - is the tag name):)They are some nasty folks, they don't play by the rules... :)

How about commands so you can do them in a chatbox like IRC, and also, block the possibility of a SERVER ADMIN (ROOT/Owner) to be banned or edit, only normal server admins should be killed, not the owner like I did! That needs to be fixed in your next version also time bas and other commands that are not there.

How about commands so you can do them in a chatbox like IRC, and also, block the possibility of a SERVER ADMIN (ROOT/Owner) to be banned or edit, only normal server admins should be killed, not the owner like I did! That needs to be fixed in your next version also time bas and other commands that are not there.
There is no way to do any of those things in TS2.

If I could add something, I'd say that disallowing Bans would help out, because it kind of saved me from having to go through the hassle of deleting the server and making a new one.

Why dont you just put ur computer behind a rounter and not all connections on the web interface and the TCP. Thats was I do. I guess if you want to be safe you could also change the superadmin passwords. Of course only give SA to people who u really trust, like ur friends.

There is a program called "networkactiv" that you can use to host websites. I will let how you go about this to you, but you can use networkactive (and certain other servers, don't know which ones) to log ips. The idea will be to force people to use that as the HTTP server to access your webadmin. That way, you can log who's trying to get who's passowrd and stuff. And ban them before they reak havoc on your teamspeak server. It will allow you to see what ip is attempting to view what file. Good luck!

3. Revoke the ability for SA's to login Via the Web and TCP server

4. Revoke the ability for SA's to Grant SA's and revoke SA's

5. Disable the ability for SA's to remove a users registration or delete players

How can I do these steps 'before' starting my TS server?
My TS Server is a local machine at my home, and I would like to know how to have very secure settings prior to starting it up, but still allow me to admin it locally, not via the webinterface if this is possible.
Would it be possible to add 3, 4, and 5 to my server.ini file?

Is it also possible to make my TS server a registered user only entrance, for private useage? If so, how?

It is a good idea to change the TCP Query port and the Web Interface port to something otehr then the default. Or for even more protection, just close those port with your router. Here are the lines in the "server.ini" file that you should change:

HTTPServer Port=14534
TCPQueryPort=51234

Just change them to anything not already being used.

If you want to disable others from using your web interface then change the value on this line:

HTTPServer Enabled=1

to 0

When I set mine like this

HTTPServer Enabled=0

My TS server won't even start ( administration is also greyed out on the local machine running the TS server)
So if the TS channel doesn't start with this setting, how do I get this to work?

Also, when I set the BoundToIp1=127.0.0.1 in my server.ini file the even registered users cant login

Don't be so sure, man. You would not find any ports on my TS-server, because nearly all ports (including those of TS) are hidden. Port-knocking does the trick of opening them. In my case, it is ~60000^12 combinations. Happy scanning! :-)

OTOH, a port knocking implementation is a totally different beast than a simple change of ports as was originally posited. You're comparing apples to oranges. :)

well i can't wait until TS3 is released...

i am tired of coming home everyday reconstructing everything these kids mess up. I have take just about every step possible to make it secure except the "knocking" option as mentioned before...

there are toooooooo many websites that have people making hack programs to screw with TS...
For example... ***** & nox

They have their own little utilities that give the power to a (u) user to create an admin account.... they have all kinds of tricky little programs that do other things as well... i discovered them by googling teamspeak hacks...

they have sites devoted to doing this type of stuff... i dont understand what things are motivated to do this... they need role models...

i was on my server along with my other members and i heard someone talking... but i couldn't see them... they have a program that makes them invisible... then they started spamming by making over 1000 channels and by having about 1000 users with the same name log on...

i really hope TS3 rids the world of these exploits! Come on guys/gals... I love TS... i know you can do it... make us proud!

1. Change the superadmin password to a harder password*

2. Limit the amount of SA's to people you fully trust and use harder passwords*

3. Revoke the ability for SA's to login Via the Web and TCP server

4. Revoke the ability for SA's to Grant SA's and revoke SA's

5. Disable the ability for SA's to remove a users registration or delete players

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

7. Add more characters to the DisAllowedClientNameChars in the server.ini
DisAllowedClientNameChars=()[]{}`~!@#$%^&*_-+=|\'";:<>,./?

8. Enable all logging to catch them if the try again

Also turn on logging and cut down on the commands per second in your server.ini


[log]
access_r=1
access_u=1
channel_registerred=1
channel_unregisterred=1
sa=1
chat=1
kick_server=1
kick_channel=1
[Spam]
max_commands=10
in_seconds=10



*Harder Password are:
- 8 to 20 characters
- Contain Upper and Lower case characters
- Contain embedded numbers
- Contain embedded non-Alphanumeric characters


If you have any more suggestions, please post them here.


(If it still gets hacked and messed up be sure to backup the server.ini file and the server.dbs file so you can reset the server back to its last backup)







How do I go about setting up No 8. I've not done this before an I don't want to mess it up.:)

If you read #8 you can see exactly how to do it: goto the server.ini and edit those last lines to look like the code section of the post you quoted.

I have followed every security suggestion that I can find. The only port I have open is the one needed to make Teamspeak work. SA's can only kick, ban and grant registration. Everyone else can do nothing. I also have the Flood Daemon running and yet I have been "Owned" twice this week.
Obviously TeamSpeak has a wide open front door security problem. Any program that allows a "Guest" to fully access the server database and do what ever they want to it totaly sucks.
What the hell drugs were the programmers on when they included complete access to the server by anyone?
What's the purpose of assigning rights and privaliges when anyone can do that themselves with the access that TeamSpeak gives them?

It's a great for online chatting but it just makes no sense to me why they added the extra functions to leave the barn door wide open to terrorists.:(

OK. Let me summarize this.


You have been "Owned" but you don't tell us in which way.
You say TeamSpeak has a wide open front door security problem, but you won't tell us what kind of problem.
TeamSpeak allows a "Guest" to fully access the server database, but you have no type of evidence for this. You didn't even attach a log file or anything that could help us investigating the issue you are having.
TeamSpeak sucks, because of point 3.
Our programmers intentionally "included" complete access to the server by anyone.
Our programmers where on drugs while doing so.


Do you think that this is the correct attitude? Do you think that anyone here still wants to help you after reading that?

I have been operating 14 free TeamSpeak servers for over 3 years now. I have had ONE hacked and that was because one of my admins incorrectly configured the firewall rules for that one server.

It is clear to me that many people who "operate" TeamSpeak servers:

A) Do not read the instructions, the FAQs or the forums to learn how to operate a server correctly
B) Think that free software should be perfect
C) Have no idea how to properly ask questions to resolve issues
D) Have no idea how to gather the information needed to help identify the problem(s) they are experiencing and
E) Would rather rant and flame about a problem likely caused by their own ignorance or apathy rather than provide the necessary information to identify what they did incorrectly to cause their issue in the first place.

While I believe I started this thread, I don't feel I have been rude or insulting to the developers or support staff. If I appear to have been, I apologize.

Bob, before you post here again, I ask you to walk around the block to regain your composure and try to provide useful information so the people here can actually provide you help.

Walkabout

I have been operating 14 free TeamSpeak servers for over 3 years now. I have had ONE hacked and that was because one of my admins incorrectly configured the firewall rules for that one server.

It is clear to me that many people who "operate" TeamSpeak servers:

A) Do not read the instructions, the FAQs or the forums to learn how to operate a server correctly
B) Think that free software should be perfect
C) Have no idea how to properly ask questions to resolve issues
D) Have no idea how to gather the information needed to help identify the problem(s) they are experiencing and
E) Would rather rant and flame about a problem likely caused by their own ignorance or apathy rather than provide the necessary information to identify what they did incorrectly to cause their issue in the first place.

While I believe I started this thread, I don't feel I have been rude or insulting to the developers or support staff. If I appear to have been, I apologize.

Bob, before you post here again, I ask you to walk around the block to regain your composure and try to provide useful information so the people here can actually provide you help.

Walkabout

I will back up that post anyday!

1. You have been "Owned" but you don't tell us in which way.

If I knew which way then I might know how to fix it! :mad:

They made themselves an SA then turned on all SA privilages, created about 300 SA users, wiped out all rooms and created about 300 rooms with all the same name "Owned".
My SA's can only kick, ban, text message, allow registration and move but they were able to make themselves an SA then they connected again and then turned on all permissions and took over the server.
I have all logging turned on but it shows nothing about how they did it except for a couple of failed sql commands.
Apparently they have full access to the server database and the log does not record sucessful sql scripts.

Also I have seen hackers with a long space at the begining of their name and a right click on them generates an error message before I can ban them.
Now they have a new trick. They do something to their "Guest" login so that an SA or CA can't do anything to them. If I right click on them all options are grayed out and I have no way to remove them.

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

These ports are not open on my router and cannot be accessed from the Internet.

"Do you think that this is the correct attitude? Do you think that anyone here still wants to help you after reading that?"

I'm sorry if I don't have a "correct attitude" but after having to start over and set up my server a number of times with the rooms, descriptions, re-register users, etc. I have a tendency to be a little upset. (pissed off).
It's not a matter of helping me, it's helping everyone as anyone's TS server could be their next conquest.

Many of the problems you describe (like not being able to kick a user, and getting an error (RichEdit error I'm betting) ) have been fixed in the latest server versions.

Try downloading the latest version 2.0.23.15 for starters.

Secondly, if that in and of itself doesn't solve your problem, make sure that each an every person on your server who has (SA) rights is using a nice, strong passphrase. "money" "sex" or "1337" are NOT good passwords.

"T34mSp34kIsK3wl" on the other hand, would be pretty hard to "hack".

Lastly - yes, it's upsetting to have to start over, but there are several things you can do right to avoid that kind of problem. The first would be to make regular backups of your server.dbs and server.ini file. Someone hacks your server? Shut it down, restore those files, and BLAM, in 60 seconds you're right back to normal.

What you should NOT do, is start posting in a forum, half-cocked, angry at the wrong people, for problems that are, frankly, as likely to be your own as they are anyone else's.

Remember - we learn from our mistakes. The catch is, you can learn one of two things - that "it isn't my fault, so I've got nothing to learn" or "what can I do to stop this happening again".

The choice is yours.

I hope you're happy with whichever one you choose.

It's sad when my friends come to me asking to help them get their server back under their control. Their providers are stupid. The provider does not realize that they would not have those problems if they had only upgraded from their 2.0.20.1!

I heard you could incript a certain file on the server and no one could take over the server. Has anyone heard of this technique? or is it blah blah blah

I heard you could incript a certain file on the server and no one could take over the server. Has anyone heard of this technique? or is it blah blah blah

blah blah blah

Keep it updated and do not fall for the tricks and no one can take over the server.

Stupid that logging all channels and users are default enabled.
i didnt know that it was possible.
and i am admin my self now for some years.

Moving this post.

I would like if it became possible to set a password on a sub-channel.