
Ability to create an "Exempt List"


K9Trooper
29-12-2003, 18:48
It would be a neat option to have the names on the "Super Admins" list exempt from getting kicked or banned. There has been a problem with people getting SA and banning other SAs and deleting channels. I think anyone that is listed as "Super Admins" should be exempt, and the only way it could get edited would be either through the web admin or server.ini, maybe even binding the exempt list to those people's IPs (full IP or wildcard) if possible.

Peter
30-12-2003, 20:26
Usually you just shouldn't give SA to anybody that you don't trust 100%. If people "get SA" and you don't know why, download a b46 release and turn on all logging capabilities, and you should be able to figure out what's happening.

K9Trooper
30-12-2003, 21:17
Originally posted by pwk.linuxfan
Usually you just shouldn't give SA to anybody that you don't trust 100%. If people "get SA" and you don't know why, download a b46 release and turn on all logging capabilities, and you should be able to figure out what's happening.

The problem is that 2 of my clan's servers got hijacked by people we never gave SA to. On one of the servers this happened twice! This is not an isolated case either. Look in your own forums and you will see. Somehow, some way, these people got SA and banned the other SAs. They also created accounts and granted SA to those other accounts. All I am saying is there should be a safeguard for the "Super Admins". I know that "Super Admin" only applies to admining the server settings and stuff through the web browser, but don't you think that there should be a safeguard for those on that list through TS itself?

What if out of the blue one of your SAs gets pi$$ed off and decides to go rogue on you? It would be nice to be protected in your own server and not have to go through the BS of deleting your name from your own server's ban list the hard way.

b46 isn't the answer to every problem out there. It would be nice to have an exempt/protected setting for people of my choosing.

Peter
31-12-2003, 08:01
Well,


About the "issue" that I am supposed to be able to find in "your own forums": the webserver list tells me there are currently about 15000 (!) TeamSpeak Servers online. We have maybe 10 reports over the last year or so... do the maths :). There has not been one proven exploit of TeamSpeak security to gain ServerAdmin.
There have been some claims from users that their servers were hacked, but it seems 90% of those reports are people that have a nickname containing (R SA), and the admins are fooled by this and think the user really has admin.
Then the "rights fakers" usually say "Weeee I have SA, I bet you can't revoke it", and when the admin hits "ServerAdmin" in the player menu, he is not revoking, but granting SA. That's when the kicking/banning part starts.
The other 10% seem to be users that leak passwords (for example by leaving around a TeamSpeak.Conf file that contains admin passwords), or users choosing passwords like "1234" or "password".

About this exempt list: a ServerAdmin cannot do anything against the superadmin. So nobody can shoot down your server; you can always revoke his rights with superadmin, make yourself new accounts, and put everything right again.

Just DON'T give ServerAdmin to people you don't trust. Usually nobody except you on clan servers. Your members don't need SA to be "cool". If you want, you can also just disallow ServerAdmins to do stuff like revoke registration and ban users.

K9Trooper
31-12-2003, 14:36
Originally posted by pwk.linuxfan
Well,


About the "issue" that I am supposed to be able to find in "your own forums": the webserver list tells me there are currently about 15000 (!) TeamSpeak Servers online. We have maybe 10 reports over the last year or so... do the maths :). There has not been one proven exploit of TeamSpeak security to gain ServerAdmin.
There have been some claims from users that their servers were hacked, but it seems 90% of those reports are people that have a nickname containing (R SA), and the admins are fooled by this and think the user really has admin.
Then the "rights fakers" usually say "Weeee I have SA, I bet you can't revoke it", and when the admin hits "ServerAdmin" in the player menu, he is not revoking, but granting SA. That's when the kicking/banning part starts.
The other 10% seem to be users that leak passwords (for example by leaving around a TeamSpeak.Conf file that contains admin passwords), or users choosing passwords like "1234" or "password".

About this exempt list: a ServerAdmin cannot do anything against the superadmin. So nobody can shoot down your server; you can always revoke his rights with superadmin, make yourself new accounts, and put everything right again.

Just DON'T give ServerAdmin to people you don't trust. Usually nobody except you on clan servers. Your members don't need SA to be "cool". If you want, you can also just disallow ServerAdmins to do stuff like revoke registration and ban users.

You just do not get it, do you? You talk to me like I am some kind of idiot. I have been running "Build 46" and the logs show nothing helpful. Do you understand how gaming clans work? The leaders of the clans get the "server administrator" levels and then the other levels go to people that do specific duties for the clan. We do not hand out SA as if it were candy.

Explain to me how these people that put "(R SA)" next to their name can kick and ban when no one gave them the privilege to do so? I would say that the developers should have something to say about this too. It would be nice to have a safeguard against it, and you are basically telling me that you all don't care about the owners of the servers. TeamSpeak is a good product, but there is room for security improvements and you just want to ignore or blow off a suggestion, claiming it is nonsense. Your refusal to even consider a security feature like this shows your mind is closed on anything that may improve the security of this product.

Oh... Having Super Serveradmin doesn't protect you when you log on to the server via the TS Client, so you still can get banned if it does get hijacked.

Guten Tag und auf Wiedersehen
~K9

:mad:

Neo227
01-01-2004, 00:03
I can honestly tell you that the last time it happened to us, nobody had time to click on their names. They logged in as unregistered SA, and kicked 6 or 7 people before any of us had time to react.

As we tried to log in to kick them out, we were banned from the server before they could get kicked. There is an exploit that is being used. We know the person that knows the exploit, but do you think he is going to tell you, or any of us, what it is? Then he wouldn't be able to use it anymore.

Peter
02-01-2004, 05:03
Give me the logs and stop babbling without backing it up with facts.

ATWadmin
13-01-2004, 08:57
I hope that "pwk.linuxfan" can provide the stats that he has quoted above to prove that no TeamSpeak server has ever been hacked and that all the users are not too bright or use "password" for a password (some do, I will admit, but 10% is a bit much), and 90% of people being stupid enough to not know who they have given admin rights to is again a little bit beyond the realms of belief.

If and I say IF he is one of TeamSpeak’s coders then I’ll be looking for an alternative program ASAP.

Any real programmer would listen to reports of hacking and look into it with an open mind, not just get on his high horse and blame the user. It's the biggest excuse out there, and in some cases a valid one, but 2 people with the same problem saying the same things should be looked at.

To add a .ini type file to make a list of users immune to kick or ban and get TS2 to read it is not rocket science and should be easy to code into any future release.

It would be a helpful addition to help stop the above problems once they occur, but finding the security hole and plugging it to stop this happening would be preferable.

And by the way, the server webadmin page can be hacked as it has no lockout feature for incorrect password attempts. I tried it the other day and gave up around 35 failed attempts and it still let me in. A 3 strikes and timed lockout feature would be a good security addition as well, and if you say do not use it, then it would mean that some poor sod has wasted time programming it for nothing and it should not be a part of TS2.
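
The "three strikes and timed lockout" gate the post above asks for, as an added example written for this page (it is not TeamSpeak's code and says nothing about how its webadmin actually works). The class name `LoginGuard`, the constants `MAX_FAILURES` and `LOCKOUT_SECONDS`, and the injectable `clock` are this example's own assumptions; the password check itself is stubbed as a boolean so the lockout logic can be tested on its own.

```python
import time
from collections import defaultdict

# Added example, not TeamSpeak's code. The limits below are assumptions;
# they are the "3 strikes" and a 5-minute timeout discussed in the thread.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 300


class LoginGuard:
    """Counts consecutive failed logins per key and refuses further attempts,
    even with the right password, until a timed lockout expires."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock              # injectable so tests can fake time
        self._failures = defaultdict(int)   # key -> consecutive failures
        self._locked_until = {}             # key -> unix time the lockout ends

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the state so the next try starts fresh.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, key, password_ok):
        """Return True only if the key is not locked out AND the password was right.
        A correct password during a lockout is still refused, which is the point:
        the attacker cannot simply keep guessing until a guess lands."""
        if self.is_locked(key):
            return False
        if password_ok:
            self._failures.pop(key, None)
            return True
        self._failures[key] += 1
        if self._failures[key] >= self.max_failures:
            self._locked_until[key] = self.clock() + self.lockout_seconds
        return False


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: three bad guesses, then the
    # real password is refused until the timeout has passed.
    now = [1000.0]
    guard = LoginGuard(clock=lambda: now[0])
    key = "admin@192.0.2.10"          # account + source address, see note below
    for _ in range(3):
        print("bad guess allowed?", guard.attempt(key, False))
    print("locked:", guard.is_locked(key))
    print("right password during lockout:", guard.attempt(key, True))
    now[0] += LOCKOUT_SECONDS + 1
    print("right password after lockout:", guard.attempt(key, True))
```

The key matters as much as the counter. Locking on the account name alone lets anyone lock the real admin out of the webadmin by typing three wrong passwords; locking on the source address alone is sidestepped by rotating addresses. Keying on the pair, as the walk-through does, is the usual compromise, and the failure counter should be reset only by a successful login, not by the passage of time before the lockout triggers.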

Dummer Sack
13-01-2004, 12:50
I believe that there are TS servers out there that were hacked.

The question is how did they get hacked?
Was it a general flaw in the TS program (except that the passwords are transferred in cleartext)?

Or was it just careless usage of the passwords/careless choosing of the passwords.
In the latter case the TS team cannot do a thing about it.

Also: no one ever did give a proof or hint of how his server got hacked (brute force, line snooping, his own stupidity). So there is nothing that the TS Team can fix.

K9Trooper
13-01-2004, 17:57
Originally posted by Dummer Sack
I believe that there are TS servers out there that were hacked.

The question is how did they get hacked?
Was it a general flaw in the TS program (except that the passwords are transferred in cleartext)?

Or was it just careless usage of the passwords/careless choosing of the passwords.
In the latter case the TS team cannot do a thing about it.

Also: no one ever did give a proof or hint of how his server got hacked (brute force, line snooping, his own stupidity). So there is nothing that the TS Team can fix.

Like I said up top, an "Exempt List" that is part of the .ini and not the webadmin would be best. That way it can only be edited right on the computer.

I did find one issue that could have been the problem with one of the instances that happened (not on my personal server but the main clan one). When you grant someone SuperAdmin you NEED to enter a password for them. That registered person's password does NOT follow him to the SuperAdmin list. If you leave it blank it basically is an open invite. I think the main owner of my old clan's TS listed his name as a SuperAdmin but didn't enter a PW, thinking it carried over. I also found that if 2 or more people join the server at the same time, their joining of the server doesn't always get logged.

My overall thought is that there may be a way for someone to "Bruteforce" themselves to the SuperAdmin page and grant SA's do their crap and then delete the granted SA's and themselves.

To help eliminate simple PWs, the computers at my wife's work require that the passwords contain at least 2 #'s, both UPPERCASE and lowercase letters, and be 8 characters to be valid. ex. 12dlEOmN

Maybe TS needs to evaluate some kind of measures kind of like that (1 # and 1 UC in the PW)

Peter
13-01-2004, 18:25
Originally posted by ATWadmin
I hope that "pwk.linuxfan" can provide the stats that he has quoted above to prove that no TeamSpeak server has ever been hacked and that all the users are not too bright or use "password" for a password (some do, I will admit, but 10% is a bit much), and 90% of people being stupid enough to not know who they have given admin rights to is again a little bit beyond the realms of belief.


Well, I would like you to read my post with a bit more care if you are going to criticise it. Not only do I state that these stats are just what it "seems" to me, I am not classifying 90% or 10% of ALL TeamSpeak ServerAdmins; I am classifying those 10 (more or less) reports I have heard of TeamSpeak Servers being hacked. So 90% results in 9 servers being hacked and reported to this board due to fooled admins, and 10% results in 1 server. Please note I have not done extra research to verify these numbers, but I have taken every "hack" report seriously, and have talked to the involved admins, and got an impression of how things had happened.


If and I say IF he is one of TeamSpeak’s coders then I’ll be looking for an alternative program ASAP.

Any real programmer would listen to reports of hacking and look into it with an open mind not just get on his high horse and blame the user. It’s the biggest excuse out there and in some cases a valid one but 2 people with the same problem saying the same things should be looked at.


First off, no, I am NOT a developer. But (again) I would like to ask you to take a bit more time reading what I say. Not only am I taking every post about a security breach seriously, I am also offering my help in finding out how it happened (-> I request the logfiles). What I refuse to help on is the creation of an "auto-retaliate" script that should protect certain users. The reason is: IF there is any security hole that leads to admin rights (or similar), then I want that hole fixed, and I am particularly unwilling to "ease the pain" of a hole that I get absolutely no details on (log files etc.).

Edit: About you, K9Trooper: I was not aware that some users might think in the way you outlined (password will be used for superadmin automatically), but you can expect the next server version to require you to enter stuff in the password field in webadmin :) - Maybe for the final we can include some "password strength" algorithm that will warn users that choose too simple passwords.
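
A password check that does both things discussed in this thread: refuse an empty SuperAdmin password outright (K9Trooper's "open invite" case) and flag weak ones using the composition rules K9Trooper quotes from his wife's workplace (8 characters, at least 2 digits, upper and lowercase), plus the two passwords Peter mentioned earlier ("1234", "password"). This is an added example written for this page, not TeamSpeak's code; the function names, the constants and the tiny common-password list are this example's own assumptions.

```python
import re

# Added example, not TeamSpeak's code. The rule set and the names are assumptions
# taken from the thread: 8+ characters, >= 2 digits, upper- and lowercase, and
# the two weak passwords Peter named as a stand-in for a real blocklist.
MIN_LENGTH = 8
MIN_DIGITS = 2
COMMON_PASSWORDS = {"1234", "password"}


def password_problems(pw):
    """Return a list of human-readable problems; an empty list means it passes.
    Returning every problem at once lets the webadmin show the user all of
    them instead of one per round-trip."""
    if pw is None or pw == "":
        # The blank-password case: reject outright rather than registering an
        # admin account that anyone can log in to.
        return ["password is empty"]
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(re.findall(r"\d", pw)) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def is_acceptable(pw):
    return not password_problems(pw)


if __name__ == "__main__":
    # Constructed inputs: the thread's own example and the two weak ones.
    for candidate in ["12dlEOmN", "", "1234", "password"]:
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```

Composition rules on their own only raise the cost of guessing; they do nothing against a leaked TeamSpeak.Conf, and they are worth having mainly alongside a login lockout so that the webadmin cannot be hammered with guesses at all.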

Dummer Sack
13-01-2004, 23:54
Originally posted by K9Trooper
I also found that if 2 or more people join the server at the same time, their joining of the server doesn't always get logged.

If that is true then this should be fixed.
If you can reproduce that, please report it in Mantis (mantis.teamspeak.org).

ATWadmin
14-01-2004, 06:03
OK, for the first time last night I opened up our TS2 server, and within 2 hrs I had the same problems as mentioned above.

I use a random password program to generate an 8-digit alphanumeric password, changed every month, for the 4 server admins, all of whom I know personally and trust. I am the only person that will give out admin status; the other admins will only give out channel admin rights. We had someone come in to the server telling us he was going to kick us out.
One of the server admins spoke to him while I went to ban him (a system we'd set up when we set TS2 up). I saw his name with a (U) after it change to (R SA), and no server admin did this. He banned the admin that was speaking to him before I banned him.
That was on the 2.0.19.40 version server, so sorry, no logs.

This morning I have updated to .46 and enabled the logs. As you are well aware, this is still a use-at-your-own-risk dev version, not a public release, so most people will not use it, and as a result you won't get the logs to prove it for now.

The main reason for my criticism was more for the tone and attitude in which you addressed the other posts in this thread; it was very off-handed.

You will also note that I agreed with you that some people do use stupid passwords.

I also strongly disagree with the "auto-retaliate" idea; it's not a road I would like to go down and is not what anyone here was asking for.

What was asked for was a way to STOP the server admins from being kicked which, as I said, is not too hard to write into the program.
It already has a bad-name file that is read; why not a file so that the server doesn't kick/ban its own admins?
This is not an auto-retaliate program, it's an admin protection file that should only be accessible to the superserveradmins and manually edited so only trusted (real) server admins are in it.

I am pleased that you have changed your tone and approach in this thread and given a better explanation of where you stand on this matter. If it happens again to me I will have the logs for you, as it only took 2 hours from going public last night; I might give it another go tonight :D
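
The "admin protection file" sketched in the two ATWadmin posts and in K9Trooper's opening post (a list kept in the .ini rather than the webadmin, optionally tied to the admins' IPs), as an added example written for this page. It is not TeamSpeak's code and does not reflect its server.ini format: the `[exempt]` section, the `name = network, network` layout, the `PROTECTED_ACTIONS` set and the function names are all this example's own assumptions, and the addresses are constructed documentation ranges.

```python
import configparser
import ipaddress

# Added example, not TeamSpeak's code or its server.ini format. Section name,
# key layout, addresses and function names are assumptions made for this page.
EXAMPLE_INI = """
[exempt]
; one protected admin per line: login name = allowed source network(s)
K9Trooper = 192.0.2.0/24, 198.51.100.7
ATWadmin = 203.0.113.0/24
"""

# Actions a server-side check refuses against a listed admin. Anything else
# (moving, muting, sending a message) is left alone.
PROTECTED_ACTIONS = {"kick", "ban", "revoke_serveradmin"}


def load_exempt_list(ini_text):
    """Parse the [exempt] section into {login name: [allowed networks]}.
    Reading it from the .ini on disk (never from the webadmin) is the point:
    changing it needs access to the host, which a rogue ServerAdmin lacks."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cfg.optionxform = str           # keep login names case-sensitive
    cfg.read_string(ini_text)
    exempt = {}
    if not cfg.has_section("exempt"):
        return exempt
    for name, nets in cfg.items("exempt"):
        exempt[name] = [ipaddress.ip_network(n.strip(), strict=False)
                        for n in nets.split(",") if n.strip()]
    return exempt


def is_protected(exempt, login_name, source_ip):
    """True only if the login name is listed AND the connection comes from one
    of its allowed networks. Both must match: a nickname alone, the "(R SA)"
    trick described earlier in the thread, is not enough."""
    nets = exempt.get(login_name)
    if not nets:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def authorize(exempt, action, target_name, target_ip):
    """Decide server-side whether an action may be applied to a target.
    Returns (allowed, reason). Because the check runs in the server and not
    in the client, it holds no matter who holds ServerAdmin at the time."""
    if action in PROTECTED_ACTIONS and is_protected(exempt, target_name, target_ip):
        return False, f"{target_name} is on the exempt list; {action} refused"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a ban against a listed admin from his own
    # network is refused; the same name from elsewhere is not protected.
    ex = load_exempt_list(EXAMPLE_INI)
    print(authorize(ex, "ban", "ATWadmin", "203.0.113.5"))
    print(authorize(ex, "ban", "ATWadmin", "10.0.0.5"))
    print(authorize(ex, "move", "ATWadmin", "203.0.113.5"))
```

Two caveats a practitioner would want with this. First, the list only does what the post asks for, protecting listed admins from kick/ban/revoke; it does not stop the intruder from doing anything else, and it needs the target's login name to be the authenticated account, not the display nickname, or the "(R SA)" spoof simply moves to the exempt list. Second, binding to source networks helps against a hijacked account used from elsewhere, but a rogue admin on his own listed network stays protected, which is the "auto-retaliate" worry Peter raised: the list mitigates the damage, it does not replace finding out from the logs how SA was obtained.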