Encrypt SERVER.DB all passwords are in clear text, and a tip for those who get hacked

[whatsamatau]

It would be very wise to encrypt the server.dbs database file.
All passwords are clear text including superadmin. Simply open the SERVER.DBS file in any text editor. The user names & passwords are at the bottom. This is also useful if a member forgot their password. Simply use find to find there login name, the password is right next to it.
We have (with permission) remotely "obtained" read write access to the database file, obtained the superadmin password and took control through web admin.
This is a fundamental security flaw on many levels, that should be patched. And, as others have posted the password transfer needs to be secured.

Another security Flaw/Fix....
No limit on login tries, toped off with default admin and superadmin user names toped off with only 6 digit alpha numeric default passwords. You have to at least fix one or the other. It is a cake walk to program a auto login to brute force the admin passwords. Make it server side and flexible to kill logging attempts after like 3 or 5 bad retries and limit it to 30 min increments to allow logging in. Try modeling some UNIX security standards.

Encrypted voice channels would be the bomb too. Like along the lines of speak freely.

A tip to those that get hacked....
Always keep a current backup of your entire TS-server folder. If you get hacked and vandalized the recovery is two seconds to delete, copy, and paste, then immediately change admin passwords. I DO NOT RECOMMEND EDITING THE DBS FILE IN A TEXT EDITOR. When I tried it wouldn't allow any login except for guest* with no password or username. When I tried to restart the server the following error occurred "Error starting daemon. Aborted. Perhaps in a hex editor modifications to the database could be conveniently archived. I'll let you know when I try it. If your server is local disconnect from the internet while changing passwords and recovering the server. After recovery carefully review your security procedures. And, never have more then one server admin. Its the other guy you cant trust with it. That's what channel admin is for. If you can avoid it don't use remote admin. Fire wall the servers web admin port.
The registered users permissions are too light by default and should be customized to your needs. give them nothing more then is required.

*+*+*UPDATE/AFTER THOUGHT*+*+*

I have just thought of a good counter measure for your recovery backup.
1. make a backup of your TS directory after changing the default admin and superadmin passwords. The default passwords are very insecure.
2. Change your admin passwords again in your original directory. This will give you a clean, password protected recovery, especially for remote systems that can not be disconnected from the internet.
3. You can recover your server VIA, SSH-FTP (Preferably) and there (the hackers) auto login wont work for them when they try to reconnect with the old password. this will give you time to tidy things up.

I encourage you to get there (the hackers) ips when they try to reconnect using the old password. Then firewall it from the router. I know ip's are dime a dozen but for the average joe it works fine. I prefer using cisco equipment to get the ip detection and firewalling job done. Cisco will also let you firewall MAc-ID's more effective against IP spoofers. Team Speak needs to go with a GUID model similar to Punk Buster, to ban people along with their IP. Subnet banning should also be available.

Good Luck and I hope this helps.
whatsamatau.org

[m&m's]

i am no expert but cant you "depending on the operating system" encript a file or folder ? right click / propertys / general tab /advanced --- encrypt contance to secure data / ok

[whatsamatau]

You are...

A. assuming that the server is on a windows system, With MS encryption.

Most TS servers are run on linux systems.

B. Assuming that the system and daemon will correctly function with that file MS encrypted.

If you in fact run a MS-TS system with the server.dbs file encrypted, and, not logged in as Administrator, or have administrator rights involved (incase you didn't know a hacker has the same rights as the account being hacked), and everything is working fine. Then Plz say so. If you don't then research it, document it, and post it to this forum. What ever your results are. Don't feel ashamed if your wrong it happens.
And I aggree... your no expert. OK?

[m&m's]

You are...

A. assuming that the server is on a windows system.

Most TS servers are run on linux systems.

B. Assuming that the system and daemon will correctly function with that file MS encrypted.

If you in fact run a MS-TS system with the server.dbs file encrypted, and, not logged in as Administrator, or have administrator rights involved (incase you didn't know a hacker has the same rights as the account being hacked), and everything is working fine. Then Plz say so. If you don't then research it, document it, and post it to this forum. What ever your results are. Don't feel ashamed if your wrong it happens.
And I aggree... your no expert. OK?

a. i did state assuming on the OS , but yes i run a win 2000 pro
b. i did a few mins ago enctipt that file to see if i could log in - i could , but i dont feel i need to test this any farther , as i dont have a hacking proublem .
and i dont know what servers OS's are being hacked becuse no one ever states my linux ts server got hacked or my win 2000 server , xp , bla . bla server got hacked only it got hacked . witch 1/2 the time it was not hacked it was a sa right clicking & e short cut granting a stranger SA

[whatsamatau]

a. i did state assuming on the OS , but yes i run a win 2000 pro
b. i did a few mins ago enctipt that file to see if i could log in - i could , but i dont feel i need to test this any farther , as i dont have a hacking proublem .
and i dont know what servers OS's are being hacked becuse no one ever states my linux ts server got hacked or my win 2000 server , xp , bla . bla server got hacked only it got hacked . witch 1/2 the time it was not hacked it was a sa right clicking & e short cut granting a stranger SA

To properly test your server encrypt the file server.dbs "RESTART THE SERVER" before doing anything. Run it in non administrator and try to access it remotely with a user name and password "AFTER ENCRYPTING". I get the feeling that you are in admin running the server and logging in locally, and not restarting the server after the encryption. that's not how you test a server. Not to mention there is much more to that post then what you are talking about. And, why does it seem you feel it necessary to dumb down security on something so critical. You seem to be arguing the point to "NOT" make the database secure. Perhaps you are from goonz and the unencrypted server.dbs is the weakness. Hummmm I wonder.

Whatsamatau

[m&m's]

no I am not with those turds called the ***** lol and like I stated I don't and have never had trouble with the ***** hacking my server, I have run a server for years , but I am not dumb/unaware enough to fall for any right click e trick no matter how it is ask for .and have baned 30 or more for asking. I am only a user that helps out in the fourms. if you want to test security hash's and file security go for it . I don't have ports open in my router or my web admin open to the world and if there is a hole it is most likely , with the default admin / 6 car password being bruited with a password gen , or a ts server hosted on a system with no security .and r-click-e all of witch I have stated in many posts should be looked into by users . and ts3 will have some sort of encrypted file on passwords if the dev's run with there plans stated in the past , so I restate I am not wasting my time to test something I don't feel I need . but I did post info for others to use if they so chose to try.

oh and yes i did restart my server and yes i logged in as admin and a (U) user fine both trys

[whatsamatau]

If this 'THREAD" doesn't apply to you why are you unnecessarily posting reply's to it? (this is a rhetorical question plz don't feel the need to reply.)

Dude get over it and move to a channel that cares about your off topic banter. I'm trying to be nice but you are making it hard for me to not really make you look like an ass. I'm sure your a little kid maybe 17 that needs to get a life...... But, you have no place in this forum thread. I appreciate your suggestion to use MS encryption but that's a very limited (and as far as I know) an untested or unreliable fix. Other then that your....
Forget it just get a life

[m&m's]

i think you posted in the suggestions thread . i my only posting a suggestion as well so piss off if you don't like it ! encrypting the files has been asked for 100's of times , and the dev's have responded . oh but you have not speant the time to look or read the fourms to know that .... and my SUGGESTION was to see if you / or someone who needed it , an idea/suggestion that would not take the dev team to make a app change to try .. so test away .... or not there choice

[whatsamatau]

Thx Cracker
I think he posts just to see his numbers go up.
He would be more helpful if he stayed on topic and kept the irrelevant things he had to say to himself. Though I do appologize to m&m's for being a lil short with him.

BTW my original post has more information and suggestions from the original post. Enjoy and I hope it helps make TS better.

PS. I would love to hear a TS DEV's opinian on my post.

[m&m's]

I think he posts just to see his numbers go up.

i post to help out and the mods can reset my post count to "0" any time they want and i will still help out

He would be more helpful if he stayed on topic and kept the irrelevant things quote hos is a diferant point of view off topic

????? you just want the devs to fix something you think is broke for you and i came up with a diferant way to do it with out a rewrite of ts for windows sys anyway , and to top it off i am on topic the topic is encryption of a file ..only diferance is you want dev team to do it and i came up with a way to do it your self , if linux cant do encryption then that is the flaw , not ts's falt if your system is not secure . if your system was secure noone could read the file !!!

and on a windows sys with encryption set you can't read a encrypted file enless you got that users name and password for the user that encrypted it , becuse username/password is a part of the encryption process . on top of that if there are two users on the same sys and one encrypts a file the other user can not read it , so my idea of encrypting a file is not so far feched as you think . but still not tested by me , i will leave that to someone who needs it

[Peter]

Hum,

the search function comes up with multiple threads about the topic, and it has been said that for TS3 we are definitely going for hashed passwords in the database. Encrypting the database would require a key, which would have to be stored/remembered somehow, which is a chicken and egg problem. So hashing is the answer, but I assume you mean that (look up the difference on wikipedia if you don't know it).
Oh, by the way - if you really want this functionality, it's already possible with teamspeak2, albeit not default or even very easy to use: You need to use mysql instead of the default sqlite database (see INSTALL.mysql file), and you need to rewrite the sql scripts that come with the teamspeak server to not save the string directly but instead apply a hash (sha-1 or the weak md5) to the string before saving it, and comparing to the a hashed version when verifying the password. Has been done and documented on this forum too (search!).

[whatsamatau]

Hum,

the search function comes up with multiple threads about the topic, and it has been said that for TS3 we are definitely going for hashed passwords in the database. Encrypting the database would require a key, which would have to be stored/remembered somehow, which is a chicken and egg problem. So hashing is the answer, but I assume you mean that (look up the difference on wikipedia if you don't know it).
Oh, by the way - if you really want this functionality, it's already possible with teamspeak2, albeit not default or even very easy to use: You need to use mysql instead of the default sqlite database (see INSTALL.mysql file), and you need to rewrite the sql scripts that come with the teamspeak server to not save the string directly but instead apply a hash (sha-1 or the weak md5) to the string before saving it, and comparing to the a hashed version when verifying the password. Has been done and documented on this forum too (search!).

And I'm sorry for losing my temper with M&M's and have deleted my flame.
And, I did search. I must not have chosen the right strings.
And, having to sift through ignorant garbage is also a challange.
I wish all posts were as helpfull as yours pwk.linuxfan. If that were the case flaming and hard to find info wouldnt exist.

EDIT: deleted a dozen of pointless posts. Why post when there is nothing to be said except push the other to post more garbage? CLOSED.