Suggestions Administrators can use to Strengthen TS Security

[Tink]

Sgtbenc, those are the implications and you are perfectly right, except AV does require registered.

Secondly, you could disable webaccess for SA but then you have lost the ability to give that control to others. Using R as an inchannel SA gives you 3 tiers of control, and gives less admins SA meaning there are less opportunities for passwords to be guessed, thus lowering risk. Since you can also give these select few R accounts for use on the server the SA account need not ever enter the TS server meaning hackers need to guess the name AND password. So yes it is more secure with the obvious problems of CA V O etc. It would be remiss of you to look at securing a server and not look at limiting webaccess to as few people as possible since it allows you to delete the accounts of offline members. This is one of the only ways to gain complete control over a teamspeak server without the requirement for all the SA to be online at the time of takeover.

You might as well let Guest (Unregistered) full control. I say that because it is just as easy to crack at Registered account that is an SA account if registered have the same rights.

Simply because I have a different opinion to you pilot, gives you no right to attack with such stupid arguments. Suggesting that making R equivalent to SA is in anyway similar to giving an unregistered user full admin is complete bullshit assuming you limit access to R. Sure you can crack a R account as easily as a SA account, but an UNREGISTERED account is completely unpassworded, that is its nature. If you are going to get paranoid about security then limiting the amount of access to the website by limiting access is beneficial. Since passwords are passed uncoded and can be captured limiting the amount of them being sent is surely a sensible idea. If you are going to argue don't lower the tone. - Tink

[velusip]

Change permissions of all server files so that only owners can read or write to them. Especially ini, dbs, and log.

[PilotMan]

Sgtbenc, those are the implications and you are perfectly right, except AV does require registered.

Secondly, you could disable webaccess for SA but then you have lost the ability to give that control to others. Using R as an inchannel SA gives you 3 tiers of control, and gives less admins SA meaning there are less opportunities for passwords to be guessed, thus lowering risk. Since you can also give these select few R accounts for use on the server the SA account need not ever enter the TS server meaning hackers need to guess the name AND password. So yes it is more secure with the obvious problems of CA V O etc. It would be remiss of you to look at securing a server and not look at limiting webaccess to as few people as possible since it allows you to delete the accounts of offline members. This is one of the only ways to gain complete control over a teamspeak server without the requirement for all the SA to be online at the time of takeover.

Simply because I have a different opinion to you pilot, gives you no right to attack with such stupid arguments. Suggesting that making R equivalent to SA is in anyway similar to giving an unregistered user full admin is complete bullshit assuming you limit access to R. Sure you can crack a R account as easily as a SA account, but an UNREGISTERED account is completely unpassworded, that is its nature. If you are going to get paranoid about security then limiting the amount of access to the website by limiting access is beneficial. Since passwords are passed uncoded and can be captured limiting the amount of them being sent is surely a sensible idea. If you are going to argue don't lower the tone. - Tink

Your are right, I didn't fully understand your security scheme until I have re-read this a few times.

So you have created a few registered accounts that have full server right (basically an SA) and those account rarely login which is a method of security through obscurity (a valid scheme).

I come from a network administrators background, so multiple levels of security groups is natural for me. I wish I could require password complexity through TS, but I am doing that manually by assigning my SA's their passwords. The only remote management tool I have enabled it the WebSite management which is on a different IP than the server and only the SuperAdmin accounts I have created can log in here to do management.

Change permissions of all server files so that only owners can read or write to them. Especially ini, dbs, and log.

I don't believe this has any effect on TS Security and I'm not really sure what advantage this would give you, unless someone logged into your server that was not an administrator of the machine.

[sgtbenc]

Well, this will all be much better in TS3. (Totally customizable permissions.)

[[AI] EAT_MY_SHORTS]

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

Hello,

I am starting up a server for the first time and I wanted to make it more secure. However, I don't know what every line in the server.ini file means and I don't know what line represents the use of the web-interface and the tcpquery-port. Can someone please explain me what to alter in that file in order to do that?

Thanks in advance.

[sgtbenc]

It is a good idea to change the TCP Query port and the Web Interface port to something otehr then the default. Or for even more protection, just close those port with your router. Here are the lines in the "server.ini" file that you should change:

HTTPServer Port=14534
TCPQueryPort=51234

Just change them to anything not already being used.

If you want to disable others from using your web interface then change the value on this line:

HTTPServer Enabled=1

to 0

[WalkaboutTigger]

Yes, but how do you disable the TCP Query port? Can you just set the value to blank and have it not work?

[PilotMan]

Yes, but how do you disable the TCP Query port? Can you just set the value to blank and have it not work?

I set mine to 0 and I think it disabled it (or it set it to a port not available)

[sgtbenc]

I set mine to 0 and I think it disabled it (or it set it to a port not available)

I know of no other way to do what you ask. So I believe that is the best course of action.

[breadtrk]

Why can't TS just be made secure on the front end? Not a blast, but a serious question. If all these hacks and troubles are known, why not make the next version secure from the install? Make complex password rules a matter of setup.

[sgtbenc]

why not make the next version secure from the install?

Maybe the are making the next version more secure. I think the reason they are not really updating TS2 is because they are getting too much preasure to finish TS3.

[breadtrk]

TS3 is what I was refering to. Perhaps they can set it up so that it is impossible to have an unsecure server?

I would rather them take another year or two and get it right, than rush from pressure.

[sgtbenc]

Well, it is rather simple to make your server secure. But, I do see your point.

[slim4d]

Thanks to all for the help, also the group that hacked us were from skullzclan.com (pk3 - is the tag name)They are some nasty folks, they don't play by the rules...

[Marcus]

How about commands so you can do them in a chatbox like IRC, and also, block the possibility of a SERVER ADMIN (ROOT/Owner) to be banned or edit, only normal server admins should be killed, not the owner like I did! That needs to be fixed in your next version also time bas and other commands that are not there.