#1 PilotMan, 18-06-2005, 21:59
Sticky Suggestions Administrators can use to Strengthen TS Security

1. Change the superadmin password to a harder password*

2. Limit the amount of SA's to people you fully trust and use harder passwords*

3. Revoke the ability for SA's to log in via the Web and TCP server

4. Revoke the ability for SA's to Grant SA's and revoke SA's

5. Disable the ability for SA's to remove a users registration or delete players

6. Disable the use of the web-interface and tcpquery-port through the server.ini (or you can block the ports by using a firewall and limit the access to certain IPs)

7. Add more characters to the DisAllowedClientNameChars in the server.ini
DisAllowedClientNameChars=()[]{}`~!@#$%^&*_-+=|\'";:<>,./?

8. Enable all logging to catch them if they try again

Also turn on logging and cut down on the commands per second in your server.ini

Code:
[log]
access_r=1
access_u=1
channel_registerred=1
channel_unregisterred=1
sa=1
chat=1
kick_server=1
kick_channel=1
[Spam]
max_commands=10
in_seconds=10

*Harder passwords are:
- 8 to 20 characters
- Contain Upper and Lower case characters
- Contain embedded numbers
- Contain embedded non-Alphanumeric characters


If you have any more suggestions, please post them here.


(If it still gets hacked and messed up, be sure to back up the server.ini file and the server.dbs file so you can reset the server back to its last backup)

Last edited by Bastian; 05-07-2006 at 13:51.

#2 sgtbenc, 12-08-2005, 03:02
4, 5 and 6 are very good things to do, but what does 7 have to do with anything?

#3 PilotMan, 12-08-2005, 03:23
Quote:
Originally Posted by sgtbenc
4, 5 and 6 are very good things to do, but what does 7 have to do with anything?
7 was an attempt to be a pain in the butt for what I have seen the hackers in their attacks use for names, nothing more.

#4 Frosted, 12-08-2005, 22:09
I would also recommend, depending on how paranoid you are and who you are trying to serve with your server, just changing the ports. Script-kiddies love default settings. As a general rule, you should change as many of them as possible. This is especially easy for Linux because chances are, you already have iptables installed.

If you are super paranoid, and worried that a compromised TS server can get them access to your box, think about using something like Xen. If you think running TS in a chroot is a chore, don't try this. It is a major system overhaul. http://www.cl.cam.ac.uk/Research/SRG/netos/xen/

Finally, there's going all the way "outside the box," which I intend to do, soon. I will post my scripts so that others can make use of them, but it essentially works this way: Someone wanting to use your server must register their IP address. Essentially, you point them at a URL, which the same box serves. You log their IP address and then amend your iptables rules to allow them into teamspeak. Only give the URL to those you want on the server. It's essentially a quick-and-dirty port knocker. I've done this for other things on my server (like phpmyadmin) so that I have to validate my access before the firewall will open to me. Then, of course, you have to validate with your long SA password, too, right?

I know all that sounds like a lot of work, but until TS3 hits the streets, everything we do is a workaround.
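
The registration step Frosted describes, sketched as an added example (not his scripts, which are not in the thread): it turns the web server's view of the visitor's address into an iptables argument list. It assumes the voice port is 8767/udp and that INPUT already drops that port for everyone else; `allow_rule`, `revoke_rule` and `register` are hypothetical names.

```python
import ipaddress

TS_PORT, TS_PROTO = 8767, "udp"   # assumed voice port/protocol; the thread names neither

def allow_rule(remote_addr, port=TS_PORT, proto=TS_PROTO, action="-I"):
    """Build the argv that opens `port` to one registered address.

    remote_addr must be the TCP peer address seen by the web server,
    never a form field or a client-supplied header.
    Raises ValueError for anything that is not a single usable host address.
    """
    # ip_address() rejects hostnames, CIDR ranges and strings such as "1.2.3.4; id"
    ip = ipaddress.ip_address(remote_addr.strip())
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; the rule must be IPv4
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"refusing to allowlist {ip}")
    if proto not in ("udp", "tcp") or not 1 <= int(port) <= 65535:
        raise ValueError("bad protocol or port")
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, action, "INPUT", "-s", str(ip),
            "-p", proto, "--dport", str(port), "-j", "ACCEPT"]

def revoke_rule(remote_addr, port=TS_PORT, proto=TS_PROTO):
    """Same rule with -D, for removing a registration."""
    return allow_rule(remote_addr, port, proto, action="-D")

def register(remote_addr, allowed, run):
    """Add at most one rule per address; `allowed` is the set already opened.

    `run` receives the argv list, e.g. lambda a: subprocess.run(a, check=True).
    Passing a list (no shell) keeps the address out of any command line parsing.
    """
    argv = allow_rule(remote_addr)
    source = argv[4]                 # canonical form of the address
    if source in allowed:
        return None                  # already registered, do not stack duplicates
    run(argv)
    allowed.add(source)
    return argv

if __name__ == "__main__":
    opened = set()
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1"):  # constructed
        print(register(peer, opened, run=lambda argv: None))          # dry run
```
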

#5 AMessler, 13-08-2005, 05:54
LoL

^^^^ changing ports does not do anything. You can change your ports all you want; I can scan the box and have the new ports in a matter of minutes. That only slows them down for about 2 to 3 minutes.

#6 Teddy, 16-08-2005, 19:14
Quote:
Originally Posted by AMessler
^^^^ changing ports does not do anything. You can change your ports all you want; I can scan the box and have the new ports in a matter of minutes. That only slows them down for about 2 to 3 minutes.
Don't be so sure, man. You would not find any ports on my TS-server, because nearly all ports (including those of TS) are hidden. Port-knocking does the trick of opening them. In my case, it is ~60000^12 combinations. Happy scanning! :-)

IMHO, the best way for TS would be to use it with xinetd and its connection-rate limiting feature. That would stop every password-guessing attempt. Unfortunately, afaik TS does not work with xinetd...

#7 Marik, 14-09-2005, 00:34
Quote:
Originally Posted by PilotMan
Code:
[log]
access_r=1
access_u=1
channel_registerred=1
channel_unregisterred=1
sa=1
chat=1
kick_server=1
kick_channel=1
[Spam]
max_commands=10
in_seconds=10
What does the special code do? I know what the spam does but not the log.

#8 PilotMan, 14-09-2005, 01:08
Quote:
Originally Posted by Marik
What does the special code do? I know what the spam does but not the log.
It enables logging of those events.

access_r=1 : Logs access to the server by registered users
access_u=1 : Logs access to the server by unregistered users
channel_registerred=1 : Logs channel switches and configuration changes for registered channels
channel_unregisterred=1 : Logs channel switches and configuration changes for unregistered channels
sa=1 : Logs Server Admin actions
chat=1 : Logs chat
kick_server=1 : Logs kicks from the server
kick_channel=1 : Logs kicks from the channel


max_commands=10
in_seconds=10

These two commands make it so someone can only send 10 commands to the server per ten seconds
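
An added example, not code from any poster: a check of a server.ini against the [log], [Spam] and DisAllowedClientNameChars values from post #1, whose meanings PilotMan explains above. The sample file and the `[ExampleSection]` name are constructed, since the thread does not say which section holds DisAllowedClientNameChars.

```python
import configparser

LOG_KEYS = ("access_r", "access_u", "channel_registerred", "channel_unregisterred",
            "sa", "chat", "kick_server", "kick_channel")   # [log] keys from post #1
NAME_CHARS = "()[]{}`~!@#$%^&*_-+=|\\'\";:<>,./?"          # item 7 of post #1
MAX_RATE = 10 / 10                                          # max_commands / in_seconds

# Constructed sample, not a real server.ini; [ExampleSection] is a placeholder name.
SAMPLE = r"""
[log]
access_r=1
access_u=0
sa=1
[Spam]
max_commands=50
in_seconds=10
[ExampleSection]
DisAllowedClientNameChars=()[]{}
"""

def audit_server_ini(text):
    """Return findings; an empty list means the file matches the thread's advice."""
    # interpolation=None: the name-character value contains '%', which the default
    # interpolation rejects on read-back. '=' is the only delimiter so ':' stays a value.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    sections = {name.lower(): cp[name] for name in cp.sections()}
    findings = []
    log = sections.get("log", {})
    for key in LOG_KEYS:
        if log.get(key, "0").strip() != "1":
            findings.append(f"[log] {key} is not 1")
    spam = sections.get("spam", {})
    try:
        rate = int(spam["max_commands"]) / int(spam["in_seconds"])
        if rate > MAX_RATE:
            findings.append(f"[Spam] allows {rate:g} commands/second, advice is {MAX_RATE:g}")
    except (KeyError, ValueError, ZeroDivisionError):
        findings.append("[Spam] max_commands/in_seconds missing or unusable")
    # The thread does not say which section holds this key, so look in all of them.
    configured = "".join(s.get("disallowedclientnamechars", "") for s in sections.values())
    missing = "".join(c for c in NAME_CHARS if c not in configured)
    if missing:
        findings.append(f"DisAllowedClientNameChars lacks: {missing}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_server_ini(SAMPLE)))
```
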

#9 poncho, 24-09-2005, 13:20
Another Point,

Always be suspicious of anyone that comes into your server that you do not know. If you have never spoken to them and they get heavily into talking with you (or sit there silently), they could be about to pop a question that you willingly do for them.
If they ever ask you about your server and what ports you're using if you have webadmin, this is a given but don't take it lightly; kick them if you think necessary.
5x out of 10 just kicking someone will send them away for good, as long as they don't think you're an easy crack.

Key to this post is, ALWAYS have your wits about you.

#10 Highguard, 08-10-2005, 10:09
Another thing: if someone asks you to click on their name and then hit Ctrl-E, don't do it. This will give them SA rights.

#11 sgtbenc, 08-10-2005, 18:45
Quote:
Originally Posted by Highguard
Another thing: if someone asks you to click on their name and then hit Ctrl-E, don't do it. This will give them SA rights.
Actually, all you need to do is right-click their name and press E.

#12 PilotMan, 09-10-2005, 01:23
Actually if you follow what I recommend, you couldn't even do that.

#13 Tink, 12-10-2005, 17:12
Best way to get secure? Don't use SA. Change it so that R has all the powers you need and only allow your admins to register. That way even if they get access to an admin's account they still can't use the html web based controls. Of course it's not an option if you have some elaborate ranking system, but they have never been my preference - Tink

#14 sgtbenc, 12-10-2005, 20:14
I considered this once, but like you said, if someone has an elaborate ranking system it isn't very helpful. For example there is no point in having Op or CA anymore. And then I can't give anyone partial power like over one particular channel because they won't get it back next time they log in unless they are registered. So it'll end up like this: ME (and maybe a select few others) have SA. People I trust enough for kicking and banning and channel editing and stuff are R. And everyone else is U. Another thing is (please correct me if I am wrong) registered users cannot talk in voice channels, but I guess they can give themselves auto voice if they wanted. But that's just one little problem that can be overcome. <-"The straw that broke the camel's back."

#15 PilotMan, 13-10-2005, 00:53
Quote:
Originally Posted by Tink
Best way to get secure? Don't use SA. Change it so that R has all the powers you need and only allow your admins to register. That way even if they get access to an admin's account they still can't use the html web based controls.
The easiest way to prevent SA's from getting into the web console is to follow the steps I listed in the first post and disable that ability for that level of administration. If people are to follow what you suggest then what is the point of having any level of administration at all?

You might as well give Guest (Unregistered) full control. I say that because it is just as easy to crack a Registered account as it is an SA account if registered have the same rights.


Quote:
Originally Posted by sgtbenc
I considered this once, but like you said, if someone has an elaborate ranking system it isn't very helpful. For example there is no point in having Op or CA anymore. And then I can't give anyone partial power like over one particular channel because they won't get it back next time they log in unless they are registered. So it'll end up like this: ME (and maybe a select few others) have SA. People I trust enough for kicking and banning and channel editing and stuff are R. And everyone else is U. Another thing is (please correct me if I am wrong) registered users cannot talk in voice channels, but I guess they can give themselves auto voice if they wanted. But that's just one little problem that can be overcome. <-"The straw that broke the camel's back."
The system currently in-place is not that elaborate, very few levels of administration available.

I believe to get auto-voice you must be registered (i.e. logging in with a specific name/password), correct me if I am wrong. Also remove any/all privileges from Anonymous players so they are motivated to register :-)
All times are GMT +1. The time now is 03:15.

