How to secure a manually set up service

Kernels & Hardware, configuring network, installing services

How to secure a manually set up service

Postby Ophrys » 2020-04-18 22:53

Hello everyone,

I have decided to set up a Teamspeak server on a remote server (Buster 10.3). I am a novice with security issues.
I care about security on that server, especially because it hosts my Nextcloud server. I have secured it the best I could by following the best guides I could find.

To set up the Teamspeak server:

I have created a new user with the --disabled-login option (I do have a '!' in /etc/shadow).
I have replaced /bin/bash by /usr/sbin/nologin in /etc/passwd (I do not know if that is relevant, because of the --disabled-login).

The server application is inside the home folder of that new user.
All files belong to that user and its group. Permissions are set to 755.

I have created /lib/systemd/system/teamspeak.service which contains:

Code: Select all
[Unit]
Description=TeamSpeak 3 Server
After=network.target
[Service]
WorkingDirectory=/home/teamspeak/
User=teamspeak
Group=teamspeak
Type=forking
ExecStart=/home/teamspeak/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/teamspeak/ts3server_startscript.sh stop
PIDFile=/home/teamspeak/ts3server.pid
RestartSec=15
Restart=always
[Install]
WantedBy=multi-user.target


and enabled the service with systemctl.

Your advices would be welcome.
In particular:
- are the above steps correct?
- I guess I can do nothing about possible Teamspeak vulnerabilities. In case somebody can exploit a security flaw, will this person be efficiently locked "inside" my new teamspeak user? Is the --disabled-login sufficient? Is there any way that person can manage to set up a password or worse?
- Many of my Nextcloud files are set to 755 by default. It is tempting to overwrite all permissions with something more restrictive like 750, but many files have specific permissions, so this is certainly not a good idea. So I have the feeling that my personal datas are very vulnerable.

As you can see, I know very little. I am not comfortable with using a software which 1/ is proprietary 2/ is not maintained by the Debian team or another team I can trust.
How could I secure my system? Some kind of chroot for my teamspeak user? Should I consider using Docker, virtualization or anything in that spirit?

That is a vast question, and there are certainly many excellent readings on that subject. But I do not know where to begin.

Thank you for your help!
Ophrys
 
Posts: 9
Joined: 2019-07-12 22:52

Re: How to secure a manually set up service

Postby cuckooflew » 2020-04-19 01:56

As you can see, I know very little. I am not comfortable with using a software which 1/ is proprietary 2/ is not maintained by the Debian team or another team I can trust.

So, why do you use software which 1/ is proprietary 2/ is not maintained by the Debian team ?
Seems to me like it would be better ask the teamspeak support team about this as well, or do they not offer any support ?, I certainly would not use any software I can not or do not trust, As you can see, I know very little, as well but I do know I would not use anything I can not trust, ...so I am curios as to why ?,
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
cuckooflew
 
Posts: 683
Joined: 2018-05-10 19:34
Location: Some where out west

Re: How to secure a manually set up service

Postby Ophrys » 2020-04-19 09:11

Thank you for your comment.

To use an analogy: let's imagine you have ten colleagues using Photoshop and a special plugin.
Would you tell them:
- forget Photoshop, I want you to use GIMP. About that plugin? Stop using it or write a new one.
- ok, I will install Photoshop and ask a forum how to properly configure it with Wine.

So I bet you understand my question better: it is not whether or not I should let the devil inside, it is how I can build a cage strong enough to contain the devil :wink:
About asking their support: would you ask them which kind of cage I should build? I prefer to ask you.
Ophrys
 
Posts: 9
Joined: 2019-07-12 22:52

Re: How to secure a manually set up service

Postby Head_on_a_Stick » 2020-04-19 10:37

Use this to check the security status for your custom service:
Code: Select all
systemd-analyze security teamspeak.service

Spoiler alert:
Code: Select all
Overall exposure level for teamspeak.service: 9.1 UNSAFE

See some of the native services for examples of how to apply systemd's hardening features to your unit file:
Code: Select all
systemctl cat systemd-timesyncd.service

But it's still a complete crapfest :mrgreen:

EDIT: local unit files should go under /etc/systemd/system/ rather than /lib/systemd/system/.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
User avatar
Head_on_a_Stick
 
Posts: 12785
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: How to secure a manually set up service

Postby cuckooflew » 2020-04-19 20:40

Post by Ophrys » 2020-04-19 09:11
Thank you for your comment.

You are welcome, and thank you very much for your explanation, I had not thought of it that way, Good analogy, I think H_O_A_S will be more help the I can be, but any way, again your welcome, you really made my day by saying thank you :D
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
cuckooflew
 
Posts: 683
Joined: 2018-05-10 19:34
Location: Some where out west

Re: How to secure a manually set up service

Postby CwF » 2020-04-20 03:57

If it's worth it to you, use a virtual machine.

Same answer for those tempted to use wine.
CwF
 
Posts: 812
Joined: 2018-06-20 15:16

Re: How to secure a manually set up service

Postby Ophrys » 2020-05-08 21:02

Hello,

Thank you very much for your answers.

I have begun to try the different directives (man systemd.directives) to increase the "Overall exposure level" from systemd-analyze security. It is a quiet long work, because I have to study the directives one by one.

I have tried to draw my inspiration from systemd-timesyncd.service, but the nature of this service is quiet different from teamspeak. If you can think of an example file that would match closely what I could do with teamspeak, I would be interested :)
Ophrys
 
Posts: 9
Joined: 2019-07-12 22:52

Re: How to secure a manually set up service

Postby santosha » 2020-05-20 00:28

How have you come along with securing your service?

From a security perspective, I would approach this from another angle. It is very hard to first punch a giant hole by using a non-trusted software and allowing access from anywhere, and then trying to limit the potential damage.

Could you "cage the beasts" network access? Maybe some simple form of port knocking that limits access to the service to your friends? That would improve security by A LOT.

Otherwise, just confining the potential attacker to userspace won't cut it. That is already a giant big hole. Look into sandboxing with libvirt and qemu/kvm. Setup a virtual network for the application, and close down all ports that are not needed for the application (inbound AND outbound). This way, should the application be compromised, the attacker is confined to a sandbox without the ability to spam/attack on the usual ports.
santosha
 
Posts: 7
Joined: 2020-05-11 19:47


Return to System configuration

Who is online

Users browsing this forum: No registered users and 17 guests

fashionable