I have decided to set up a Teamspeak server on a remote server (Buster 10.3). I am a novice with security issues.
I care about security on that server, especially because it hosts my Nextcloud server. I have secured it the best I could by following the best guides I could find.
To set up the Teamspeak server:
I have created a new user with the --disabled-login option (I do have a '!' in /etc/shadow).
I have replaced /bin/bash by /usr/sbin/nologin in /etc/passwd (I do not know if that is relevant, because of the --disabled-login).
The server application is inside the home folder of that new user.
All files belong to that user and its group. Permissions are set to 755.
I have created /lib/systemd/system/teamspeak.service which contains:
[Unit]
Description=TeamSpeak 3 Server
After=network.target

[Service]
WorkingDirectory=/home/teamspeak/
User=teamspeak
Group=teamspeak
Type=forking
ExecStart=/home/teamspeak/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/teamspeak/ts3server_startscript.sh stop
PIDFile=/home/teamspeak/ts3server.pid
RestartSec=15
Restart=always

[Install]
WantedBy=multi-user.target
Your advice would be welcome.
In particular:
- are the above steps correct?
- I guess I can do nothing about possible Teamspeak vulnerabilities. In case somebody can exploit a security flaw, will this person be effectively locked "inside" my new teamspeak user? Is the --disabled-login sufficient? Is there any way that person can manage to set up a password or worse?
- Many of my Nextcloud files are set to 755 by default. It is tempting to overwrite all permissions with something more restrictive like 750, but many files have specific permissions, so this is certainly not a good idea. So I have the feeling that my personal data is very vulnerable.
As you can see, I know very little. I am not comfortable with using software which 1/ is proprietary and 2/ is not maintained by the Debian team or another team I can trust.
How could I secure my system? Some kind of chroot for my teamspeak user? Should I consider using Docker, virtualization or anything in that spirit?
That is a vast question, and there is certainly a lot of excellent reading material on that subject. But I do not know where to begin.
Thank you for your help!
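The "chroot or container?" part of the question can be answered without either: systemd can sandbox the service itself. The following is an added example, not code from the original post and not from TeamSpeak. It is a drop-in that layers systemd's hardening directives on top of the unit shown in the post, and it assumes the unit is named teamspeak.service, that the server lives in /home/teamspeak as in the post, and that systemd is the Debian buster version (241), so only directives that exist in 241 are used. The port numbers in the comments are TeamSpeak's documented defaults, not something read from this server.

```ini
# /etc/systemd/system/teamspeak.service.d/hardening.conf
# Added example (not from the original post or from TeamSpeak).
# Assumptions: unit name teamspeak.service, install path /home/teamspeak,
# systemd 241 (Debian 10 "buster").
[Service]
# Nothing the process execs can gain privileges (setuid, file capabilities).
NoNewPrivileges=yes
# The server runs as an unprivileged user and binds only unprivileged ports
# (defaults: 9987/udp voice, 10011/tcp query, 30033/tcp filetransfer),
# so it needs no capabilities at all.
CapabilityBoundingSet=
AmbientCapabilities=
# Entire filesystem read-only except what ReadWritePaths lists.
ProtectSystem=strict
# Hide every home directory behind an empty tmpfs, then map only
# /home/teamspeak back in (writable, so logs, the SQLite db and the PID
# file still work). PIDFile= is read by systemd from the host side, which
# sees the same directory because BindPaths is a bind mount, not a copy.
ProtectHome=tmpfs
BindPaths=/home/teamspeak
ReadWritePaths=/home/teamspeak
# Private /tmp and /dev; no access to kernel tunables, modules or cgroups.
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Only the socket families the server needs; no new namespaces, no
# realtime scheduling, no personality() tricks.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Seccomp: the "typical service" syscall set, native ABI only; anything
# else fails with EPERM instead of killing the process, which shows up in
# the journal and is easier to debug.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Files the server creates (logs, database) are not group/world readable.
UMask=0077
# Optional: refuse writable+executable memory mappings. Assumption, not
# verified for ts3server: uncomment, restart, and keep it only if the
# server still starts and runs normally.
#MemoryDenyWriteExecute=yes
```

After writing the file run `systemctl daemon-reload`, `systemctl restart teamspeak`, and `systemd-analyze security teamspeak.service`, which prints an exposure score for the unit before and after the drop-in; `journalctl -u teamspeak` shows any directive the server cannot live with. Two things the sandbox does not fix and that matter for the question about being "locked inside" the teamspeak user: a locally written unit belongs in /etc/systemd/system rather than /lib/systemd/system, which is reserved for package-managed units, and because every file under /home/teamspeak is owned and writable by the same user the server runs as, an attacker who gets code execution in the server can overwrite the server's own binaries and start script and survive a restart. Making the program files root-owned (mode 755) and leaving only the directories the server must write (logs, files, the database) owned by the teamspeak user closes that, and ReadWritePaths can then be narrowed to those directories.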