How to secure a manually set up service

Linux Kernel, Network, and Services configuration.
Ophrys
Posts: 9
Joined: 2019-07-12 22:52

How to secure a manually set up service

#1 Post by Ophrys »

Hello everyone,

I have decided to set up a Teamspeak server on a remote server (Buster 10.3). I am a novice with security issues.
I care about security on that server, especially because it hosts my Nextcloud server. I have secured it the best I could by following the best guides I could find.

To set up the Teamspeak server:

I have created a new user with the --disabled-login option (I do have a '!' in /etc/shadow).
I have replaced /bin/bash by /usr/sbin/nologin in /etc/passwd (I do not know if that is relevant, because of the --disabled-login).

The server application is inside the home folder of that new user.
All files belong to that user and its group. Permissions are set to 755.

I have created /lib/systemd/system/teamspeak.service which contains:

[Unit]
Description=TeamSpeak 3 Server
After=network.target
[Service]
WorkingDirectory=/home/teamspeak/
User=teamspeak
Group=teamspeak
Type=forking
ExecStart=/home/teamspeak/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/teamspeak/ts3server_startscript.sh stop
PIDFile=/home/teamspeak/ts3server.pid
RestartSec=15
Restart=always
[Install]
WantedBy=multi-user.target

and enabled the service with systemctl.

Your advice would be welcome.
In particular:
- are the above steps correct?
- I guess I can do nothing about possible Teamspeak vulnerabilities. In case somebody can exploit a security flaw, will this person be efficiently locked "inside" my new teamspeak user? Is the --disabled-login sufficient? Is there any way that person can manage to set up a password or worse?
- Many of my Nextcloud files are set to 755 by default. It is tempting to overwrite all permissions with something more restrictive like 750, but many files have specific permissions, so this is certainly not a good idea. So I have the feeling that my personal data is very vulnerable.

As you can see, I know very little. I am not comfortable with using software which 1/ is proprietary 2/ is not maintained by the Debian team or another team I can trust.
How could I secure my system? Some kind of chroot for my teamspeak user? Should I consider using Docker, virtualization or anything in that spirit?

That is a vast question, and there are certainly many excellent readings on that subject. But I do not know where to begin.

Thank you for your help!

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: How to secure a manually set up service

#2 Post by cuckooflew »

As you can see, I know very little. I am not comfortable with using software which 1/ is proprietary 2/ is not maintained by the Debian team or another team I can trust.
So, why do you use software which 1/ is proprietary 2/ is not maintained by the Debian team?
Seems to me like it would be better to ask the teamspeak support team about this as well, or do they not offer any support? I certainly would not use any software I cannot or do not trust. As you can see, I know very little as well, but I do know I would not use anything I cannot trust... so I am curious as to why?
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

Ophrys
Posts: 9
Joined: 2019-07-12 22:52

Re: How to secure a manually set up service

#3 Post by Ophrys »

Thank you for your comment.

To use an analogy: let's imagine you have ten colleagues using Photoshop and a special plugin.
Would you tell them:
- forget Photoshop, I want you to use GIMP. About that plugin? Stop using it or write a new one.
- ok, I will install Photoshop and ask a forum how to properly configure it with Wine.

So I bet you understand my question better: it is not whether or not I should let the devil inside, it is how I can build a cage strong enough to contain the devil :wink:
About asking their support: would you ask them which kind of cage I should build? I prefer to ask you.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: How to secure a manually set up service

#4 Post by Head_on_a_Stick »

Use this to check the security status for your custom service:

systemd-analyze security teamspeak.service
Spoiler alert:

Overall exposure level for teamspeak.service: 9.1 UNSAFE

See some of the native services for examples of how to apply systemd's hardening features to your unit file:

systemctl cat systemd-timesyncd.service

But it's still a complete crapfest :mrgreen:

EDIT: local unit files should go under /etc/systemd/system/ rather than /lib/systemd/system/.
deadbang

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: How to secure a manually set up service

#5 Post by cuckooflew »

Post by Ophrys » 2020-04-19 09:11
Thank you for your comment.
You are welcome, and thank you very much for your explanation, I had not thought of it that way. Good analogy. I think H_O_A_S will be more help than I can be, but anyway, again you're welcome, you really made my day by saying thank you :D

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: How to secure a manually set up service

#6 Post by CwF »

If it's worth it to you, use a virtual machine.

Same answer for those tempted to use wine.

Ophrys
Posts: 9
Joined: 2019-07-12 22:52

Re: How to secure a manually set up service

#7 Post by Ophrys »

Hello,

Thank you very much for your answers.

I have begun to try the different directives (man systemd.directives) to increase the "Overall exposure level" from systemd-analyze security. It is quite long work, because I have to study the directives one by one.

I have tried to draw my inspiration from systemd-timesyncd.service, but the nature of this service is quite different from teamspeak. If you can think of an example file that would match closely what I could do with teamspeak, I would be interested :)

santosha
Posts: 7
Joined: 2020-05-11 19:47

Re: How to secure a manually set up service

#8 Post by santosha »

How have you come along with securing your service?

From a security perspective, I would approach this from another angle. It is very hard to first punch a giant hole by using non-trusted software and allowing access from anywhere, and then try to limit the potential damage.

Could you "cage the beast's" network access? Maybe some simple form of port knocking that limits access to the service to your friends? That would improve security by A LOT.

Otherwise, just confining the potential attacker to userspace won't cut it. That is already a giant big hole. Look into sandboxing with libvirt and qemu/kvm. Set up a virtual network for the application, and close down all ports that are not needed for the application (inbound AND outbound). This way, should the application be compromised, the attacker is confined to a sandbox without the ability to spam/attack on the usual ports.
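A hardened version of the unit from post #1, written as an added example (not from the thread, not from TeamSpeak) that applies the approach of post #4 (systemd hardening directives) and the network caging of post #8: every directive used exists in Buster's systemd 241, and the address ranges are placeholders to replace with your friends' networks.

```ini
# /etc/systemd/system/teamspeak.service (local units go here, as post #4 notes).
# Added example, not from the thread or from TeamSpeak; only directives present
# in Buster's systemd 241. Re-check with: systemd-analyze security teamspeak.service
[Unit]
Description=TeamSpeak 3 Server (hardened)
After=network.target

[Service]
WorkingDirectory=/home/teamspeak/
User=teamspeak
Group=teamspeak
Type=forking
ExecStart=/home/teamspeak/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/teamspeak/ts3server_startscript.sh stop
PIDFile=/home/teamspeak/ts3server.pid
RestartSec=15
Restart=always

# Filesystem: whole tree read-only except the server's own directory.
# ProtectHome=yes is not usable while the server lives under /home (move it to /opt for that).
ProtectSystem=strict
ReadWritePaths=/home/teamspeak
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Privileges: no setuid/setgid escalation, no capabilities, no new namespaces.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes

# Syscalls: the generic network-daemon set, with the privileged group denied.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged

# Network: IPv4/IPv6 sockets only and, where cgroup v2 BPF filtering is
# available, only from your friends' addresses (placeholder ranges below).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=203.0.113.0/24 2001:db8::/32

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and a restart, confirm the server still starts before trusting the new exposure score, since ProtectSystem=strict and the syscall filter will surface any path or call the start script needs that this unit does not allow. IPAddressDeny/IPAddressAllow need cgroup v2 BPF support to take effect, so verify they are in force rather than assuming it.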
