Setting Up and Securing a Linux Teamspeak Server
by williamruckman
This article will walk you through setting up and securing your Linux Teamspeak server, and how to set it up to run as a service that can also start at boot time. Just downloading and running the software is a really bad idea, as it is not set up for security. If a vulnerability were ever discovered in the Teamspeak software and you were attacked, an attacker could gain the same permissions as the user the server runs as. I will show you how to set up Teamspeak with rock solid security.
This is a general walk through for Teamspeak RC2 Linux Server.
This instructable is brought to you by William Ruckman of ( http://ruckman.net/archives.htm#TEAMSPEAK )
Download the Teamspeak Server Software
Download the Teamspeak server software from:
http://www.teamspeak.com/?page=downloads
You will want the "TeamSpeak 2 Server" in the "Linux" section.
EXAMPLE:
You can run the command:
wget ftp://ftp.freenet.de/pub/4players/teamspeak.org/releases/ts2_server_rc2_202319.tar.bz2
Login, Create User and Group
SSH to your server if remote or open a terminal on your GUI if local.
Log in as root, or type:
su -
to get root privileges with the root profile. You will need to enter the root password.
Create the teamspeak group by typing:
groupadd teamspeak
Create the teamspeak user by typing:
useradd -g teamspeak teamspeak -s /sbin/nologin
-g sets the group the user will be added to, and -s is very important because setting the shell to /sbin/nologin prevents this user from logging in to the system.
Install the Software
Once the user is created, a home directory will normally have been created for it, such as /home/teamspeak.
If not, issue:
mkdir /home/teamspeak
Copy the teamspeak software to this directory using:
cp ts2_server_rc2_202319.tar.bz2 /home/teamspeak
Uncompress the archive using:
cd /home/teamspeak
tar -jxvf ts2_server_rc2_202319.tar.bz2
The software is now located in /home/teamspeak/tss2_rc2. I don't like this, so I move it up into the /home/teamspeak directory and hand ownership to the teamspeak user and group using the following commands:
cd /home/teamspeak/tss2_rc2
cp -R * /home/teamspeak
cd /home/teamspeak
rm -R -f tss2_rc2
chgrp -R teamspeak /home/teamspeak
chown -R teamspeak /home/teamspeak
Certain files do not show up until after the initial start of the server. You will have to start the server.
./teamspeak2-server_startscript start
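A post-install check for the steps above, added here as an example and not part of the original article: it confirms the teamspeak account cannot log in, and lists files under the install directory that are not owned by that account or are world-writable (for example, files created by a first start run as root). The function names and the constructed sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# check_account USER [PASSWD_FILE]: succeed only if USER exists, is not UID 0,
# and has a non-login shell. Prints the reason on failure.
check_account() {
    entry=$(grep "^$1:" "${2:-/etc/passwd}") || { echo "no account $1"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$uid" -ne 0 ] || { echo "$1 has UID 0"; return 1; }
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) echo "$1 can log in with shell '$shell'"; return 1 ;;
    esac
}

# risky_files DIR USER: list entries under DIR that are not owned by USER
# (name or numeric UID) or that any local user may write to.
# Symlinks are skipped because their mode is always 777.
risky_files() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -0002 \) -print
}

# Demo on constructed data so the script runs on any machine.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'teamspeak:x:501:501::/home/teamspeak:/sbin/nologin' > "$tmp/passwd"
    check_account teamspeak "$tmp/passwd" && echo "account OK"
    touch "$tmp/server.ini" && chmod 666 "$tmp/server.ini"
    risky_files "$tmp" "$(id -u)"   # lists only the world-writable server.ini
    rm -rf "$tmp"
}
demo
```

On the server itself, run check_account teamspeak and then risky_files /home/teamspeak teamspeak; no output from the second command means ownership and permissions are as intended.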
Login to the Admin Interface, Change Passwords.
There are two ways to do this: the web interface or the telnet interface. You only need to do one or the other. I will list the web interface method first and the telnet interface method second.
WEB METHOD
After the server is started, you must log in to the web interface (if you are in init 5) or the telnet TCP query port (if you are in init 3 and don't want to go to graphical mode).
In order to do this, you must be on the console if you have a firewall, as I haven't told you how to open up the ports yet.
For the web interface, you must go to the URL:
http://127.0.0.1:14534
You will have to log in with a pre-defined password. You can get this password from the server log file. You can open it with your favorite text editor or with the following command:
joe /home/teamspeak/server.log
NOTE: I am using the joe editor. If you have not used this editor before, you can get help by hitting Ctrl+K, H. Obviously, you can use any editor that pleases you, such as vi, kate, kwrite, and so on.
Then log in to the web interface using the superadmin account and change both the superadmin password and the admin password.
TELNET METHOD
To do this via the TCP query port type:
telnet 127.0.0.1 51234
slogin superadmin LOGFILEPASSWORD
sel 8767
dbsuserlist *(TAKE NOTE OF THE SUPERADMIN ID)
dbsuserchangepw SUPERADMINID PASSWORD PASSWORD
dbuserlist *(TAKE NOTE OF THE ADMIN ID)
dbuserchangepw ADMINID PASSWORD PASSWORD
serverset server_password PASSWORDTOLOGIN (THIS IS FOR USER ACCESS)
serverset server_name YOURSERVERNAME
serverset server_maxusers MAXUSERS (VALUE OF 0-32000)
serverset server_welcomemessage WELCOMEMESSAGE (YOUR MOTD)
quit
Change / Update Server Configuration
It is now time to change the server configuration file. Before these settings take effect you must restart the Teamspeak server. See troubleshooting for how to do this.
The file we will have to edit is server.ini
joe /home/teamspeak/server.ini
In this file there are many options. Most of these options can also be set in the telnet session. These are the ones you should customize; the others are optional:
[Main Config]
BoundToIp1= YOUREXTERNALADAPTERIP (USE IFCONFIG COMMAND TO OBTAIN)
ExternalIPDectection=1 (WINDOWS ONLY, IGNORE)
HTTPServer Port=14534 (LEAVE AS DEFAULT)
HTTPServer Enabled=1 (LEAVE AS DEFAULT)
DateTimeFormat=dd-mm-yyyy hh:nn:ss (LEAVE AS DEFAULT)
TCPQueryPort=51234 (LEAVE AS DEFAULT)
AllowedClientNameChars= (OPTIONAL)
DisAllowedClientNameChars=()[] (OPTIONAL)
[debug]
MessageTypes=LMTALL (LEAVE AS DEFAULT)
MessageDepths=LMDALL (LEAVE AS DEFAULT)
[WebPost]
AdminEmail= YOURADMINEMAIL (ENTER YOUR E-MAIL)
ISPLinkURL= YOURWEBSITEURL (ENTER YOUR WEBSITE URL)
ISPName= YOURISPNAME (YOUR ISP NAME)
ISPCountryNumber=2457 (LEAVE AS DEFAULT)
Enabled=0 (1=ENABLE WEBPAGE STAT POSTING)
PostURL= (THE WEB STAT URL TO POST TO)
ListPublic=0 (LIST YOUR SERVER PUBLICLY?)
UserAgent=teamspeak (LEAVE AS DEFAULT)
[log]
access_r=0 (OPTIONAL)
access_u=0 (OPTIONAL)
channel_registerred=0 (OPTIONAL)
channel_unregisterred=0 (OPTIONAL)
sa=0 (OPTIONAL)
chat=0 (OPTIONAL)
kick_server=0 (OPTIONAL)
kick_channel=0 (OPTIONAL)
[Spam]
max_commands=10 (MAX NUMBER OF CHAT POSTS)
in_seconds=2 (IN # OF SECONDS)
[ISP] (OPTIONAL - NOT INCLUDED)
GFX URL= (BANNER IMAGE)
Change Firewall Settings
You will now have to open your UDP port 8767 so that you and others can connect to the teamspeak server.
joe /etc/sysconfig/iptables
and enter this line in the iptables file:
-A INPUT -m state --state NEW -m udp -p udp --dport 8767 -j ACCEPT
or if you are using Ubuntu with UFW:
ufw allow 8767/udp
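A check to run against the iptables file after editing it, added here as an example and not part of the original article: it reports whether any INPUT rule accepts remote traffic to the two administrative ports used earlier in this walkthrough (14534 for the web interface, 51234 for the TCP query port), which the steps above leave closed. The function name and the constructed sample rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# exposed_admin_ports RULES_FILE
# Prints each TeamSpeak admin port (14534 web, 51234 query, both TCP) that an
# INPUT rule with an explicit --dport accepts from a non-loopback source.
# Single ports and lo:hi ranges are handled; rules without --dport are ignored.
exposed_admin_ports() {
    awk '
    BEGIN { admin[1] = 14534; admin[2] = 51234 }
    $1 == "-A" && $2 == "INPUT" {
        accept = 0; udp = 0; loopback = 0; lo = -1; hi = -1
        for (i = 3; i < NF; i++) {
            if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            if ($i == "-p" && $(i+1) == "udp")    udp = 1
            if ($i == "-s" && $(i+1) ~ /^127\./)  loopback = 1
            if ($i == "-i" && $(i+1) == "lo")     loopback = 1
            if ($i == "--dport") {
                n = split($(i+1), r, ":")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            }
        }
        if (!accept || udp || loopback || lo < 0) next
        for (k = 1; k <= 2; k++)
            if (admin[k] >= lo && admin[k] <= hi) print admin[k]
    }' "$1" | sort -un
}

# Demo on a constructed rules file so the script runs on any machine.
demo() {
    rules=$(mktemp) || return 1
    cat > "$rules" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8767 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 51000:52000 -j ACCEPT
EOF
    exposed_admin_ports "$rules"   # prints 51234: the range covers the query port
    rm -f "$rules"
}
demo
```

On the server, run exposed_admin_ports /etc/sysconfig/iptables; empty output means only the voice port added above is reachable from outside.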
Troubleshooting
Starting and stopping the server:
From the Teamspeak directory ( /home/teamspeak/ ) run:
./teamspeak2-server_startscript stop
./teamspeak2-server_startscript start
If you get an error with a "caret M" (^M) in it, then the service scripts have Windows carriage-return control characters in them. Remove these characters with the following command:
tr -d '\015' < inputfilename > outputfilename
Replace inputfilename with the original file, and outputfilename with the file to write the fixed contents to. They cannot be the same.
On some platforms, you may get an exception error. To fix this, add the following command to the beginning of the Teamspeak start command:
setarch i386 COMMAND