-
-
Notifications
You must be signed in to change notification settings - Fork 407
Teamserver Security Considerations Guidelines
It's extremely recommended to minimize access to the Teamserver port as much as possible as I cannot ever guarantee that there won't be security vulnerabilities within the Teamserver (either through the client port or its listeners)
Therefore, when exposing the Teamserver port to the internet it is recommended to whitelist client IP addresses using a firewall either at the OS level or through network ACLs (e.g. Amazon VPC Firewall).
The Teamserver itself enforces authentication by checking a cookie sent by the client (which is generated via HMAC). If any client connection to the Teamserver does not contain the authorization cookie, it will be rejected.
Listeners are spun up in their own separate process. Because of this Connection objects are used between the listeners and the main Teamserver thread in order to receive events and data. Due to the nature of the way these Connection objects work, data received by them are pickled. From a security standpoint, pickling untrusted data is a horrible idea, however I've tried to mitigate this by putting the data in a tuple before the Connection object pickles stuff. From my testing this seems to mitigate potential RCE vulnerabilities.
- To Do
- To Do
- To Do