From f9b077f7e86f3cb5ffd0e1d17354c15024958ecf Mon Sep 17 00:00:00 2001 From: Tobias Gall Date: Thu, 11 Feb 2021 11:04:00 +0100 Subject: [PATCH] Add allowed and denied peer to turnserver.conf Following [1] and [2] the TURN-Server can be used to access the network behind the TURN-Server or the server can be abused to relay attacks on the internet. To work around those problems the `denied-peer-ip` and `allowed-peer-ip` settings should be used. [1] https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/ [2] https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/ --- _posts/2019-02-14-setup-turn-server.md | 31 +++++++++++++++++++++----- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/_posts/2019-02-14-setup-turn-server.md b/_posts/2019-02-14-setup-turn-server.md index 08b088af..edea9f2d 100644 --- a/_posts/2019-02-14-setup-turn-server.md +++ b/_posts/2019-02-14-setup-turn-server.md @@ -104,10 +104,12 @@ $ sudo chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/coturn Use the file below for `/etc/turnserver.conf` and make the following changes: -* Replace `` with the hostname of your TURN server, and -* Replace `` with the realm of your TURN server, and -* Replace `` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`) -* Replace `` with the external IP of your TURN server +* Replace `` with the hostname of your TURN server. +* Replace `` with the realm of your TURN server. +* Replace `` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`). +* Replace `` with the external IP of your TURN server. +* Replace `` with the IP Address of your BigBlueButton-Server. + * Repeat `allowed-peer-ip=` for each IPv4 and IPv6 for every BigBlueButton-Server. This configuration file assumes your TURN server is not behind NAT and has a public IP address. 
@@ -115,8 +117,8 @@ This configuration file assumes your TURN server is not behind NAT and has a pub listening-port=3478 tls-listening-port=443 -listening-ip=$IP -relay-ip=$IP +listening-ip= +relay-ip= # If the server is behind NAT, you need to specify the external IP address. # If there is only one external address, specify it like this: @@ -127,6 +129,23 @@ relay-ip=$IP #external-ip=172.17.19.131/10.0.0.11 #external-ip=172.17.18.132/10.0.0.12 +# Flag that can be used to disallow peers on well-known broadcast addresses +# (224.0.0.0 and above, and FFXX:*). This is an extra security measure. +# +no-multicast-peers + +# Option to allow or ban specific ip addresses or ranges of ip addresses. +# If an ip address is specified as both allowed and denied, then the ip address is +# considered to be allowed. This is useful when you wish to ban a range of ip +# addresses, except for a few specific ips within that range. +# +# This can be used when you do not want users of the turn server to be able to access +# machines reachable by the turn server, but would otherwise be unreachable from the +# internet (e.g. when the turn server is sitting behind a NAT) +denied-peer-ip=0.0.0.0-255.255.255.255 +denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +allowed-peer-ip= + min-port=32769 max-port=65535 verbose
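Review bot: in the first hunk (the bullet list under "make the following changes"), the new sub-bullet tells the reader to repeat `allowed-peer-ip=` for every address, but the config file in the same patch shows only one `allowed-peer-ip=` line, so someone who copies the file verbatim ends up with a single entry; suggest spelling out the common case in the bullet, e.g. "one `allowed-peer-ip=` line per address (its IPv4 and its IPv6 address)", and reading "for each IPv4 and IPv6 address" rather than "for each IPv4 and IPv6". The rewritten bullet "Replace `` to a random value" also kept the original "to" where the surrounding bullets use "with".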
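Review bot: the second hunk swaps `$IP` for a bare placeholder in `listening-ip=` and `relay-ip=`, which is unrelated to the allowed/denied-peer change named in the subject; either mention it in the commit message or split it into its own commit. As rendered here the placeholder token between the backticks is not visible at all (`listening-ip=` with nothing after it), so double-check that the intended angle-bracket token survives the site's markdown rendering, otherwise readers see an empty value and the bullet "Replace `` with the external IP" has nothing to point at.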
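Review bot: in the third hunk, the two catch-all `denied-peer-ip` ranges cover every IPv4 and IPv6 address, so an `allowed-peer-ip=` that is left unfilled (or dropped while editing) means coturn refuses permissions to every peer and relaying fails closed rather than open; a comment line directly above `allowed-peer-ip=` saying "one line per BigBlueButton address, see the instructions above" would make that hard to miss. `no-multicast-peers` becomes redundant once all of IPv4/IPv6 is denied, though it is harmless. It is also worth a sentence in the comment explaining why the deny list is the whole address space instead of the usual private/loopback ranges: with allowed entries overriding denied ones (as the comment already states), the filter no longer depends on coturn's default deny list, which is the list reference [2] in the commit message describes being bypassed.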
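The commit message recommends `denied-peer-ip` and `allowed-peer-ip` as the mitigation, and the config comment in the patch states the rule coturn applies (an address matching an allowed entry is allowed even if it also matches a denied range). The following is an added example, not code from coturn or from the BigBlueButton project, that models that rule over a constructed `turnserver.conf` snippet so a deployer can check what the resulting filter lets through before restarting the service. The sample addresses 203.0.113.10 and 2001:db8::10 are documentation-range placeholders standing in for a BigBlueButton server; the range syntax (single address or inclusive `first-last`) is taken from the patch, and any other coturn behaviour is not modelled.

```python
"""Evaluate coturn-style allowed/denied peer rules from a turnserver.conf snippet.

Added example (not coturn's or BigBlueButton's code). Models only the rule the
patched config comment states: an `allowed-peer-ip` match overrides any
`denied-peer-ip` match; with no rules at all, every peer passes.
"""
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Range = Tuple[IPAddr, IPAddr]

# Constructed sample mirroring the patched config. 203.0.113.10 and
# 2001:db8::10 are placeholders for the BigBlueButton server's addresses.
SAMPLE_CONF = """
listening-port=3478
no-multicast-peers
denied-peer-ip=0.0.0.0-255.255.255.255
denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
allowed-peer-ip=203.0.113.10
allowed-peer-ip=2001:db8::10
"""


def parse_range(text: str) -> Range:
    """Accept a single address or an inclusive 'first-last' range (as in the patch)."""
    text = text.strip()
    first, last = text.split("-", 1) if "-" in text else (text, text)
    lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad peer range: {text!r}")
    return lo, hi


def load_peer_rules(conf: str) -> Tuple[List[Range], List[Range], List[str]]:
    """Collect allowed/denied ranges plus findings a deployer should fix first."""
    allowed: List[Range] = []
    denied: List[Range] = []
    findings: List[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("allowed-peer-ip", "denied-peer-ip"):
            continue
        if not value:
            # The placeholder from the instructions was never filled in.
            findings.append(f"line {lineno}: {key}= has no value (placeholder left unfilled?)")
            continue
        (allowed if key == "allowed-peer-ip" else denied).append(parse_range(value))
    if not denied:
        findings.append("no denied-peer-ip rules: relay can reach any address the host can")
    return allowed, denied, findings


def _in_ranges(addr: IPAddr, ranges: List[Range]) -> bool:
    # Compare only within the same IP version; mixed comparisons raise TypeError.
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)


def peer_allowed(conf: str, peer: str) -> bool:
    """True if a permission/channel towards `peer` would pass the IP filter."""
    allowed, denied, _ = load_peer_rules(conf)
    addr = ipaddress.ip_address(peer)
    if _in_ranges(addr, allowed):
        return True          # allowed wins even inside a denied range
    return not _in_ranges(addr, denied)


if __name__ == "__main__":
    for peer in ("203.0.113.10", "10.0.0.5", "127.0.0.1", "2001:db8::10", "::1"):
        print(f"{peer:>16}: {'allowed' if peer_allowed(SAMPLE_CONF, peer) else 'denied'}")
    for finding in load_peer_rules("denied-peer-ip=0.0.0.0-255.255.255.255\nallowed-peer-ip=\n")[2]:
        print("finding:", finding)
```

Run against the real `/etc/turnserver.conf` by reading the file into `conf` and probing the addresses that matter: the BigBlueButton server's addresses should come back allowed, while loopback, the TURN host's own address and private ranges should come back denied; the findings list catches the unfilled placeholder case, where the catch-all deny ranges would otherwise block every peer.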