From aa1b0fa1c69f8c5b6a8b8b99cfb0d931930c2317 Mon Sep 17 00:00:00 2001 From: Nazar Rudenko Date: Thu, 13 Apr 2023 11:47:16 +1000 Subject: [PATCH] Security updates for default turn server configuration. (#196) * Adding more secure configuration to turn server * Updated so CoTurn config will work inside docker * Whitelist TURN local ip so we can still connect when signalling and CoTURN are colocated on the same machine --- .../platform_scripts/bash/Start_TURNServer.sh | 2 +- .../platform_scripts/bash/docker-start-turn.sh | 8 ++++++-- .../platform_scripts/cmd/Start_TURNServer.ps1 | 4 ++-- SignallingWebServer/turnserver.conf | 15 +++++++++++++++ 4 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 SignallingWebServer/turnserver.conf diff --git a/SignallingWebServer/platform_scripts/bash/Start_TURNServer.sh b/SignallingWebServer/platform_scripts/bash/Start_TURNServer.sh index 74c5f742..811a8b9f 100755 --- a/SignallingWebServer/platform_scripts/bash/Start_TURNServer.sh +++ b/SignallingWebServer/platform_scripts/bash/Start_TURNServer.sh @@ -26,7 +26,7 @@ echo "" # Hmm, plain text realm="PixelStreaming" process="turnserver" -arguments="-p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -n -u ${turnusername}:${turnpassword}" +arguments="-c turnserver.conf --allowed-peer-ip=$localip -p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -u ${turnusername}:${turnpassword}" # Add arguments passed to script to arguments for executable arguments+=" ${cirruscmd}" diff --git a/SignallingWebServer/platform_scripts/bash/docker-start-turn.sh b/SignallingWebServer/platform_scripts/bash/docker-start-turn.sh index c0fad21d..11473410 100755 --- a/SignallingWebServer/platform_scripts/bash/docker-start-turn.sh +++ b/SignallingWebServer/platform_scripts/bash/docker-start-turn.sh 
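Review bot: `-c turnserver.conf` in the new `arguments=` line is resolved against the caller's working directory, not the script's, while the file this commit adds lives two levels up in `SignallingWebServer/`; as far as I know coturn only logs a warning when it cannot open the `-c` file and then continues with built-in defaults, so a wrong cwd makes the whole denied-peer-ip policy silently not apply and the relay can again reach RFC1918 and 169.254.169.254 addresses. The script should fail closed: derive the path from the script location and check it before starting, e.g. `turnconf="$(cd "$(dirname "$0")/../.." && pwd)/turnserver.conf"` and `[[ -f "$turnconf" ]] || { echo "turnserver.conf not found at $turnconf" >&2; exit 1; }`, then use `-c "$turnconf"` in the argument string. Note also that `--allowed-peer-ip=$localip` punches a hole through the deny list for that one address (allow rules take precedence over deny rules in coturn, to my knowledge), so it must stay a single host and never be widened to a range. How the script sets its working directory, and how `$localip` is derived, is outside the hunk.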
@@ -20,7 +20,7 @@ turnusername="PixelStreamingUser" turnpassword="AnotherTURNintheroad" realm="PixelStreaming" process="turnserver" -arguments="-p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -n -u ${turnusername}:${turnpassword}" +arguments="-c /turnconfig/turnserver.conf --allowed-peer-ip=$localip -p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -u ${turnusername}:${turnpassword}" # Add arguments passed to script to arguments for executable arguments+=" ${cirruscmd}" @@ -31,12 +31,16 @@ echo "Running: ${process} ${arguments}" # Get the docker image docker pull coturn/coturn +# Copy the turn setup config to a path we can use as a volume +mkdir -p turnconfig +cp ../../turnserver.conf turnconfig/ + # Start the TURN server #docker run --name coturn_latest --network host -it --entrypoint /bin/bash coturn/coturn #docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "sudo mkdir -p /var/run" coturn/coturn "" #docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "/bin/ls" coturn/coturn "/var/" -docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "${process}" coturn/coturn "${arguments}" +docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr -v $PWD/turnconfig:/turnconfig --entrypoint "${process}" coturn/coturn "${arguments}" #docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "/bin/bash" coturn/coturn "ls -latr /var/run/" #docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "sudo chown ubuntu:ubuntu /var/run/turnserver.pid | sudo chmod +x /var/run/turnserver.pid | ${process}" coturn/coturn "${arguments}" 
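Review bot: On the new `docker run` line `-v $PWD/turnconfig:/turnconfig` is unquoted and mounts the host directory read-write into the container, and the preceding `cp ../../turnserver.conf turnconfig/` resolves against the working directory, so when the script is launched from elsewhere the copy fails, nothing stops the script (the hunk shows no `set -e`), and coturn is started against an empty or stale directory — and to my knowledge coturn only warns and continues with defaults when the `-c` file is missing. Quote it, mount it read-only and abort if the copy did not happen: `cp "$(dirname "$0")/../../turnserver.conf" turnconfig/ || exit 1` and `-v "$PWD/turnconfig:/turnconfig:ro"`. Because the container runs with `--network host`, the deny list in that file is the only thing keeping relayed traffic off the host's internal interfaces, which is what makes the fail-closed check worth having. The first hunk's `$localip` derivation and any `set -e` at the top of the script are outside view.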
diff --git a/SignallingWebServer/platform_scripts/cmd/Start_TURNServer.ps1 b/SignallingWebServer/platform_scripts/cmd/Start_TURNServer.ps1 index 97d1ab61..aa2dfa55 100644 --- a/SignallingWebServer/platform_scripts/cmd/Start_TURNServer.ps1 +++ b/SignallingWebServer/platform_scripts/cmd/Start_TURNServer.ps1 @@ -8,7 +8,7 @@ print_parameters #$LocalIp = Invoke-WebRequest -Uri "http://169.254.169.254/latest/meta-data/local-ipv4" $LocalIP = (Test-Connection -ComputerName (hostname) -Count 1 | Select IPV4Address).IPV4Address.IPAddressToString -Write-Output "Private IP: $LocalIp" +Write-Output "Private IP: $LocalIP" $TurnPort="19303" $Pos = $global:TurnServer.LastIndexOf(":") @@ -24,7 +24,7 @@ $TurnUsername = "PixelStreamingUser" $TurnPassword = "AnotherTURNintheroad" $Realm = "PixelStreaming" $ProcessExe = ".\turnserver.exe" -$Arguments = "-p $TurnPort -r $Realm -X $PublicIP -E $LocalIP -L $LocalIP --no-cli --no-tls --no-dtls --pidfile `"C:\coturn.pid`" -f -a -v -n -u $TurnUsername`:$TurnPassword" +$Arguments = "-c ..\..\..\turnserver.conf --allowed-peer-ip=$LocalIP -p $TurnPort -r $Realm -X $PublicIP -E $LocalIP -L $LocalIP --no-cli --no-tls --no-dtls --pidfile `"C:\coturn.pid`" -f -a -v -u $TurnUsername`:$TurnPassword" # Add arguments passed to script to Arguments for executable $Arguments += $args diff --git a/SignallingWebServer/turnserver.conf b/SignallingWebServer/turnserver.conf new file mode 100644 index 00000000..a8b7befe --- /dev/null +++ b/SignallingWebServer/turnserver.conf 
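Review bot: `-c ..\..\..\turnserver.conf` in the new `$Arguments` line is relative to the process working directory rather than to the script, so launching the script from another directory hands coturn a path that does not exist; as far as I know coturn only warns in that case and keeps running with default settings, which means the deny list this commit introduces silently never applies. Resolve the file against `$PSScriptRoot` and let a missing file abort the start, e.g. `$TurnConfig = Resolve-Path (Join-Path $PSScriptRoot "..\..\turnserver.conf")` (Resolve-Path throws when the path does not exist) and then pass it as `-c` with the same backtick-quoting the line already uses for `--pidfile`, since the path may contain spaces. The three `..` segments suggest the script is currently run from a subdirectory below `cmd\`; from `$PSScriptRoot` it looks like two, so confirm the depth. The `Write-Output` fix in the first hunk is fine.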
@@ -0,0 +1,15 @@
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
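Review bot: The new file carries no comment explaining what the list is for, why 224.0.0.0/4 is absent (it is covered by `no-multicast-peers`) or how it interacts with the `--allowed-peer-ip` the start scripts add, and it contains no IPv6 entries at all. The scripts bind only the IPv4 `$localip` with `-E`/`-L`, so IPv6 peers are probably unreachable today, but this file is the entire relay-egress policy and will be reused as-is the day an IPv6 relay address is configured; coturn's own sample config denies loopback, IPv4-mapped, NAT64, ULA, link-local and 6to4 ranges for that reason. I would add a header comment and the IPv6 block below and leave the IPv4 entries unchanged.
```conf
# Relay egress policy for coturn: deny peer addresses in loopback, RFC1918,
# CGNAT, link-local (incl. the 169.254.169.254 cloud metadata endpoint) and
# other reserved IPv4 ranges. Multicast (224.0.0.0/4) is blocked by
# no-multicast-peers. The start scripts add --allowed-peer-ip=<local ip> on the
# command line so a colocated signalling server stays reachable; allow rules
# are documented as taking precedence over deny rules, so keep that to one host.
no-multicast-peers
# … unchanged: IPv4 denied-peer-ip entries …
# IPv6: loopback, IPv4-mapped, NAT64, discard-only, IETF/Teredo, 6to4, ULA, link-local
denied-peer-ip=::1
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```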