
Add allowed and denied peer to turnserver.conf

Open symptog opened this issue 5 years ago • 4 comments

Following [1] and [2], the TURN server can be used to access the network behind the TURN server, or the server can be abused to relay attacks on the internet. To work around those problems, the denied-peer-ip and allowed-peer-ip settings should be used.

[1] https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/
[2] https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/

symptog avatar Feb 10 '21 17:02 symptog

If the TURN server is used by multiple BBB servers?

lonesomewalker avatar Feb 10 '21 21:02 lonesomewalker

If the TURN server is used by multiple BBB servers?

https://github.com/bigbluebutton/bigbluebutton.github.io/pull/233/files#diff-1a3e0cf20383b357d6a073f8ccb95126f5b7d7e9d5192c99fb564c0e9dc139c2R112

symptog avatar Feb 10 '21 21:02 symptog

And the blind shall see ;-)

This is a good pull request and makes the internet a lot safer!

lonesomewalker avatar Feb 10 '21 21:02 lonesomewalker

We have been running this setup in production for many months (can't remember since when). I'd recommend everyone protect their TURN servers using this setting.

schrd avatar Feb 20 '21 13:02 schrd
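As an added illustration of the denied-peer-ip / allowed-peer-ip settings discussed in this issue and of the follow-up question about several BBB servers sharing one TURN server (example code, not from the BigBlueButton or coturn projects): the script parses a constructed turnserver.conf fragment and reports whether coturn would relay to a given peer, assuming coturn's documented rule that an allowed-peer-ip match takes precedence over denied-peer-ip. The 10.10.0.0/24 range standing in for the other BBB servers is an assumption.

```python
# Added example (not BigBlueButton's or coturn's code): check whether coturn
# would relay to a peer under a turnserver.conf, assuming its documented rule
# that an allowed-peer-ip match wins, then a denied-peer-ip match rejects.
import ipaddress

# Constructed turnserver.conf fragment: deny loopback, "this network"
# (0.0.0.0/8, which covers the CVE-2020-26262 bypass address 0.0.0.0),
# RFC 1918, link-local and their IPv6 counterparts, then re-allow one
# internal subnet (assumed) where the other BBB servers sit.
HARDENED_CONF = """
listening-port=3478
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=::
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
allowed-peer-ip=10.10.0.0-10.10.0.255
"""

def parse_peer_rules(conf_text):
    """Return (allowed, denied) lists of inclusive (first, last) pairs."""
    allowed, denied = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("allowed-peer-ip", "denied-peer-ip"):
            continue
        # coturn accepts a single address or an inclusive "first-last" range
        first, _, last = value.partition("-")
        rng = (ipaddress.ip_address(first), ipaddress.ip_address(last or first))
        (allowed if key == "allowed-peer-ip" else denied).append(rng)
    return allowed, denied

def in_ranges(addr, ranges):
    # Compare only within one IP version; mixed comparisons raise TypeError.
    return any(first.version == addr.version and first <= addr <= last
               for first, last in ranges)

def peer_relay_allowed(conf_text, peer_ip):
    """True if coturn would relay traffic to peer_ip under this config."""
    addr = ipaddress.ip_address(peer_ip)
    allowed, denied = parse_peer_rules(conf_text)
    return in_ranges(addr, allowed) or not in_ranges(addr, denied)
```

Running the same check against a config with no denied-peer-ip lines shows the weak default: loopback and private peers are relayed.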