Security considerations when keeping ports open for a TURNserver


ioki

Jun 23, 2017, 8:41:42 AM6/23/17
to TURN Server (Open-Source project)
Hello,

I am using Coturn TURN/STUN server on Ubuntu. I understand that the method requires having a large number of ports (range of 20000?) open to relay the media.
To strengthen the server security, in my firewall, I have closed all the ports except four, and configured Turnserver to use these specific ports only. This method works, but does not allow multiple calls to be made.

How could I best keep my server secure and at the same time allow a lot of media to be transferred?


Warren McDonald

Jun 24, 2017, 2:46:49 AM6/24/17
to TURN Server (Open-Source project)
Hi,

Well, the first thing is that a large number of open ports is not a security risk, if the processes running on the server are understood.

A compromise which is working well for people with TURN on shared-function servers is to configure a block of several thousand clearly assigned ports, say 50000-54000, in the turnserver.conf. Then ensure no other processes on the server have a configuration that would use those ports. Then open that range in your firewall config, as well as the client ports 3478, 5349, 443 etc.

With the TURN server, the UDP relay ports will only be connected to when an allocation is granted and a candidate is provided back to the client browser, which then provides this server:port address to the browser it is negotiating with. When there is no allocation using that port, it will be effectively dead to any external attack.

If you are really worried about security of the server and network resources, ensure that all clients use TLS or DTLS connections, which protect the TURN credentials. There is much more risk in interception of plain text credentials, than there is a wide port range which is mostly on standby.

In fact, from a denial of service point of view, you will be better off configuring as large a range as you can, so that if someone successfully scrapes credentials and bombards the server with unused allocation requests, the limiting factor will be the available ports.
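The procedure in the reply above (pick a dedicated relay range, make sure nothing else on the host listens inside it, then open that range plus the client ports in the firewall), written out as an added shell example. This is not code from the thread or from the coturn project. The 50000-54000 range and the client ports 3478, 5349 and 443 are taken from the reply; the socket listing it checks is a constructed stand-in for `ss -Hlntu` output, the certificate paths and realm are placeholders, and the use of coturn's `no-udp`/`no-tcp` options to drop the plaintext client listeners (leaving TLS and DTLS) is my reading of those options, not something the reply states.

```shell
#!/bin/sh
# Added example, not code from the thread or from the coturn project.
# Steps: choose a relay range, check the host's listeners for overlap,
# then print the matching turnserver.conf lines and ufw rules.

RELAY_MIN=50000
RELAY_MAX=54000

# Constructed stand-in for `ss -Hlntu` output (not a real host). The udp
# line on 52000 is a deliberate conflict inside the relay range; the other
# lines are coturn's own client listeners and sshd.
SAMPLE_SS='udp   UNCONN 0 0    0.0.0.0:3478   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:52000  0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:5349   0.0.0.0:*'

# listen_ports: print the local port of every ss-style line read from stdin.
# The local address is field 5; the port is whatever follows the last colon,
# which also copes with IPv6 forms such as [::]:3478.
listen_ports() {
    awk '{ n = split($5, a, ":"); print a[n] }'
}

# relay_conflicts: filter ss-style lines on stdin down to the listening
# ports that fall inside RELAY_MIN..RELAY_MAX. No output means the range
# is free for coturn to use.
relay_conflicts() {
    listen_ports | awk -v lo="$RELAY_MIN" -v hi="$RELAY_MAX" \
        '($1+0) >= (lo+0) && ($1+0) <= (hi+0)'
}

# turnserver_conf: coturn settings that pin relay allocations to the chosen
# range and keep only the TLS/DTLS client listeners (no-udp / no-tcp remove
# the plaintext ones; assumption, see the lead-in). Paths and realm are
# placeholders.
turnserver_conf() {
    cat <<EOF
listening-port=3478
tls-listening-port=5349
min-port=$RELAY_MIN
max-port=$RELAY_MAX
no-udp
no-tcp
cert=/etc/coturn/turn.crt
pkey=/etc/coturn/turn.key
realm=example.org
lt-cred-mech
EOF
}

# ufw_rules: the firewall openings the reply describes, the UDP relay range
# plus the client-facing ports. Printed for review, not executed.
ufw_rules() {
    cat <<EOF
ufw allow $RELAY_MIN:$RELAY_MAX/udp
ufw allow 3478
ufw allow 5349
ufw allow 443/tcp
EOF
}

# Walk through the check with the constructed listing. On a real host,
# replace the printf with:  ss -Hlntu | relay_conflicts
conflicts=$(printf '%s\n' "$SAMPLE_SS" | relay_conflicts)
if [ -n "$conflicts" ]; then
    echo "relay range $RELAY_MIN-$RELAY_MAX already in use on port(s): $conflicts"
else
    echo "relay range $RELAY_MIN-$RELAY_MAX is free"
fi
echo "--- turnserver.conf ---"
turnserver_conf
echo "--- firewall ---"
ufw_rules
```

Run it once with the sample listing to see the conflict report, then swap in the live `ss -Hlntu` pipeline; only apply the printed ufw lines once `relay_conflicts` prints nothing, since a foreign process inside the range would otherwise become reachable as soon as the range is opened.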