Configure SubSeven Server Service

If no configuration specified or if default configuration is used, server will only listen for incomming connection from local host.

However, you won’t be able to establish a complete session since by default configuration uses public key authentication without any defined authorized keys. Your connection will be rejected.

The following page will describe how to configure your own SubSeven server and understand available options.

The configuration file uses JSON format to describe different supported properties and might evolve between SubSeven Server versions.

Notice that each time you update the configuration file, you will need to restart the SubSeven Server Service to apply the new configuration.

The configuration file is located in the SubSeven Server installation path (in C:\Program Files\SubSeven Server\config.json.

When SubSeven Server is installed for the first time, this file is not present. You will need to create the file manually or use the SubSeven Service Controller to generate and edit this file which is the recommended method.

SubSeven Service Controller Editor

SubSeven Service Controller Editor

Default configuration template

{
    "servers": [
        {
            "bind_address": "127.0.0.1",
            "bind_port": 2801,
            "concurrency": true,
            "certificate": "",
            "authentication": {
                "method": "pubkey"
            }
        }
    ]
}

Available Options

bind_address

String(Default: 127.0.0.1) - IP address / Hostname

Define in which interface to listen for new incomming connections. This interface is defined by its corresponding IP address.

By default, server listen on localhost so only local clients can connects to the server.

If you want to accept connection from any location use 0.0.0.0 instead which means listen for new connection from any interfaces.

bind_port

Word(Default: 2801) - 0 – 65535

Define in which TCP port server will listen for new incomming connections.

By default, it uses 2801, it is recommended to use a random port to bypass certain port scan mode for service discovery.

A port above 49152 and bellow 65535 is a perfect choice.

concurrency

Boolean(Default: True)

Concurrency is a feature that allow multiple viewers to open control session at the same time.

By default, it is set to True, if set to False only one viewer at a time can open a control session with server.

If you expect to be the only user to use the server, you can safely set this option to False.

This option doesn’t impact security of the server.

certificate

String(Default: sub7server.pem) - (File Path, PEM File Format)

Define the location of an SSL/TLS Certificate for network traffic encryption.

If not specified or if empty, by default it searchs for a file called sub7server.pem in server installation directory (Program Files).

sub7server.pem only exists if you:

  • Check the option “Generate new SSL/TLS Certificate” during Server Setup (Additional Tasks Pane).
  • Right click on SubSeven Service Controller icon on system tray and choose Local Server Certificate then Generate new certificate
  • Right click on SubSeven Service Controller icon on system tray and choose Local Server Certificate then Import existing certificate (PEM)
  • Manually generate and copy a valid certificate to server installation directory called sub7server.pem

Notice that no generic certificate are used, you use one of the above option to use default certificate location.

If you want, you can specify another location defined by the certificate configuration attribute.

If you generate a certificate by yourself, the public and private key must be present in the same file in PEM format.

Use strongest option possible to generate your certificate.

authentication

method

Define authentication method for viewers to connect to the server. By default pubkey method is used and no authorized_keys are defined for security measure.

Using default properties will turn the server to be unsuable until you edit authentication properties accordingly.

Available methods
password

Define password authentication as authentication mechanism. This is considered as the weakest authentication method if you don’t plan to use a very strong password using the secure password guidelines:

  • At least 10 characters.
  • Use both uppercase and lowercase characters.
  • Include numbers.
  • Include at least one special character.
  • Be sure it is not present in any public wordlist or used in any known leaks.

Using a password generator is recommended, this option might be available in a future version of SubSeven.

The password must be defined as a SHA512 hex strings with a salt (see bellow schema).

You can whether use the embedded Password Hash Generator available in Configuration Editor or use bellow schema for generating your own hash.

sha512(sha512(cleartext_password) + 'sub7legacy_salt')

Salt is used to turn rainbow tables and hash tables unusable with SubSeven Legacy. The salt might become dynamic in future version of SubSeven.

When you are ready, you can place your password hash in a new JSON key value called password.

Example:

…
"authentication": {
	"method": "password",
	"password": "b903e233900a2…381d3bd9b19"
}
…
pubkey

This is the default option used for authentication and is considered as very strong.

Instead of using a password that is often considered as weak because chosen by the end-user, this option will use an SSL/TLS fingerprint to authentify viewer to the server.

You can find the fingerprint of your certificate using the SubSeven Viewer itself on “Client Certificat” window and “Copy Fingerprint” or use OpenSSL command line tool:

openssl x509 -in sub7viewer.pem -noout -fingerprint -sha512

Server configuration only support SHA512 fingerprint.

This will output something like:

SHA512 Fingerprint=AA:BB:CC:DD:EE:FF:01:02:03:00:05:06:07:08:09:10:11:12:13:14:15:00:17:18:19:20:21:22:23:24:25:26

The SHA512 Fingerprint= prefix must be removed.

When you have your bunch of authorized keys ready, you can place them in an array of object called authorized_keys.

Each object must specify at least the key / value fingerprint. You can optionally specify additional information about the fingerprint using prefixed keys with _.

Example:

…
"authentication": {
	"method": "pubkey",
	"authorized_keys": [{
			"_description": "Viewer #1 Fingerprint",
			"fingerprint": "AA:BB:CC:...:22:23:24:25:26"
		},
		{
			"_description": "Viewer #2 Fingerprint",
			"fingerprint": "BB:DD:FF:...:22:23:24:25:26"
		}
	]
}
…

Additional information fields are not yet supported but might be in a near future, until that day they will just be ignored by config parser.

If no authorized_keys node is present, server will still wait for incomming connection, but session creation will be refused.

pubkey-password

This method is the strongest authentication method. It uses both public key authentication and password authentication.

If one of both method is compromised, your server will still be in a safe state.

To define this method, you must use the value pubkey-password value for the key method and use a combination of both password and pubkey config requirement.

Example:

…
"authentication": {
		"method": "pubkey-password",
		"password": "b903e233900a2…381d3bd9b19",
		"authorized_keys": [{
				"_description": "Viewer #1 Fingerprint",
				"fingerprint": "AA:BB:CC:...:22:23:24:25:26"
			},
			{
				"_description": "Viewer #2 Fingerprint",
				"fingerprint": "BB:DD:FF:...:22:23:24:25:26"
			}
		]
	}
…

Conclusion

This configuration schema will evolve progressively with new SubSeven version. Feel free to reach me if you have any questions or if you need additional precisions.