If you don’t want to be too transparent about the bans on your server, you can explicitly disable the privilege client_ban_list
for server groups like the default guest server groups.
This prevents people from retrieving the ban list and figuring out which of these bans they can avoid before they start their trolling.
However, the server will still inform banned clients of the reason why they can’t connect by responding with a message like this one:
You are banned permanently. Reason: “AUP violation: acceptable nicknames”
This doesn’t actually require a “spy” on your server. It’s part of the TeamSpeak protocol and basically a “netiquette” feature because banning people without giving a reason can be considered “rude”, especially in cases where the person affected by the ban is not aware that they are doing something wrong.
As @TS.ChrisR said, you can stop the TeamSpeak server from handling incoming connection requests and giving away the fact that someone is banned by blocking the offending IP addresses in a firewall which sits in front of the TeamSpeak server.
You can also solve your VPN issue in that firewall.
The Internet Assigned Numbers Authority (IANA) provides a Whois Service which tells you which regional organization the VPN IP address belongs to.
For European VPNs, this will be Réseaux IP Européens (RIPE), for American VPNs it’s the American Registry for Internet Numbers (ARIN), etc…
You can use the corresponding organization’s whois service to determine the entire IP address block the offending IP address belongs to, e.g. 77.46.128.0/17
and simply ban the entire range.
This will block out a large portion of the offending VPN network and you can repeat this procedure until you eventually blocked out the entire VPN provider. Likely, the abusive user will give up earlier than that.
In nftables
(which replaces the aging iptables
), a corresponding block rule could look like this:
iifname "eth0" ip saddr 77.46.128.0/17 counter packets 0 bytes 0 drop
However, it is highly recommended to read up on this topic before applying any firewall rules so you won’t end up locking yourself out of your own server.