[Icecast] Protect Icecast Admin/Run on different port?

Philipp Schafft lion at lion.leolix.org
Wed Apr 3 21:40:48 UTC 2013


reflum,

On Wed, 2013-04-03 at 14:37 +0300, "Rücker, Thomas" wrote:
> On 03/04/13 10:08, David Farrell wrote:
> > On 3 April 2013 02:19, Philipp Schafft <lion at lion.leolix.org> wrote:
> >         On Thu, 2013-03-28 at 14:28 +0000, David Farrell wrote:
> >         
> > Hi Philipp,
> > 
> > 
> > Thanks for your reply.

np. :)

> >         You cannot run the admin interface on a different port.
> >         I also don't see how that should improve security.
> >         
> > We would not expose the administrative port to the world, rather to
> > a range of trusted IP addresses.
> 
> Feel free to file a ticket at http://trac.xiph.org
> It might not be too complicated to add a check that admin requests can
> only come through a certain port. Bonus points for sending patches.

We currently support an allow/deny list for IP addresses at the connection
layer. Maybe we could port that to the next layer (admin, web, yp,
source, stats). I guess that would solve your problem. See below.

> >  
> >         Which kind of attack do you try to protect against? Maybe I
> >         can help you
> >         if you tell a bit more about your overall goal.
> >         
> > The goal is just really to restrict administrative access to the
> > systems. 
> > 

See above.

> If you really know what you're doing a lightweight reverse proxy is
> currently the only option to filter that. 
> I can see that restricting requests to either an IP white-list or a
> port would be desirable for production environments.

This requires (as well as all the other possible solutions) complex
rules as there is some stuff within admin/ that needs special handling:
playlist generation, resources accessible to the source(user) and
resources accessed by the source itself (meta data updates for broken
containers/codecs).

PS: I got like a million copies of your E-Mail. They all have distinct
message-ids. Please check your MUA/MTA/... to avoid this. Thanks!

-- 
Philipp.
 (Rah of PH2)
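
An added example, not part of the original message and not Icecast code: a per-layer allow decision of the kind discussed above, showing why a flat "trusted IPs only for admin/" rule needs exceptions. Assumptions: /admin/buildm3u and /admin/metadata stand for the playlist-generation and source metadata-update cases named in the message, the address ranges are constructed documentation prefixes, and the filter normalizes paths itself before matching.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed sample ranges (documentation prefixes), not from the thread.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # admin workstations
SOURCE_NETS = [ipaddress.ip_network("198.51.100.10/32")]    # known source client

# Assumed mapping of the special cases named in the message to admin/ paths.
PLAYLIST_PATHS = {"/admin/buildm3u"}   # playlist generation
SOURCE_PATHS = {"/admin/metadata"}     # metadata updates sent by the source


def normalize(request_target: str) -> str:
    """Drop the query, percent-decode and collapse '..' and '//' before matching."""
    raw = unquote(request_target.split("?", 1)[0])
    return "/" + posixpath.normpath(raw).lstrip("/")


def in_nets(ip, nets) -> bool:
    return any(ip in net for net in nets)


def allow(client_ip: str, request_target: str) -> bool:
    """Return True if this layer-specific rule set lets the request through."""
    ip = ipaddress.ip_address(client_ip)
    path = normalize(request_target)
    if path != "/admin" and not path.startswith("/admin/"):
        return True                      # web, streams: not restricted here
    if path in PLAYLIST_PATHS:
        return True                      # the server's own auth still applies
    if path in SOURCE_PATHS:
        return in_nets(ip, TRUSTED_NETS) or in_nets(ip, SOURCE_NETS)
    return in_nets(ip, TRUSTED_NETS)     # everything else under admin/
```
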