From db76 at riseup.net Tue Jan 18 02:52:15 2022
From: db76 at riseup.net (Damian)
Date: Tue, 18 Jan 2022 12:52:15 +1000
Subject: [Icecast] Securing the Icecast admin page
Message-ID: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>

Hi to all Icecast community members,

I'd like to know if anyone has successfully configured fail2ban or something similar in order to provide additional security to the login section of the Icecast2 admin area, and whether it is worthwhile to actually do so?

If fail2ban is not the way to go, are there any recommended tools or actions that I should take. I would like to prevent repeated failed login attempts at the admin login page. I have noticed that the Icecast2 access.log does not seem to log failed attempts anyway, so I am not sure how useful fail2ban would be in this regard.

Damian

From jordan at coolmic.net Tue Jan 18 04:35:25 2022
From: jordan at coolmic.net (Jordan Erickson)
Date: Mon, 17 Jan 2022 20:35:25 -0800
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>
Message-ID:

Hi Damian,

I would think f2b would be a good candidate to take care of something like that.

Cheers,
Jordan Erickson

On 1/17/22 18:52, Damian wrote:
> Hi to all Icecast community members,
>
> I'd like to know if anyone has successfully configured fail2ban or something similar in order to provide additional security to the login section of the Icecast2 admin area, and whether it is worthwhile to actually do so?
>
> If fail2ban is not the way to go, are there any recommended tools or actions that I should take. I would like to prevent repeated failed login attempts at the admin login page. I have noticed that the Icecast2 access.log does not seem to log failed attempts anyway, so I am not sure how useful fail2ban would be in this regard.
>
> Damian
>
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast

--
Jordan Erickson
Project Manager, Cool Mic
https://coolmic.net/

From db76 at riseup.net Tue Jan 18 05:12:55 2022
From: db76 at riseup.net (Damian)
Date: Tue, 18 Jan 2022 15:12:55 +1000
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To:
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>
Message-ID: <9DE4CBA3-3C53-4347-A783-3CB2CB1A3033@riseup.net>

Yeah, that's what I thought, except f2b reads from the logs you specify, and so when I tested logging in with incorrect Icecast user credentials on my server, I could not see any lines in the Icecast access.log file to indicate that a failed login attempt was recorded. It leads me to think that f2b would not work in this instance.

> On 18 Jan 2022, at 2:35 pm, Jordan Erickson wrote:
>
> Hi Damian,
>
> I would think f2b would be a good candidate to take care of something like that.
>
>
> Cheers,
> Jordan Erickson
>
> On 1/17/22 18:52, Damian wrote:
>> Hi to all Icecast community members,
>>
>> I'd like to know if anyone has successfully configured fail2ban or something similar in order to provide additional security to the login section of the Icecast2 admin area, and whether it is worthwhile to actually do so?
>>
>> If fail2ban is not the way to go, are there any recommended tools or actions that I should take. I would like to prevent repeated failed login attempts at the admin login page. I have noticed that the Icecast2 access.log does not seem to log failed attempts anyway, so I am not sure how useful fail2ban would be in this regard.
>>
>> Damian
>>
>
> --
> Jordan Erickson
> Project Manager, Cool Mic
> https://coolmic.net/
>

From un at aporee.org Tue Jan 18 09:47:35 2022
From: un at aporee.org (unosonic)
Date: Tue, 18 Jan 2022 10:47:35 +0100
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To: <9DE4CBA3-3C53-4347-A783-3CB2CB1A3033@riseup.net>
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net> <9DE4CBA3-3C53-4347-A783-3CB2CB1A3033@riseup.net>
Message-ID: <20220118094735.hwqzgljgiqra3b3o@mail.aporee.net>

just a guess and untested, maybe you could create / add to a specific logfile utilizing
icecast auth mechanism, esp. listener_add
https://icecast.org/docs/icecast-2.4.0/auth.html

in general it would be nice to have a more elaborated access control in icecast, like in apache or nginx webservers...

u.

Damian:
> Yeah, that's what I thought, except f2b reads from the logs you specify, and so when I tested logging in with incorrect Icecast user credentials on my server, I could not see any lines in the Icecast access.log file to indicate that a failed login attempt was recorded. It leads me to think that f2b would not work in this instance.
>
> > On 18 Jan 2022, at 2:35 pm, Jordan Erickson wrote:
> >
> > Hi Damian,
> >
> > I would think f2b would be a good candidate to take care of something like that.
> >
> >
> > Cheers,
> > Jordan Erickson
> >
> > On 1/17/22 18:52, Damian wrote:
> >> Hi to all Icecast community members,
> >>
> >> I'd like to know if anyone has successfully configured fail2ban or something similar in order to provide additional security to the login section of the Icecast2 admin area, and whether it is worthwhile to actually do so?
> >>
> >> If fail2ban is not the way to go, are there any recommended tools or actions that I should take. I would like to prevent repeated failed login attempts at the admin login page.
> >> I have noticed that the Icecast2 access.log does not seem to log failed attempts anyway, so I am not sure how useful fail2ban would be in this regard.
> >>
> >> Damian
> >>
> >
> > --
> > Jordan Erickson
> > Project Manager, Cool Mic
> > https://coolmic.net/
> >

From phschafft at de.loewenfelsen.net Tue Jan 18 13:08:31 2022
From: phschafft at de.loewenfelsen.net (Philipp Schafft)
Date: Tue, 18 Jan 2022 13:08:31 +0000
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net>
Message-ID: <7f39c57149791b7c01a428b004f59eedb8bc36d8.camel@de.loewenfelsen.net>

Good afternoon,

On Tue, 2022-01-18 at 12:52 +1000, Damian wrote:
> Hi to all Icecast community members,
>
> I'd like to know if anyone has successfully configured fail2ban or
> something similar in order to provide additional security to the
> login section of the Icecast2 admin area, and whether it is
> worthwhile to actually do so?

Generally a strong password is all you need. (I recommend to have a look at: https://xkcd.com/936/ )

Adding fail2ban surely should not be a problem. However it does seem to be unnecessary. (General usecase. there may be cases this can be helpful.)

> If fail2ban is not the way to go, are there any recommended tools or
> actions that I should take. I would like to prevent repeated failed
> login attempts at the admin login page. I have noticed that the
> Icecast2 access.log does not seem to log failed attempts anyway, so I
> am not sure how useful fail2ban would be in this regard.

I'm a bit confused. Icecast does log failed attempts in access log.
They are marked with a status code > 399 (as per HTTP specification), most notably 401.

I also just confirmed with both 2.4:
127.0.0.1 - - [18/Jan/2022:13:01:50 +0000] "GET /admin/ HTTP/1.1" 401 360 "-" "Mozilla/5.0 [...]" 0

and 2.5:
127.0.0.1 - - [18/Jan/2022:13:01:26 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0 [...]" 1

I would be happy if you could check your logs again. Maybe the problem is somewhere else?

With best regards,

--
Philipp Schafft (CEO/Geschäftsführer)
Telephon: +49.3535 490 17 92

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015

From phschafft at de.loewenfelsen.net Tue Jan 18 13:12:17 2022
From: phschafft at de.loewenfelsen.net (Philipp Schafft)
Date: Tue, 18 Jan 2022 13:12:17 +0000
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To: <20220118094735.hwqzgljgiqra3b3o@mail.aporee.net>
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net> <9DE4CBA3-3C53-4347-A783-3CB2CB1A3033@riseup.net> <20220118094735.hwqzgljgiqra3b3o@mail.aporee.net>
Message-ID: <47b4b825ce5c0a9e544a4f91eab99e526af5070c.camel@de.loewenfelsen.net>

Good afternoon,

On Tue, 2022-01-18 at 10:47 +0100, unosonic wrote:
> just a guess and untested, maybe you could create / add to a specific
> logfile utilizing
> icecast auth mechanism, esp. listener_add
> https://icecast.org/docs/icecast-2.4.0/auth.html
>
> in general it would be nice to have a more elaborated access control
> in icecast, like in apache or nginx webservers...

(please keep my reply to the original question in mind.)

Icecast 2.5 improved the auth system a lot over 2.4 (which actually was the main reason we started with 2.5).
If you feel there is something missing I would be very happy to hear about this via our ticket system:
https://gitlab.xiph.org/xiph/icecast-server/-/issues

Really looking forward to any suggestions.

With best regards,

> Damian:
> > Yeah, that's what I thought, except f2b reads from the logs you
> > specify, and so when I tested logging in with incorrect Icecast
> > user credentials on my server, I could not see any lines in the
> > Icecast access.log file to indicate that a failed login attempt was
> > recorded. It leads me to think that f2b would not work in this
> > instance.

--
Philipp Schafft (CEO/Geschäftsführer)
Telephon: +49.3535 490 17 92

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015

From db76 at riseup.net Wed Jan 19 12:02:23 2022
From: db76 at riseup.net (Damian)
Date: Wed, 19 Jan 2022 22:02:23 +1000
Subject: [Icecast] Securing the Icecast admin page
In-Reply-To: <7f39c57149791b7c01a428b004f59eedb8bc36d8.camel@de.loewenfelsen.net>
References: <6B645B3B-EA8F-4E6B-891E-CA0C61EF7B7B@riseup.net> <7f39c57149791b7c01a428b004f59eedb8bc36d8.camel@de.loewenfelsen.net>
Message-ID:

Hi Philipp,

Your response helps a lot. I appreciate the information you have provided.

Regards
Damian

> On 18 Jan 2022, at 11:08 pm, Philipp Schafft wrote:
>
> Good afternoon,
>
> On Tue, 2022-01-18 at 12:52 +1000, Damian wrote:
>> Hi to all Icecast community members,
>>
>> I'd like to know if anyone has successfully configured fail2ban or
>> something similar in order to provide additional security to the
>> login section of the Icecast2 admin area, and whether it is
>> worthwhile to actually do so?
>
> Generally a strong password is all you need.
> (I recommend to have a
> look at: https://xkcd.com/936/ )
>
> Adding fail2ban surely should not be a problem. However it does seem to
> be unnecessary. (General usecase. there may be cases this can be
> helpful.)
>
>
>> If fail2ban is not the way to go, are there any recommended tools or
>> actions that I should take. I would like to prevent repeated failed
>> login attempts at the admin login page. I have noticed that the
>> Icecast2 access.log does not seem to log failed attempts anyway, so I
>> am not sure how useful fail2ban would be in this regard.
>
> I'm a bit confused. Icecast does log failed attempts in access log.
> They are marked with a status code > 399 (as per HTTP specification),
> most notably 401.
>
> I also just confirmed with both 2.4:
> 127.0.0.1 - - [18/Jan/2022:13:01:50 +0000] "GET /admin/ HTTP/1.1" 401 360 "-" "Mozilla/5.0 [...]" 0
>
>
> and 2.5:
> 127.0.0.1 - - [18/Jan/2022:13:01:26 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0 [...]" 1
>
>
> I would be happy if you could check your logs again. Maybe the problem
> is somewhere else?
>
>
> With best regards,
>
> --
> Philipp Schafft (CEO/Geschäftsführer)
> Telephon: +49.3535 490 17 92
>
> Löwenfelsen UG (haftungsbeschränkt)     Registration number:
> Bickinger Straße 21                     HRB 12308 CB
> 04916 Herzberg (Elster)                 VATIN/USt-ID:
> Germany                                 DE305133015
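
Added example, not part of the thread and not Icecast or fail2ban project code: a Python sketch of the per-host counting a fail2ban-style tool would do over the access.log format Philipp Schafft quotes (401 responses on /admin/). The sample lines, the addresses, the function names and the maxretry/findtime values are constructed or assumed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# host ident user [time] "METHOD path proto" status ... (format of the lines quoted in the thread)
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2022:13:01:26 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "curl/7.74" 1
198.51.100.20 - - [18/Jan/2022:13:01:40 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0" 0
198.51.100.20 - - [18/Jan/2022:13:01:52 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0
203.0.113.7 - - [18/Jan/2022:13:02:03 +0000] "GET /admin/stats HTTP/1.1" 401 1987 "-" "curl/7.74" 0
203.0.113.7 - - [18/Jan/2022:13:02:41 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "curl/7.74" 0
192.0.2.55 - - [18/Jan/2022:13:05:00 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0" 0
192.0.2.55 - - [18/Jan/2022:13:20:00 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0" 0
192.0.2.55 - - [18/Jan/2022:13:35:00 +0000] "GET /admin/ HTTP/1.1" 401 1987 "-" "Mozilla/5.0" 0
"""

def failed_admin_logins(lines):
    """Yield (host, time) for every 401 answered on /admin or a path below it."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue
        path = m["path"].split("?", 1)[0]
        if path == "/admin" or path.startswith("/admin/"):
            yield m["host"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside one findtime window."""
    recent = defaultdict(deque)   # host -> failure times still inside the window
    flagged = []
    for host, ts in failed_admin_logins(lines):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        # A browser's first, credential-less request also gets a 401, so
        # maxretry=1 would flag ordinary logins (198.51.100.20 above).
        if len(window) >= maxretry and host not in flagged:
            flagged.append(host)
    return flagged
```

In a fail2ban filter the same pattern would use fail2ban's <HOST> tag in place of the host group, with maxretry and findtime set in the jail.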