<html>
<head>
<meta content="text/html; charset=windows-1257"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/04/13 10:08, David Farrell wrote:<br>
</div>
<blockquote
cite="mid:CAChaoduaf8qFFTbAhL=-gH0VrmJ9zRDrA57YE+F4W13u0M7C-Q@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 3 April 2013 02:19, Philipp
                Schafft <span dir="ltr">&lt;<a moz-do-not-send="true"
                    href="mailto:lion@lion.leolix.org" target="_blank">lion@lion.leolix.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">reflum,<br>
<br>
On Thu, 2013-03-28 at 14:28 +0000, David Farrell wrote:<br>
> Hi list,<br>
><br>
> We're new to Icecast and we're looking at securing
the admin functions.<br>
> I've trawled the docs but it's not clear to me if we
are able to run<br>
> this on a different TCP port to the streams
themselves.<br>
><br>
> Has anyone with a little more experience any insight
into this?<br>
<br>
</blockquote>
<div style="">Hi Philipp,</div>
<div style=""><br>
</div>
<div style="">Thanks for your reply.</div>
<div style=""> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
              You cannot run the admin interface on a different port.<br>
I also don't see how that should improve security.<br>
<br>
</blockquote>
<div style="">We would not expose the administrative port to
the world, rather to a range of trusted IP addresses.</div>
</div>
</div>
</div>
</blockquote>
<br>
Feel free to file a ticket at <a class="moz-txt-link-freetext" href="http://trac.xiph.org">http://trac.xiph.org</a><br>
It might not be too complicated to add a check that admin requests
can only come through a certain port. Bonus points for sending
patches.<br>
<br>
<blockquote
cite="mid:CAChaoduaf8qFFTbAhL=-gH0VrmJ9zRDrA57YE+F4W13u0M7C-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
              Which kind of attack do you try to protect against? Maybe I
can help you<br>
if you tell a bit more about your overall goal.<br>
<br>
</blockquote>
<div>The goal is just really to
restrict administrative access to the systems. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
    If you really know what you're doing, a lightweight reverse proxy is
currently the only option to filter that. <br>
I can see that restricting requests to either an IP white-list or a
port would be desirable for production environments.<br>
<br>
<blockquote
cite="mid:CAChaoduaf8qFFTbAhL=-gH0VrmJ9zRDrA57YE+F4W13u0M7C-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
In general: Use strong passwords. Avoid sending them in
plain text.<br>
</blockquote>
<div style=""><br>
</div>
<div style="">That is a given, I have yet to investigate
what external AAA resources we can use in this case e.g.
RADIUS, LDAP.</div>
</div>
</div>
</div>
</blockquote>
<br>
    Right now for admin access Icecast only supports HTTP basic auth
with optional SSL transport security. For listener and source
connections we support forwarding the plain text authentication
credentials to a back-end for validation.<br>
Tickets and patches welcome.<br>
<br>
Cheers<br>
<br>
Thomas<br>
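    <br>
    Added example (not part of the original message and not Icecast code): the allow/deny decision a filtering reverse proxy in front of Icecast would make for admin requests, with the request path canonicalised before it is matched. The function names and the trusted ranges (documentation networks) are assumptions chosen for illustration.<br>
<pre>
```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed values (assumption): documentation ranges standing in for
# the operator's trusted administrative networks.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "2001:db8:10::/48")]
ADMIN_PREFIX = "/admin"  # Icecast serves its admin interface under /admin/


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path before matching."""
    # Drop query and fragment by hand; URL parsers treat a leading "//"
    # as a host name and would hide the first path segment.
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode a few rounds so double-encoded input is seen as well.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse "//", "." and ".." segments.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Lower-casing only makes the filter stricter than the backend.
    return path.lower()


def is_admin_path(target: str) -> bool:
    path = normalize_path(target)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def allow_request(client_ip: str, target: str) -> bool:
    """True if the proxy should forward the request to Icecast.

    client_ip must be the TCP peer address seen by the proxy, never a
    value taken from a client-supplied header.
    """
    if not is_admin_path(target):
        return True  # streams and public pages stay reachable
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in TRUSTED_NETS)
```
</pre>
    Source clients that update metadata through /admin/metadata fall under the same rule, so their addresses need to be inside the trusted ranges.<br>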
</body>
</html>