Hello everyone,

I'm in the process of running an Icecast server and I would like to know some best practices.

1. Should I place Icecast on port 8000 or should I change that to one more common (80, 443...)?
2. Should I place the server behind a webserver like nginx or apache?
3. Can I disable the login interface? What can be disabled?

My best guess is to run Icecast behind a webserver, keeping Icecast on port 8000 and refusing everything that is not a request for a legit mount, adding a custom admin URL.

Thanks for your input

Edoardo Putti
Hey.

They are big questions. I'm no expert with exploits of Icecast, so I will give you what I have gained from experience.

On Sun, Jan 17, 2016 at 9:30 AM, Edoardo Putti <edoardo.putti at gmail.com> wrote:

> Hello everyone,
>
> I'm in the process of running an Icecast server and I would like to know
> some best practices.
>
> 1. Should I place Icecast on port 8000 or should I change that to one more
> common (80, 443...)?
> 2. Should I place the server behind a webserver like nginx or apache?
> 3. Can I disable the login interface? What can be disabled?
>
> My best guess is to run Icecast behind a webserver, keeping Icecast on
> port 8000 and refusing everything that is not a request for a legit mount,
> adding a custom admin URL.
>
> Thanks for your input
>
> Edoardo Putti
>
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
Having run IceCast for about 5 years, starting with Windows, then moving to Linux, the following is current:

1. CentOS 7. Apache, IceCast port 8000

The only reason I run 8000 is because 8000 gets fewer hits to break in than 80.

Never ran SSH, so can't answer the question on 443.

Kurt
AMR.fm, LLC
LSDcode.com, LLC

On 1/17/2016 7:30 AM, Edoardo Putti wrote:

> Hello everyone,
>
> I'm in the process of running an Icecast server and I would like to
> know some best practices.
>
> 1. Should I place Icecast on port 8000 or should I change that to one
> more common (80, 443...)?
> 2. Should I place the server behind a webserver like nginx or apache?
> 3. Can I disable the login interface? What can be disabled?
>
> My best guess is to run Icecast behind a webserver, keeping Icecast on
> port 8000 and refusing everything that is not a request for a legit
> mount, adding a custom admin URL.
>
> Thanks for your input
>
> Edoardo Putti
On 17 Jan 2016, at 15:30, Edoardo Putti wrote:

> Hello everyone,
>
> I'm in the process of running an Icecast server and I would like to
> know some best practices.
>
> 1. Should I place Icecast on port 8000 or should I change that to one
> more common (80, 443...)?

That's up to you. It's easier to run it using the default port 8000, as that one won't require starting Icecast as root and setting up the change owner part correctly. Still, if you want to use Icecast on ports 80 and 443, set the <security> section of your configuration correctly. You just need the <changeowner>, not the <chroot>; have a look at the documentation here: http://icecast.org/docs/icecast-2.4.1/config-file.html#security

> 2. Should I place the server behind a webserver like nginx or apache?

No, Icecast does not support being run behind a reverse proxy like nginx or apache, and those webservers are not really made for streaming; Icecast is. So you would most likely run into problems doing so unless you really know how to configure the reverse proxy properly.

> 3. Can I disable the login interface? What can be disabled?

You can disable the public website by removing some of the xsl files in the web folder; you can't disable the admin interface. (Do not remove any files in the admin folder, it will prevent Icecast from working properly.)

> My best guess is to run Icecast behind a webserver, keeping Icecast on
> port 8000 and refusing everything that is not a request for a legit
> mount, adding a custom admin URL.
>
> Thanks for your input
>
> Edoardo Putti
Good evening,

On Sun, 2016-01-17 at 15:30 +0100, Edoardo Putti wrote:

> Hello everyone,
>
> I'm in the process of running an Icecast server and I would like to
> know some best practices.
>
> 1. Should I place Icecast on port 8000 or should I change that to one
> more common (80, 443...)?

There is virtually no reason for changing the port. The only reason some people bring up is that port 8000 may be blocked in some cooperative networks. However, my feeling about this is that if they block stuff you don't need to care, as they're likely not allowed to access your service anyway.

> 2. Should I place the server behind a webserver like nginx or apache?

DON'T. This will cause big harm in most cases. Icecast is made for allowing tens of thousands of simultaneous connections. Apache, for example, is designed for several magnitudes smaller sets of long running connections. You will just break your setup and waste a lot of resources on your systems.

> 3. Can I disable the login interface? What can be disabled?

Just set good passwords and don't use them plain over the internet and you're perfectly fine. There is no need to disable the interface.

> My best guess is to run Icecast behind a webserver, keeping Icecast on
> port 8000 and refusing everything that is not a request for a legit
> mount, adding a custom admin URL.

See my answers above.

In general I very, very much recommend every starter just to change the passwords to some good ones and that's it. The defaults work for virtually every station. A complicated setup is complicated to run and maintain. Likely to break sooner or later. Icecast is made for just working. That means a simple setup is always preferred in Icecast context!

> Thanks for your input
>
> Edoardo Putti

--
Philipp.
 (Rah of PH2)
Oops, I hit the return and it got sent.

All those questions depend on the application you are setting up. If you're worried about security, isolate the Icecast server from your network.

We designed a user interface on the company web site that fronts the stream servers. The customers get a simple URL for the stream. We use several stream servers, some on site and some off; our web server is set up to serve up a playlist or a message when the HTTP client goes to stream.company/mount. When you go to the company site www.company/mount you get information about the stream, and archive.company/mount will bring up archives :) Since we run multiple IPs with multiple servers and multiple connections to the internet, we can spread the load around.

We actually have not done any customization of the Icecast servers; they are set up on the default ports. The only thing we have seen over the years with Icecast is an attempt to DoS the mount point. We would get 1000s/sec of connections with no streaming. I wrote a condition in the security monitor that will block the IP and place it in the blacklist of Icecast. And we have a short spike of connections now, then they get blocked off. And since I keep the blacklist updated, I remove any connections from that IP from the stream use report.

What you can disable or enable on the UI I never got into. Never needed to. Just use strong passwords. Make separate passwords for all sources. And only use the master password for testing or emergency use.

On Sun, Jan 17, 2016 at 9:36 AM, David Saunders <abitar.com at gmail.com> wrote:

> Hey.
>
> They are big questions. I'm no expert with exploits of Icecast, so I
> will give you what I have gained from experience.
>
> On Sun, Jan 17, 2016 at 9:30 AM, Edoardo Putti <edoardo.putti at gmail.com>
> wrote:
>
>> Hello everyone,
>>
>> I'm in the process of running an Icecast server and I would like to know
>> some best practices.
>>
>> 1. Should I place Icecast on port 8000 or should I change that to one
>> more common (80, 443...)?
>> 2. Should I place the server behind a webserver like nginx or apache?
>> 3. Can I disable the login interface? What can be disabled?
>>
>> My best guess is to run Icecast behind a webserver, keeping Icecast on
>> port 8000 and refusing everything that is not a request for a legit mount,
>> adding a custom admin URL.
>>
>> Thanks for your input
>>
>> Edoardo Putti
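
The connection-flood condition described in the last message (thousands of connections per second with no streaming, then blocking the IP) can be sketched as follows. This is an added example, not code from the thread or from the Icecast project; it assumes the access log uses Apache combined format with a trailing connection duration in seconds, that the result is written to the file named by Icecast's `<deny-ip>` setting, and the thresholds and function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the assumed access.log layout: Apache combined format
# plus a trailing connection duration in seconds. Addresses are documentation
# ranges, not real traffic.
_FLOOD = '203.0.113.9 - - [17/Jan/2016:15:30:01 +0100] "GET /live HTTP/1.1" 200 0 "-" "-" 0'
SAMPLE_LOG = "\n".join([_FLOOD] * 5 + [
    '198.51.100.7 - - [17/Jan/2016:15:30:01 +0100] "GET /live HTTP/1.1" 200 4812345 "-" "VLC/2.2.1" 600',
    '198.51.100.8 - - [17/Jan/2016:15:30:02 +0100] "GET /live HTTP/1.1" 200 0 "-" "-" 0',
    "truncated or malformed line",
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<secs>\d+)$'
)

def find_flooders(log_text, max_per_second=3, max_bytes=1024, max_secs=1):
    """Return sorted IPs with more than max_per_second connections logged in
    any single second, counting only connections that did no real streaming
    (almost no bytes sent and closed almost immediately)."""
    per_second = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of guessing at fields
        if int(m["bytes"]) <= max_bytes and int(m["secs"]) <= max_secs:
            per_second[(m["ip"], m["ts"])] += 1
    return sorted({ip for (ip, _), n in per_second.items() if n > max_per_second})

def merge_deny_list(existing, flooders):
    """Merge new offenders into existing deny-list entries (one IP per line
    in the deny file), without duplicates."""
    return sorted(set(existing) | set(flooders))

if __name__ == "__main__":
    # 192.0.2.1 stands in for an entry already present in the deny file.
    print("\n".join(merge_deny_list(["192.0.2.1"], find_flooders(SAMPLE_LOG))))
```

A real listener that connects once and streams for minutes never matches, because the byte and duration filters exclude it before counting.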