Hi all,

Are there any serious security risks for leaving port 8000 open to public use on icecast? I had wanted to limit to 8443 but it seems some radio devices cannot support this protocol.

Thanks,

Patricia Moynihan
Director of Digital
pmoynihan at fsu.edu
850-645-6067
850-645-7200

WFSU Public Media
1600 Red Barber Plaza
Tallahassee, FL 32310
wfsu.org

I have a server running on 8000 and I know of some running multiple stations all through port 80 (which I would think was worse). Never heard of any major problems and my logs usually look okay.

Good practice is to check the logs now and then and block appropriate IPs causing problems if needed. I wouldn't just set and forget a server regardless of what it was. But background scanners and the like are pretty tiny amounts of traffic. If someone uses a port scanner to see what's open on a host it doesn't matter what port it's on.

Cheers,
Gavin.

On 10/05/2019 3:11 PM, Patricia Moynihan wrote:
> Hi all,
>
> Are there any serious security risks for leaving port 8000 open to
> public use on icecast? I had wanted to limit to 8443 but it seems some
> radio devices cannot support this protocol.
>
> Thanks,
>
> Patricia Moynihan
> Director of Digital
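
Added example, not part of the original thread: one way to do the periodic log check described in the message above, counting rejected requests to `/admin/` and rejected source connections per client IP. The log lines are constructed, and the Apache-combined-style layout of the Icecast access log is an assumption to check against your own `access.log`.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges); the field layout is an
# assumption modelled on an Apache-combined-style Icecast access.log.
SAMPLE_LOG = """\
198.51.100.20 - - [10/May/2019:03:10:55 +0000] "GET /stream.mp3 HTTP/1.1" 200 481200 "-" "VLC/3.0.6" 30
203.0.113.7 - - [10/May/2019:03:11:02 +0000] "GET /admin/stats HTTP/1.1" 401 0 "-" "curl/7.58.0" 0
203.0.113.7 - - [10/May/2019:03:11:03 +0000] "GET /admin/stats HTTP/1.1" 401 0 "-" "curl/7.58.0" 0
203.0.113.7 - - [10/May/2019:03:11:04 +0000] "GET /admin/listmounts HTTP/1.1" 401 0 "-" "curl/7.58.0" 0
203.0.113.7 - - [10/May/2019:03:11:05 +0000] "GET /admin/stats HTTP/1.1" 401 0 "-" "curl/7.58.0" 0
192.0.2.15 - - [10/May/2019:03:20:41 +0000] "SOURCE /live HTTP/1.0" 401 0 "-" "encoder/1.0" 0
192.0.2.15 - source [10/May/2019:03:20:59 +0000] "SOURCE /live HTTP/1.0" 200 0 "-" "encoder/1.0" 3600
198.51.100.20 - - [10/May/2019:03:25:00 +0000] "GET /status.xsl HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_auth_by_ip(log_text):
    """Count 401/403 responses on admin paths and source connections per IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        privileged = (m["path"].startswith("/admin/")
                      or m["method"] in ("SOURCE", "PUT"))
        if privileged and m["status"] in ("401", "403"):
            hits[m["ip"]] += 1
    return hits

def ips_to_review(log_text, threshold=3):
    """IPs with at least `threshold` rejected privileged requests."""
    counts = failed_auth_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(ips_to_review(SAMPLE_LOG))
```

The threshold keeps a single mistyped encoder password (192.0.2.15 in the sample) from being flagged alongside repeated admin probes.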

Hi,

On 5/10/19 3:11 AM, Patricia Moynihan wrote:
> Are there any serious security risks for leaving port 8000 open to
> public use on icecast? I had wanted to limit to 8443 but it seems some
> radio devices cannot support this protocol.

The port number doesn't matter. I guess in your case you mean HTTP vs HTTPS.

The proper and terse answer is:
It doesn't matter if you use HTTP or HTTPS as long as you have a secure configuration including managed and strong (not bruteforceable) passwords AND you keep your Icecast server up to date wrt security updates (currently Version 2.4.4).

From my anecdotal knowledge gained over 18 years of involvement in Icecast, if people would follow the above two, then 99,9% of incidents would not happen.

The longer answer is that it will also depend on your 'threat model' and how you rate and address things that you consider 'risks' in this frame of reference. There is no one-fits-all or immediate answer that fits into this email.

Hope this helps,

Thomas
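
Added example, not part of the original thread: a small audit of an `icecast.xml` for the password point made in the message above, which also reports which listeners are plain HTTP and which are TLS (the 8000 versus 8443 question). The config fragment is constructed, and the 16-character minimum is an assumed local policy, not an Icecast requirement.

```python
import xml.etree.ElementTree as ET

# Constructed icecast.xml fragment: one stock password left in place, one
# short password, one plain-HTTP listener and one TLS listener.
SAMPLE_CONFIG = """\
<icecast>
  <authentication>
    <source-password>hackme</source-password>
    <relay-password>Zp4-vuT9qLm2xRw8eKc0</relay-password>
    <admin-user>admin</admin-user>
    <admin-password>radio1</admin-password>
  </authentication>
  <listen-socket><port>8000</port></listen-socket>
  <listen-socket><port>8443</port><ssl>1</ssl></listen-socket>
</icecast>
"""

DEFAULT_PASSWORD = "hackme"  # value shipped in the stock icecast.xml
MIN_LENGTH = 16              # assumption: local policy threshold
PASSWORD_TAGS = ("source-password", "relay-password", "admin-password")

def audit_passwords(root):
    """Flag global passwords that are the shipped default or too short."""
    findings = []
    for tag in PASSWORD_TAGS:
        value = root.findtext(f"authentication/{tag}")
        if value is None:
            continue  # element absent, nothing to rate
        value = value.strip()
        if value == DEFAULT_PASSWORD:
            findings.append(f"{tag}: shipped default")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{tag}: shorter than {MIN_LENGTH} characters")
    return findings

def listeners(root):
    """Map each <listen-socket> port to 'https' or 'http'."""
    result = {}
    for sock in root.findall("listen-socket"):
        tls = (sock.findtext("ssl") or "0").strip() == "1"
        result[int(sock.findtext("port"))] = "https" if tls else "http"
    return result

def audit_config(xml_text):
    root = ET.fromstring(xml_text)
    return audit_passwords(root), listeners(root)

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Per-mount `<password>` overrides are not covered by this sketch and would need the same check.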

Yes I meant HTTPS over HTTP, which yes, I’m differentiating by those port numbers. Thanks for clarifying!

We have been streaming HTTP for a long time, but I am at a university and there is a lot of emphasis on security. I was never really sure what the certificate did for us in this case…but was attempting to comply!

Over the years we have had a small handful of IPs trying to maliciously access our Icecast server over port 8000. I guess the less of that I have to deal with, the better. But if there are streaming aggregators out there who can’t use the HTTPS over the HTTP, then it may be better to deal with the inconvenience once in a while.

Thanks for your help.

Patricia Moynihan
Director of Digital

On May 10, 2019, at 4:04 AM, Thomas B. Rücker <thomas at ruecker.fi> wrote:
> Hi,
>
> On 5/10/19 3:11 AM, Patricia Moynihan wrote:
> > Are there any serious security risks for leaving port 8000 open to
> > public use on icecast? I had wanted to limit to 8443 but it seems some
> > radio devices cannot support this protocol.
>
> The port number doesn't matter. I guess in your case you mean HTTP vs HTTPS.
>
> The proper and terse answer is:
> It doesn't matter if you use HTTP or HTTPS as long as you have a secure
> configuration including managed and strong (not bruteforceable)
> passwords AND you keep your Icecast server up to date wrt security
> updates (currently Version 2.4.4).
>
> From my anecdotal knowledge gained over 18 years of involvement in
> Icecast, if people would follow the above two, then 99,9% of incidents
> would not happen.
>
> The longer answer is that it will also depend on your 'threat model' and
> how you rate and address things that you consider 'risks' in this frame
> of reference. There is no one-fits-all or immediate answer that fits
> into this email.
>
> Hope this helps,
>
> Thomas