Thread: security issue

  1. #1

    security issue

    We run an edge-origin configuration.

    We have recently been hijacked by people using our edge server in the following way.

    rtmp://ouredge.com/live/rtmp://theirserver/whatever/stream

    Could you please let me know how to stop this.

    Thanks,

    Joe

  2. #2

    Hi,

    Please see the following tutorial

    http://www.wowza.com/forums/content....tream-repeater

    It outlines how to secure origin and edge servers.

    Andrew

  3. #3

    Is it possible to secure just the edges in this way and still allow unauthenticated encoder PUSH to the origins? I.e. stop the hijacking without having to put restrictions on the origins (which are IP restricted using a firewall).

  4. #4

    Yes, you can secure only the edges and leave the origin unrestricted.

    Follow these steps to secure the edges; omit the steps that secure the origin:
    Secure the edges
    Secure the edges (continued)

    Follow the steps for securing the edges and omit the steps for securing the origin.


    Salvadore
    Last edited by salvadore; 01-06-2014 at 11:16 AM.

  5. #5

    Sorry about that, I referred to the wrong article. What you need to do is actually follow this guide, and set up SecureToken on the edges only. Omit ModuleRTMPAuthenticate from the origin:
    How to protect RTMP streaming using SecureToken (ModuleSecureToken)

    Salvadore

  6. #6

    The above method did not work.

    What I did was the following:
    1) Set up an application on the Wowza origin and on the Wowza edge servers
    2) Removed ModuleRTMPAuthenticate and ModuleSecureToken from the origin's Application.xml of the application
    3) Added the following to the edge's Application.xml in their appropriate places:

        <Module>
            <Name>ModuleSecureToken</Name>
            <Description>ModuleSecureToken</Description>
            <Class>com.wowza.wms.security.ModuleSecureToken</Class>
        </Module>

        <Property>
            <Name>secureTokenSharedSecret</Name>
            <Value>#ed%h0#w@1</Value>
        </Property>

    However, when I play the stream, the stream does not play and I get the following error in the error log:

        ModuleSecureToken.onConnect: Action before response received: kill connection:

    Just to be clear, I want to accomplish the following:
    Leave the origins unsecured, so encoders do not need to authenticate to push to the origin, but secure the connection between the origin and edge server, meaning that no one is allowed to push, publish or re-stream to our edge servers if it is not coming from our origin servers. However, I want our clients to be able to play streams from the edge unsecured (meaning no need for tokens or usernames or passwords etc).

    How can this be achieved?

  7. #7

    Originally posted by brayster99:
        The above method did not work.

        What I did was the following:
        1) Set up an application on the Wowza origin and on the Wowza edge servers
        2) Removed ModuleRTMPAuthenticate and ModuleSecureToken from the origin's Application.xml of the application
        3) Added the following to the edge's Application.xml in their appropriate places:

        However, when I play the stream, the stream does not play and I get the following error in the error log:

        Just to be clear, I want to accomplish the following:
        Leave the origins unsecured, so encoders do not need to authenticate to push to the origin, but secure the connection between the origin and edge server, meaning that no one is allowed to push, publish or re-stream to our edge servers if it is not coming from our origin servers. However, I want our clients to be able to play streams from the edge unsecured (meaning no need for tokens or usernames or passwords etc).

        How can this be achieved?

    I.e. how to stop

    rtmp://myserver.com/liverepeateregde/any/rtmp://someoneesle.com/any/thing

    from working. Clearly we need the edges to be able to talk to our own origins. We don't use passwords for our encoders.

    And also how to stop encoders pushing directly to liverepeater-edge?

  8. #8

    So have just tested, and even though it is possible to secure the edge and origins, it still doesn't solve the problem above. So...

    1) How to STOP on a server level the ability for encoders to push to liverepeater-edge
    2) How to stop the hijacking as rtmp://myserver.com/liverepeateregde/any/rtmp://someoneesle.com/any/thing

    THIS IS A MAJOR SECURITY HOLE.

  9. #9

    Try using ModuleRTMPAuthenticate on the edges instead of ModuleSecureToken.

    Salvadore

  10. #10

    Originally posted by salvadore:
        Try using ModuleRTMPAuthenticate on the edges instead of ModuleSecureToken.

        Salvadore

    We did. It doesn't stop the above scenario.
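
The check the posters are asking for, as an added example that is not part of the original thread and is not Wowza code: it splits a play URL as seen at the edge, finds any URL embedded in the stream name, and compares its host with an allowlist of the operator's own origins. The origin hostnames, function names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: hostnames of our own origin servers (constructed placeholders).
ALLOWED_ORIGINS = {"origin1.example.com", "origin2.example.com"}
# Any URL scheme inside a stream name, e.g. "rtmp://", "rtmps://", "rtsp://".
EMBEDDED_URL = re.compile(r"[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def split_request(url):
    """Split rtmp://host/app/<rest> into (host, app, stream name)."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % url)
    host, _, path = rest.partition("/")
    app, _, stream = path.partition("/")
    return host.lower(), app, stream

def embedded_origin(stream):
    """Return the host of a URL embedded in the stream name, or None."""
    match = EMBEDDED_URL.search(stream)
    if match is None:
        return None
    hostport = stream[match.end():].split("/", 1)[0]
    host = hostport.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port
    return host.lower()

def check_play_request(url, allowed=ALLOWED_ORIGINS):
    """Return (verdict, origin): 'plain', 'own-origin' or 'foreign-origin'."""
    _host, _app, stream = split_request(url)
    # Decode first so an encoded "://" is judged the same as a literal one.
    origin = embedded_origin(unquote(stream))
    if origin is None:
        return "plain", None
    return ("own-origin" if origin in allowed else "foreign-origin"), origin

# Constructed sample requests, modelled on the URLs quoted in the thread.
SAMPLE_REQUESTS = [
    "rtmp://ouredge.com/live/myStream",
    "rtmp://ouredge.com/live/rtmp://origin1.example.com/live/myStream",
    "rtmp://ouredge.com/live/rtmp://theirserver/whatever/stream",
    "rtmp://myserver.com/liverepeateregde/any/rtmp://someoneesle.com/any/thing",
]

def foreign_requests(requests, allowed=ALLOWED_ORIGINS):
    """Return (url, origin) for each request naming a non-allowlisted origin."""
    checked = ((url, check_play_request(url, allowed)) for url in requests)
    return [(url, res[1]) for url, res in checked if res[0] == "foreign-origin"]

if __name__ == "__main__":
    print(foreign_requests(SAMPLE_REQUESTS))
```

If the edge application has its origin address configured on the server, so that players only ever send plain stream names, treat `own-origin` as a rejection as well.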
