Thread: ffmpeg rtmp to wowza security vulnerability

  1. #1
    Join Date
    Apr 2015
    Posts
    3

    ffmpeg rtmp to wowza security vulnerability

    I can stream to my origin server using ffmpeg without a login even if RTMP Publishing is set to Require password authentication.
    Why?

    E:\Work\ffmpeg\bin>ffmpeg -re -f dshow -audio_buffer_size 10 -channels 1 -i audio="Microphone (Realtek High Definition Audio)" -strict -2 -codec:a aac -channels 1 -b:a 8k -ar 22050 -f flv -rtmp_buffer 0 -rtmp_live live rtmp://audioroot/live/1

  2. #2

    Hi,

    I'm not sure what version of Wowza you are using, but a quick check is to edit [install-path]/conf/live/Application.xml and search for PublishMethod. Please confirm that it is set as follows:

    <RTP>
        <!-- RTP/Authentication/[type]Methods defined in Authentication.xml. Default setup includes; none, basic, digest -->
        <Authentication>
            <PublishMethod>digest</PublishMethod>
            <PlayMethod>none</PlayMethod>
        </Authentication>

    If so then please can you also zip up your /conf and /logs folders and raise a ticket by sending an email to support@wowza.com and we will investigate further.


    Paul

  3. #3
    Join Date
    Apr 2015
    Posts
    3

    Mine has the following.

    The UI is set to this:

    RTMP Publishing

    Require password authentication

    RTSP Publishing

    RTSP publishing not allowed


    <RTP>
        <!-- RTP/Authentication/[type]Methods defined in Authentication.xml. Default setup includes; none, basic, digest -->
        <Authentication>
            <PublishMethod>block</PublishMethod>
            <PlayMethod>none</PlayMethod>
        </Authentication>
        <!-- RTP/AVSyncMethod. Valid values are: senderreport, systemclock, rtptimecode -->
        <AVSyncMethod>senderreport</AVSyncMethod>
        <MaxRTCPWaitTime>12000</MaxRTCPWaitTime>
        <IdleFrequency>75</IdleFrequency>
        <RTSPSessionTimeout>90000</RTSPSessionTimeout>
        <RTSPMaximumPendingWriteBytes>0</RTSPMaximumPendingWriteBytes>
        <RTSPBindIpAddress></RTSPBindIpAddress>
        <RTSPConnectionIpAddress>0.0.0.0</RTSPConnectionIpAddress>
        <RTSPOriginIpAddress>127.0.0.1</RTSPOriginIpAddress>
        <IncomingDatagramPortRanges>*</IncomingDatagramPortRanges>
        <!-- Properties defined here will override any properties defined in conf/RTP.xml for any depacketizers loaded by this application -->
        <Properties>
        </Properties>
    </RTP>

  4. #4

    Hi,

    Thanks for checking. Those settings are actually specific to RTP/RTSP, but if your UI settings are set to require RTMP authentication then that should prevent RTMP publishing without credentials. I really should have asked you to check in another area of the file. Near the end of the Application.xml file there should be the following:

    <Property>
        <Name>securityPublishRequirePassword</Name>
        <Value>true</Value>
        <Type>Boolean</Type>
    </Property>

    Toggling RTMP Publishing in Incoming Security for your Wowza app via the UI should add or remove the above property - note that a restart of the Wowza app is required.

    If the above property exists and is set to true then ffmpeg should not be able to publish an RTMP stream to Wowza without credentials.


    Paul
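
Added example, not part of the original thread and not Wowza's own tooling: a Python check that reads an Application.xml and reports the two separate settings discussed above, the RTMP `securityPublishRequirePassword` property and the RTP/RTSP `PublishMethod`. The sample file, its `<Root><Application>` wrapper and the function name `audit_publish_auth` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real Wowza file: only the two fragments quoted in
# the thread, wrapped in an assumed <Root><Application> skeleton.
SAMPLE = """<Root>
  <Application>
    <RTP>
      <Authentication>
        <PublishMethod>block</PublishMethod>
        <PlayMethod>none</PlayMethod>
      </Authentication>
    </RTP>
    <Properties>
      <Property>
        <Name>securityPublishRequirePassword</Name>
        <Value>true</Value>
        <Type>Boolean</Type>
      </Property>
    </Properties>
  </Application>
</Root>"""


def audit_publish_auth(xml_text):
    """Return (rtmp_requires_password, rtsp_publish_method, findings)."""
    root = ET.fromstring(xml_text)
    findings = []

    # RTMP: find the property by name. Assumption: which <Properties> block
    # holds it is not checked here, only its presence and value.
    rtmp_required = False
    for prop in root.iter("Property"):
        if (prop.findtext("Name") or "").strip() == "securityPublishRequirePassword":
            rtmp_required = (prop.findtext("Value") or "").strip().lower() == "true"
    if not rtmp_required:
        findings.append("RTMP: securityPublishRequirePassword missing or not true")

    # RTP/RTSP: a separate setting; per the thread it does not govern RTMP.
    rtsp_method = (root.findtext(".//RTP/Authentication/PublishMethod") or "").strip()
    if rtsp_method in ("", "none"):
        findings.append("RTSP: PublishMethod is %r" % rtsp_method)

    return rtmp_required, rtsp_method, findings
```

The check reads the file on disk only; as noted in the thread, a changed property takes effect after the Wowza application is restarted.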

  5. #5

    Hi,

    Thanks for raising the support ticket. We can continue the conversation there.


    Regards,

    Paul
