Wowza Community

ffmpeg rtmp to wowza security vulnerability

I can stream to my origin server using ffmpeg without a login even if RTMP Publishing is set to Require password authentication.

Why?

E:\Work\ffmpeg\bin>ffmpeg -re -f dshow -audio_buffer_size 10 -channels 1 -i audio=“Microphone (Realtek High Definition Audio)” -strict -2 -codec:a aac -channels 1 -b:a 8k -ar 22050 -f flv -rtmp_buffer 0 -rtmp_live live rtmp://audioroot/live/1

Hi,

I’m not sure what version of Wowza you are using, but a quick check is to edit [install-path]/conf/live/Application.xml and search for PublishMethod. Please confirm that it is set as follows:

 <RTP>
                        <!-- RTP/Authentication/[type]Methods defined in Authentication.xml. Default setup includes; none, basic, digest -->
                        <Authentication>
                                <PublishMethod>digest</PublishMethod>
                                <PlayMethod>none</PlayMethod>
                        </Authentication>

If so then please can you also zip up your /conf and /logs folders and raise a ticket by sending an email to support@wowza.com and we will investigate further.

Paul

Hi,

Thanks for checking. Those settings are actually specific to RTP/RTSP, but if your UI settings are set to require RTMP authentication then that should prevent RTMP publishing without credentials. I really should have asked you to check in another area of the file. Near the end of the Application.xml file there should be the following

<Property>
                                <Name>securityPublishRequirePassword</Name>
                                <Value>true</Value>
                                <Type>Boolean</Type>
</Property>

Toggling RTMP Publishing in Incoming Security for your Wowza app via the UI should add or remove the above property - note that a restart of the Wowza app is required.

If the above property exists and is set to true then ffmpeg should not be able to publish an RTMP stream to Wowza without credentials.

Paul

Hi,

Thanks for raising the support ticket. We can continue the conversation there.

Regards,

Paul

mine has the following.

the ui is set to this

RTMP Publishing

Require password authentication

RTSP Publishing

RTSP publishing not allowed

block

none

senderreport

12000

75

90000

0

0.0.0.0

127.0.0.1

*