Old 28th May 2013, 21:40   #1
rogermjohnson
Junior Member
 
Join Date: Nov 2007
Posts: 5
Strange server message...

I've been getting some strange lines in the server log the last few days. I'm using 1.98 for certain reasons. Here is the line I'm concerned with...

<05/27/13@19:24:27> [dest: 67.234.202.230] Invalid resource request(http://the-proxy-list.com/files/chec...OTc6YTMKFDkg==)

I've also been seeing unusually large amounts of the same IP address showing up. Sometimes as many as 24 simultaneous connections from the same place.

Are there security issues I need to be concerned about?
Old 29th May 2013, 11:02   #2
DrO
 
Join Date: Sep 2003
Posts: 27,873
depends on the version of the v1 DNAS as there's 3 outstanding security advisories against the last release of it (according to secunia) but a lot of people are still using the older 1.9.5 (and they then don't have the security issues fixed between it and 1.9.8) so anything is possible.

the "Invalid resource request" just appears to be the DNAS not being able to cope with the request made and so it drops the connection attempt (as it's likely someone / something scraping the DNAS). other than trying to see if banning the IP of the connection, there's not a lot to do about it.

with the multiple connections, based on the first issue, it could be a number of listeners coming through a proxy which is why it all looks the same. if in doubt, just ban the IP.
Old 29th May 2013, 16:19   #3
thinktink
Forum King
 
Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,030
Block the IP. The request is a test to see if your server is an open proxy.

Example:
http://oucsace.cs.ohiou.edu/~tysko/webattacks.2012.06
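An added example, not part of any post in this thread: a shell function that counts, per source address, the "Invalid resource request" lines whose requested resource is an absolute URL, which is the open-proxy test described above. The line layout is taken from the single log line quoted in post #1; the sample lines, the addresses and the `proxy_probes` name are constructed.

```sh
#!/bin/sh
# Added example: find open-proxy probes in a SHOUTcast DNAS v1 log.
# Line layout follows the one log line quoted in post #1.

# proxy_probes MIN [FILE...]  (reads stdin when no FILE is given)
# Prints "count ip" for each address with at least MIN requests that asked
# the DNAS to fetch an absolute http(s) URL, most active address first.
proxy_probes() {
    min=$1; shift
    awk -v min="$min" '
    # Anchor on the start of the line: the request text is chosen by the
    # client and may itself contain "[dest: ...]" to disguise the address.
    /^<[^>]*> \[dest: [0-9.]+\] Invalid resource request\(https?:\/\// {
        ip = $0
        sub(/^<[^>]*> \[dest: /, "", ip)   # drop timestamp and tag
        sub(/\].*$/, "", ip)               # keep up to the first "]"
        hits[ip]++
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip
    }' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, example domains).
sample_log() {
    cat <<'EOF'
<05/27/13@19:24:27> [dest: 192.0.2.10] Invalid resource request(http://proxy-check.example/check.php?id=1)
<05/27/13@19:24:29> [dest: 192.0.2.10] Invalid resource request(http://proxy-check.example/check.php?id=2)
<05/27/13@19:25:02> [dest: 198.51.100.7] Invalid resource request(/favicon.ico)
<05/27/13@19:26:40> [dest: 203.0.113.5] Invalid resource request(http://x.example/?a=[dest: 192.0.2.99] b)
EOF
}

# Demo: list every address that sent at least one probe.
sample_log | proxy_probes 1
```

Raising MIN turns the output into a short list of candidates for the ban list.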
Old 29th May 2013, 17:33   #4
rogermjohnson
Junior Member
 
Join Date: Nov 2007
Posts: 5
Thanks, I did block that IP.

My station is pretty small... about 3K listeners/month. It's mainly to add to my OTA part 15 station.

I've been trying to tighten up security lately. I was using DNAS v2 server and an older version of SAM Broadcaster (I can't afford a whole new version of SAM just to be compatible with DNAS v2). Problem was no title listed in the ShoutCast directory. With DNAS v1.98 I get 'Recently Played' which is better than nothing so...

The machine is running Win XP SP3. I've added Comodo Firewall as it seems more secure than Windows stock firewall. The router has all its security up as far as I can go and still stream.

Any ideas on anything else I can do to beef up security? When I went back to DNAS v1.98 it was still configured from 5 years ago settings. Back then I was new to streaming and just trying to get up and running. Today I went into the configuration and made the changes listed below. Did I make any mistakes here? Any suggestions on other changes?

I also listed below that some settings I didn't change, but am unclear about. When it comes to 'Relaying'... I have no problem with somebody else re-broadcasting my stream, but I surely don't want anybody relaying anything off my server. Any comments or suggestions on this?

Thanks to everybody for taking the time to help with this...

Today's Changes:

-----
; SrcIP, the interface to listen for source connections on (or to make relay
; connections on if relaying). Can and usually will be ANY or 127.0.0.1
; (Making it 127.0.0.1 will keep other machines from being able to
; broadcast using your shoutcast server ) *** CHANGED from 'ANY' 05-30-13 ***
SrcIP=127.0.0.1

-----

; NameLookups. Specify 1 to perform reverse DNS on connections.
; This option may increase the time it takes to connect to your
; server if your DNS server is slow. Default is 0 (off). *** CHANGED from '0' 05-30-13
NameLookups=1

-----

; RelayPort and RelayServer specify that you want to be a relay server.
; Relay servers act as clients to another server, and rebroadcast.
; Set RelayPort to 0, RelayServer to empty, or just leave these commented
; out to disable relay mode. *** CHANGED from '8000' and 192.168.1.58 05-30-13
; RelayPort=0
; RelayServer=

-----

; ListenerTimer is a value in minutes of maximum permitted time for
; a connected listener. If someone is connected for longer than this
; amount of time, in minutes, they are disconnected. When undefined,
; there is no limit defined. Default is undefined. CHANGED from '600' 05-30-13
; ListenerTimer=

--------
********
--------

; AllowRelay determines whether or not other SHOUTcast servers will be
; permitted to relay this server. The default is Yes.
AllowRelay=Yes

-----

; AllowPublicRelay, when set to No, will tell any relaying servers not
; to list the server in the SHOUTcast directory (non-public), provided
; the relaying server's Public flag is set to default. The default is
; Yes.
AllowPublicRelay=Yes

-----

Once again...

Thanks,
Roger Johnson
Voice Of Belle Plaine
vobp.8k.com
Old 31st May 2013, 06:52   #5
thinktink
Forum King
 
Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,030
Usually bots will crawl websites to find open servers. The first thing to do is not let them find the url:port directly. When I had a SHOUTcast station what I did was never ref a direct link to the server from my website and instead put the server stream information inside a playlist file (or more to support more players) hosted by the website, like an m3u or pls file. What this does is trick (most) bots into believing that the file resource is some unreadable file and ignore it. But it still allows listeners to find your station from your website. And since the SHOUTcast directory does the same thing (dynamically) it is fine to do the same thing on your site. But before you do any of that change the current port number the servers are currently on (whether or not it's a standard port or not) before publishing it again. And definitely change your port number if it's currently on port 8000. Port 8000 is a commonly used port for a lot of different kinds of servers, including ones the bots are looking for.

The 2nd thing I did was to actually use the linux version of the DNAS/Transcoder and with Fail2Ban on the same server I was able to automatically block blatant stream rippers. This one is really complicated however since there are no regex query strings that come with Fail2Ban for SHOUTcast v2 logs (at least last time I checked.)

The 3rd (and biggest) thing I did was block the entire country of China (and to a lesser extent, Taiwan.) This is pretty much universal to any kind of server. More hackers, crackers, bots, script kiddies, and general corporate espionage attempts from that country than you can shake a stick at. Simply blocking the entirety of China (especially the government IP addresses) will accrue a rate drop of overall attacks against your server so hard, fast, and steep, that you'll wonder why every nation on the planet hasn't already allied, even just temporarily, to turn that landscape into a parking lot. Seriously, it really is just that mind blowingly bad. Blocking China will reduce work-load investigating connections, reading security warning e-mails, and other automated and manual security system headaches. I've seen it with my own eyes (in my own server logs.) A number of people will probably tell you that I'm just being insane/over-paranoid or whatever and I can see why some might say that, but only out of ignorance.

I'll post more later on if I remember them.

Last edited by thinktink; 31st May 2013 at 06:53. Reason: accidental emoticon
Old 31st May 2013, 20:59   #6
rogermjohnson
Junior Member
 
Join Date: Nov 2007
Posts: 5
Hey Thanks...!

That sounds like very good advice. I'll do some more reading on the subject. Can you tell me if there is an easy way of blocking Chinese addresses? Looks like I have my homework cut out for me....
Old 1st June 2013, 09:06   #7
thinktink
Forum King
 
Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,030
Quote:
Originally Posted by rogermjohnson View Post
...

Can you tell me if there is an easy way of blocking Chinese addresses?

...
There is an easy way of sorts. There's a linux script floating around somewhere out there that will automatically download a file (or more if you do more than one country), parse it, and shove it into the iptables firewall. You would normally put this script into a bi-weekly or monthly cron job since the IP address ranges sometimes change. The country code for China is CN and Taiwan's is TW. If you can't find it I'll try digging it out of my disembodied linux HDD if I can find it in my car somewhere.
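An added example, not the script thinktink refers to and not part of any post: the "parse it and load it into the firewall" step, with the downloaded file treated as untrusted input. As a substitution made here, the ranges go into an ipset set matched by a single iptables rule instead of one iptables rule per range; the zone file is assumed to be already downloaded with one IPv4 CIDR per line, and the set name `geoblock`, the file name `cn.zone` and the sample ranges are constructed.

```sh
#!/bin/sh
# Added example: convert a per-country CIDR list into "ipset restore" input.
# The set name and sample ranges below are constructed for illustration.

# zone_to_ipset SET  (zone file on stdin, restore script on stdout)
zone_to_ipset() {
    awk -v set="$1" '
    function valid(cidr,   p, o, i) {
        if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
        split(cidr, p, "/"); split(p[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] > 255) return 0
        # Refuse anything wider than /8 so a bad feed cannot block everything.
        return (p[2] >= 8 && p[2] <= 32)
    }
    BEGIN {
        print "create " set " hash:net family inet"
        print "create " set "-new hash:net family inet"
        print "flush " set "-new"
    }
    { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/[ \t]/, "") }
    $0 == ""    { next }
    !valid($0)  { bad++; next }
    !seen[$0]++ { n++; print "add " set "-new " $0 }
    END {
        if (bad) print bad " invalid line(s) skipped" > "/dev/stderr"
        # An empty result means the download failed: keep the live set as is.
        if (n == 0) { print "destroy " set "-new"; exit 1 }
        # Swap atomically so the live set is never empty during a refresh.
        print "swap " set "-new " set
        print "destroy " set "-new"
    }'
}

# Constructed sample feed (documentation ranges plus deliberately bad lines).
sample_zone() {
    cat <<'EOF'
# constructed sample
192.0.2.0/24
198.51.100.0/24
192.0.2.0/24
0.0.0.0/0
203.0.113.0/33
<html>error page</html>
EOF
}

# Apply as root (not run here):
#   zone_to_ipset geoblock < cn.zone > geoblock.restore &&
#       ipset -exist restore < geoblock.restore
#   iptables -C INPUT -m set --match-set geoblock src -j DROP 2>/dev/null ||
#       iptables -I INPUT -m set --match-set geoblock src -j DROP
```

Run from cron, the function exits non-zero when the feed yields no valid range, so a failed download leaves the previous set in place.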