Carphunter Flashcom Newbie

Joined: 06 September 2006 Location: United States Posts: 16
Posted: 09 February 2010 at 07:01
Wondering how many other sites are dealing with pirate streams being bounced through their servers.
I was recently made aware that someone was bouncing a pirate stream through us that was being accessed via a TV-style aggregator site.
Well, I started looking to find what we had to do to lock down the live encoding side of our FMS server and found that we're sort of S.O.L.
We installed the FMLE authenticator...but that doesn't stop the feed sources.
Also, reviewing our logs, we can see where clients are picking up streams that don't exist on our site... but we can't find any publish/unpublish statements for these streams..... so I have no confidence in being able to tell when they are coming through us.
I'm in the Adobe forums asking them how to kill this access, and while they mention an authentication plugin I don't see in our install, and some swf verification methods we'll have to examine and see if we can implement in all of our existing apps.....
I'm just wondering... how many servers are dealing with this crud.... and has someone found an effective way to stop it.
It wasn't until this happened that I realized what an open, gaping, hole Adobe left in the server when it comes to the live streams.
grr
mr-webcam Flashcom Badass

Joined: 01 July 2005 Location: United Kingdom Posts: 173
Posted: 09 February 2010 at 08:52
You should consider locking your server down by editing the vhost configuration. This will prevent any connection except from URLs you have specified.
This way no one can view anything from your FMS server unless the file is served from an allowed URL:
<DNSSuffix></DNSSuffix>
<!-- This tag specifies a comma delimited list of domains that are -->
<!-- allowed to connect to this vhost. If this tag is empty, then -->
<!-- only connections from the same domain that is being connected -->
<!-- to will be allowed. If this tag is not empty, then only the -->
<!-- domains explicitly listed will be accepted. For example, -->
<!-- <Allow>macromedia.com, yourcompany.com</Allow> will only allow -->
<!-- connections from the macromedia.com & yourcompany.com domains. -->
<!-- If you wish to allow localhost connections, you will specify -->
<!-- "localhost". For example, <Allow>localhost</Allow>. To allow -->
<!-- all domains, specify "all". For example, <Allow>all</Allow>. -->
<Allow>my-first-server.com, my-second-server.com, 123.456.789.012</Allow>
Edited by mr-webcam on 09 February 2010 at 08:53
__________________ http://www.mr-webcam.com
FCS/FMS Red5 and wowza application demos online plus see our 14 streaming cams here
=fb3= Flashcom Badass


Joined: 07 February 2004 Location: United States Posts: 509
Posted: 09 February 2010 at 13:55
You cannot use the vhost allow tag if you are letting people encode with FMLE because the allow tag only would accept connections if it is from an application located on the server.
You would need to authenticate sessions.
So basically you would need to have an authenticated session stored in a DB via a login to your site for example.
Then you would need to pass the valid sessionID in your FMLE rtmp string to the FMS server and parse out the string.
Then you would need to use remoting from FMS to the database to check the passed session is valid.
If so, acceptConnection else rejectConnection.
That's how I would do it.
HTH
__________________ www.virtualjam.net
jaycharles Moderator

Joined: 18 February 2004 Posts: 507
Posted: 09 February 2010 at 14:33
It actually doesn't need to be that complicated. For simple protection, you could hardcode a password on the server side, pass a password in from the client side in the onConnect, and then validate the password in the onPublish handler (dropping any unauthorized publisher):
application.onAppStart = function(){
    application.password = "somepassword";   // hardcoded publisher password
}
application.onConnect = function(client, pass){
    // the password arrives as a connect argument; default to 0 when none was sent
    client.pass = pass != undefined ? pass : 0;
    application.acceptConnection(client);
}
application.onPublish = function(client, stream){
    // drop any publisher whose password doesn't match
    if(!client.pass || client.pass != application.password){
        application.disconnect(client);
    }
}
__________________ http://www.jaycharles.net
Carphunter Flashcom Newbie

Joined: 06 September 2006 Location: United States Posts: 16
Posted: 09 February 2010 at 15:18
thanks for the info.
JayCharles... with your method, is any of that password info "sniffable?"
also, combining two thoughts... if the server has a hardcoded password, and FMLE tries to fire off user/pass... would that be allowed by the server?
Finally, I think I said it before.... I'm truly worried that streams are coming through us with no publish/unpublish indication in the logs.
I say this because I found this in my access log.
#Fields: date time x-category x-event x-status x-sname x-pid c-ip cs-bytes sc-bytes sc-stream-bytes x-file-size x-file-length c-user-agent c-referrer c-proto x-comment
2010-02-07 00:15:58 session connect 200 - 4540 24.130.211.56 3073 3073 - - - WIN 10,0,22,87 http://nadorlive.com/swf/hd.swf rtmp -
2010-02-07 00:15:59 stream play 200 netherlandschannel 4540 24.130.211.56 3136 3451 0 - - WIN 10,0,22,87 http://nadorlive.com/swf/hd.swf rtmp -
2010-02-07 00:16:22 stream stop 408 netherlandschannel 4540 24.130.211.56 3170 3915 374 - - WIN 10,0,22,87 http://nadorlive.com/swf/hd.swf rtmp -
We don't have a matching app name like this on our box, but if I'm reading the log correctly, there's no note of failure for this stream. I can find no publish/unpublish command for netherlandschannel, so I'm paranoid that there is a stream there that somehow isn't evident in the logs.
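As an added example (not code from this thread), here is a small parser for the W3C-style access log quoted above, together with a check that flags "stream play" events for stream names that never appear in a "stream publish" event in the same log. The field order is taken from the "#Fields:" header, so extra fields such as x-app can be added to the logger config without changing the parser. The sample log is constructed for this example: FMS writes tab-separated fields, the "ourlivefeed" publish/play lines and their addresses are made up, and the netherlandschannel lines follow the ones quoted above.

```javascript
// Added example: parse FMS access log lines and report plays of unpublished streams.
var T = "\t";
// Constructed sample log (tab-separated, as FMS writes it)
var SAMPLE_LOG = [
  "#Fields: date time x-category x-event x-status x-sname x-pid c-ip cs-bytes sc-bytes sc-stream-bytes x-file-size x-file-length c-user-agent c-referrer c-proto x-comment",
  ["2010-02-07","00:15:58","session","connect","200","-","4540","24.130.211.56","3073","3073","-","-","-","WIN 10,0,22,87","http://nadorlive.com/swf/hd.swf","rtmp","-"].join(T),
  ["2010-02-07","00:15:59","stream","publish","200","ourlivefeed","4539","203.0.113.10","512","256","0","-","-","FMLE/3.0","-","rtmp","-"].join(T),
  ["2010-02-07","00:15:59","stream","play","200","netherlandschannel","4540","24.130.211.56","3136","3451","0","-","-","WIN 10,0,22,87","http://nadorlive.com/swf/hd.swf","rtmp","-"].join(T),
  ["2010-02-07","00:16:05","stream","play","200","ourlivefeed","4541","198.51.100.7","3100","90000","86000","-","-","WIN 10,0,22,87","http://example.com/player.swf","rtmp","-"].join(T),
  ["2010-02-07","00:16:22","stream","stop","408","netherlandschannel","4540","24.130.211.56","3170","3915","374","-","-","WIN 10,0,22,87","http://nadorlive.com/swf/hd.swf","rtmp","-"].join(T)
].join("\n");

// Parse log text into records keyed by the names given in the #Fields header.
function parseFmsLog(text) {
  var fields = null, records = [];
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i];
    if (line === "") continue;
    if (line.indexOf("#Fields:") === 0) {
      fields = line.substring("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.charAt(0) === "#" || fields === null) continue; // other directives, or no header yet
    var cols = line.split("\t");
    var rec = {};
    for (var j = 0; j < fields.length; j++) rec[fields[j]] = cols[j] === undefined ? "-" : cols[j];
    records.push(rec);
  }
  return records;
}

// Return the play events whose stream name was never the subject of a publish
// event in this log. sc-stream-bytes is carried along so a subscriber left waiting
// (no media delivered) can be told apart from a stream that was actually relayed.
function playsWithoutPublish(records) {
  var published = {};
  for (var i = 0; i < records.length; i++) {
    var r = records[i];
    if (r["x-category"] === "stream" && r["x-event"] === "publish") published[r["x-sname"]] = true;
  }
  var suspicious = [];
  for (var k = 0; k < records.length; k++) {
    var p = records[k];
    if (p["x-category"] !== "stream" || p["x-event"] !== "play") continue;
    if (published[p["x-sname"]] === true) continue;
    suspicious.push({
      sname: p["x-sname"],
      ip: p["c-ip"],
      referrer: p["c-referrer"],
      app: p["x-app"] || "-",                       // only present if x-app is in the logger config
      streamBytes: parseInt(p["sc-stream-bytes"], 10) || 0
    });
  }
  return suspicious;
}

var findings = playsWithoutPublish(parseFmsLog(SAMPLE_LOG));
for (var f = 0; f < findings.length; f++) {
  console.log("play of unpublished stream " + findings[f].sname + " from " + findings[f].ip +
              " via " + findings[f].referrer + " (" + findings[f].streamBytes + " stream bytes)");
}
```

Run against a real access log, a zero in sc-stream-bytes on a flagged play means the viewer only created and waited on the stream; a large value means media actually flowed through the server and the publisher side needs to be traced.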
jaycharles Moderator

Joined: 18 February 2004 Posts: 507
|
Posted: 09 February 2010 at 15:55
In regard to the password info being "sniffable", it's equally susceptible to a man-in-the-middle attack as an HTTP request. If you need an additional layer of security, install a secure cert on FMS and use RTMPS.
As for FMLE, you can't pass in credentials as connect arguments (no support in FMLE for that), but you can use query variables in your RTMP address. To do that, you'd change your onConnect to pick out the query vars:
URL: rtmp://myfms.com/app/instance/?pass=secret
application.onConnect = function(client){
    // pick the query variables out of the connect URI, e.g. ?pass=secret&user=cam1
    client.queryVars = {};
    var query = client.uri.split("?")[1];
    if(query){
        var args = query.split("&");             // one "name=value" pair per element
        for(var a = 0; a < args.length; a++){
            var pair = args[a].split("=");
            client.queryVars[pair[0]] = pair[1];
        }
    }
    application.acceptConnection(client);        // viewers connect freely; publishing is checked below
}
application.onPublish = function(client, stream){
    // application.password is set in onAppStart as in the earlier post
    if(!client.queryVars.pass || client.queryVars.pass != application.password){
        application.disconnect(client);
    }
}
I actually prefer query vars as opposed to onConnect arguments, as it makes supporting different publishing tools easier.
What you're seeing in the log there appears to be a request to play a stream, not to publish a stream.
The thing to understand about live streams is that a subscribing client can tell FMS to create the live stream, even if there's no publisher. For example, from the client side, the following code:
ns.play("someLiveStream", -1, -1);
tells fms the following:
"I want to play a live stream named someLiveStream. If someone is already publishing to that stream, play it, otherwise create the stream, and I'll wait here listening until someone starts publishing to it"
Given that the sc-bytes and sc-stream-bytes fields in your log show almost no data transferred, it looks to me like someone tried to connect to a live stream that had no publisher, and left the player sitting there connected for about 23 minutes.
The next question is, which app was the illegitimate subscriber connected to? The "netherlandschannel" data appears to be the stream name (it's in the x-sname field, which is the stream name, not the app name). In order to see the app/instance being used for the stream, you'll need to include the x-app and x-appinst fields in the logger configs.
__________________ http://www.jaycharles.net
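The following is an added example, not code from the thread or from jaycharles, that pulls together the two publisher gates discussed above (the shared password passed as a query variable, and =fb3='s idea of passing a session ID and checking it against a store). The parsing and authorization logic is written as plain ECMAScript functions so it can be unit-tested outside FMS; the FMS handler wiring at the bottom assumes the server-side API (application.onConnect, application.onPublish, application.acceptConnection, application.disconnect, client.uri, client.ip, stream.name, trace) and that decodeURIComponent is available in the server-side runtime. The password, the session table and the query names "pass" and "sid" are constructed for the example; in a real deployment the session lookup would be the remoting call to your database.

```javascript
// Added example: robust query-variable parsing and a publish gate for an FMS main.asc.

// Parse the query part of an RTMP connect URI such as
// rtmp://myfms.com/app/instance/?pass=secret&user=cam1 into a plain object.
function parseQueryVars(uri) {
  var vars = {};
  if (typeof uri !== "string") return vars;
  var q = uri.indexOf("?");
  if (q === -1) return vars;                       // no query string at all
  var pairs = uri.substring(q + 1).split("&");     // split on "&", not on characters
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") continue;
    var eq = pairs[i].indexOf("=");
    var key = eq === -1 ? pairs[i] : pairs[i].substring(0, eq);
    var val = eq === -1 ? "" : pairs[i].substring(eq + 1);
    try { key = decodeURIComponent(key); val = decodeURIComponent(val); }
    catch (e) { continue; }                        // malformed escape: ignore the pair
    vars[key] = val;
  }
  return vars;
}

// Length-and-content comparison that does not stop at the first mismatching byte.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a connecting client may publish: either the shared publisher
// password matches, or the session id is present in the session store.
// The "=== true" check also keeps inherited Object properties from passing.
function publisherAuthorized(queryVars, config) {
  if (queryVars.pass !== undefined && safeEqual(queryVars.pass, config.password)) return true;
  if (queryVars.sid !== undefined && config.sessions[queryVars.sid] === true) return true;
  return false;
}

// Constructed configuration: the password and session table stand in for the DB.
var CONFIG = { password: "s3cret", sessions: { "abc123": true } };

// FMS wiring (assumed server-side API); skipped when run outside FMS for testing.
if (typeof application !== "undefined") {
  application.onConnect = function (client) {
    client.queryVars = parseQueryVars(client.uri);
    client.canPublish = publisherAuthorized(client.queryVars, CONFIG);
    application.acceptConnection(client);          // viewers may connect; publishing is gated below
  };
  application.onPublish = function (client, stream) {
    if (!client.canPublish) {
      trace("rejected publish of " + stream.name + " from " + client.ip);
      application.disconnect(client);
    }
  };
}
```

Because the decision is made once in onConnect and stored on the client, onPublish only needs the boolean, and a viewer connecting without any query variables is still accepted as a subscriber while being refused as a publisher.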
Carphunter Flashcom Newbie

Joined: 06 September 2006 Location: United States Posts: 16
|
Posted: 12 February 2010 at 16:43
jaycharles... thanks for the info.
We've thrown a couple of commands into the main.asc where this stream appears to enter.
Most of our apps use a cookie-cutter main.asc that works with the FLVPlayback component, so we just added this to them, and from our tests it will stop FMLE from publishing through the apps:
// stop illegal uploaders: disconnect any client that tries to publish
application.onPublish = function(p_client, stream) {
    application.disconnect(p_client);
}
but, while we've seen more "play" and "live" commands as you mention.... we've still not seen a publish command.
I don't know if there's just old code out there that keeps hitting us, or what.