hidden/protect shoutcast web status page

[adrenalinic]

Hi.
How can hidden or protect shoutcast status page to listeners??
at http://111.111.111.111:8000 ?

Thanks.
Josef

[Evil Lu]

You can't really and anyhow why would you? They're hardly going to do anything to it.

[Nick@ss]

This cannot be done with shoutcast but it can be done with icecast.

support to do this can be found in the icecast forums.

[hackerdork]

ya you cant, because to listen to your stream in winamp, you simple open URL and type in 111.111.111.111:8000 , without it nothing... The DNAS is what is providing the webpage
If you blocked http to 111.111.111.111 your stream would break..

~ D

[SorceryKid]

This is kind of a long shot, but it may be possible to operate an HTTP proxy server on the same box.

Have it bind to both a public port on the NIC and the private port with the SHOUTcast server on localhost such that it can filter incoming and outgoing HTTP sessions accordingly. For example, if a Web browser (identified by user-agent of Mozilla/X.X) submitted a 'GET' request for the root Web directory), then it would be forbidden before it even reached the SHOUTcast server. This would likewise be a possible method you could use to password protect the SHOUTcast server from unauthorized listeners.

Again, this just a hypothetical setup. I've never tried it. And I would be interested to see if it could be accomplished.

Good luck,

--Randall

[djrm.net]

Quote:

Originally posted by SorceryKid
This is kind of a long shot, but it may be possible to operate an HTTP proxy server on the same box.

Have it bind to both a public port on the NIC and the private port with the SHOUTcast server on localhost such that it can filter incoming and outgoing HTTP sessions accordingly. For example, if a Web browser (identified by user-agent of Mozilla/X.X) submitted a 'GET' request for the root Web directory), then it would be forbidden before it even reached the SHOUTcast server. This would likewise be a possible method you could use to password protect the SHOUTcast server from unauthorized listeners.

Again, this just a hypothetical setup. I've never tried it. And I would be interested to see if it could be accomplished.

Good luck,

--Randall

we have this kind of setup... kind of.
Our servers are behind a proxy (and caching) server so requests are cached... usually find mega delays on our status pages but its ideal if there are many requests... our stream isnt affected (afaik)

theres another thing i would like to-do and that is block GET requests to all the pages (if the user-agent is Mozilla for example) as i have no need for users to be snooping around. i am currently working on this and i think it may be possible (and ideal)... but would shoutcast allow this?

if have found a few requests for /7.html (html stats) which is pretty annoying... these Ips have been blocked now.

[SorceryKid]

As was written:
> i am currently working on this and i think it may be
> possible (and ideal)... but would shoutcast allow this?

If you mean legally, I'm pretty sure that so long as you aren't falsifying your YP stats, then you should be fine. Of course, if you aren't listed in the directory (your server isn't set to public), then you can do whatever you want that doesn't violate with the license terms.

Once a "proxy wrapper" setup like this is accomplished, I know it would be helpful to a lot of people esp. if it is customized just for SHOUTcast with several much needed administrative controls like challenge-response listener authentication, cookie- and URL-based session management, and comprehensive access protection.

I've been waiting patiently for these very features since 2000. And yeah, if somebody is snooping /7.html behind your back, that can get pretty annoying.

--Randall

[Jay]

Be advised that your listing on shoutcast.com could be in jeopordy if you do this. If your stats don't look kosher and during varification we are blocked from your stats page your listing could be banned. Just a friendly warning.

[hackerdork]

7.html is the public stats. hell the stream is on port 8000 which is where the admin stuff is also generated. so trying to block access to status page could fubar your stream as well.

leave well enough alone so you are not banned becasue you are hacking up the icy communication that yp.shoutcast.com uses to check your stream, which gets 7.html in the first place!

~ D

[djrm.net]

Quote:

7.html is the last XX songs played.

no it aint. its a simple html version of public stats. ideal for importing into csv.

Quote:

so trying to block access to status page could fubar your stream as well.

i agree. not worth the effort tbh.

Quote:

that yp.shoutcast.com uses to check your stream, which gets 7.html in the first place!

yp.shoutcast.com doesnt use 7.html afaik.


Kind Regards,
Rico.

[hackerdork]

close enough.. mangle the html and like KXRM said you could get banned from being listed.

not worth the time nor headaches

[djSpinnerCee]

I would guess that if one were to want to "hide" the DNAS status display, they probably wouldn't care too much about being [YP] banned either because their objective is to be more private, instead of more public.

* Recently, I've been getting a ton of hits by proxy testing scripts (ie: [http:89.52.18.231] REQ:"http://metagen.ath.cx/anon.php" (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))) -- they're making requests to remote sites to see if the DNAS is capable of proxying requests -- to be honest I don't know what kind of response is returned, but the log does not show an error (ie: invalid resource request), so it may be a concern, especially in a high volume environment.

[djrm.net]

Quote:

Originally posted by djSpinnerCee
I would guess that if one were to want to "hide" the DNAS status display, they probably wouldn't care too much about being [YP] banned either because their objective is to be more private, instead of more public.

* Recently, I've been getting a ton of hits by proxy testing scripts (ie: [http:89.52.18.231] REQ:"http://metagen.ath.cx/anon.php" (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))) -- they're making requests to remote sites to see if the DNAS is capable of proxying requests -- to be honest I don't know what kind of response is returned, but the log does not show an error (ie: invalid resource request), so it may be a concern, especially in a high volume environment.

nothing to worry about tbh... i get tons of requests too, the only thing that bugs me is the "legit" requests for 7.html... i dont know who would be request these and why.


runing some sniffers on my work network (10 public ips) shows some mad stuff... the amount of junk requests/traffic is unbelievable, but not of concern


Kind Regards,
Rico.

[djSpinnerCee]

I have a feeling that bots and crawlers are getting better (more persistent) -- I get many hits on my /listen.pls from the MSNbot whereas the googlebot and yahoo slurp realize they should not read it and leave it alone after the first read.

Hits for /7.html indicate that the DNAS station page is being crawled by a bot of some kind (that maybe knows it's a DNAS?) for links, or a link exists for it somewhere -- probably nothing to worry about, but the question will remain as to where the link to the station page that starts it all came from? Many bots are stupid (compared to a human, browser or media player) and ignore content-types, many don't have mozilla as part of their user-agent, and some may just be "caught up" by accident after finding the YP-generated listen link in the SHOUTcast directory and are finding the station page by accident because they do have mozilla in their user-agent.

I have linked to my station page, both here and other places, so I kind of know where it comes from, hits on /llamacookie is another indication of a blind crawler because the link is not obvious.

[SorceryKid]

I suspect that most anybody that tries to block access to the server stats interfaces doesn't want to be listed in the YP in the first place. When it comes to my server, I certainly feel that technical details like listener count and TTSL are nobody's business but my own.

--Randall

[CraigF]

pray tell, what details on the status page are so important that they must not be public?

[Nick@ss]

listener stats... so djs dont get demotivated as only their 2 friends are listening and also competing stations dont get to see what there rival station has got

we get lots of requests to hide the stats but just switch them to icecast if they want it

[djSpinnerCee]

I think the debate about what should be on the public (sans authentication) status for the DNAS is probably moot -- the station page is not for a casual passer by, and it is not linked to by the YP -- the YP uses listener counts to "Rank" stations (it's the primary key), and many broadcasters totally depend on the YP so you can't have one without the other.

The other issue involves getting the simple stats by the station admin (they are useful and important to them in real time) -- the (standard HTTP) authentication lends itself to exposing the password (it is passed in plain text, no secure sockets), so authentication should not be necessary to get simple stuff like the listener count and current track info.

The real issue should be what "else" you need -- clearly, just a DNAS (and its built-in interface) is not a webradiostation in a box, and it shouldn't be thought of as one -- a website is necessary to put the DNAS server in context, and to hide it -- it's actually inappropriate to link to the DNAS station page even if you have no other site because once it gets linked to and found by search engines, you're pretty much done for because then it will really be public (the DNAS has no /robots.txt to tell bots "no"). People who are smart enough to find it on their own certainly know what they'll find there, so there's no use in complaining about it -- you can only hide so much.

SHOUTcast is self-promoting (via the YP) and suitable for the beginner and the expert -- it's not designed for many of it's uses that include taking money from broadcasters (as in hosting) for its use or from listeners, so if it does not do those things well, it shouldn't be considered a problem with SHOUTcast -- it's just its nature -- the ability to add packages like a proxy or other front-ends to disguise the DNAS probably indicate that other solutions are probably called for -- remember, the DNAS is still just a caching HTTP server under the skin that is designed to give (relay) one file -- the source stream -- everything else is candy.

[BornKillaz]

I'm also looking for an answer to this.

It's unbelievable that ShoutCast does not provide an option to block access to this page.

[NJK]

why dig out a thread that has been dead for years
and the answer is already given by Nick

just switch to icecast that has this option.

[Nick@ss]

Quote:

Originally posted by Jay
Be advised that your listing on shoutcast.com could be in jeopordy if you do this. If your stats don't look kosher and during varification we are blocked from your stats page your listing could be banned. Just a friendly warning.

i think this one is enough of a reason not to do it.

[BornKillaz]

Quote:

Originally posted by Nick@ss
i think this one is enough of a reason not to do it.

It sure is.

[equate2010]

concealed element Listener Peak: to: xD

see how it is possible
http://72.20.7.120:8000/

others that also hesitate to leak it, such as fm radio stations ...

[Jkey]

As long as your station remains private you will be fine.
If you decide to list however, with an altered dnas you will be banned from the yp!


/Warning done
Oh and http://72.20.7.120:8000/7.html to check listeners

[equate2010]

Quote:

Originally Posted by Jkey

As long as your station remains private you will be fine.
If you decide to list however, with an altered dnas you will be banned from the yp!


/Warning done
Oh and http://72.20.7.120:8000/7.html to check listeners

Thank you.
which I will file to change the "Listener Peak"?

[Jkey]

I can not tell you this because you are breaking the shoutcast terms of service.

[BornKillaz]

Quote:

Originally Posted by Jkey

I can not tell you this because you are breaking the shoutcast terms of service.

I believe he doesn't really care about it, so, it's OK!

[Jkey]

It shows either a lack of brain power or huge balls to turn up and wave around a hacked
sc binary on the official sc forums.

I will leave this thread to mods,it is their jurisdiction,and therefore none of my concern.