How to hide information about your Wowza Streaming Engine media server from internet scanning.

2023-02-16 16:43:00

Various vulnerability scanning services, IoT search engines and openly criminal botnets constantly send millions of requests to every reachable IP address on the Internet in order to collect as much information as possible about the device found and the software installed on it. Everything they receive is accumulated and can later be used for targeted attacks, including exploitation of vulnerabilities specific to that type of software or device firmware.

While “security through obscurity” does not protect your system per se, it is good practice to hide information about your installed software from scanning services and Google hacking methods.

A few simple tips for Wowza Streaming Engine users to hide the fingerprint of the media server from the outside world:

  1. First of all, this is the Wowza Streaming Engine Manager web management interface. By default, this administrative management console process runs on TCP port 8088. The login web page that opens upon request to the port clearly indicates which one is installed here:

    Wowza Streaming Engine Manager

    It is best to block port 8088 at the firewall level of the operating system or router and allow access to it only from known IP addresses. The Wowza Streaming Engine Manager process can even be disabled completely: the media server engine itself works independently of the admin web interface. In many cases the media server settings rarely change, so the web interface can be safely disabled. Most of the vulnerabilities found in Wowza also relate to the admin web interface, not to the media server engine itself.

  2. Informative web page with license type and Wowza version number.

    By default, immediately after installing the Wowza Streaming Engine server, this page opens when an HTTP GET request for /ServerVersion is sent to port 1935 or port 8086. In the browser it looks like this:

    Before Wowza Streaming Engine version 4.8.8 it was even simpler: the page opened on a request to the root directory:

    To disable this information page, edit the [Wowza Install Directory]/conf/VHost.xml file in a text editor. Remove or comment out the following blocks (they appear in 2 places, for port 1935 and port 8086 respectively):

    <HTTPProvider>
    <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
    <RequestFilters>*ServerVersion</RequestFilters>
    <AuthenticationMethod>none</AuthenticationMethod>
    <PasswordEncodingScheme>none</PasswordEncodingScheme>
    </HTTPProvider>

    Prior to version 4.8.8, the property block looks a little different:

    <HTTPProvider>
    <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
    <RequestFilters>*</RequestFilters>
    <AuthenticationMethod>none</AuthenticationMethod>
    </HTTPProvider>

    After making changes to the file, you must restart the Wowza Streaming Engine service.

  3. Information with the license type and Wowza version number is sent in the Server response header for the RTSP protocol, and in versions of Wowza Streaming Engine prior to 4.8.12 also in the Server header for the HTTP protocol!

    An RTSP request can be sent with the curl utility:

    # curl -v -X OPTIONS rtsp://#######:1935/
    * About to connect() to ######### port 1935 (#0)
    * Trying ##.##.##.##...
    * Connected to ####### (##.##.##.##) port 1935 (#0)
    > OPTIONS * RTSP/1.0
    > CSeq: 1
    > User-Agent: curl/7.29.0
    < RTSP/1.0 200 OK
    < CSeq: 1
    < Server: Wowza Streaming Engine 4.8.21+6 build20230125151621
    < Cache-Control: no-cache
    < Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD, GET_PARAMETER
    < Supported: play.basic, con.persistent

    You can change the Server header by adding a property to the [Wowza Install Directory]/conf/Server.xml file.

    Open the file in a text editor and add the rtspHeaderServer property at the end of the file, inside the <Properties> section:

    <Property>
    <Name>rtspHeaderServer</Name>
    <Value>My server</Value>
    </Property>

    After the change, you need to restart the Wowza Streaming Engine service.

    For versions of Wowza before 4.8.12, the Server HTTP header is changed in the same way, by adding the property:

    <Property>
    <Name>httpHeaderServer</Name>
    <Value>My server</Value>
    </Property>
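A small self-check for the RTSP and HTTP Server headers described above, added here as an example and not part of the original article. It parses a response head, reports whether the Server header still reveals the Wowza version, and can send an OPTIONS request to a server you operate; the embedded response is constructed from the curl output shown above, and the hostname in the usage call is a placeholder.

```python
import re
import socket

# Constructed sample, copied from the curl session shown in the article.
SAMPLE_RTSP_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Server: Wowza Streaming Engine 4.8.21+6 build20230125151621\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD, GET_PARAMETER\r\n"
    b"Supported: play.basic, con.persistent\r\n"
    b"\r\n"
)

# Matches the default banner; the first token after the product name is the version.
WOWZA_BANNER = re.compile(r"Wowza Streaming Engine\s+(\S+)")


def parse_headers(raw: bytes) -> dict:
    """Parse an RTSP or HTTP response head into a dict with lowercase header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_version(headers: dict):
    """Return the Wowza version string if the Server header reveals it, else None."""
    match = WOWZA_BANNER.search(headers.get("server", ""))
    return match.group(1) if match else None


def build_options_request() -> bytes:
    """The same OPTIONS request curl sends in the session above."""
    return b"OPTIONS * RTSP/1.0\r\nCSeq: 1\r\n\r\n"


def check_rtsp_banner(host: str, port: int = 1935, timeout: float = 5.0):
    """Query your own server after the rtspHeaderServer change; None means nothing leaked."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return leaked_version(parse_headers(raw))
```

The same `parse_headers` and `leaked_version` pair works on an HTTP response head, so the pre-4.8.12 httpHeaderServer change can be verified by feeding it the head of a GET reply from port 1935 or 8086.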