Debian Icecast Streaming Radio Server

Posted on: 2017-04-30

I participated in a project at work recently that had me looking into streaming radio technologies. I've listened to them since the age of dialup but haven't ever really messed with running one. This blog will change that.

Do a fresh minimal Debian install, then install some software.

apt-get -y update && apt-get -y upgrade
apt-get -y install mpd icecast2 ncmpcpp mpc  
#configure icecast during the install routine

Icecast is the streaming server that VLC or other similar media players connect to in order to listen to the music.

mpd is a music player that can be remotely controlled and can send the audio it is playing to icecast servers as well as to speakers.

An mpd client controls what mpd is playing. You can think of it as a playlist/queue manager. We will be using an mpd client on the server in this tutorial.

So... DJ > mpc client > mpd > icecast server > vlc or similar > listener.

This provides a lot of power and flexibility. Your DJ could be choosing the next song your guests in franchised restaurants across the US hear, from an mpc client on his phone while waiting for a flight in an airport in Mexico.

Configure icecast

vim /etc/default/icecast2
ENABLE=true

vim /etc/icecast2/icecast.xml
#replace any passwords the config script missed
%s/hackme/test1234/g

systemctl enable icecast2
systemctl restart icecast2

Configure mpd

vim /etc/mpd.conf
#set password and bind_to_address if you want to control remotely
#set up the audio outputs like so, updating the password in the shout section.
audio_output {
    type            "null"
    name            "My Null Output"
    mixer_type      "none"                  # optional
}
audio_output {
    type            "shout"
    encoding        "ogg"                   # optional
    name            "My Shout Stream"
    host            "localhost"
    port            "8000"
    mount           "/mpd.ogg"
    password        "test1234"
    quality         "5.0"
    #bitrate         "128"
    format          "44100:16:1"
    protocol        "icecast2"              # optional
    #user            "source"                # optional
    #description     "My Stream Description" # optional
    #url             "http://example.com"    # optional
    #genre           "jazz"                  # optional
    #public          "no"                    # optional
    #timeout         "2"                     # optional
    #mixer_type      "software"              # optional
}

systemctl enable mpd
systemctl restart mpd
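Before restarting the services it is worth confirming that the %s/hackme/test1234/g substitution caught every password and that mpd's shout password is the same as the source-password Icecast expects, since a mismatch means mpd cannot connect to the mount. The check below is an added example, not code from the original post; it relies on the source-password, relay-password and admin-password elements of Debian's stock icecast.xml and writes constructed sample configs for a dry run.

```shell
# Added example, not from the original post: audit Icecast/mpd passwords
# before starting the services. Paths are arguments so the same functions
# run against the constructed sample files written by write_samples.

# Pull the text of a one-line <tag>value</tag> element out of icecast.xml.
icecast_value() { # $1 = icecast.xml path, $2 = element name
    sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# Pull a quoted value out of the shout audio_output block of mpd.conf.
mpd_shout_value() { # $1 = mpd.conf path, $2 = key name
    sed -n '/type[[:space:]]*"shout"/,/^}/p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Exit 0 only when no Icecast password is blank or still the Debian default
# "hackme" and mpd's shout password equals Icecast's <source-password>.
check_stream_passwords() { # $1 = icecast.xml path, $2 = mpd.conf path
    rc=0
    for tag in source-password relay-password admin-password; do
        v=$(icecast_value "$1" "$tag")
        if [ -z "$v" ] || [ "$v" = hackme ]; then
            echo "FAIL: <$tag> is blank or still the default" >&2
            rc=1
        fi
    done
    if [ "$(icecast_value "$1" source-password)" != "$(mpd_shout_value "$2" password)" ]; then
        echo "FAIL: mpd shout password differs from <source-password>" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not real files from the post) for a dry run:
# bad.xml keeps the stock defaults, good.xml has them replaced as in the post.
write_samples() { # $1 = directory to write into
    printf '<icecast>\n<authentication>\n<source-password>hackme</source-password>\n' > "$1/bad.xml"
    printf '<relay-password>hackme</relay-password>\n<admin-password>hackme</admin-password>\n' >> "$1/bad.xml"
    printf '</authentication>\n</icecast>\n' >> "$1/bad.xml"
    sed 's/hackme/test1234/g' "$1/bad.xml" > "$1/good.xml"
    printf 'audio_output {\n    type "shout"\n    host "localhost"\n    password "test1234"\n}\n' > "$1/mpd.conf"
}
```

On a real box run it as check_stream_passwords /etc/icecast2/icecast.xml /etc/mpd.conf and only restart the services when it exits 0.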

Add and play some music

scp my.mp3 root@VMIP:/var/lib/mpd/music/
ncmpcpp
3
u
arrow keys
enter on song
#1 or tab/shift+tab to learn more about the player

Check out the admin UI

http://VMIP:8000  
admin/password you chose
click around
mountpoint list is a list of streams you can tune into

Tune in

Open the M3U URL of the icecast mount in VLC or similar on your laptop.

That's it. It is worth mentioning that you can stream to your icecast server from other places, so if you have lots of music on a specific machine, there is no reason to copy it to the icecast server. You can also play with things like Darkice and Mixxx to do live broadcasting.

References

https://wiki.archlinux.org/index.php/Streaming_With_Icecast


Basic Debian Jessie Security Hardening

Posted on: 2017-04-24

Make sure you are subscribed to all official repos and then do updates and install some software.

vim /etc/apt/sources.list
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free

apt-get -y update
apt-get -y upgrade

apt-get -y install vim screen lsof telnet dnsutils openssl netcat-openbsd fail2ban unattended-upgrades netfilter-persistent iptables-persistent rsyslog sysv-rc-conf anacron rsync less

Generate and set a good root password

openssl rand -base64 24
#copy
passwd
#paste

Configure automatic updates

vim /etc/apt/apt.conf.d/50unattended-upgrades
#only the following should be uncommented
  "o=Debian,n=jessie";
  "o=Debian,n=jessie-updates";
  "o=Debian,n=jessie,l=Debian-Security";

dpkg-reconfigure -plow unattended-upgrades
y

vim /etc/apt/apt.conf.d/20auto-upgrades
#should look like
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

systemctl enable unattended-upgrades.service

#trying it
dpkg -l vim 
#note version number
apt-get remove vim-*
apt-get install vim=2:7.4.488-7+deb8u1 vim-common=2:7.4.488-7+deb8u1 vim-runtime=2:7.4.488-7+deb8u1
dpkg -l vim 
#note version number
unattended-upgrade --debug --dry-run
#should see notes about vim upgrades
#wait a day or so and check with a dpkg -l vim again

Locking down the firewall

vi /etc/iptables/rules.v4
#make the filter section look like this. Open other ports, as we do here for 22, for any other services you plan to offer.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

systemctl enable netfilter-persistent
systemctl restart netfilter-persistent

#check it
iptables --list --verbose --numeric
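An added check (example code, not from the original post) that audits a rules file in the iptables-save format used by /etc/iptables/rules.v4 before netfilter-persistent loads it: it lists the ports the INPUT chain opens, compares them against an allow list, and confirms the chain still ends in a REJECT or DROP. The post only writes rules.v4; netfilter-persistent loads /etc/iptables/rules.v6 the same way, so run the audit on both files.

```shell
# Added example, not from the original post: audit an iptables-save style
# rules file before loading it, so a typo does not leave an unintended port
# open or lose the final REJECT. Sample rules are written by write_sample_rules.

# List every TCP/UDP destination port the INPUT chain ACCEPTs, one per line.
accepted_input_ports() { # $1 = rules file in iptables-save format
    grep -E '^-A INPUT .*--dport [0-9]+ .*-j ACCEPT' "$1" |
        sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -un
}

# Exit 0 when the INPUT chain (a) accepts only ports named in $2, a
# space-separated allow list, and (b) ends in a REJECT or DROP rule or has
# a DROP policy, so anything not explicitly allowed is refused.
audit_input_chain() { # $1 = rules file, $2 = allowed ports, e.g. "22 8000"
    rc=0
    for p in $(accepted_input_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "FAIL: port $p is opened but not in the allow list" >&2; rc=1 ;;
        esac
    done
    last=$(grep -E '^-A INPUT ' "$1" | tail -n 1)
    policy=$(sed -nE 's/^:INPUT ([A-Z]+) .*/\1/p' "$1")
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) if [ "$policy" != DROP ]; then
               echo "FAIL: INPUT chain has no final REJECT/DROP and policy is $policy" >&2
               rc=1
           fi ;;
    esac
    return $rc
}

# Constructed sample: the post's filter table, optionally with a stray
# port 8080 rule of the kind a forgotten debugging edit would leave behind.
write_sample_rules() { # $1 = output path, $2 = "good" or "bad"
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
            '-A INPUT -p icmp -j ACCEPT' '-A INPUT -i lo -j ACCEPT' \
            '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
        if [ "$2" = bad ]; then printf '%s\n' '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'; fi
        printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable' 'COMMIT'
    } > "$1"
}
```

On a real box: audit_input_chain /etc/iptables/rules.v4 "22" before restarting netfilter-persistent.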

Protecting against brute force ssh attacks

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
#needed for some crappy vpses
banaction = iptables
#ensure
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

systemctl enable fail2ban
systemctl restart fail2ban

#check it
iptables --list --verbose --numeric
#try to log in 10 or so times from a box that isn't the one you are connecting through right now, or just wait and soon enough some 'hacker' will be blocked.
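To see what the sshd filter is counting on your box, here is an added example (not from the original post) that approximates it offline: it tallies sshd failure lines per source address in an auth.log-format file and reports the addresses at or above the maxretry threshold. The log lines it writes are constructed samples using documentation address ranges, and the real fail2ban sshd filter matches a larger set of messages than the two used here.

```shell
# Added example, not from the original post: a rough offline imitation of the
# fail2ban sshd filter over /var/log/auth.log, so you can see which addresses
# would cross the post's maxretry = 6 threshold.

# Print "count ip" for every source address with at least $2 failures in $1,
# matching the two most common sshd failure messages.
count_ssh_failures() { # $1 = auth.log path, $2 = maxretry threshold
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (not a real capture): seven failures from one
# address, two from another, and one successful key login that must not count.
write_sample_authlog() { # $1 = output path
    {
        for i in 1 2 3 4 5 6 7; do
            printf 'Apr 24 12:%02d:01 vps sshd[%d]: Failed password for root from 203.0.113.10 port 4%04d ssh2\n' "$i" $((1000 + i)) "$i"
        done
        printf 'Apr 24 12:10:01 vps sshd[1100]: Invalid user admin from 198.51.100.7\n'
        printf 'Apr 24 12:10:02 vps sshd[1100]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2\n'
        printf 'Apr 24 12:11:00 vps sshd[1200]: Accepted publickey for root from 192.0.2.5 port 50000 ssh2\n'
    } > "$1"
}
```

Compare its output with fail2ban-client status ssh on the real box; addresses it lists should be the ones fail2ban has banned.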

Turning off things that you aren't using

systemctl list-unit-files --type=service | grep enabled
anacron-resume.service                 enabled 
anacron.service                        enabled 
cron.service                           enabled
getty@.service                         enabled 
hwclock-save.service                   enabled 
netfilter-persistent.service           enabled 
quota.service                          enabled 
rsyslog.service                        enabled 
ssh.service                            enabled 
sshd.service                           enabled 
syslog.service                         enabled 
systemd-networkd.service               enabled 
systemd-readahead-collect.service      enabled 
systemd-readahead-drop.service         enabled 
systemd-readahead-replay.service       enabled 
systemd-resolved.service               enabled 
systemd-timesyncd.service              enabled 
unattended-upgrades.service            enabled 
vzfifo.service                         enabled

The above is what a tweaked system looks like for me. Run systemctl disable $x for anything you don't want running.

sysv-rc-conf

#disable things you aren't going to use by unchecking them in runlevels 2-5. A tweaked system for me runs:
bootlogs
fail2ban
motd
rc.local
rmnologin
rsyslog
ssh

Now reboot and make sure things look right

reboot
#almost nothing should be running
ps -ef 
root         1     0  0 12:38 ?        00:00:00 init -z       
root         2     1  0 12:38 ?        00:00:00 [kthreadd/10638]
root         3     2  0 12:38 ?        00:00:00 [khelper/10638]
systemd+    51     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-networkd
root        52     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-udevd
root        86     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-journald
root       189     1  0 12:38 ?        00:00:00 /usr/sbin/sshd -D
systemd+   190     1  0 12:38 ?        00:00:00 /lib/systemd/systemd-resolved
root       191     1  0 12:38 ?        00:00:00 /usr/sbin/rsyslogd -n
root       208     1  0 12:38 tty2     00:00:00 /sbin/agetty --noclear tty2 linux
root       209     1  0 12:38 tty1     00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
root       217     1  0 12:38 ?        00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
root       283   189  0 13:48 ?        00:00:00 sshd: root@pts/0    
root       285   283  0 13:48 pts/0    00:00:00 -bash

#should be very few ports listening
COMMAND PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
sshd    189 root    3u  IPv4 149984794      0t0  TCP *:22 (LISTEN)
sshd    189 root    4u  IPv6 149984796      0t0  TCP *:22 (LISTEN)

#firewall should be locked down
iptables --list --verbose --numeric
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  230 19105 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  233 19779 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   376 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   84  5155 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 166 packets, 18623 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  230 19105 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Single box OpenNebula setup

Posted on: 2017-04-24

Every once in a while I rebuild my home lab. This time I decided to choose something other than oVirt for my virtualization needs. I went with OpenNebula and I've got to say I'm impressed. It is fast, has a good install routine, good docs, a good UI, and just generally doesn't suck.

This post will set up a single server as all components of an OpenNebula install. VMs hosted by it will be exposed on your normal home network with no extra security added.

Start with a fresh minimal CentOS 7 install on hardware that supports virtualization, pick out some IPs in your home network range that you want to devote to your lab VMs, and then do the following.

Create your network bridge and open up a firewall hole. Substitute your network info and devices.

yum -y install bridge-utils

vim /etc/hosts
192.168.1.105 lab.lan

vi /etc/sysconfig/network-scripts/ifcfg-lan0
DEVICE="lan0"
BOOTPROTO="static"
IPADDR="192.168.1.105"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
DNS1=192.168.1.1
ONBOOT="yes"
TYPE="Bridge"
NM_CONTROLLED="no"

vi /etc/sysconfig/network-scripts/ifcfg-eno1
DEVICE=eno1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=lan0

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" accept' --permanent

firewall-cmd --reload
systemctl restart network

Do some system config. Do updates. Add repos. Install software.

vi /etc/selinux/config
SELINUX=disabled

cat << EOT > /etc/yum.repos.d/opennebula.repo
[opennebula]
name=opennebula
baseurl=http://downloads.opennebula.org/repo/5.2/CentOS/7/x86_64
enabled=1
gpgcheck=0
EOT

yum -y install epel-release

yum -y update
reboot

yum -y install opennebula-server opennebula-sunstone opennebula-ruby opennebula-gate opennebula-flow opennebula opennebula-node-kvm opennebula-common nmap-ncat vim lsof screen net-tools telnet rsync

/usr/share/one/install_gems
1. CentOS/RedHat/Scientific
 Press enter to continue...
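The repo file above sets gpgcheck=0, so yum installs those packages without verifying their signatures. As an added check (example code, not from the original post), this function flags every section of a .repo file that disables signature checking or has no gpgkey; the sample files it writes are constructed, and the key URL in the fixed one is a placeholder for the vendor's real key.

```shell
# Added example, not from the original post: flag yum repo definitions that
# skip package signature verification, as the opennebula.repo above does
# with gpgcheck=0. Sample .repo files are constructed for the dry run.

# Print one WEAK line per [section] that sets gpgcheck=0 or has no gpgkey=;
# exit status is 0 only when every section verifies signatures.
audit_repo_file() { # $1 = path to a .repo file
    awk '
        # Strip "key =" and surrounding whitespace, leaving the value.
        function val(s) { sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]*$/, "", s); return s }
        function flush() {
            if (sec != "" && (check == "0" || key == "")) {
                printf "WEAK: [%s] gpgcheck=%s gpgkey=%s\n", sec, check, (key == "" ? "(missing)" : key)
                weak++
            }
        }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); check = ""; key = ""; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { check = val($0) }
        /^[[:space:]]*gpgkey[[:space:]]*=/   { key = val($0) }
        END { flush(); exit (weak > 0) }
    ' "$1"
}

# Constructed samples: weak.repo mirrors the post, fixed.repo turns checking
# on and points at a key URL placeholder (substitute the vendor's real key).
write_sample_repos() { # $1 = directory to write into
    printf '[opennebula]\nname=opennebula\nbaseurl=http://downloads.opennebula.org/repo/5.2/CentOS/7/x86_64\nenabled=1\ngpgcheck=0\n' > "$1/weak.repo"
    printf '[opennebula]\nname=opennebula\nbaseurl=http://downloads.opennebula.org/repo/5.2/CentOS/7/x86_64\nenabled=1\ngpgcheck=1\ngpgkey=https://REPO-KEY-URL-PLACEHOLDER\n' > "$1/fixed.repo"
}
```

Run it over /etc/yum.repos.d/*.repo; anything it reports is a repo whose packages could be swapped in transit or on the mirror without yum noticing.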

Set password. Start the services. Test the GUI

su - oneadmin
echo "oneadmin:test1234" > ~/.one/one_auth

ssh lab.lan #should get in without a password
Are you sure you want to continue connecting (yes/no)? yes

exit
exit

systemctl enable opennebula
systemctl start opennebula
systemctl enable opennebula-sunstone
systemctl start opennebula-sunstone
systemctl enable libvirtd
systemctl restart libvirtd

http://IP:9869 oneadmin/test1234

Configure networking, add a host and a user.

Network > Virtual Networks  > + 
General> 
    Name: lan0
Conf >
    Bridge: lan0
    mode:  Bridge
Addresses > IPv4 #put your info
    First: 192.168.1.200
    Size: 50
Context #use your info
    Network address: 192.168.1.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.1
    Network mask: 255.255.255.0
    MTU: 1400
Create

Infrastructure > Hosts > +
    hostname: lab.lan 
Create
Refresh until Status = ON

System > Users > +
    username: dminnich
    password, confirm: test1234
Create

System > Groups > users > update
    User view > Group Users
Update

Login as your new user and create a VM

oneadmin > sign out
dminnich / test1234

dminnich > settings > add SSH key 
Paste in the SSH public key from your client machine; run ssh-keygen if you don't have one.

dminnich > views > user
    Storage > Apps > Check Debian 8 KVM
    OpenNebula
    Select default datastore
    Download

dminnich > views > cloud
    VMs > + > Debian 8 
    Network > lan0
    Create

Testing

Wait for the VM status to go green.
ssh root@ip from the box that has your SSH key.

References: http://docs.opennebula.org/5.2/deployment/index.html


