Mitigation Strategy: Robust Authentication and Authorization (using nginx-rtmp-module directives)
-
Description:
on_publishandon_playConfiguration: Configure theon_publishandon_playdirectives within thertmpblock of yournginx.conf. These are corenginx-rtmp-moduledirectives. They specify URLs to which Nginx will send HTTP requests when a client attempts to publish or play a stream, respectively.- Authentication Script/Service Interaction: The external authentication script/service (which you must provide) receives data from
nginx-rtmp-modulevia these HTTP requests. This data typically includes the stream name, client IP, and potentially authentication credentials (or a token). - Response Handling: The script/service processes the request, validates credentials against a backend (database, LDAP, etc.), and returns an HTTP status code to
nginx-rtmp-module.nginx-rtmp-modulethen uses this status code to allow or deny the publish/play operation. A2xxcode allows; a4xxor5xxcode denies. - Token-Based Authentication (via
on_publish): Implement token-based authentication by having your publishing clients include a token (usually as a query parameter in the RTMP URL). Youron_publishhandler script extracts and validates this token. This is still directly usingnginx-rtmp-module'son_publishdirective. allow publish/deny publishandallow play/deny play(Supplementary): Use these directives within thertmpapplication block to add IP-based restrictions. However, this should be a supplementary measure, not the primary authentication method, as IP addresses can be spoofed. These are directnginx-rtmp-moduledirectives.
-
Threats Mitigated:
- Unauthorized Publishing (High Severity): Directly prevents unauthorized publishing by requiring authentication through the
on_publishdirective. - Unauthorized Playback (Medium to High Severity): Directly prevents unauthorized playback through the
on_playdirective. - Stream Hijacking (High Severity): Makes hijacking significantly harder by requiring authentication for both publishing and playing.
- Replay Attacks (Medium Severity): Mitigated when combined with token-based authentication and short token lifetimes (handled by your external script, but triggered by
nginx-rtmp-module).
- Unauthorized Publishing (High Severity): Directly prevents unauthorized publishing by requiring authentication through the
-
Impact:
- Unauthorized Publishing: Risk reduced from High to Low (with proper implementation).
- Unauthorized Playback: Risk reduced from Medium/High to Low (with proper implementation).
- Stream Hijacking: Risk reduced from High to Low.
- Replay Attacks: Risk reduced from Medium to Low (with token-based authentication).
-
Currently Implemented:
- Basic
on_publishandon_playdirectives are configured, pointing to a PHP authentication script.
- Basic
-
Missing Implementation:
- Token-based authentication is not fully integrated with
on_publish(the script doesn't handle tokens). allow/denydirectives are not used, even as a supplementary measure.
- Token-based authentication is not fully integrated with
Mitigation Strategy: Bandwidth Limiting (using nginx-rtmp-module's limit_rate)
-
Description:
limit_rateDirective: Use thelimit_ratedirective within thertmpapplication or server block in yournginx.conf. This is a directnginx-rtmp-moduledirective. It controls the bandwidth allowed for RTMP connections.- Configuration: Specify the desired bandwidth limit. Examples:
limit_rate 1m;(1 megabit per second),limit_rate 500k;(500 kilobits per second). You can apply this globally or per-stream/application.
-
Threats Mitigated:
- Bandwidth Exhaustion (Medium Severity): Directly prevents individual RTMP connections from consuming excessive bandwidth, protecting server resources.
- DoS (Partial Mitigation - Medium to High Severity): Helps mitigate DoS attacks that attempt to saturate bandwidth, although it's not a complete solution against sophisticated attacks.
-
Impact:
- Bandwidth Exhaustion: Risk reduced from Medium to Low.
- DoS: Risk reduced from Medium/High to Medium (limits the effectiveness, but doesn't eliminate the threat).
-
Currently Implemented:
limit_rateis NOT implemented.
-
Missing Implementation:
- Complete absence of
limit_rateconfiguration. No bandwidth limits are enforced at the RTMP level.
- Complete absence of
Mitigation Strategy: RTMP-Specific Logging and Statistics (using nginx-rtmp-module features)
-
Description:
statDirective: Use thestatdirective within thertmpblock of yournginx.conf. This is a corenginx-rtmp-modulefeature. It exposes statistics about the RTMP server, typically accessible via an HTTP endpoint.- Accessing Statistics: Configure a location block (in the
httpsection of yournginx.conf) to handle requests to thestatURL. This usually involves using thertmp_statdirective. - Data Provided: The
statdirective provides information like the number of active connections, bytes in/out, and details about individual streams (if configured). nginx-rtmp-moduleSpecific Logging: While general Nginx logging is important, ensure you're capturing logs specifically generated bynginx-rtmp-module. This might involve adjusting log levels or using custom log formats within thertmpblock. The exact options depend on the module's version and configuration.
-
Threats Mitigated:
- All Threats (Indirectly): Provides crucial visibility into the RTMP server's operation, enabling detection of anomalies and facilitating incident response. It's a detection and response enabler, not a direct preventative measure.
- Slow Attacks/Probing (Medium Severity): Helps identify slow, stealthy attacks by monitoring connection patterns and resource usage.
-
Impact:
- All Threats: Improves detection and response capabilities.
- Slow Attacks/Probing: Risk reduced from Medium to Low (with effective monitoring).
-
Currently Implemented:
- The
statdirective is NOT used. - No specific
nginx-rtmp-modulelogging beyond default Nginx logs.
- The
-
Missing Implementation:
statdirective is completely absent. No RTMP-specific statistics are exposed.- No dedicated monitoring of
nginx-rtmp-module's log output.