RMS Security

I am crazy about security and wonder if RMS for Dolphin has been configured by default to be secure. I read lots about Red5 and it looks like it is very open for everybody from the beginning. So bad there are nearly no docs or good wikis out there with some background information about all these settings in Red5 (RMS).

1) Is it possible that people use RMS to share their own stuff and install apps?

2) Another question: in the docs it is mentioned to add an asterisk to the "video app" properties when changing ports. Why? What's the reason for that? Why only when changing the ports? Isn't an asterisk allowing anybody?

in the video module you'll also need to specify an asterisk:
webapp.virtualHosts=192.168.1.1:10000,*


3) And why are there no restrictions-files like:
allowedHTMLdomains.txt
allowedPlaybackHTMLdomains.txt
allowedPlaybackSWFdomains.txt
allowedPublishHTMLdomains.txt
allowedPublishNames.txt
allowedPublishSWFdomains.txt
allowedSWFdomains.txt
allowedSharedObjectNames.txt

4) Is the connection between the Dolphin Flash Apps and RMS done with tokens?

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013
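A small audit for the setting asked about in question 2, added here as an example and not part of the original post or of Boonex's or Red5's code: it parses properties-style files and reports any webapp.virtualHosts value that carries a wildcard next to explicit host entries. The *.properties file extension, the directory walk and every sample value other than the quoted docs line are assumptions.

```python
# Added example: flag wildcard entries in webapp.virtualHosts.
# Assumption: settings live in properties-style "key=value" files.
from pathlib import Path


def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_virtual_hosts(text):
    """Split webapp.virtualHosts into (explicit entries, wildcard entries)."""
    value = parse_properties(text).get("webapp.virtualHosts", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    wildcards = [e for e in entries if "*" in e]
    explicit = [e for e in entries if "*" not in e]
    return explicit, wildcards


def verdict(text):
    """'wildcard' if any entry contains '*', else 'restricted' or 'unset'."""
    explicit, wildcards = audit_virtual_hosts(text)
    if wildcards:
        return "wildcard"
    return "restricted" if explicit else "unset"


def audit_tree(root):
    """Map every *.properties file under root to its verdict."""
    return {p.name: verdict(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.properties")}


# Constructed samples; only the first virtualHosts value is from the post.
DOCS_LINE = "webapp.virtualHosts=192.168.1.1:10000,*\n"
NO_WILDCARD = "# constructed\nwebapp.virtualHosts=192.168.1.1:10000\n"

if __name__ == "__main__":
    for name, text in (("docs line", DOCS_LINE), ("no wildcard", NO_WILDCARD)):
        print(name, verdict(text), audit_virtual_hosts(text))
```

If the wildcard matches every host, as the question assumes, the explicit entry listed beside it no longer narrows anything, so any restriction has to come from a separate control.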

I can't answer all those questions except..

When you're setting up RMS, yes, it has "open" on ports 5080, 1935 by default.

E.g. http://76.123.106.199:5090/ my ports I changed to 5090, 1937. You're welcome to try to "break in" or use the service, but you will never connect because of the "access.dat" file included.

When you have RMS you will have an access.dat; that is where IPs or domain names are stored to check for security. If you're not on the list, you cannot access.

I hope this helps...

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

 

Red5

Red5 is set up differently. It does not have an access file as in RMS for Dolphin.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

I use the access.dat and it only allows the IPs and domains listed within it ...

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 26 Apr 2013

Hi Newton,

Red5 also uses the access.dat file. This basic stuff I already have behind me. What about the deeper things in this mystical piece of software haha...

I tested your site with the first thing I changed in the past on my site. If I want I could install new apps and use bandwidth from your server. Who knows what else I could do. I sent you a PM, I do not want to discuss this here. I really wish there would be more step-by-step instructions on what to change to make it totally closed and then open it for specific things.

PS: Also google for deactivating the default Tomcat errors returned by Red5.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013

I would be interested if someone could take a server out with RMS... or install rogue apps.

If you're able to hack me, do it.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

As I wrote you per message, I never coded a Red5 app so I have no time for that. Pls google the topics I sent you. One video I saw (think it was YouTube) described how to capture a default Red5 server via the "folders" you still have installed. No matter what IPs and ports you want to restrict.

I do not say it's totally unsecure, I just want to know more. All these internet threads drive me crazy. Maybe Ray has the knowledge to clear my mind. LOL

Anyway, one thing I know is to run RMS not as root.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013

 

Anyway, one thing I know is to run RMS not as root

I don't, it's under my username. Not root.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

Regarding the access.dat file. I am not sure anymore if it's also in Red5. Some people talk about their Red5 installation and using it, but not lots, and I also cannot find it in the Red5 download. Hmmm, really lacking so much clear info for this software.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013

Not talking about possible security holes in an application does not make it more secure; those out in the wild looking for exploits already have the knowledge.  This has been debated before when Microsoft wanted to restrict security testers from releasing their findings.  If we RMS users should know about possible security issues, then please post those issues here.

Geeks, making the world a better place
Quote · 26 Apr 2013

 

Regarding the access.dat file. I am not sure anymore if it's also in Red5. Some people talk about their Red5 installation and using it, but not lots, and I also cannot find it in the Red5 download. Hmmm, really lacking so much clear info for this software.

As I first stated, Red5 does not use it.

I have installed many Red5 servers for clients, not for Dolphin (Dolphin will only work with RMS compiled by Boonex), for other scripts and chat programs.

Many chat companies require Red5, or its equal, Wowza media server.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

@geek_girl: if you talk to me, I just did not want to let people play with newton's server right now because he posted his IP. Let me be clear, I do not say RMS is unsecure. I just read about Red5 because I wanted to know more about all the stuff I can find in the ini's, and also wondered about stuff missing that people under Red5 are using to make it more secure. If for example access.dat is a modification by Boonex/Ray which forbids everything, then I am fine with it. There is just no real documentation out there which goes into any details like in other open source projects, or I cannot find it. So if Boonex can answer my initial questions I am OK with it. Anyway, I will try to follow some instructions I found to test if I am able to deploy some code/app to RMS which will run there as a server application. If it's not possible I am happy.

@newton: Access.dat, maybe that's users I saw running Dolphin/RMS and trying to get some info like me on some Red5 websites. He he, I don't know. Maybe it's another hidden option not documented anywhere.. Maybe Boonex tells me different things, let's wait.

writing from my tablet.....

 

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013

I think you're missing our whole conversation point.

Dolphin uses RMS from Boonex.

Red5 media server found on the internet is a completely different thing.

Dolphin has nothing to do with it.

As for posting my address, I've posted it here long ago... I'm ok with it..

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Apr 2013

you talk to me newton? if so I know what RMS is and what Red5 is Laughing

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Apr 2013