How to decouple Icecast web interface and mountpoints

1

It looks like the default behavior is for Icecast to expose its web interface on the same address and port as any mountpoint. E.g.:

  mountpoint = https://server.com/listentome
  web app = https://server.com/

I'd like to restrict the web interface to only a certain IP address and TCP port so that it is not accessible on the public IP. E.g.:

  mountpoint = https://server.com/listentome
  web app = https://192.168.1.10:8000/

Is this possible?

Justin

Posted 2018-12-26T17:43:26.560

Reputation: 11

Answers

1

You can just create <mount> sections for the files/parts you want to be protected and enable <authentication>. Yes, it works on files too, not just streams. The XML transforms that show stream information are status.xsl and status-json.xsl.

For details please refer to the manual: https://icecast.org/docs/icecast-trunk/auth/

The other option is to remove those files and only use the web pages and raw XML within /admin.

Icecast 2.4 does not allow for separation of files and streams.

TBR

Posted 2018-12-26T17:43:26.560

Reputation: 283
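
The first option in the answer above, sketched as an added configuration fragment (not taken from the answer or from the Icecast project): `<mount>` sections that put htpasswd authentication in front of the two status transforms while the stream mount stays open. It assumes the Icecast 2.4 `<authentication type="htpasswd">` syntax; the htpasswd path is a placeholder, `/listentome` is the mountpoint from the question, and the layout should be checked against the manual for the installed version.

```xml
<!-- Added example: goes inside the <icecast> root element of icecast.xml. -->
<!-- Assumes Icecast 2.4-style htpasswd authentication. -->
<!-- /path/to/web-auth.htpasswd is a placeholder, not a value from this page. -->

<!-- Require a login before the HTML status page is served. -->
<mount>
    <mount-name>/status.xsl</mount-name>
    <authentication type="htpasswd">
        <option name="filename" value="/path/to/web-auth.htpasswd"/>
    </authentication>
</mount>

<!-- Same protection for the JSON status transform. -->
<mount>
    <mount-name>/status-json.xsl</mount-name>
    <authentication type="htpasswd">
        <option name="filename" value="/path/to/web-auth.htpasswd"/>
    </authentication>
</mount>

<!-- The stream itself has no <authentication> block, so listeners are unaffected. -->
<mount>
    <mount-name>/listentome</mount-name>
</mount>
```

After reloading the configuration, an unauthenticated request for `/status.xsl` or `/status-json.xsl` should be refused, while `/listentome` should still play.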

But even if I do both of the above, the default web interface is still open to the internet (if the stream is on the internet). It seems strange to me that Icecast doesn't have a built-in way to optionally remove/hide this access and separate these two functions. What I've done for the moment is to set the web root alias to an HTML page that redirects to our main website. To further secure the server I'll have to move all the XSL files and change the config file accordingly. – Justin – 2018-12-27T02:42:24.023

Most of the time what people care about is hiding the listener numbers, for some reason. Pretty much all the other metadata is also available from the streams themselves, obviously. For making things completely oblique it's sufficient to point to an empty directory as webroot in the config. The admin API/Interface always requires authentication and a strong password is always a good idea. – I'm not sure what you mean by "still open" though. What are your real concerns here? – TBR – 2018-12-27T10:29:03.800

OK, I initially misunderstood the idea of removing the files in web root, in which case there would be no files to serve. But, someone could still point to //myserver.com/admin, right? My real concern is someone trying to poke around in the Icecast server and seeing stuff they don't need to see or finding vulnerabilities. – Justin – 2018-12-28T15:01:27.513