tip: always use a different shoutcast installation for each stream that you are using, so that you can update them independently. Also use different user for each instance.

Roger Wilco said:

Running a public Shoutcast (or Icecast) server on the same instance as your private Airtime production server is never a good idea. Separating the two is absolutely critical for anyone interested in real security.

Can you provide more documentation on this?

@Roger Wilco say:
However, in the real world, you definitely don't want the IP address of your honeypot loaded with valuable assets to just hang out in public... potentially syndicated by YPs and various random aggregators.
 
Honeypots are never a good idea unless you know exactly what you are doing.as the name suggests,you are bring in all the bees,scripties and amateur who are looking to test there skills.
One way to use honeypots if you should then host it remotely and then have excess traffic directed to there.
But no need for that,just set up a relay for your server and when one is full the person is redirected somewhere else.
Or setup a proxy like pound so that say all your windows users are directed to one server and others are redirected to other servers or ports. for instance you could have multiple ports (not a wise idea) on the Iceecast servers  or multiple mount points

Put it this way you cannot hide an IP from hackers.Remember,true hackers use scanners,its just like a radio scanners,where the parameters (station) are there it will just lock on and the music plays.
Also there are various ways to hack and these target various layers of the OSI Model.

But why do you want to keep the production server for .

Unscrupulous and unwanted traffics should be reduce as much as possible.setting up a separate icecast server is the best solution.Just as I always say you want to delegate as much as possible So set up your webserv,seperate from your airtime serve,from your proxy server ,your database server ,your dns server etc.provides a better audit and troubleshoot when something wrong.
Simple you could put a backup file mount on the seperate Icecast server so that when you restart your airtime  you do not lose your listeners.

@Roger Wilco  further said:
Intentionally separating the two allows you to keep your Airtime production IP number private, known only to you and your team. That's infinitely better than any firewall.

What? That's crazy talk,Half-Fast talk.

Your firewall is the first line of defense it encompass the first 3 layers of the OSI Model.Its like a fence,a wall etc.You cannot hide in open house.
The firewall carries the DMZ,The local network,the wifi network,all other types of hybrid network. and determine your packet filters.
So you can run all your database locally,and all your php remotely to obtain necessary information,not exposing the database entirely.(barring injections etc.)
You can put your Airtime on one branch and your other server on other branch and only access the services necessary on the other server.

The Airtime server Applications and most applications operate at the presentation layer,(layer 6) and attack here is trivial to the fact that you need the others layers.
So if your firewall say only port 80 in ,then launching an attack on an application need to be transported (layer 7) and the network layers.
You need the firewall to limit these attack,so if the Softare is exposed without the firewall ,"DOG HAS JUST ATE YOUR Supper"

Become Familiar with OSI- MODEL and network security for New Year
\
VOISSES

All good advice, but we are a nonprofit station and can't afford having 2 servers, so our website, Shoutcast, and Airtime are all being hosted on the same server. Maybe when we win the lottery we'll separate stuff out.

Oh pishaw... check out Digital Ocean