
Asterisk FreePBX Security: FreePBX Backdoor Passwords Pose Asterisk Security Threat; Here is a more robust solution to eliminate this possibility
Written by Alain Côté
Sunday, 01 May 2011 16:44

We received an email from one of our providers pointing to a Nerd Vittles article warning about hidden admin passwords through which hackers could gain admin access to FreePBX/Asterisk installations, provided such installations can be reached from the Internet. You should always protect your FreePBX installation by forcing users who need to access it over the Internet to use a VPN or SSH port forwarding. This may be inconvenient for some customers, so keep reading...

 


Well, Nerd Vittles does a very good job, but although the more robust solution we suggest requires more technical knowledge, we would like to share it here. What we dislike about the solution Nerd Vittles proposes is that it suggests testing a limited list of usernames/passwords without providing a definitive way to find out who has access to your FreePBX installation. Nevertheless, we also tried logging in with the Nerd Vittles list of usernames/passwords, because our solution does not cover passwords potentially hardcoded in the FreePBX source code itself, although we doubt there are any. One would have to scrutinize the FreePBX source code to find out definitively.
 

First, you should ALWAYS change your FreePBX database access password, regardless of the flavor of bundle you chose to install FreePBX and Asterisk with. Better yet, if you have the technical skills, install Asterisk and then FreePBX from source and do not use any bundle like Trixbox etc.; they are not needed and they may introduce additional security risks, as mentioned in the Nerd Vittles article.

Changing access to the FreePBX database:

  1. In /etc/amportal.conf, look at the current database username/password configuration. They are stored in the AMPDBUSER and AMPDBPASS fields.
  2. Log in to your mysql (or postgres, etc.) database with the command line mysql utility using those credentials. Type "mysql --help" or "man mysql" at the command prompt to find out how to use mysql. Usually, logging in to your FreePBX database requires a command that looks like this: "bash$ mysql -u <AMPDBUSER> -h 127.0.0.1 -p <your_asterisk_database_name>" (see http://dev.mysql.com/doc/refman/5.0/en/mysql.html). "<your_asterisk_database_name>" is usually "asterisk"; view the AMPDBNAME field in /etc/amportal.conf to find out your specific setting. You can change the database name at FreePBX installation time, which is good practice too. Alternatively, you can log in with your mysql root user and password to manage your database, if you know it. Your database root password should be highly protected as well (see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html).
  3. Create a new user to access your FreePBX database, usually: "mysql> GRANT ALL PRIVILEGES ON <your_asterisk_database_name>.* TO '<your_new_user>'@'localhost' IDENTIFIED BY '<your_new_password>' WITH GRANT OPTION;" (see http://dev.mysql.com/doc/refman/5.0/en/grant.html). Choose a username unique to yourself and hard to guess.
  4. Revoke the old user's permissions. Test that you actually removed the old user's access by trying to log in again with the old credentials (the mysql command above). You should get an access denied error. Here is the mysql command to remove the old user's access: "mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM <old_user>;" (see http://dev.mysql.com/doc/refman/5.0/en/revoke.html).
  5. Edit your /etc/amportal.conf file and change the AMPDBUSER and AMPDBPASS fields to the new credentials you have just defined. You should also make the amportal.conf file readable only by the user running your apache server: "chown <user_running_apache> /etc/amportal.conf; chmod 600 /etc/amportal.conf".
  6. List the other usernames/passwords that can access your FreePBX installation: "mysql> select * from ampusers;".
  7. Delete any user that you do not want in there: "mysql> delete from ampusers where username='<unwanted_user>';". No standard username such as admin etc. should be in there; only usernames unique to yourself and hard to guess should show up. Alternatively, you can use the FreePBX "Administrators" graphical module to edit those users, but it is still a good idea to use the mysql utility to make sure of what is in that database table.

FreePBX works great for small to medium sized businesses and individuals. We have many installs under our belt and satisfied customers. Nevertheless, the FreePBX development team will tell you that it was not designed from the start with a focus on the security needed to face Internet attacks. This is understandable because very few commercial enterprise PBXs are directly connected to the Internet; PBXs are usually accessible only through a VPN or similar solutions.
 
The FreePBX authentication scheme is weak. For example, storing the database access password in a plain text file readable by everybody, and granting access to the FreePBX console with it, is weak. The FreePBX development team only recently started to look into this problem because, despite the warnings, many people do expose their installation to the Internet. Also, storing user passwords in the ampusers table in plain text is weak. In our humble opinion, you should protect your FreePBX installation by other means, at least a VPN or SSH port forwarding, if you really need to access it over the Internet.
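As an added example (not code from the original article or from the FreePBX project), the following Python script walks through the database steps above on constructed sample data: it reads the AMPDB* fields from an amportal.conf, generates the SQL for rotating the database account (steps 3 and 4), and audits ampusers rows for guessable names and plain-text passwords (step 7 and the weakness just described). Assumptions: the sample config, sample rows and list of guessable names are constructed, and a hashed ampusers password is recognised as a 40-character hex SHA-1 digest.

```python
import re

# Constructed sample of /etc/amportal.conf (not taken from a real installation).
SAMPLE_AMPORTAL = """\
# FreePBX database settings
AMPDBENGINE=mysql
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
AMPDBPASS=amp109
"""
# Constructed ampusers rows (username, stored password). A SHA-1 digest is 40 hex
# characters; anything else is treated as a plain-text password from an older install.
SAMPLE_AMPUSERS = [("admin", "admin"),
                   ("pbx_ops_7x", "c7a9a6f6e6d7c4b1b3e8d2c1f0a9b8c7d6e5f4a3")]
GUESSABLE = {"admin", "administrator", "asterisk", "asteriskuser", "freepbx", "root"}
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def parse_amportal(text):
    """Return KEY=value pairs from amportal.conf, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def rotation_sql(conf, new_user, new_password):
    """Steps 3 and 4 as SQL. REVOKE alone leaves the old account able to connect
    (with no privileges), so DROP USER follows it to make the old login fail."""
    db, old, pw = conf["AMPDBNAME"], conf["AMPDBUSER"], new_password.replace("'", "''")
    return [f"GRANT ALL PRIVILEGES ON `{db}`.* TO '{new_user}'@'localhost' "
            f"IDENTIFIED BY '{pw}' WITH GRANT OPTION;",
            f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{old}'@'localhost';",
            f"DROP USER '{old}'@'localhost';"]

def audit_ampusers(rows):
    """Step 7: flag guessable console usernames and plain-text stored passwords."""
    findings = []
    for username, secret in rows:
        if username.lower() in GUESSABLE:
            findings.append(f"{username}: guessable username, delete it")
        if not SHA1_HEX.match(secret):
            findings.append(f"{username}: password stored in plain text")
    return findings

if __name__ == "__main__":
    conf = parse_amportal(SAMPLE_AMPORTAL)
    print(*rotation_sql(conf, "pbx_db_k9q2", "<long random password>"), sep="\n")
    print(*audit_ampusers(SAMPLE_AMPUSERS), sep="\n")
```

To use it on a real system, replace the constructed samples with the contents of /etc/amportal.conf and the output of "select username, password_sha1 from ampusers;" (column name assumed), and feed the printed statements to the mysql utility only after verifying the new account works.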

Here is the link to the Nerd Vittles article:
 http://nerdvittles.com/?p=737
Comments (4)
OK But
1 Friday, 06 May 2011 10:34
Zach
While having read the article in question, I feel that even with my "diminished capacity" as a nerd vittles reader, I can comment on this one.
I think that either solution still works. Really though, just knowing that you have an unknown account backdoor should cause you or anyone to review their security in full.
Re: but
2 Friday, 06 May 2011 16:34
Alain Côté
Hello Zach,

 

Come on, I read Nerd Vittles myself and I don't feel that I have a "diminished capacity", so neither should you!

Nerd Vittles does a great job at making things available to people who do not want to have to learn technical stuff in depth just to make a phone system work. A phone system should be a commodity. Nerd Vittles does very well in reaching that goal and I respect that. They offer a pretty good Asterisk/FreePBX/other stuff bundle even including fail2ban.

So, I would think that it would be fair to say that Nerd Vittles "targeted audience" would require less technical skills than needed for logging into mysql, writing firewall rules with iptables to limit brute force attacks on SIP Register, etc.

Nerd Vittles "targeted audience" means the average audience, especially with regards to the tone of the article I link to. You will notice that the only technical skill required to test for backdoors in Nerd Vittles article is to be able to type a username and password in a login form and this is fine if you want to reach as many people as possible.

My intention was to complement Nerd Vittles solution. You should test for potential usernames/passwords unknown to Nerd Vittles and that is what I suggested to do, adding a few other tips along the way.

Thanks for your comment Zach, I have rephrased the article, sorry about this: removed:

"than Nerd Vittles targeted audience usually possesses"

security
3 Tuesday, 24 May 2011 01:49
kulisty
For a few years now, your passwords are encrypted (sha) in the db, and not in a plain text file as the poster would like you to believe
Re: security
4 Monday, 06 June 2011 00:35
Alain Côté
Hello Kulisty,

The plain text file we refer to is /etc/amportal.conf

On new and fresh installations of FreePBX from scratch, the passwords are indeed encrypted in the database table "ampusers". Nevertheless, there are many installations around which still have non-encrypted passwords in the "ampusers" table. I would even think it could be the majority of FreePBX installations. What happens on an upgrade path would remain to be seen. We will report back here when we encounter this situation.

One may ask why passwords weren't encrypted from the start in all versions of FreePBX since hashing techniques have been around for much longer than Asterisk or FreePBX existed.

Last updated (Saturday, 07 May 2011 18:09)