We received an email from one of our providers pointing to a Nerd Vittles article warning about hidden admin passwords through which attackers could gain admin access to FreePBX/Asterisk installations, provided those installations can be reached from the Internet. You should always protect your FreePBX installation by forcing users who need to reach it over the Internet to use a VPN or SSH port forwarding. This might be inconvenient for some customers, so keep reading...
Nerd Vittles does a very good job, but we would like to share a more robust solution here, even though it requires more technical knowledge. What we dislike about the solution Nerd Vittles proposes is that it suggests testing a limited list of username/password pairs without providing a definitive way to find out who has access to your FreePBX installation. Nevertheless, we also tried logging in with the Nerd Vittles list of usernames/passwords, because our solution does not cover passwords that might be hard-coded in the FreePBX source code itself, although we doubt there are any. One would have to scrutinize the FreePBX source code to find out definitively.
First, you should ALWAYS change the database access password for FreePBX, regardless of which bundle you chose to install FreePBX and Asterisk with. Better yet, if you have the technical skills, install Asterisk and then FreePBX from source; do not use bundles like Trixbox, etc. They are not needed and they may introduce additional security risks like the ones mentioned in the Nerd Vittles article.
Changing access to FreePBX database:
- In /etc/amportal.conf, look at the current database username/password configuration. They are stored in the AMPDBUSER and AMPDBPASS fields.
- Log in to your MySQL (or PostgreSQL, etc.) database with the command-line mysql utility using those credentials. Type "mysql --help" or "man mysql" at the command prompt to find out how to use mysql. Usually, logging in to your FreePBX database requires a command that looks like this: "bash$ mysql -u <AMPDBUSER> -h 127.0.0.1 -p <your_asterisk_database_name>" (see http://dev.mysql.com/doc/refman/5.0/en/mysql.html). "<your_asterisk_database_name>" is usually "asterisk"; check the AMPDBNAME field in /etc/amportal.conf to find your specific setting. You can change the database name at FreePBX installation time, which is good practice too. Alternatively, you can log in with your MySQL root user and password to manage the database, if you know it. Your database root password should be highly protected as well (see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html).
- Create a new user to access your FreePBX database, usually: "mysql> GRANT ALL PRIVILEGES ON <your_asterisk_database_name>.* TO '<your_new_user>'@'localhost' IDENTIFIED BY '<your_new_password>' WITH GRANT OPTION;" (see http://dev.mysql.com/doc/refman/5.0/en/grant.html). Choose a username unique to yourself and hard to guess.
- Revoke the old user's permissions. Test that you actually removed the old user's access by trying to log in again as in the previous step with the old credentials; access should be refused. Here is the mysql command to remove the old user's access: "mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM '<old_user>'@'localhost';" (see http://dev.mysql.com/doc/refman/5.0/en/revoke.html). The host part must match the one the old user was granted with, otherwise the REVOKE will not touch that account.
- Edit your /etc/amportal.conf file and change the AMPDBUSER and AMPDBPASS fields to the new credentials you have just defined. You should also make the amportal.conf file readable only by the user running your Apache server: "chown <user_running_apache> /etc/amportal.conf; chmod 600 /etc/amportal.conf".
- List the other usernames/passwords that can access your FreePBX installation: "mysql> select * from ampusers;"
- Delete any user that you do not want in there: "mysql> delete from ampusers where username='unwanted_user';" No standard username such as admin, etc. should be in there; only usernames unique to yourself and hard to guess should show up. Alternatively, you can use the FreePBX "Administrators" graphical module to edit those users, but it is still a good idea to use the mysql utility just to make sure what is actually in that database table.
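The steps above can be checked mechanically. The following Python script is an added example, not code from the original post or from the FreePBX project. It assumes the amportal.conf layout the post refers to (KEY=value lines with AMPDBUSER, AMPDBPASS and AMPDBNAME) and a MySQL backend; the sample config text, the ampusers rows, the "standard" name set and the uid 48 for the Apache user are constructed for illustration. It parses the config, flags standard or short credentials, checks the chown/chmod 600 advice, generates the GRANT/REVOKE pair with validated identifiers, and lists ampusers entries that should not be there.

```python
"""Audit helper for the FreePBX database-credential rotation described above.

Added example (not from the post or from FreePBX). Assumes KEY=value lines in
amportal.conf and a MySQL backend; all sample data below is constructed.
"""
import os
import re
import stat

# Usernames the post calls "standard"; constructed from its examples (admin,
# root) plus the default database name. Extend it with any others you use.
STANDARD_NAMES = {"admin", "root", "asterisk"}
# Only plain identifiers may be embedded in generated SQL, so a hostile value
# read from a config file or table cannot become a second statement.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def parse_amportal(text):
    """Parse amportal.conf: KEY=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_db_credentials(conf, min_password_len=12):
    """Findings about AMPDBUSER / AMPDBPASS / AMPDBNAME."""
    findings = []
    user = conf.get("AMPDBUSER", "")
    password = conf.get("AMPDBPASS", "")
    if not user or not password:
        findings.append("AMPDBUSER or AMPDBPASS missing from amportal.conf")
    if user.lower() in STANDARD_NAMES:
        findings.append(f"AMPDBUSER '{user}' is a standard, guessable name")
    if len(password) < min_password_len:
        findings.append(f"AMPDBPASS is shorter than {min_password_len} characters")
    if conf.get("AMPDBNAME", "asterisk") == "asterisk":
        findings.append("AMPDBNAME is the default 'asterisk'")
    return findings


def audit_mode(mode, uid, expected_uid, path="/etc/amportal.conf"):
    """Check the chown/chmod 600 advice: no group/other bits, owned by the web-server uid."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append(f"{path} is readable by group/other (mode {perm:04o}, want 0600)")
    if uid != expected_uid:
        findings.append(f"{path} is owned by uid {uid}, expected uid {expected_uid}")
    return findings


def audit_file(path, expected_uid):
    """Same check against a real file on disk."""
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_uid, expected_uid, path)


def rotation_sql(dbname, old_user, new_user, new_password, host="localhost"):
    """Build the GRANT/REVOKE pair from the post, validating identifiers first."""
    for name in (dbname, old_user, new_user):
        if not SAFE_NAME.match(name):
            raise ValueError(f"refusing to embed unsafe identifier {name!r} in SQL")
    if "'" in new_password or "\\" in new_password:
        raise ValueError("choose a password without quotes or backslashes for this helper")
    return [
        f"GRANT ALL PRIVILEGES ON `{dbname}`.* TO '{new_user}'@'{host}' "
        f"IDENTIFIED BY '{new_password}' WITH GRANT OPTION;",
        f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{old_user}'@'{host}';",
    ]


def audit_ampusers(rows):
    """Return usernames from 'SELECT * FROM ampusers' rows that should not be there."""
    return [row[0] for row in rows if str(row[0]).lower() in STANDARD_NAMES]


# Constructed sample input: a deliberately weak amportal.conf and ampusers table.
SAMPLE_CONF = """# constructed sample, not a real installation
AMPDBHOST=localhost
AMPDBNAME=asterisk
AMPDBUSER=admin
AMPDBPASS=secret
"""
SAMPLE_AMPUSERS = [("admin", "plaintext-pw"), ("ops_7h3k", "plaintext-pw")]


def run_sample():
    """Run every check on the constructed sample and return the combined findings."""
    conf = parse_amportal(SAMPLE_CONF)
    findings = audit_db_credentials(conf)
    # mode 0644 owned by root, while the web server runs as uid 48 (constructed values)
    findings += audit_mode(0o100644, uid=0, expected_uid=48)
    findings += [f"unexpected ampusers entry '{u}'" for u in audit_ampusers(SAMPLE_AMPUSERS)]
    return findings


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
    print("\n".join(rotation_sql("asterisk", "admin", "ops_7h3k", "CorrectHorseBatteryStaple42")))
```

On a live system, replace SAMPLE_CONF with the contents of /etc/amportal.conf, call audit_file("/etc/amportal.conf", <uid of the Apache user>) instead of audit_mode, and feed the rows of "select * from ampusers" to audit_ampusers. The GRANT ... IDENTIFIED BY form is the one the post shows and works on MySQL 5.x; MySQL 8 removed it, so there you create the account with CREATE USER first and then GRANT without the IDENTIFIED BY clause.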
FreePBX works great for small to medium-sized businesses and individuals. We have many installs under our belt and satisfied customers. Nevertheless, the FreePBX development team will tell you that it was not designed from the start with a focus on the security needed to withstand Internet attacks. This is understandable, because very few commercial enterprise PBXs are directly connected to the Internet; PBXs are usually accessible only through a VPN or a similar solution.
The FreePBX authentication scheme is weak. For example, storing the database access password in a plain-text file readable by everybody, and granting access to the FreePBX console with it, is weak. The FreePBX development team has only recently started to look into this problem because, despite the warnings, many people do expose their installation to the Internet. Also, storing user passwords in the ampusers table in plain text is weak. In our humble opinion, you should protect your FreePBX installation by other means, at the very least a VPN or SSH port forwarding, if you really need to access it over the Internet.