|Asterisk FreePBX Security: FreePBX Backdoor Passwords Pose Asterisk Security Threat; Here is more robust solution to eliminate this possibility|
|Écrit par Alain Côté|
|dimanche, 01 mai 2011 16:44|
We received an email from one of our provider pointing to a Nerd Vittles article warning about hidden admin passwords by which hackers could gain admin access to FreePBX/Asterisk installations granted such installations can be accessed through the Internet. You should always protect your FreePBX installation by forcing users that need to access it through the Internet to use a a VPN or SSH port redirection. This might be inconvenient for some customers so keep on reading...
Well, Nerd Vittles does a very good job but although the more robust solution we suggest requires more technical knowledge, we would like to share it here. What we dislike about Nerd Vittles proposed solution is that they are suggesting to test for a limited list of usernames/passwords without providing a definitive solution to test who has access to your FreePBX installation. Nevertheless, we tried logging in with Nerd Vittles list of username/password because our solution doesn't cover potentially hardcoded passwords in the source code of FreePBX itself although we doubt there is any. One would have to scrutinize FreePBX source code to definetely find out.
First, you should ALWAYS change your database access password for FreePBX without regards for the flavor of the bundle you have chosen to install FreePBX and Asterisk. Better yet, if you have the technical skills, just install Asterisk then FreePBX from sources, do not use any bundles like Trixbox etc., they are not needed and they might introduce additional security risks like mentioned in the Nerd Vittles article.
Changing access to FreePBX database:
FreePBX works great for small to medium sized businesses or individuals. We have many installs behind our belt and satisfied customers. Nevertheless, FreePBX development team will tell you that it wasn't designed from the start with a focus on the security needed to face Internet attacks. This is understandable because very few commercial enterprise PBX are directly connected to the Internet. PBX are usually only accessible through a VPN or similar solutions.
FreePBX authentication scheme is weak. For example, storing the database access password in a plain text file readable by everybody and granting access to the FreePBX console with it is weak. FreePBX development team just recently started to look into this problem because, despite the warnings, many people do make their installation open to the Internet. Also, storing username passwords in the ampusers table in plain text is weak. In our humble opinion, you should protect your FreePBX installation by other means like at least using a VPN or SSH port redirection if you really need to access it through the internet.
Here is the link to the Nerd Vittles article:
Commentaires / Comments (4)
|Mis à jour / Last updated ( samedi, 07 mai 2011 18:09 )|