Whether it’s forgetting to change a default password or not removing an additional password that you didn’t even know existed, some new revelations this week about FreePBX security are worth a minute of your time. There’s more disappointing news. The bad guys are getting smarter and much more dangerous.
If you’re new to Asterisk®, FreePBX® is the terrific, web-based graphical user interface that turns Asterisk into a user-friendly PBX that even mere mortals can use. It is bundled as part of every Asterisk aggregation including PBX in a Flash, trixbox, Elastix, and Asterisk Now. With the exception of PBX in a Flash, you may not know it’s there, but it is.
Years ago when FreePBX was in its infancy, the developers set up a way that administrators could still get into their system even if they forgot their administrator password. Typing admin:admin as the username:password combination basically gave you the keys to the castle in the default FreePBX install. That worked great in the days before folks exposed their systems to direct Internet web access which is a really BAD IDEA by the way.
Some of the aggregations shipped with a default username and password combination of maint and password. And for visually-impaired users, an automatic installer was crafted which set a default password of passworm. While users were encouraged to change these default passwords, many unfortunately didn’t heed the advice. According to one unnamed provider that recently saw a spike in illegal calling activity, his attempt to log in to some of his customer’s systems using password as the administrator password yielded a list of 50 vulnerable systems in under an hour!
And then there was this week’s Elastix revelation that the developers had embedded an additional backdoor password in their distribution that very few knew about… except the bad guys unfortunately. According to Xorcom:
It recently came to our attention that it is possible to login to the Elastix server unembedded FreePBX Web interface (http://address/admin) with user name ‘asteriskuser’ and password ‘eLaStIx.asteriskuser.2oo7’. The user name and password are the same user name and password used by FreePBX to access the ‘asterisk’ MySQL database. They are defined in the parameters AMPDBUSER and AMPDBPASS in the /etc/amportal.conf file.
What could possibly go wrong? Well, everything! Over the past few years, what typically happened with these vulnerable systems was that the buy guys obtained an extension password and began making free calls on your nickel until you checked your FreePBX call log or received your phone bill. That was then.
Here’s the latest bad guy scenario. The intruder logs into your FreePBX GUI using the default administrator password using a very sophisticated script which extracts all of your extension numbers, all of your trunk credentials, and, of course, all of your passwords. The script then hides a BOT on your server that “phones home” whenever any change is made in your account names or passwords. Finally, rather than using your server to make calls, the bad guys now use their own servers with your provider credentials to make free calls. So the first notice you receive of the intrusion is when your credit card is maxed out because you stupidly chose credit card auto-replenishment when you set up your VoIP account with your favorite provider.
SO… how do you fix it? Well, first you need to check whether your system is vulnerable. Using a browser, attempt to log into FreePBX at http://yourIPaddress/admin and use the following username:password combinations:
Be aware that on some systems using Fail2Ban such as PBX in a Flash, three consecutive failed logins may lock you out of your system for a lengthy period of time. On these systems, we recommend you first stop Fail2Ban: service fail2ban stop. Don’t forget to restart it after your testing: service fail2ban start.
If you gain access to your system using any of the above credentials and the web interface your server is exposed to the Internet, then you’ve got a problem. Do NOT just change your password thinking all is well. As mentioned, your new credentials are likely being transmitted to the bad guys before you can say “I’m S-C-R-E-W-E-D.” Instead, you should reformat your drive, contact all of your trunk providers and change your credentials. Then reinstall a NEW system using your new credentials AND new extension passwords. DON’T FORGET TO CHANGE YOUR DEFAULT PASSWORD! On PBX in a Flash and Incredible PBX systems, it’s easy. Just log into your server as root, enter the command passwd-master, and answer the prompts. Think up a very secure password… as if your bank account depended on it. It does! Finally, read our Primer on Asterisk Security. Be safe!
Originally published: Friday, April 15, 2011
Changes in PBX in a Flash Distribution. In light of the events outlined in our recent Nerd Vittles article and the issues with Asterisk 1.8.4, the PIAF Dev Team has made some changes in our distribution methodology. As many of you know, PBX in a Flash is the only distribution that compiles Asterisk from source code during the install. This has provided us enormous flexibility to distribute new releases with the latest Asterisk code. Unfortunately, Asterisk 1.8 is still a work in progress to put it charitably. We also feel some responsibility to insulate our users from show-stopping Asterisk releases. Going forward, the plan is to reserve the PIAF-Purple default install for the most stable version of Asterisk 1.8. Currently, we think that dubious title belongs to Asterisk 18.104.22.168 even though it has its own share of surprises. Other versions of Asterisk 1.8 (newer and older) will be available through a new configuration utility which now is incorporated into the PIAF 22.214.171.124.2 ISO.
Here’s how it works. Begin the install of a new PIAF system in the usual way by booting from the CD and pressing Enter to load the most current version of CentOS 5.6. When the CentOS install finishes, your system will reboot. Remove the CD, accept the license agreement, and choose the PIAF-Purple option to load the default version of Asterisk 1.8. Or exit to the Linux CLI if you want a different version. Log into CentOS as root with your root password. Then issue a command like this: piafdl -p 184 (loads Asterisk 1.8.4), piafdl -p 1833 (loads Asterisk 126.96.36.199), or piafdl -p 1832 (loads Asterisk 188.8.131.52). If there should ever be an outage on one of the PBX in a Flash mirrors, you can optionally choose a different mirror for the payload download by adding piafdl -c for the .com site, piafdl -d for the .org site, or piafdl -e for the .net site. Then add the payload switch of your choice, e.g. piafdl -c -p 184.
Bottom Line: If you use the piafdl utility to choose a particular version of Asterisk 1.8, you are making a conscious decision to accept the consequences of your particular choice. We would have preferred implementation of a testing methodology at Digium® before distribution of new Asterisk releases; however, that doesn’t appear to be in the cards. So, as new Asterisk 1.8 releases hit the street, they will be made available through the piafdl utility until such time as our PIAF Pioneers independently establish their reliability.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.
Some Recent Nerd Vittles Articles of Interest…