Comments on: FreePBX Backdoor Passwords Pose Asterisk Security Threat

By: Karmena

Karmena — Fri, 20 May 2011 00:53:57 +0000

Thank you for putting this post out, but I really don't understand. So you're saying, just by re-formating my system, and changing the default password, extension passwords, etc, I'll be safe? How do I get rid of the default usernames and passwords? Does the latest FreePBX have that taken care of, or is it still there? So if I've been using FreePBX for years, and have been updating, making sure my passwords are secure etc., how should I go ahead and REFORMAT YEARS WORTH OF STUFF? I'm really confused, since that means my business goes down for about a week or more! I know security is important, but so is feeding my children. And saying that I should use another product, instead of what I have built and customized and put my sweat and blood into... I mean if someone who was able to get into their server with the backdoor read this... they'll think its a doomsday message, "my life is finished!", "all my hard work goes down the drain!" "all is lost!" Is there a way to recover and start over, without having downtime? I'm just scard for those who read this, and don't know what to know what to do after the system has been compromised in such a cruel fashion

By: Trousle Undrhil

Trousle Undrhil — Thu, 28 Apr 2011 20:48:53 +0000

While this might sound like a dumb question, I follow the camp of "There is no such thing as a dumb question." So, here it goes: What is considered a weak password? Something that I can guess on my own in a few hours? Something that a hacker with the latest CPU and cracking software can guess in a few hours? How many digits should be the minimum for a password? Should there be a maximum number of digits? [WM: Six to eight alphanumeric characters with a couple of uppercase letters thrown in is virtually impossible to crack.]

By: Kerry Garrison

Kerry Garrison — Mon, 18 Apr 2011 18:53:32 +0000

Excellent roundup of password issues. People think their phone system is safe and it is often the worst protected system on their network. I have heard many many times "its secure because its Linux", anyone saying that shouldn't be installing these systems. A weak password is almost an open invitation to get hacked.

By: Tony

Tony — Fri, 15 Apr 2011 23:21:58 +0000

Another reason people should move to FreePBX 2.9 as soon as it is final. We added a option in Advanced Setting to disable the backdoor MySQL username and password login and the default setting of this is to disable the backdoor. These were all things added to FreePBX as we started building a FreePBX Distro and focused on making sure it was secure, hence why we random generate MySQL and AMI username and password for each system and make you setup your own FreePBX admin page the first time you attempt to log in. Default password are dangerous and most people never change them.

By: Rafael Cortes

Rafael Cortes — Fri, 15 Apr 2011 15:48:45 +0000

Besides changing the password, and following all the security tips that Ward provides, it is a good idea to talk to your sysadmin, or hire an external one that knows how to block and filter outgoing communications in your firewall. That usually stops bots, and "phone home" types of attacks, even from the "authorized" services (Like Trixbox did back in the day when they got aquired).

The PBX should not begin any outgoing request except for specific ones to your providers, and the update server if so you wish, everything else SHOULD be blocked, and even the authorized ones should be filtered and monitored.

…just my 2 cents.

(Ward, greetings from Puerto Rico)

By: David

David — Fri, 15 Apr 2011 12:36:53 +0000

Thanks Ward. Yet again, our two systems are still sleeping safe at night while others didn’t know their kitchen window was left wide open.

By: Andrew

Andrew — Fri, 15 Apr 2011 12:24:29 +0000

Yet another reason I’m glad that I’ve been using PBX in a Flash. Your focus on security in a niche market that often neglects security is very much appreciated.