November 27, 2011

How to secure AsteriskNow, how to change the default passwords in AsteriskNow

AsteriskNow ships with the following default username/password pairs:

  • admin / admin (Asterisk Manager Interface)
  • freepbx / fpbx (MySQL)

If the Asterisk server is exposed to the Internet, you must change these default passwords.

Changing the ‘admin’ password

Asterisk Manager Password

Edit /etc/asterisk/manager.conf. The section name [admin] must match the AMPMGRUSER=admin setting in /etc/amportal.conf below.

[admin]
secret=<newstrongMGRpassword>

Edit /etc/asterisk/extensions_additional.conf (I know you shouldn’t edit this file directly, but you need to, since you can’t “Apply Changes” to regenerate it yet).

Find AMPMGRPASS and replace the old password with your <newstrongMGRpassword>.

Edit /etc/amportal.conf

# AMPMGRUSER: the user to access the Asterisk manager interface
AMPMGRUSER=admin
# AMPMGRPASS: the password for AMPMGRUSER
AMPMGRPASS=<newstrongMGRpassword>

Flash Operator Panel Password

Edit /etc/amportal.conf

# FOPPASSWORD: the secret code for performing transfers and hangups in the Flash Operator Panel
FOPPASSWORD=<newstrongFOPpassword>

ARI Admin password

Edit /etc/amportal.conf and add the following at the end of the file:

# ARI_ADMIN_USERNAME
ARI_ADMIN_USERNAME=ariadmin
# ARI_ADMIN_PASSWORD
ARI_ADMIN_PASSWORD=<newstrongARIpassword>

Changing the ‘freepbx’ password

From a command prompt as root, run the command “mysql” (without the quotes). Depending on whether you’ve overridden the username/password combination, you might need to pass switches such as “mysql -u root -p” to log in.

Once inside the mysql prompt, run the SQL statement “use mysql”.

Then run the SQL statement “UPDATE user SET Password=PASSWORD('newsecretpassword') WHERE User='freepbx';”

Then run the SQL statement “FLUSH PRIVILEGES;”

Exit the mysql prompt.

Use a text editor to open /etc/amportal.conf

Find the AMPDBPASS line and change the value fpbx to the newsecretpassword you set in MySQL above.

Next, open /etc/asterisk/cdr_mysql.conf in a text editor.

Find the fpbx password value and replace the old password with your newsecretpassword.

Next, open /etc/asterisk/extensions_additional.conf in a text editor (I know you shouldn’t edit this file directly, but you need to, since you can’t “Apply Changes” to regenerate it yet).

Find the fpbx password value and replace the old password with your newsecretpassword.

Now that you’ve changed these files, run an amportal restart and you should be good to go.

A reboot is recommended, but you may get away with:

# amportal restart

Once Asterisk is up and running, connect to the Asterisk process:

# asterisk -rvvvvvvv
pbx*CLI>

While connected to the CLI, browse around FreePBX. This should produce the following output on the CLI:

== Manager 'admin' logged on from 127.0.0.1
== Manager 'admin' logged off from 127.0.0.1
== Manager 'admin' logged on from 127.0.0.1
== Manager 'admin' logged off from 127.0.0.1
== Manager 'admin' logged on from 127.0.0.1
== Manager 'admin' logged off from 127.0.0.1
pbx*CLI>

This shows that FreePBX is able to successfully log on to the running Asterisk process with the new manager password.
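A quick consistency check for the files edited above, as an added example that is not part of the original post: it reads /etc/amportal.conf, /etc/asterisk/manager.conf and /etc/asterisk/cdr_mysql.conf, flags any default that is still in place, and reports when the AMI secret or MySQL password FreePBX uses differs from the one Asterisk or the CDR module has. The sample files it writes to a temporary directory are constructed, not real system files, and the [global]/password layout assumed for cdr_mysql.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files edited above for
# leftover AsteriskNow defaults and for an AMI secret or MySQL password that
# FreePBX and Asterisk disagree on.  Prints each finding; returns 0 when clean.
# Usage: audit_pbx_creds /etc/amportal.conf /etc/asterisk/manager.conf /etc/asterisk/cdr_mysql.conf

# KEY=value from an amportal.conf-style file (first match, comment lines skipped).
amp_value() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# key=value from a named [section] of an Asterisk .conf file (spaces around '=' tolerated).
ini_value() {  # $1=file $2=section $3=key
    awk -v s="[$2]" -v k="$3" '
        $0 == s                             { in_s = 1; next }
        /^\[/                               { in_s = 0 }
        in_s && $0 ~ "^[ \t]*" k "[ \t]*="  { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

audit_pbx_creds() {  # $1=amportal.conf $2=manager.conf $3=cdr_mysql.conf
    rc=0
    user=$(amp_value "$1" AMPMGRUSER); mgr=$(amp_value "$1" AMPMGRPASS)
    db=$(amp_value "$1" AMPDBPASS)
    ami=$(ini_value "$2" "${user:-admin}" secret)
    cdr=$(ini_value "$3" global password)   # assumed cdr_mysql.conf layout
    [ "$mgr" = "admin" ] && { echo "AMPMGRPASS is still the default 'admin'"; rc=1; }
    [ "$ami" = "admin" ] && { echo "manager.conf [$user] secret is still 'admin'"; rc=1; }
    [ "$db" = "fpbx" ]   && { echo "AMPDBPASS is still the default 'fpbx'"; rc=1; }
    [ "$cdr" = "fpbx" ]  && { echo "cdr_mysql.conf password is still the default 'fpbx'"; rc=1; }
    # FreePBX logs on to the manager with AMPMGRPASS; Asterisk checks manager.conf.
    [ "$ami" != "$mgr" ] && { echo "manager.conf [$user] secret missing or differs from AMPMGRPASS"; rc=1; }
    # FreePBX and the CDR module share the same MySQL account.
    [ "$cdr" != "$db" ]  && { echo "cdr_mysql.conf password missing or differs from AMPDBPASS"; rc=1; }
    return $rc
}

# Demo on constructed sample files mirroring a fresh install (not real system files).
demo=$(mktemp -d)
printf 'AMPMGRUSER=admin\nAMPMGRPASS=admin\nAMPDBPASS=fpbx\n' > "$demo/amportal.conf"
printf '[general]\nenabled = yes\n\n[admin]\nsecret=admin\n' > "$demo/manager.conf"
printf '[global]\nhostname=localhost\npassword=fpbx\nuser=freepbx\n' > "$demo/cdr_mysql.conf"
audit_pbx_creds "$demo/amportal.conf" "$demo/manager.conf" "$demo/cdr_mysql.conf" \
    || echo "result: defaults still in place"
rm -rf "$demo"
```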

Protecting apache web folders using .htaccess

.htaccess files are used to protect directories within Apache. To enable them, do the following:

  • Back up httpd.conf (/etc/httpd/conf/)
  • If not already enabled, enable mod_rewrite by changing

#LoadModule rewrite_module modules/mod_rewrite.so
to
LoadModule rewrite_module modules/mod_rewrite.so

  • We also need to change the AllowOverride directive from

<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Satisfy all
</Directory>
to

<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
Satisfy all
</Directory>

  • There might be more than one AllowOverride directive within httpd.conf. Make sure to change all of them.
  • Save httpd.conf
  • Then create .htaccess files under the various www folders (/var/www/html):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Web Access Control"
AuthType Basic

<Limit GET>
order deny,allow
deny from all
allow from 192.168
allow from aa.bb.cc.dd.ee
</Limit>

  • Test the configuration and restart Apache

/etc/rc.d/init.d/httpd configtest

/etc/rc.d/init.d/httpd restart