Discussion re: AMI bindaddr default setting


(Lorne Gaetz) #1

https://issues.freepbx.org/browse/FREEPBX-22019

Currently, for all supported versions of FreePBX, the AMI bindaddr is set to 0.0.0.0 by default. For security, I think starting in 16, bindaddr should be set to 127.0.0.1 by default and users will have to change it manually if they need remote access to the service.

The file manager.conf can be safely edited, so there is no problem with actually forcing the FreePBX admin to make the change for the cases where it might be needed. If there is a problem here, it will be from any internet resources describing how to set up remote AMI connections to FreePBX; they will not include any steps to enable AMI for remote connections. I propose to mitigate this by displaying a notification at the top of the “Asterisk Manager Users” page indicating the current settings for bind address and bind port.

I should stress that there is no major security concern here with existing settings, as the FreePBX admin user is created with ACL locked to localhost. The above setting falls into the area of good practice, and would erect another barrier should a malicious user manage to breach the PBX firewall AND breach admin login authentication.

Any contrary-minded opinions here?


#2

+1

One could probably expand the allowed network to the LAN for a somewhat common scenario where there might be other AMI clients not on the PBX itself and the PBX is hardware/virtual within the LAN.

manager show users
manager show connections
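As an added example (not code from this thread or from FreePBX), a small Python audit of manager.conf that reports the two settings discussed above: a bindaddr that is not loopback, the current default described in #1, and per-user permit entries that reach beyond localhost, such as the LAN-wide ACL #2 mentions. The sample manager.conf, its user names and its addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of a FreePBX-generated manager.conf (not the project's file).
SAMPLE_CONF = """\
[general]
bindaddr = 0.0.0.0   ; current default discussed in the thread
[admin]
secret = REPLACE_ME
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.0
[lanclient]
secret = REPLACE_ME
deny = 0.0.0.0/0.0.0.0
permit = 192.168.10.0/255.255.255.0   ; LAN-wide ACL of the kind #2 describes
"""
# Proposed default: the same file with the listener bound to loopback only.
HARDENED_CONF = SAMPLE_CONF.replace("bindaddr = 0.0.0.0", "bindaddr = 127.0.0.1")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_manager_conf(text):
    """Minimal parser for Asterisk's INI-style syntax: [sections], 'key = value' or 'key => value', ';' comments, repeated keys."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=>") if "=>" in line else line.partition("=")
        if current is not None and sep:               # keep duplicates: deny/permit may recur
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Flag a non-loopback bindaddr and any user whose permit reaches beyond 127.0.0.0/8."""
    conf = parse_manager_conf(text)
    findings = []
    bindaddr = dict(conf.get("general", [])).get("bindaddr", "0.0.0.0")  # Asterisk's default when unset
    if ipaddress.ip_address(bindaddr) not in LOOPBACK:
        findings.append(f"general: bindaddr={bindaddr} listens on non-loopback interface")
    for user, entries in conf.items():
        for key, value in entries:
            if user != "general" and key == "permit":
                net = ipaddress.ip_network(value, strict=False)   # accepts the dotted-netmask form
                if not net.subnet_of(LOOPBACK):
                    findings.append(f"{user}: permit={value} allows AMI logins from beyond localhost")
    return findings
```

The check treats any permit outside 127.0.0.0/8 as a finding and does not evaluate Asterisk's ordered deny/permit matching, so a LAN-scoped user is reported for review rather than judged wrong.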