Error: Tried to authenticate with nonexistent user 'root'


#1

I’ve seeing the following error non-stop in asterisk -rvvvvv

[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'

Google search points to incorrect manager.conf settings but in my case, it looks fine.

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = xxxxxxx
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

What should I be looking at to fix the issue?


#2

If you can, change the bindaddr to 127.0.0.1

or add

[root]
deny=0.0.0.0/0.0.0.0

to /etc/asterisk/manager_custom.conf and reload. but that way maybe someone not root will then try.

Adding

^%(__prefix_line)s%(log_prefix)s .*:  <HOST>  failed to authenticate as '[^']*'$

to your fail2ban might be useful.


#3

@dicko in which file do I add this?

drwxr-xr-x 2 root root 4096 Jul 28 18:44 action.d
-rw-r--r-- 1 root root 1525 Aug 19  2014 fail2ban.conf
drwxr-xr-x 2 root root 4096 Aug  5  2018 fail2ban.d
-rw-r--r-- 1 root root  172 Aug  5  2018 fail2ban.local
drwxr-xr-x 2 root root 4096 Jul 28 18:44 filter.d
-rw-r--r-- 1 root root 2296 Aug  7 21:31 jail.conf
drwxr-xr-x 2 root root 4096 Aug  5  2018 jail.d
-rw-r--r-- 1 root root 2118 Aug  9 18:09 jail.local

or is there an option in FreePBX?

Thanks


#4

The regexes are in the filters which are in /etc/fail2ban/filters.d/ but if you have to ask this question, be VERY careful of what you are doing , because of . . . . and . . .

No option that I know of in FreePBX.


#5

hmm… good point. I think I will wait & watch. If I see more such attacks, then I will cautiously try with the regex.

Thanks.


(system) closed #6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.