Error: Tried to authenticate with nonexistent user 'root'

I’m seeing the following error non-stop in asterisk -rvvvvv

[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'

Google search points to incorrect manager.conf settings but in my case, it looks fine.

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = xxxxxxx
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

What should I be looking at to fix the issue?

If you can, change the bindaddr to 127.0.0.1

or add

[root]
deny=0.0.0.0/0.0.0.0

to /etc/asterisk/manager_custom.conf and reload. But that way maybe someone not root will then try.

Adding

^%(__prefix_line)s%(log_prefix)s .*: <HOST> failed to authenticate as '[^']*'$

to your fail2ban might be useful.
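
How a failure pattern like the one suggested above behaves on the log lines from the question, as an added example that is not part of the original posts. The regex is a plain-Python stand-in for the fail2ban interpolations, and the maxretry/findtime values and the 192.0.2.10 log line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Six log lines copied from the question, plus one constructed line
# (192.0.2.10, a documentation address) for a source below the threshold.
SAMPLE_LOG = """\
[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:51] NOTICE[27619]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:52] NOTICE[27638]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3515 authenticate: 52.255.203.221 tried to authenticate with nonexistent user 'root'
[2020-08-08 07:11:54] NOTICE[27639]: manager.c:3552 authenticate: 52.255.203.221 failed to authenticate as 'root'
[2020-08-08 07:12:03] NOTICE[27650]: manager.c:3552 authenticate: 192.0.2.10 failed to authenticate as 'admin'
"""

# Stand-in for the failregex: timestamp, level[pid], manager.c:<line>,
# then the host and the "failed to authenticate" text. The "tried to
# authenticate" lines are deliberately not matched, so each attempt counts once.
AMI_FAIL = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?:NOTICE|SECURITY|WARNING)\[\d+\]: manager\.c:\d+ authenticate: "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) failed to authenticate as '[^']*'$"
)

def ami_failures(log_text):
    """Yield (timestamp, host) for every AMI authentication failure line."""
    for line in log_text.splitlines():
        m = AMI_FAIL.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"]

def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry failures inside a findtime window."""
    seen = defaultdict(list)
    banned = set()
    for ts, host in ami_failures(log_text):
        # Keep only earlier failures that are still inside the sliding window.
        seen[host] = [t for t in seen[host] if ts - t <= findtime] + [ts]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return sorted(banned)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```
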

@dicko in which file do I add this?

drwxr-xr-x 2 root root 4096 Jul 28 18:44 action.d
-rw-r--r-- 1 root root 1525 Aug 19  2014 fail2ban.conf
drwxr-xr-x 2 root root 4096 Aug  5  2018 fail2ban.d
-rw-r--r-- 1 root root  172 Aug  5  2018 fail2ban.local
drwxr-xr-x 2 root root 4096 Jul 28 18:44 filter.d
-rw-r--r-- 1 root root 2296 Aug  7 21:31 jail.conf
drwxr-xr-x 2 root root 4096 Aug  5  2018 jail.d
-rw-r--r-- 1 root root 2118 Aug  9 18:09 jail.local

or is there an option in FreePBX?

Thanks

The regexes are in the filters which are in /etc/fail2ban/filters.d/ but if you have to ask this question, be VERY careful of what you are doing, because of . . . . and . . .

No option that I know of in FreePBX.

hmm… good point. I think I will wait & watch. If I see more such attacks, then I will cautiously try with the regex.

Thanks.
