Fail2ban questions

Thank you, Dave, for sharing your input.

I downloaded the FreePBX 14 ISO and installed it on a VM, and I can confirm that the passwords for the cxpanel and firewall users are NOT secret. They were the same for both my production and VM FreePBX servers.

I agree that the risk of unauthorized access to FreePBX from the LAN is low, but better safe than sorry. We know that such incidents have happened in the past and can happen in the future. In the Fortigate exploit example, hackers were able to access the LAN network, and from there they were able to crack the provisioning services. By having the same Asterisk Manager Interface users and passwords across all FreePBX servers, hackers do not have to guess or crack any password, and the step-by-step procedure for making SIP calls using AMI is outlined publicly: https://www.hackingarticles.in/penetration-testing-on-voip-asterisk-server-part-2/

  • My plan is to change the passwords for AMI users admin, cxpanel and firewall to make them stronger.
  • Also, I would appreciate it if someone could tell me whether the current FreePBX fail2ban regexes are able to recognize failed AMI login / call attempts.

Appreciate anyone’s thoughts.
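
Added example, not part of the original post and not FreePBX or Asterisk code: a small audit that reads `manager.conf`-style text from several servers and reports AMI users whose secret is identical across installs (the situation described above for cxpanel and firewall) or shorter than a chosen minimum. The function names, the 16-character threshold, and the sample configs with their placeholder secrets are assumptions constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]")

def parse_ami_users(text):
    """Return {user: secret} from manager.conf-style text; [general] is not a user."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):  # comments, #include lines
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and current not in (None, "general") and key.strip() == "secret":
            users[current] = value.strip()  # inline ';' comments are not handled
    return users

def audit(configs, min_len=16):
    """configs: {server: manager.conf text} -> sorted [(user, finding)]; never echoes secrets."""
    findings, first_seen = set(), {}
    for server, text in configs.items():
        for user, secret in parse_ami_users(text).items():
            if len(secret) < min_len:  # min_len is an assumed policy value
                findings.add((user, f"secret shorter than {min_len} chars on {server}"))
            first = first_seen.setdefault((user, secret), server)
            if first != server:
                findings.add((user, f"same secret on {first} and {server}"))
    return sorted(findings)

# Constructed sample configs (placeholder secrets, not real FreePBX values).
TEMPLATE = """[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1

[admin]
secret = {admin}
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.0

[cxpanel]
secret = shared-demo

[firewall]
secret = shared-demo-firewall-placeholder
"""
CONFIGS = {
    "prod": TEMPLATE.format(admin="prod-only-placeholder-secret"),
    "vm": TEMPLATE.format(admin="vm-only-placeholder-secret"),
}

if __name__ == "__main__":
    for user, finding in audit(CONFIGS):
        print(f"{user}: {finding}")
```

Running the same audit after rotating the secrets on each server should return no "same secret" findings for any user.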