hi
I’m using FreePBX16.
I run fwconsole -l session in the CLI and see a lot of sessions.
I don’t know whose sessions these are… to interrupt them I run fwconsole session -l. The sessions disappear, but appear again a minute later. After 5 minutes there are a huge number of them.
How are these sessions identified? Who generates them?
Those are PHP session IDs. Something is accessing your FreePBX web interface. You might want to check your external firewall and limit/block access to the HTTP/S port(s). Here is some related documentation.
How can I find out what IP addresses these requests are coming from?
Maybe check httpd access logs?
/var/log/httpd/access_log
Thanks for the tip.
The appearance of these new session IDs:
[root@pbx]# fwconsole session -l
6mg202s6h518avkdcimclfol2g
930g3i4pm4gv41o4ugblihgu9r
giprfcnsltc9sfqq99c6a58a8f
pcjdttlqdtaiiul985bdovdjra
Coincides exactly in time with the appearance of these log entries:
127.0.0.1 - - [04/Sep/2024:09:13:57 +0500] “POST /admin/ajax.php HTTP/1.1” 200 4 “http://127.0.0.1” “asterisk-libcurl-agent/1.0”
127.0.0.1 - - [04/Sep/2024:09:14:15 +0500] “POST /admin/ajax.php HTTP/1.1” 200 4 “http://127.0.0.1” “asterisk-libcurl-agent/1.0”
127.0.0.1 - - [04/Sep/2024:09:14:30 +0500] “POST /admin/ajax.php HTTP/1.1” 200 4 “http://127.0.0.1” “asterisk-libcurl-agent/1.0”
127.0.0.1 - - [04/Sep/2024:09:15:06 +0500] “POST /admin/ajax.php HTTP/1.1” 200 4 “http://127.0.0.1” “asterisk-libcurl-agent/1.0”
I tracked it like this: tail -f /var/log/httpd/access_log
All tabs in the browser of this PBX were closed for me.
Is this normal?
what are these sessions created for?
It looks like these are normal. I have a bunch of these on my instances as well. Can’t really give you the technical explanation of what they are as I am not super familiar with what’s setup for asterisk to connect to the web front end but these seem to be a normal part of FreePBX.
If you reset all sessions (fwconsole session -k), will they also start appearing after some time?
Yes they would.
Thank you.
I will be calm about these strange sessions.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.