MySQL *root* password

Hi

We want to tighten up the security on some of our freepbx boxes and I want to change the MySQL root password, which is currently blank.

If we change it do we have to update any conf files? I can see /etc/freepbx.conf has entries for a ‘freepbxuser’ account but doesn’t appear to refer to the mysql root account.

Olly

For the heck of it just type

cat /etc/asterisk/*.conf | grep root

If something pops up, it probably does use root somewhere…

Also, you might want to check out /etc/amportal.conf and/or /etc/freepbx.conf

Cheers!
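
A narrower version of the grep suggested above, as an added example that is not part of the original thread: it reports only non-comment lines that set a database user key to root, which are the places that would need the new password. The key-name pattern and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.
# Assumption: DB account keys contain "user" (user, dbuser, AMPDBUSER).

# Print file:line:text for every non-comment line that sets such a key
# to root (optionally quoted). Returns non-zero when nothing matches.
find_root_db_refs() {
    grep -HniE "user[^=]*=>?[[:space:]]*[\"']?root[\"']?[[:space:]]*;?[[:space:]]*\$" "$@" |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*([;#]|//)'
}

# Write constructed sample configs into directory $1.
make_samples() {
    cat > "$1/freepbx.conf" <<'EOF'
<?php
$amp_conf['AMPDBUSER'] = 'freepbxuser';
$amp_conf['AMPDBPASS'] = 'constructed-secret';
EOF
    cat > "$1/cdr_mysql.conf" <<'EOF'
[global]
hostname=localhost
dbname=asteriskcdrdb
;user=root
user = root
password=
EOF
}

# Demo on the constructed files: only cdr_mysql.conf line 5 is reported.
tmp=$(mktemp -d)
make_samples "$tmp"
find_root_db_refs "$tmp"/*.conf || echo "no config sets a DB user to root"
rm -rf "$tmp"
```

On a real box, pass the files named in this thread, for example `find_root_db_refs /etc/asterisk/*.conf /etc/amportal.conf /etc/freepbx.conf`.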

Changing the mysql password isn’t recommended and it won’t do anything to help with security and this is why:

  1. The default mysql server setup in the FreePBX distro is bound to localhost. No outsiders can login to it.

  2. Someone can access MySQL locally but they have to have ssh access to begin with and if they are that far you are already hosed.

So don’t deal with the headache. Just leave the password as is.

Really? A blank mysql password is not a security issue? Dude, for real?

Nothing should be assumed, and ssh is often not the only access to root@localhost on mysql. Bad implementations of webmin and phpmyadmin, i.e. the default ones (and many can’t help themselves from installing them that way anyway), also allow such access.

I hope we all know to set up and use public key ssh access and turn off ssh password logins, build a strong firewall and IDS suite.

Many argue that http should be denied to everyone simply because there are probably unknown weaknesses hidden in your Document Root, but that also complicates any “user portals” in there.

Adding a password to the root@localhost mysql account is just being a wise virgin. For ease add it after everything else mysql wise is working.

JM2CWAE

And it’s other access routes that I was really worried about.

In this world of security awareness I’d love to see the next release include things like public key ssh access, https access by default locked to a given IP, that kinda stuff. IDS included would be nice.

Olly