New Sangoma User on New FPBX Systems

Good morning!
I was building a new system from our template today and saw a new user called “Sangoma” under Admin → Administrators. This was not showing on any existing systems or our template system so I am wondering, is this normal? I am seeing this on a couple of other new systems I was working on today as well.

Thanks!

What version of fpbx? This administrator is not created by default by FreePBX, unless that was the name chosen as part of the initial setup that walks thru system setup and administrator creation after install.

You can see if this account has recently been used to login by looking for occurrences of the following in freepbx_security.log or its rotated cousins:

[2023-03-16 18:07:33] [freepbx_security.NOTICE]: Authentication successful for <<username>> from <<source_ip_of_login>>

Hi Lorne,
These systems are running 16.0.26 and haven’t been updated yet. I’ll take a look at that log and get back to you in a few minutes.

Thanks!

Hi Lorne,
This is what I am seeing. Lots of “Unexpected Activity” via RestApps and a couple of authentication failures. Nothing about that user.

[2023-03-15 17:10:57] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 17:11:08] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 17:11:19] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 17:11:29] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 17:11:40] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 17:11:51] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 72.251.235.155 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-15 22:35:00] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 198.235.24.143 [] []
[2023-03-16 01:11:42] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 198.199.109.53 [] []
[2023-03-16 02:11:18] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 172.105.139.231 [] []
[2023-03-16 06:06:26] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 74.82.47.2 [] []
[2023-03-16 06:06:47] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 74.82.47.2 [] []
[2023-03-16 06:06:50] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 74.82.47.2 [] []
[2023-03-16 14:29:38] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-16 14:29:38] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-16 14:29:38] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []
[2023-03-16 14:29:38] [freepbx_security.NOTICE]: Authentication failure for admin from 72.251.235.155 [] []

Any suggestions as to what the “Unexpected activity” is? I also see this on another new system as well.

Thanks!
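Lorne's suggested check and the log excerpt above, as an added example (this is not code from the thread or from FreePBX): a small Python parser for the freepbx_security.log line shape quoted here. It lists successful logins for a given administrator name, counts authentication failures and Restapps warnings per source host, and flags any successful login that came from a host that also produced failures or probes. The sample lines are constructed with documentation IPs rather than copied from the thread.

```python
import re
from collections import Counter

# Line shape of freepbx_security.log as quoted in the thread; the trailing " [] []" is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[freepbx_security\.(?P<level>\w+)\]: (?P<msg>.*?)(?: \[\] \[\])?$")
AUTH_RE = re.compile(r"^Authentication (?P<result>successful|failure) for (?P<user>\S+) from (?P<ip>\S+)$")
RESTAPPS_RE = re.compile(r"^\[Restapps\] WARNING!+ Unexpected activity has been detected from: (?P<ip>\S+)$")

# Constructed sample using documentation IPs; not copied from the thread.
SAMPLE_LOG = """\
[2023-03-15 17:10:57] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 192.0.2.10 [] []
[2023-03-15 17:11:08] [freepbx_security.NOTICE]: [Restapps] WARNING!!!! Unexpected activity has been detected from: 192.0.2.10 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10 [] []
[2023-03-15 19:08:56] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10 [] []
[2023-03-16 18:07:33] [freepbx_security.NOTICE]: Authentication successful for Sangoma from 192.0.2.10 [] []
[2023-03-16 18:09:01] [freepbx_security.NOTICE]: Authentication successful for admin from 198.51.100.7 [] []
""".splitlines()

def parse_line(line):
    """Return (timestamp, kind, user, ip) for a log line, or None if it is not a freepbx_security line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    a = AUTH_RE.match(msg)
    if a:
        kind = "auth_ok" if a.group("result") == "successful" else "auth_fail"
        return (m.group("ts"), kind, a.group("user"), a.group("ip"))
    r = RESTAPPS_RE.match(msg)
    if r:
        return (m.group("ts"), "restapps_probe", None, r.group("ip"))
    return (m.group("ts"), "other", None, None)

def events(lines):
    return [ev for ev in map(parse_line, lines) if ev and ev[1] != "other"]

def successful_logins(lines, username):
    """The check from the thread: every successful GUI login for one administrator name."""
    return [(ts, ip) for ts, kind, user, ip in events(lines) if kind == "auth_ok" and user == username]

def summarize(lines):
    """Count events per (kind, user, source IP) so that probing hosts stand out."""
    return Counter((kind, user, ip) for _, kind, user, ip in events(lines))

def suspicious_successes(lines):
    """Successful logins from a source IP that also produced auth failures or Restapps probes."""
    bad_ips = {ip for _, kind, _, ip in events(lines) if kind in ("auth_fail", "restapps_probe")}
    return [(ts, user, ip) for ts, kind, user, ip in events(lines) if kind == "auth_ok" and ip in bad_ips]
```

Run it over the real file and its rotated copies (for example `open("/var/log/asterisk/freepbx_security.log")` on a default install) to answer the question in the thread: `successful_logins(lines, "Sangoma")` is empty when that account has never logged in.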

You are being ‘probed’ and perhaps penetrated by various attacking hosts on several cloud hosters. What prophylactic measures have you taken?

Typically our process is to clone our template and create a new system with new licensing. I think where the issue lies is A, us not using the new system right away and B, not having the firewall enabled on our template system. Just wanted to verify that this user wasn’t something created by Sangoma by an update. From the looks of it, it appears not.

Just a quick update. I found this user on another system that has been around for quite a while. This system is running on version 15. Firewall is turned on, has been for quite a while, and access is restricted from anything but whitelisted IPs. This is also showing the same “Unexpected Activity” as the previous systems but from a different IP address. RestApps port is unrestricted to avoid any issues on this system.
