Securing it

Love the new look, feel and functionality.

but… FreePBX Notices under system status are telling me

Default SQL Password Used

and Default Asterisk Manager Password Used.

both of these give additional information, but that doesn’t specify what the account is, where to change it, and what needs to be changed along with it, to ensure than nothing breaks.

I seem to recall heading down this path with a previous verion , and ended up breaking things, and reverting to a known good state…

Is there a simple (yet adequately detailed) explanation of what these entail.

OK there are two things here
You change the password in the amportal and manager.conf

nano /etc/amportal.conf

Change the amp111 and amp109

AMPDBPASS: the password for AMPDBUSER

AMPDBPASS=amp109

AMPMGRPASS: the password for AMPMGRUSER

AMPMGRPASS=amp111

nano etc/asterisk/manager.conf

[admin]
secret = amp111
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user

For MYSQL

Use which method you like to change the asteriskuser password

Using Webmin you would go into servers MySQL Database Server >>>>>>>>>>>>User Permissions >>>>>>>>>>asteriskuser
click in the check Set to…>>>>>>>>>>set password save it now go do a amportal restart

Bubba

Hi bubba

I’m using debian with asterisk and freepbx and i have the same old problem. The admin password to chage form default. I followed your instrutions and they work well, changin the admin user in asterisk and the amp passowrd. BUT when i connect to freepbx and click setup and it prompt me with the login screen…it stills works with user admin and passoword admin. So my question is where i can change this password? In trixbox there is passwd-maint that makes the job but not in freepbx. Where i have to change it? Apache? Some other freepbx file?

thanks
smaikol

ok googling and searching the forum i finally fixed the thing!

Someone should probably make a module to allow you to update these from within the interface. It is something of a pain…

That said, here’s how to do it:

1. Manager password

You need to update the manager (service) and freepbx (client).

[list=1]
[] edit /etc/asterisk/manager.conf and change the password in the [admin] section (bubba illustrates this pretty well in his post)
[
] edit /etc/amportal.conf and change the password for AMPMGRPASS (again, bubba did a nice job on this one)
[/list]

2. MySQL password

This is probably the one people screw up (I did). You have to not only change the password for the database (service), but for ALL clients to the database, this is freepbx and asterisk (asterisk and asterisk_cdr).

[list=1]
[] run mysqladmin -u asteriskuser -p password <newpassword> from the shell (where <newpassword> is replaced with the actual new password - mysqladmin will prompt for the old password). This changes the DB service.
[
] edit /etc/amportal.conf and change AMPDBPASS to the new password (replace amp109 with the new password). This changes the amp mysql client.
[] edit /etc/asterisk/res_mysql.conf and change the password = line (again, replace amp109 with your new password). This changes the asterisk mysql client
[
] edit /etc/asterisk/cdr_mysql.conf and change the password= line (again, replace amp109 with your new password). This changes the asterisk CDR mysql client
[/list]

3. The web interface password (user “maint”)

This is the password used for logging in to the freepbx interface from a web browser as user ‘maint’. There is no warning about this being set to the default, but you should change it too while you are at it.

[list=1]
[*] run passwd-maint from the shell
[/list]

4. The web interface password (user “wwwadmin”)

This is the password used for logging in to the freepbx interface from a web browser as user ‘wwadmin’. There is no warning about this being set to the default, but you should change it too while you are at it.

[list=1]
[*] run passwd-amp from the shell
[/list]

I haven’t explored this, but from what I’ve read the user “maint” is for freepbx and the other web tools, whereas “wwwadmin” is for freepbx only.

There’s one more thing that NEEDS to be done, since FreePBX doesn’t yet let you change passwords with a GUI

Got to go into /etc/asterisk/extensions_additional.conf and change the AMPMGRPASS= line there also.
Ignore the warning at the top of the file that says not to edit this file directly - you really don’t have a choice if you’re serious about changing passwords.

Until I did this last step, I was able to call out of my phone system, but internal calling did not work - ext-2-ext calling just waited silently without response.
Now it’s all good.

R

in more recent versions you have to change the password twice in /etc/amportal.conf second entry is near the bottom of the file. I found this thanks to the quote bellow.

On January 9th, 2008 xenomuta (tadpole) said:

Dude, double check /etc/amportal.conf, because the AMPDBPASS is specified twice in the file… search for amp109 in /etc/amportal.conf and you’ll see what I mean, cheers…

But it should not be under normal circumstances. it happens most often when a update does not go as planned. you can safely remove one (preferably the one you didn’t edit yet).

The first time it shows up, it is commented out by default. It is just part of the example stuff. The one at the end of the file is the active one.

Actually, on the next reload that file will be regenerated and the password will be corrected.

I probably should have mentioned that a reload should occur after changing the passwords.

  • Darrin

It will show you how to solve most of the install bugs and authentication issues with AsteriskNow 1.5 : http://techsk.blogspot.com/2009/04/asterisknow-15-installation-and.html

I followed this little guide to try and secure my PBX, and this is the error that I have gotten.

Any suggestions, as I work my way and try to undo what you’ve suggested?

Thanks

FATAL ERROR
DB Error: connect failed

Same thing happened to me…

FATAL ERROR
DB Error: connect failed

I am curious if this is a required change or not. The reason I ask is because our Asterisk box is inside our firewall and the AMI port 5038 is not forwarded. This prevents anyone from accessing the PBX unless they are on this side of the firewall.

If I am missing something then please let me know.