Wrong password disables system

I am somewhat of a newbie to FreePBX and I have a problem with the system disconnecting me and not allowing any connections (http, ssh, etc.) after I enter an incorrect password in the GUI. I installed TeleYapper and PHPAdmin modules and I can’t log in to either module successfully. If I attempt to log in to either one, my session is disconnected and I am unable to log back in to the system without a restart.

I’ve set up extensions and a trunk and have made a few calls, so the system is working well so far, but I need someone to help point me in the right direction to resolve this nagging problem.

Thanks.

Yeah, I did that too.

There are several places where information is protected by names and passwords. The security of your system is up to you. If your system is open to the Internet and your security is set too low, someone could use your system to make long distance calls at your expense.
Be aware that there is a major security hole in FreePBX. Using FreePBX admin security alone will not protect your system from a web attack and may compromise root access to your entire server. For this reason, we recommend that you log in as root and immediately run passwd-master. This establishes Apache .htaccess security on your FreePBX web interface. After running this conversion utility, you can only log into the FreePBX admin interface with the username maint and the password which you establish when you run the utility.

Here’s my advice. Log in as root and, to change the main passwords, run passwd-master from the command line.

This does the following:

  1. Changes FreePBX to authtype = none in amportal.conf.
  2. Sets up .htaccess on the admin directory which contains FreePBX.
  3. Sets the wwwadmin and MeetMe passwords to the same one as maint.

After running the command, to access all areas including FreePBX, the username is maint with the password of whatever you set during the passwd-master script. Maint gets you to admin (FreePBX) maint, FOP, MeetMe.
Other passwords can be set in your system similarly; see below.

PASSWORD - LINUX
If you plug a monitor and keyboard into the PBX and power it up, at the “login as” prompt, the username is root. The default password is 123456. To reset the root password, use the command line passwd.

PASSWORD - THE PBX IN A FLASH BROWSER
When you put the IP Address of the PBX in your browser it brings up the PBX in a Flash Dynamic UI: Menus - users menu with three icons: Voicemail & Recordings, Flash Operator Panel, and MeetMe Conference. The default password is passw0rd.

User Passwords

PASSWORD - VOICEMAIL AND RECORDING
When you click on it, it says: “Use your Voicemail Mailbox and Password…” This is the same password used for the phone.
If you want to access your voicemail through the web client FreePBX, your extension must have voicemail enabled and a password entered. Your username is your extension ID (ex. 1001) and your initial password is the voicemail password configured in the extension. Unless you need more security on your voicemail, configure these passwords to be the same as the two extensions that are set up.
Click on the Main Menu icon in the upper right to get back to the PBX in a Flash - Dynamic UI: Menus - users menu.

PASSWORD - Flash Operator Panel
It is recommended to change the FOP password to something easy and simple to remember. The simple method is by logging in to your Asterisk box either remotely using PuTTY or directly on your box console.
In this example, Putty is used to log in remotely to PIAF. Once logged in, change the directory to /var/www/html/panel
cd /var/www/html/panel
Using nano as the editor, open the configuration file op_server.cfg
nano op_server.cfg
Go to the line that says security_code=passw0rd
(In FOP that comes with PIAF, the default password is “passw0rd”)
Replace the “passw0rd” with the password of your choice.
Close off nano and putty. Open your web browser and go to FOP. You should be able to click on the little lock, put in your password and you will see it lock up.

From the Main Menu, you can click on the Flash Operator Panel icon. When you are in the PiaF Flash Operator Panel there is a lock icon: Open Security Code Input Box. When you click on it, it says “Please enter the Security Code”. The default password is passw0rd. All this does is let you click on the down arrow next to the extension and bring up a box that shows Call and Queue.
passwd-wwwadmin… for users needing FOP and MeetMe access

PASSWORD – MeetMe Conference
MeetMe Conference - Web MeetMe Control comes up without a password.
passwd-meetme… for users needing only MeetMe access.

PASSWORD - FREEPBX – RECORDINGS
When you click on Recordings… It brings up a Login screen asking for Login and password. It says: Use your Voicemail Mailbox and Password. This is the same password used for the phone, for example extension 204 has the password set to 204.

Admin Function Passwords

In the lower left of the Main Menu there is an Admin toggle. Click on it and it changes to Users and brings up a password. The default is 123456. If you have already logged in, it goes directly to the Dynamic UI: Menus - admin menu with six icons: the three from users (Voicemail & Recordings, Flash Operator Panel, and MeetMe Conference) and FreePBX Administration, Linux Webmin, and Menu Configuration. From there you can click on FreePBX Administration. It will bring up the login to the server. The User name is wwwadmin and the default password is passw0rd.
From there, if you click on Administrators: Username: admin, Password: admin.

PASSWORD - LINUX ADMIN FROM FREEPBX BROWSER
Any Linux Admin uses the same password, whether you log into PBX in a Flash and then click on Linux Admin or if you login using SSH and PuTTY. The username is root. The default password is 123456.
login as: root
[email protected]’s password: 123456

PASSWORD - SQL
The Default user = asteriskuser and password = amp109. If you do not change it, the FreePBX System Status will warn you: “Default SQL Password Used”.

PASSWORD – ASTERISK
This is also the password for Sys Info.

AMPMGRUSER: the user to access the Asterisk manager interface

AMPMGRUSER=admin

AMPMGRPASS: the password for AMPMGRUSER

AMPMGRPASS=amp111
The Default username is freepbx and the default password is fpbx. If you do not change it, the FreePBX System Status will warn you: “Default Asterisk Manager Password Used”.

PASSWORD - TOOLS - CONFIG EDIT
The default username is maint and password is 123456.
passwd-maint… This command sets FreePBX maint password. It covers Config Edit, phpMyAdmin, and Sys Info and everything covered by .htaccess in /var/www/html/maint.

PASSWORD – TOOLS – SYS INFO
See PASSWORD ASTERISK

PASSWORD – WEBMIN
Use the command line passwd-webmin for users needing Webmin access to your server.
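
A read-only check for three of the default values named in the post above (amp109, amp111, passw0rd), as an added example that is not part of the original thread or of PBX in a Flash. It assumes AMPDBPASS is the amportal.conf key holding the SQL password and that the last assignment of a key wins; the sample files are constructed.

```shell
#!/bin/sh
# Added example: report settings that still hold a default quoted in the thread.
# Read-only; prints key and file, never the secret itself.

# Print KEY's value from a KEY=value file. Commented lines are ignored and the
# last assignment wins (assumption about how the file is parsed).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# $1 = amportal.conf path, $2 = op_server.cfg path (no spaces in paths).
# Returns 0 when no listed default is found, 1 otherwise.
audit_defaults() {
    findings=0
    while read -r file key default; do
        if [ ! -r "$file" ]; then
            echo "SKIP    $key: cannot read $file"
            continue
        fi
        if [ "$(conf_value "$key" "$file")" = "$default" ]; then
            echo "DEFAULT $key in $file"
            findings=$((findings + 1))
        fi
    done <<EOF
$1 AMPDBPASS amp109
$1 AMPMGRPASS amp111
$2 security_code passw0rd
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample files: SQL and FOP defaults left in place, manager changed.
make_sample() {
    printf '%s\n' '# constructed sample' 'AMPDBUSER=asteriskuser' \
        'AMPDBPASS=amp109' 'AMPMGRUSER=admin' \
        'AMPMGRPASS=constructed-Value-1' > "$1/amportal.conf"
    printf '%s\n' 'security_code = passw0rd' > "$1/op_server.cfg"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_defaults "$demo/amportal.conf" "$demo/op_server.cfg" ||
    echo "Change the settings listed above."
rm -rf "$demo"
```

On a live system, pass the real path of amportal.conf and /var/www/html/panel/op_server.cfg instead of the sample files.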

Just to clarify:

There is NO major security hole in FreePBX. That is incorrect information.

However, there is a default password in FreePBX. And that default password is well known. If you put your PBX out on the Internet you will be hacked. The information given by Cliffster, if followed, will give you some protection.

The best solution is to put a firewall in between your PBX and the Internet and only allow SIP traffic through. Don’t forget to put in good secrets for your extensions.

I got that text from somewhere long ago. Any system is insecure until you put a good password in it.

Thanks for the clarification.

Cliffster

For the life of me, I cannot find the script or command named passwd-master. I am running Asterisk NOW 1.5 (CentOS 5.0). Any suggestions?

If find / -name passwd-master does not find it, then find and run these two commands:
update-fixes

update-scripts

and it will appear… or so I am told…

My understanding is that the scripts update-fixes, update-scripts and passwd-master are unique to PBX in a Flash - from my quick scan and agreement to the user license agreement.

Security by disabling the system. Got it.

Thanks for the help - I have changed all of the defaults.

How is securing your PBX from outside access disabling the system?

Please give me one example where a closed source PBX admin interface is exposed to the Internet.

Sorry for my English, I know it is not good.

I am running a PBX in a Flash system and I am having problems logging in via the web.

When it was working fine I could log in using the maint user as admin, but from now on I am only prompted to enter a password. I tried entering the maint user pwd but it does not work.

Any clue?

It seems that the change happened after an update. I did update-scripts and update-fixes but nothing has changed.

Thanks in advance,
Federico.-