I found a chilling article by chance, and the consequences are extremely bad!
It seems security was not high on the agenda when FreePBX was initially developed: the developers built some default accounts and backdoors into the system for easy access. Whilst I think this is a terrible idea, it doesn’t seem like the project has ever cleansed itself of all of these developer-friendly holes (which have since turned into security issues). The article on Nerd Vittles gives a full account of the issue and the username:password pairs that were used during development. They are as follows:
admin:admin
admin:password
admin:passworm
maint:admin
maint:maint
maint:password
maint:passworm
wwwadmin:password
wwwadmin:wwwadmin
wwwadmin:admin
asteriskuser:eLaStIx.asteriskuser.2oo7
The above format is username:password. To test them, just go to the administration page of FreePBX at http://[server]/admin, e.g. http://www.dannytsang.co.uk/admin
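Before changing anything, it helps to know which of your own configured accounts still match the list above. The script below is an added example (not from this post, Nerd Vittles or the FreePBX project) that audits a locally exported account list offline, with no login attempts against a server: it parses username:password lines in the same format as the list, flags any exact default/backdoor pair, any account that reuses one of the default passwords, any password equal to its username, and any password shorter than an assumed local minimum. The sample account list and the 12-character minimum are constructed for illustration, not FreePBX settings.

```python
"""Offline audit of FreePBX-style accounts against the default/backdoor
credentials listed in the post. Added example, not code from the post or
from the FreePBX project; the sample account list is constructed."""

# The default username:password pairs reported in the post.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "passworm"),
    ("maint", "admin"),
    ("maint", "maint"),
    ("maint", "password"),
    ("maint", "passworm"),
    ("wwwadmin", "password"),
    ("wwwadmin", "wwwadmin"),
    ("wwwadmin", "admin"),
    ("asteriskuser", "eLaStIx.asteriskuser.2oo7"),
}
DEFAULT_PASSWORDS = {password for _, password in DEFAULT_CREDENTIALS}

# Assumed local policy for this example, not a FreePBX setting.
MIN_PASSWORD_LENGTH = 12


def parse_credential_lines(text):
    """Parse 'username:password' lines (the format used in the post).

    Blank lines and '#' comments are skipped. Only the first ':' separates
    the fields, so a password may itself contain ':'.
    """
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line, expected username:password: {line!r}")
        username, password = line.split(":", 1)
        accounts.append((username.strip(), password))
    return accounts


def audit_account(username, password):
    """Return the list of reasons an account is risky; an empty list means no finding."""
    reasons = []
    if (username, password) in DEFAULT_CREDENTIALS:
        reasons.append("exact default/backdoor credential")
    elif password in DEFAULT_PASSWORDS:
        reasons.append("password is a known default password")
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return reasons


def audit_accounts(accounts):
    """Map each flagged username to its list of reasons; clean accounts are omitted."""
    findings = {}
    for username, password in accounts:
        reasons = audit_account(username, password)
        if reasons:
            findings[username] = reasons
    return findings


def has_default_credentials(accounts):
    """True if any account is still an exact default/backdoor pair."""
    return any((u, p) in DEFAULT_CREDENTIALS for u, p in accounts)


# Constructed sample export, not real data.
SAMPLE_ACCOUNTS = """
# constructed sample
admin:admin
maint:Zq7!vR2#pLm9xT
wwwadmin:wwwadmin
asteriskuser:eLaStIx.asteriskuser.2oo7
danny:password
ops:short1
backup:B4ckup-R0tation-2024!
"""

if __name__ == "__main__":
    accounts = parse_credential_lines(SAMPLE_ACCOUNTS)
    for user, reasons in sorted(audit_accounts(accounts).items()):
        print(f"{user}: {'; '.join(reasons)}")
    if has_default_credentials(accounts):
        print("ACTION: default/backdoor credentials are still active")
```

Run it against an export of your own accounts (replacing the constructed sample) and change every flagged password, starting with the exact default pairs; an account whose name is on the default list is worth renaming as well, since the username half of each pair is public.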
I do not 100% agree with starting from scratch with a fresh install, because some people may have taken extra precautions (such as myself), so fixing the issue won’t be as bad as stated. There’s also a security primer on the same site which will help with securing FreePBX. The problem is that the article doesn’t specifically state how to fix it, except to change the default passwords. How? The post could also go through, or link to, how to back up the existing install so that it isn’t a 100% loss. I’m not complaining; this is more like constructive criticism, because I’m in that boat.
Some of the techniques to secure web servers and Ubuntu (if FreePBX is running on Ubuntu) will apply to FreePBX and I may post more articles to help secure FreePBX.
News: FreePBX/Asterisk Security Flaw
FreePBX Backdoor Passwords Pose Asterisk Security Threat
Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security