how to change the default asteriskuser password

caldwell

Joined
Nov 8, 2010
Messages
22
Likes
0
Points
0
#1
A client needs an Elastix box secured. It seems that Elastix by default has a password for 'asteriskuser' which will allow login on the web interface (unembedded FreePBX, I believe). However, I can't find good documentation on how to change that password. There are lots of config files referencing either that user or that password, but I'm not sure if any/all of them need to be changed or if this is stored in a database somewhere totally separate.

Help?
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#2
I believe later versions of FreePBX have this patched; unfortunately, Elastix does not actually use FreePBX but their own forked up and old version. (dicko doesn't, so can't check that vulnerability; he posted a bug in the Elastix bug-tracker on this matter, but we as yet await a valid response.)

A workaround might be to go the old time-honored htaccess route and not allow asteriskuser until we get clarification by PaloSanto.

http://home.golden.net/htaccess.html

but a good point to bring up.
 

jgutierrez

Joined
Feb 28, 2008
Messages
5,737
Likes
0
Points
0
#3
What I would do is the following:

1. mysql -uroot -p (you will need to enter the root password)
2. use mysql;
3. set password for 'asteriskuser'@'localhost' = PASSWORD('my.New_PaSSword.20o0');
(you will need to put your new password instead of my.New_PaSSword.20o0)
4. quit
5. Edit /etc/amportal.conf
Set the password for AMPDBPASS (the same used on step #3)
6. Edit /etc/asterisk/cdr_mysql.conf
Set the password for asteriskuser used on step #3
7. cd /var/www/html/modules/
Execute:
grep -r "asteriskuser" *
8. Change the password for all files listed, use the same password for step #3
 

caldwell

#4
jgutierrez said:
What I would do is the following:

7. cd /var/www/html/modules/
Execute:
grep -r "asteriskuser" *
8. Change the password for all files listed, use the same password for step #3
I found several instances of 'asteriskuser,' but the files there do not contain the password referenced previously in amportal.conf. Have they changed this to dynamically use the password from other sources, or am I supposed to hard code the new password in these files somewhere?

Thanks for your help.
 

jgutierrez

#5
Paste the reference file and the line that has a different password
 

caldwell

#6
jgutierrez said:
Paste the reference file and the line that has a different password
This is unclear to me. Would you mind giving an example?
 

jgutierrez

#7
Paste the output of:

grep -r "asteriskuser" /etc/asterisk/*
 

caldwell

#8
jgutierrez said:
Paste the output of:

grep -r "asteriskuser" /etc/asterisk/*
/etc/asterisk/cbmysql.conf:password=eLaStIx.asteriskuser.2oo7
/etc/asterisk/cbmysql.conf:user=asteriskuser
/etc/asterisk/cdr_mysql.conf:;password = eLaStIx.asteriskuser.2oo7
/etc/asterisk/cdr_mysql.conf:user = asteriskuser
/etc/asterisk/extensions_additional.conf:AMPDBUSER = asteriskuser
/etc/asterisk/res_mysql.conf:dbuser = asteriskuser
/etc/asterisk/res_mysql.conf:dbpass = eLaStIx.asteriskuser.2oo7

and for /var/www/html/modules, it is:

cdrreport/index.php: $dsn = generarDSNSistema('asteriskuser', 'asteriskcdrdb');
control_panel/index.php: $arrConf['dsn_conn_database1'] = generarDSNSistema('asteriskuser', 'asterisk');
dashboard/libs/paloSantoSysInfo.class.php: $dsn = generarDSNSistema('asteriskuser', 'asterisk');
dashboard/libs/paloSantoDataApplets.class.php: $dsnAsteriskCDR = generarDSNSistema("asteriskuser","asteriskcdrdb");
monitoring/index.php: $arrConf['dsn_conn_database'] = generarDSNSistema('asteriskuser', 'asteriskcdrdb');
myex_config/index.php: $arrConf['dsn_conn_database'] = generarDSNSistema('asteriskuser', 'asterisk');
summary_by_extension/libs/paloSantoReportCall.class.php: $pDB_cdr = generarDSNSistema('asteriskuser', 'asteriskcdrdb');
 

jgutierrez

#9
I don't see any difficulty or big deal in changing the password for asterisk user. According to your output, the only files to change the password in will be:

/etc/asterisk/cbmysql.conf (password=eLaStIx.asteriskuser.2oo7)
/etc/asterisk/cdr_mysql.conf (password = eLaStIx.asteriskuser.2oo7)
/etc/asterisk/res_mysql.conf (dbpass = eLaStIx.asteriskuser.2oo7)
 

caldwell

#10
Ah. No problem changing the /etc/asterisk files. I thought I had to make changes to files in /var/www/html/modules also. And I couldn't find the password listed there anywhere.

Thanks for the help.

Somewhere along the way, Elastix needs to remove or disable this default user though. It's a security breach which shouldn't exist.
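
Added example, not part of the thread and not Elastix's own tooling: a post-rotation audit that lists config files still carrying the old asteriskuser password on an active line, skipping commented lines such as the `;password` entry in cdr_mysql.conf shown in post #8. The function names, the sample tree and the passwords in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit config files after rotating the asteriskuser DB password.

# Print every file under ROOT that still has the OLD password on an active
# (non-commented) line. Fixed-string matching (-F) matters: the password
# contains dots, which a regex would treat as "any character".
stale_files() {
    local root="$1" old="$2" f
    { grep -rlF -- "$old" "$root" 2>/dev/null || true; } | sort |
    while IFS= read -r f; do
        # Lines starting with ';' (Asterisk) or '#' (amportal.conf) are comments.
        if grep -F -- "$old" "$f" | grep -qv '^[[:space:]]*[;#]'; then
            printf '%s\n' "${f#"$root"/}"
        fi
    done
}

# Build a constructed sample tree mirroring the files named in the thread.
# $1 = old password, $2 = new password. Prints the tree's root directory.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/asterisk"
    # Already rotated:
    printf 'AMPDBUSER=asteriskuser\nAMPDBPASS=%s\n' "$2" > "$root/etc/amportal.conf"
    printf 'dbuser = asteriskuser\ndbpass = %s\n' "$2" > "$root/etc/asterisk/res_mysql.conf"
    # Forgotten during rotation (active line still holds the old value):
    printf 'user=asteriskuser\npassword=%s\n' "$1" > "$root/etc/asterisk/cbmysql.conf"
    # Old value present only in a comment, so not a live credential:
    printf 'user = asteriskuser\n;password = %s\n' "$1" > "$root/etc/asterisk/cdr_mysql.conf"
    printf '%s\n' "$root"
}

# Run the audit over the sample tree with constructed passwords.
audit_demo() {
    local old='OLD.default.pw' new='constructed-New-pw' root
    root=$(make_sample_tree "$old" "$new")
    stale_files "$root" "$old"
    rm -rf "$root"
}

audit_demo
```

On a real system the call would be `stale_files /etc 'old-password'`; an empty result means no active line still references the old value.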
 

jgutierrez

#11
