ALERT ARI Asking for Apache Authentication

Talkincat

Member
Joined
Mar 24, 2009
Messages
38
Reaction score
0
I installed FreePBX 2.7 on Monday and it would appear that it has somehow changed the authentication requirements for the ARI page. When I navigate to http://x.x.x.x/menu.php?id=recordings, I get a prompt for basic authentication. I can get in using the "maint" username and password, but I want my users to be able to get to this page to check their voicemail.

Can anyone help me get this page opened back up?

Thanks!
 

tm1000

Schmoozecom INC/FreePBX
Joined
Dec 1, 2009
Messages
1,360
Reaction score
78
Remove all .htaccess files in:

  • /var/www/html
  • /var/www/html/recordings
 

Talkincat

Member
Joined
Mar 24, 2009
Messages
38
Reaction score
0
There don't appear to be any .htaccess files in either of those locations.
 

Talkincat

Member
Joined
Mar 24, 2009
Messages
38
Reaction score
0
I only have a vague idea of how the .htaccess setup works, but I added a .htaccess file to /var/www/html/recordings and set the file contents to "Allow from all", but this didn't help. I then deleted that file, which also didn't help.

Any other ideas out there?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,219
Reaction score
5,244
ARI now is considered a SIP security threat because of the potential to create unintended spawns of dialplan activity. We will write something up about how to secure it for local users shortly on Nerd Vittles. Removing password protection is NOT the answer unless you have an unlimited phone budget.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

My belief is that you should only allow the ARI to be accessible to the outside world IF IT IS SECURE. PiaF has put Directory access security on this.

In standard form, your ARI access is only protected by a username which is your extension, usually 3 or 4 digits, and a number, which for most installs I've seen seems to be 4 digits.

There are methods of fraud once someone has access to the ARI, e.g. divert your phone somewhere else, or possibly use SIP injection to send calls to an expensive destination, or simply listen to your recordings or voicemails.

Also note that a failed login to the ARI does not write logs to the http error_log, so Fail2Ban is useless in this instance. The hacker can have as many goes as he likes and won't be blocked.

If you want to take the risk, and only if your system is not exposed to the outside world, then you can adjust /etc/pbx/httpdconf/pbx.conf to suit. But for the sake of a password that can be stored in the browser, its just not worth the risk.

Joe
 

Talkincat

Member
Joined
Mar 24, 2009
Messages
38
Reaction score
0
If you want to take the risk, and only if your system is not exposed to the outside world, then you can adjust /etc/pbx/httpdconf/pbx.conf to suit. But for the sake of a password that can be stored in the browser, its just not worth the risk.

Joe

My issue at this point is that I can't get access to this page using anything other than the maint username and password, which I won't be giving out to anyone to check their voicemail. I have been through this post and tried some of what was mentioned:
http://pbxinaflash.com/community/threads/add-separate-fop-password.6904/?t=6904
I now see an ari account in /usr/local/apache/passwd/wwwpasswd, but I can still only access the ARI page using the maint account.

To start with there was nothing in /etc/pbx/httpdconf/pbx.conf about the recordings folder, so I added the following:

#Password protect /var/www/html/recordings
<Directory /var/www/html/recordings>
    AuthType Basic
    AuthName "Restricted users Area"
    AuthUserFile /usr/local/apache/passwd/wwwpasswd
    Require user ari maint
</Directory>

I still can only get in with maint.

Can anyone tell me what I need to do to get in with the ari account or what I need to add to /etc/pbx/httpdconf/pbx.conf to open up that directory? No one is hitting this box on port 80 from the outside.

Thanks!
 

angoyr

Guru
Joined
Apr 1, 2008
Messages
171
Reaction score
0
Talkincat,

From your config above, it is likely that "ari" is not configured with a password in your AuthUserFile. You can go to that directory and create that user and a password with: "htpasswd wwwpasswd ari"
That should do it for you. Additionally, you may want to restrict access to your local network with something like:

Require user maint ari jim
<Limit GET POST>
    require valid-user
    order deny,allow
    Deny from All
    Allow from 192.168.1
</Limit>

I think something like that should work.

Your mileage may vary. Try this at your own risk.

Robin
 
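Putting Talkincat's Directory block and angoyr's LAN restriction together, here is one complete Apache 2.2 fragment (the httpd version CentOS 5 ships) for /etc/pbx/httpdconf/pbx.conf. This is an added example, not text from the thread and not PIAF or FreePBX code. It assumes the LAN is 192.168.1.0/24, that the two accounts are ari and maint, and the AuthUserFile path quoted in the posts above.

```apacheconf
# Password-protect the ARI directory and restrict it to the LAN (Apache 2.2 syntax).
# Added example; assumes LAN 192.168.1.0/24 and the htpasswd file named in the thread.
<Directory /var/www/html/recordings>
    AuthType Basic
    AuthName "Restricted users Area"
    AuthUserFile /usr/local/apache/passwd/wwwpasswd
    # Only these accounts may authenticate. The name must match an entry in
    # AuthUserFile exactly; usernames are case-sensitive.
    Require user ari maint

    # Host-based restriction. With "Order Deny,Allow" the Deny list is evaluated
    # first, then Allow; a request matching neither is allowed, so deny all
    # explicitly and open only the LAN.
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24

    # Satisfy All (the default): a client must be on the LAN AND present a valid
    # password. "Satisfy Any" instead lets LAN clients in with no password while
    # still demanding one from everyone else, which is the "open it for local
    # users" behaviour asked for in this thread.
    Satisfy All
</Directory>
```

Two points worth checking before relying on this. First, do not wrap the rules in `<Limit GET POST>` as in the earlier suggestion: a `<Limit>` applies only to the methods it lists, so any other method reaches the PHP scripts unrestricted; either list every method with `<LimitExcept>` or, as above, leave the wrapper out so the rules cover all methods. Second, this is 2.2 syntax; on Apache 2.4 `Order`, `Allow`, `Deny` and `Satisfy` only work with mod_access_compat loaded, and the native form is `Require ip 192.168.1.0/24` combined with `Require user ...` inside a `<RequireAll>` or `<RequireAny>` block. Run `apachectl configtest` before restarting httpd.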

Talkincat

Member
Joined
Mar 24, 2009
Messages
38
Reaction score
0
Robin,

This is what I did originally. If I look at the contents of the wwwpasswd file, I see ari:hash where "hash" appears to be a hash of the password that I entered. I have also tried this by creating a different account with no success.

At this point, I'd rather just open the directory back up. As I said, this is on the private side of the network. Does anyone know how to get this done?
 
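Talkincat sees an `ari:hash` line in wwwpasswd yet Apache still rejects the account. The check a practitioner would run next is to verify the stored hash against the intended password offline, with the same algorithms htpasswd uses, so the password file can be ruled in or out before touching the Directory configuration. The script below is an added example, not code from the thread or from PIAF/FreePBX. The `$apr1$` vector is the one from the Apache httpd password_encryptions documentation (`htpasswd -nbm myName myPassword`); the sample wwwpasswd contents and the other passwords are constructed for the example.

```python
"""Offline check of htpasswd (AuthUserFile) entries.

Added example for this thread, not FreePBX/PIAF code. It reimplements the two
portable htpasswd schemes so a stored hash can be tested against the intended
password without going through Apache: '{SHA}' (base64 of SHA-1) and '$apr1$'
(Apache's MD5 variant, produced by htpasswd -m). Traditional 13-character
crypt() entries, the default of httpd 2.2 builds before 2.2.18 such as CentOS
5's, are only flagged: crypt() silently uses just the first 8 characters.
"""
import base64
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's 6-bit text encoding, least significant group first."""
    return "".join(_ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' exactly as htpasswd -m writes it."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in MD5(pw,salt,pw), len(pw) bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                                # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                      # md5crypt stretching rounds
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$apr1${sb.decode()}${enc}"


def new_apr1_entry(user: str, password: str) -> str:
    """Build a 'user:$apr1$...' line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries


def check_password(stored: str, password: str):
    """True/False for verifiable schemes, None for crypt()/unknown entries."""
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest("{SHA}" + digest, stored)
    return None


def audit(text: str, user: str, password: str) -> str:
    """One-line verdict on whether Apache would accept user/password."""
    entries = parse_htpasswd(text)
    if user not in entries:
        return f"{user}: no entry in AuthUserFile (usernames are case-sensitive)"
    result = check_password(entries[user], password)
    if result is None:
        return f"{user}: crypt() entry, not verified here; only 8 password characters count"
    return f"{user}: password {'matches' if result else 'does NOT match'} stored hash"


# Constructed sample AuthUserFile (not Talkincat's real file).
SAMPLE_WWWPASSWD = "\n".join([
    # Vector from the Apache httpd 'password_encryptions' documentation:
    #   htpasswd -nbm myName myPassword -> $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
    "maint:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    # {SHA} entry for the ari account with the constructed password 'ari-vm-1234'
    "ari:{SHA}" + base64.b64encode(hashlib.sha1(b"ari-vm-1234").digest()).decode(),
    # A 13-character crypt() entry (constructed); flagged, not verified
    "jim:rqXexS6ZhobKA",
])

if __name__ == "__main__":
    for user, pw in [("maint", "myPassword"), ("ari", "ari-vm-1234"),
                     ("ari", "1234"), ("jim", "x")]:
        print(audit(SAMPLE_WWWPASSWD, user, pw))
```

On the PBX itself, `audit(open("/usr/local/apache/passwd/wwwpasswd").read(), "ari", "<the password>")` tells you whether the file is the problem. If the password verifies here and Apache still refuses the account, the fault is in the httpd configuration rather than in wwwpasswd: look for a second `<Directory>` or `<Location>` block or an .htaccess that also applies to /recordings with its own `Require user maint`, or an `AuthUserFile` pointing at a different file. If the entry turns out to be a 13-character crypt() hash, regenerate it with `htpasswd -m wwwpasswd ari` so the full password is used.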

nicho1ab

New Member
Joined
Apr 1, 2009
Messages
12
Reaction score
0
Trying to create temp. secure work-around

I have my piaf on a private net behind a hardware firewall. Of course, I have the excellent IPTables and Fail2Ban setup running, thanks to piaf. On my hardware firewall I block all traffic on port 80 that is attempting to get to my piaf. However, I do allow port 80 traffic on my lan to get to the piaf. Users really like the web-based voicemail.

In ARI's config, I've disabled all modules except the voicemail module and don't have any extensions that are granted admin access. I think that these steps provide enough security to allow ARI to be available without requiring a username/password prior to getting to the login screen.

With this in mind, I deleted all text within /etc/pbx/ari.conf b/c I thought this would remove the username/password prompt when users hit the ARI login page. Even after restarting Apache I'm still prompted to login to access the main ARI page when you enter your extension and VM password. I even tried restarting amportal b/c I couldn't figure out if maybe it needed to be restarted.

Can anyone provide some guidance on what I need to change/remove to prevent the additional login that has been added as a security feature?

Thanks,

Andrew

Status Version 1.2.9 released on Date 042310
********************************************************************
* PBX in a Flash Version Daemon Status *
* Running Asterisk 1.4 *
********************************************************************

********************************************************************
* Running Asterisk Version : Asterisk 1.4.21.2
* Asterisk Source Version : 1.4.21.2
* Zaptel Source Version : 1.4.12.1
* Libpri Source Version : 1.4.10.2
* Addons Source Version : 1.4.7
********************************************************************

CentOS release 5.5 (Final) :32 Bit Kernel: 2.6.18-164.6.1.el5
 

sanitycheck

Member
Joined
Mar 15, 2008
Messages
71
Reaction score
0
For people monitoring this thread, the problem still exists in PIAF 1.7.55 and, apparently, the 2.8 version of FreePBX. TM1000 suggested in this thread that the problem was fixed in FreePBX 2.8, but upgrading did not work for me.
 

aaelghat

Member
Joined
Dec 4, 2007
Messages
40
Reaction score
0
I know this is an old thread, but I have a PIAF Purple system and also have this issue (I didn't use to have it, but got it when I ran update-fixes).

I deleted the .htaccess file in the recordings directory, and I don't have an ari.conf file to delete. Did anyone find a resolution to this? I have my ARI stripped down so there is no call-back function, etc.; you can't get to settings, etc., so I'm not concerned that someone can get to someone else's voicemail.

Thanks.
 
