Kill FreePBX Default Password Warning Messages

wardmundy · #1 02-04-08, 07:32 PM

Unless your server is physically accessible to folks you don't trust, using the default passwords for MySQL and the Asterisk Manager does not create a risk since you must use the passwords from your PBX in a Flash server to gain access.

If you'd like to eliminate the warning messages which appear on the FreePBX System Status display in version 2.3.1.3 only, here's how.

Log into your server as root and (carefully) edit the following files and comment out the lines shown below using double-hash (//) marks at the beginning of each line:

/var/www/html/admin/header.php: lines 132, 133, 134, and 136

Code:

// default password check
$nt = notifications::create($db);
//if ($amp_conf['AMPMGRPASS'] == $amp_conf_defaults['AMPMGRPASS'][1]) {
//      $nt->add_warning('core', 'AMPMGRPASS', _("Default Asterisk Manager Password Used"), _("You are using the default Asterisk Manager$
//} else {
        $nt->delete('core', 'AMPMGRPASS');
//}

/var/www/html/admin/common/db_connect.php: lines 64, 65, 66, and 68

Code:

// Now send or delete warning wrt to default passwords:
//
$nt = notifications::create($db);

//if ($amp_conf['AMPDBPASS'] == $amp_conf_defaults['AMPDBPASS'][1]) {
//      $nt->add_warning('core', 'AMPDBPASS', _("Default SQL Password Used"), _("You are using the default SQL password that is widely kn$
//} else {
        $nt->delete('core', 'AMPDBPASS');
//}

Refresh your browser on the FreePBX System Status page after making all the changes to each file to make sure you commented out the correct lines!!

Tom Phillips · #2 02-05-08, 02:23 PM

I did this now I cant see the config.php page

wardmundy · #3 02-05-08, 02:36 PM

Put it back the way it was. You either uncommented the wrong lines or you're not using FreePBX 2.3.1.3.

Tom Phillips · #4 02-05-08, 02:55 PM

I did
this is what is back
// default password check
$nt = notifications::create($db);
if ($amp_conf['AMPMGRPASS'] == $amp_conf_defaults['AMPMGRPASS'][1]) {
$nt->add_warning('core', 'AMPMGRPASS', _("Default Asterisk Manager Password Used"), _("You are using the default Asterisk Manager$
} else {
$nt->delete('core', 'AMPMGRPASS');
}

Tom Phillips · #5 02-05-08, 02:56 PM

and this
//
$nt = notifications::create($db);

if ($amp_conf['AMPDBPASS'] == $amp_conf_defaults['AMPDBPASS'][1]) {
$nt->add_warning('core', 'AMPDBPASS', _("Default SQL Password Used"), _("You are using the default SQL password that is widely kn$
} else {
$nt->delete('core', 'AMPDBPASS');
}

wardmundy · #6 02-05-08, 03:01 PM

The dollar signs (above in red) indicated incomplete lines. That would cause your problem.

Rename both of the existing files and then unzip the attachment from the root directory (cd /) of your system. Be sure to check permissions and ownership once you've unzipped the files.

jeffmac · #7 02-05-08, 10:07 PM

Works great, Ward! I used the original instructions and had no problem. I do like having those warnings eliminated.

Bruce · #8 04-02-08, 08:41 PM

What is the command to change the Mysql password and change Asterisk Manager password without affecting the system which is heavily dependent on Mysql?

Thanks

wardmundy · #9 04-03-08, 07:38 AM

There's no way to change both of those passwords without heavily affecting your system. Unless there are people with physical access to your PBX in a Flash server that you don't trust, there is no need to make any change in these passwords.

frontline · #10 04-03-08, 09:22 AM

This would be a curious design parameter for any distribution that is not by default intended to be limited to home/in house lan based installation. FreePBX does not take this approach. In fact FreePBX lives very well with secured passwords and tracks just fine with installs and upgrades.

The problem arises with PBX ina Flash due to it's design model relying largely on closed source compiled maintenance scripts. If the option was given to supply secured passwords to the script or even better coded to track existing passwords in the manner of FreePBX the "problem" largely goes away and the installation could follow whatever security choice the user makes.

At a minimum PBX ina FLash could revert to open source scripting and allow simple password editing for those that want to put forth the effort. As it is a secured installation is left with no choice but to abandon the auto compiled script model and go it alone for updates and maintenance.

FreePBX is the source of much of the MySQL database that is being secured. Rather than hacking FreePBX to eliminate the warnings they should be petitioned to change the design if that is the desired affect.

Servers that are installed outside a local lan will be subject to physical access by people that you don't trust whether or not they are successful in breaking into code that is not always written with boiler plate security in mind. I never have a day when the logs don't reflect hacker trolling. The ability to use secured passwords is a basic requirement.