ARI Password Warnings in FreePBX Dashboard
Description of the Issue
You may see a warning message in the FreePBX Dashboard, regarding an ARI password vulnerability.
ARI (Asterisk REST Interface) is not used by most clients, but can still be a vulnerability.
This is because the ARI was set up by the author to use a default password. This is not best practice, as it allows a 3rd party to know that password and possibly use it to gain limited access.
The default firewall settings in our systems are set to block the ARI access ports. But if a user happens to disable the firewall for some reason, it could leave ARI vulnerable to access.
Resolving the Issue
There are 2 parts to ensuring your system is not vulnerable to the ARI password issue.
- Keep your FreePBX firewall enabled at all times. You may temporarily disable it for testing, but do not leave it disabled for more than a few hours at a time, and be sure to re-enable it when you are done testing. It is a good idea to check the firewall status periodically by reviewing the Summary chart in the Dashboard. You should see a green check mark next to Firewall.
- Randomize the ARI username and password. This prevents a 3rd party from knowing either the ARI username or the ARI password. Repeated attempts to "guess" them will result in the 3rd party getting banned by the firewall's "fail2ban" module.
To randomize the password, do the following...
- Log into your phone system via the SSH command line. This can be done using the Bitvise software, or other SSH clients such as PuTTY.
If you need instructions for setting up Bitvise, go to the link below.
Bitvise SSH Tunnel Setup
You'll need to have your root password available. If you don't have it, refer back to your Welcome email that included your phone system passwords, or open a ticket to request the password.
- Once logged into the SSH command line, you will need to generate 2 random passwords (or strings of characters). You can make up a password yourself, or use a password generator tool.
The first string will be used as the username and needs to be 15 characters long.
The second string will be used as the password and needs to be 30 characters long.
Enter the following 4 commands at the command line, and wait for each to be completed before proceeding to the next command.
fwconsole setting FPBX_ARI_USER [paste the 15 character string]
fwconsole setting FPBX_ARI_PASSWORD [paste the 30 character string]
fwconsole r
fwconsole restart
The 3rd command takes a few seconds, and the 4th and final command may take a couple of minutes.
Calls in progress may be dropped during the restart, so it is a good idea to perform these update commands during lunch time or after business hours.
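As an added example that is not part of this article, the following shell script performs the steps above in one pass: it generates the 15-character username string and the 30-character password string (restricted to letters and digits so they pass cleanly to fwconsole as plain arguments), checks both before touching the system, and then runs the same 4 commands in order. It assumes it is run as root on the FreePBX system over SSH; the gen_string and check_credential helper names are my own.

```shell
#!/bin/sh
# Added example (not from the article): randomize the FreePBX ARI credentials.

gen_string() {
    # $1 = desired length. Read /dev/urandom and keep only A-Za-z0-9 so the
    # result contains no shell metacharacters that could be mangled when pasted.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

check_credential() {
    # $1 = value, $2 = expected length. Returns 0 only if the value has exactly
    # the expected length and contains nothing but letters and digits.
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

ARI_USER_LEN=15   # username string length required by the article
ARI_PASS_LEN=30   # password string length required by the article

ari_user=$(gen_string "$ARI_USER_LEN")
ari_pass=$(gen_string "$ARI_PASS_LEN")

# Refuse to proceed with malformed values rather than store a weak credential.
check_credential "$ari_user" "$ARI_USER_LEN" || { echo "username generation failed" >&2; exit 1; }
check_credential "$ari_pass" "$ARI_PASS_LEN" || { echo "password generation failed" >&2; exit 1; }

if command -v fwconsole >/dev/null 2>&1; then
    # The 4 commands from the article, each finishing before the next starts.
    # The values are not echoed so the new secret does not land in the terminal log.
    fwconsole setting FPBX_ARI_USER "$ari_user"
    fwconsole setting FPBX_ARI_PASSWORD "$ari_pass"
    fwconsole r
    fwconsole restart
    echo "ARI credentials randomized and FreePBX restarted."
else
    echo "fwconsole not found: run this script on the FreePBX system over SSH as root." >&2
fi
```

Run it outside business hours, since the final restart can drop calls in progress.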
Optional Pay Support
If you prefer, we can have one of our admins perform this update for you.
The cost is $10, which is a one-time fee.
If you would like to request us to perform the update, simply open a support ticket using the Tools or Contact menu on our website, and authorize us to perform the "ARI Password Update".