vicidial Too many login attempts try again in 15 minutes

Topic: Too many login attempts admin LOCK

        Step to by step guide to unlock the locked admin user in vicidial due to too many login attempts within 15 minutes. you may notice the alert message "Too many login attempts ,try again in 15 minutes: |6666|LOCK|". In this blog tutorial, I have provided the steps to unlock admin also prevent or secure you vicidial from brute force attacks


Too many login attempts try again in 15 minutes

Root Cause: Vicidial user Getting Locked

Below are the listed root cause for the alert message "Too many login attempts try again in 15 minutes" also the user id getting locked.

1. Vicidial Brute force Protection

    By default, Vicidial source code enabled with Brute force protection, which will Lock the User ID if 10 Failed Attempts detected and the counter will be reset every 15 minutes. If there are no failed attempts after 15 minutes the particular user id will be unlocked immediately but if the attack continuous then the user id will be in lock mode until the attack stops. 

2. Brute force Attack - Leaked Known credentials

    Vicidial Brute force attack by hackers, as the default admin username used in vicidial is 6666, the hackers try to brute force attack with the default password 1234 and also with other known leaked credentials to gain the access to the vicidial admin portal.

Solution: unlock user or avoid user-id Lock

    I have provided two solutions here, one is temporary workaround and other one for permanent solution. under the temporary workaround the issue persists again once brute force attack continues.

I recommend the permanent solution like firewall and hardening the vicidial.

Temporary workaround 

In Temporary workaround you can Unlock the affected admin user-id by  following  below methods.
To proceed with temporary solution , you need to have the SSH /console access to the vicidial server with Mysql username and password, if you are using default Mysql login credentials like cron/1234 or root with no password is fine else you need to he credentials.

Option 1: unlock user from mysql

Run the below mysql command to unlock the user id 6666.

mysql -e "use asterisk; update vicidial_users set failed_login_count='0' where user='6666';"

note: if you are using user id apart from 6666 which is getting locked, just replace user= with the user-id which is LOCKED in the above command.

if above Command fails run the below mysql cli commands

mysql -p
use asterisk
update vicidial_users set failed_login_count='0' where user='6666';

note: for vicibox mysql no password set for root user , or use default mysql credentials mysql -ucron -p1234

Option 2: unlock user using another admin user id

    If you have another Admin credentials, which is not Locked, then access the vicidial admin portal in another Browser and login with another admin credentials, Followed to that modify the affected user-id which is locked and press just submit, which will unlock that user.

Option 3: Increase the Lock threshold value

    The default lock threshold set in vicidial for failed attempts are 10 for the duration of 15 minutes, you can override this threshold value by editing the source code located in web folder of vicidial server.

To increase the threshold you need to edit the file named as functions.php located in vicidial folder of web root directory

for vicibox the path is /srv/www/htdocs/vicidial
for scratch install the path will be /var/www/html/vicidial

using your favorite editor like vi or nano edit the functions.php file and change the values mentioned below.

vi /srv/www/htdocs/vicidial/functions.php
$LOCK_over = ($STARTtime - 900)
$LOCK_trigger_attempts = 10; 

Permanent Workarounds:

    The permanent workaround, I recommend is to secure and harden the vicidial servers like firewall, IP list ACL, changing default usernames, default URL path names etc.
Follow the below solutions for permanent solution for vicidial security

Vicibox Firewall-Dynamic Portal

    The Vicibox dynamic portal is a best option for vicidial security, which provides access to the vicidial for the IP's which are whitelisted either by admin or whitelisted by user by authenticating them-self from a predefined URL which listens on port 446 and 81.

I have detailed post on configuring the dynamic portal for vicibox setup and scratch install setups.

Vicidial Allow IP Lists Feature

    Using the Allow IP lists Feature , you can restrict admin/agent/API access to the White Listed IP by admin for User Group wise.

     Steps to enable Allow IP List and Restrict IP to whitelist per user groups.
Enabling Allow IP List      

Navigate : ADMIN > SYSTEM SETTINGS > Allow IP List : 1

Adding the IP's to white List.

Navigate : ADMIN > IP Lists 

Select : ViciWhite IP List , Activate it by Setting YES, Followed to that Added the IP which need to access or you can say list of White Listed IP's

Enabling the IP white list in User Groups.
Navigate to Respective Usergroups ,Click Modify
User Groups > ADMIN > Modify   and enable the below options

Admin IP Whitelist : ViciWhite
Agent IP Whitelist  : ViciWhite
API IP Whitelist      : ViciWhite

Change the Default web directory Path of vicidial Portals

     The default path to access vicidial is https://serverip/vicidial/admin.php and for agent /agc/vicidial.php. This is well known path.

Change this default path name to some other path name like https://serverip/xkskiiiww/vicidial/admin.php
so that only users who know this path can access.

I have a detailed post on securing the vicidial webserver module apache where i have provided steps change the default URL path names and folders.

FQDN ,instead of Direct IP access

    As the Hackers try to access your server IP instead of FQDN ,unless they know the FQDN

you can restrict the Web access only to FQDN Check out the workaround provided in the Vicidial Forum

Securing and Hardening Vicidial servers

  As the vicidial is a open source software and the source code is open to public, the default values like usernames, passwords, folder names, database name and tables, Mysql user names are exposed and easy cake for hackers. you need to secure and harden your vicidial servers to avoid any security breach.

Conclusion:

    It is always best to secure the vicidial servers either not exposing to internet or restricting the access to the vicidial servers and hardening and patching the security misconfigurations.  

use strong password, avoid passwords like P@ssw0rd, 1234,pass1234, etc.

dont use the Default Credentials likes, 6666, admin,bob etc

If you like my post , share and subscribe , for professional support reach out to me on skype and telegram : striker24x7

1 Comments
  • Ajit Kumar
    Ajit Kumar April 4, 2022 at 9:23 AM

    vicidial too many login attempts try again in 15 minutes 6666

Add Comment
comment url