Topic: Too many login attempts admin LOCK
A step-by-step guide to unlock an admin user locked in Vicidial due to too many login attempts within 15 minutes. You may notice the alert message "Too many login attempts ,try again in 15 minutes: |6666|LOCK|". In this blog tutorial, I have provided the steps to unlock the admin user and also to prevent brute force attacks and secure your Vicidial.
Root Cause: Vicidial user Getting Locked
Below are the root causes of the alert message "Too many login attempts try again in 15 minutes" and of the user id getting locked.
1. Vicidial Brute force Protection
2. Brute force Attack - Leaked Known credentials
Hackers brute force Vicidial because the default admin username is 6666: they try the default password 1234 and other known leaked credentials to gain access to the Vicidial admin portal.
Solution: unlock user or avoid user-id Lock
I have provided two solutions here: one is a temporary workaround and the other is a permanent solution. Under the temporary workaround the issue recurs as soon as the brute force attack resumes, so I recommend the permanent solution, such as a firewall and hardening the Vicidial server.
In the temporary workaround you can unlock the affected admin user id by following the methods below.
To proceed with the temporary solution, you need SSH/console access to the Vicidial server along with the MySQL username and password. If you are using the default MySQL login credentials like cron/1234, or root with no password, that is fine; otherwise you will need the credentials.
Option 1: unlock user from mysql
Run the MySQL command below to unlock the user id 6666.
mysql -e "use asterisk; update vicidial_users set failed_login_count='0' where user='6666';"
Note: if a user id other than 6666 is getting locked, replace the value in user='6666' with the user id that is LOCKED in the above command.
If the above command fails, run the commands below in the MySQL CLI one after another:
mysql -p
use asterisk;
update vicidial_users set failed_login_count='0' where user='6666';
Note: on Vicibox no password is set for the MySQL root user; alternatively use the default MySQL credentials: mysql -ucron -p1234
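As an added example (not code from the original post or from the Vicidial project), the unlock query above wrapped in a small script that takes the locked user id as an argument, refuses anything that is not plain letters or digits, and first lists every account at or above the 10-attempt threshold so you can see whether more than one user is being hammered. It assumes the asterisk database and the vicidial_users.failed_login_count column named in this post, and MySQL credentials in the hypothetical MYSQL_USER / MYSQL_PASS environment variables (falling back to the post's cron/1234 defaults).

```shell
#!/bin/sh
# Added example, not from the original post or the VICIdial project.
# Assumes: the asterisk database and vicidial_users.failed_login_count
# described in the post; MySQL credentials in the hypothetical
# MYSQL_USER / MYSQL_PASS variables (defaults are the post's cron/1234).

# Accept only letters and digits, so a stray quote or space in the
# argument cannot turn into extra SQL.
is_plain_id() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Statement that resets the failed-login counter for one user id.
unlock_sql() {
    is_plain_id "$1" || return 1
    printf "UPDATE vicidial_users SET failed_login_count='0' WHERE user='%s';" "$1"
}

# Statement that lists users whose counter has reached the threshold
# (digits only); run it before unlocking to see who else is affected.
locked_users_sql() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf "SELECT user, failed_login_count FROM vicidial_users WHERE failed_login_count >= %s;" "$1"
}

# Run one statement against the asterisk database.
run_sql() {
    mysql -u"${MYSQL_USER:-cron}" -p"${MYSQL_PASS:-1234}" asterisk -e "$1"
}

# Usage: ./unlock_vicidial_user.sh 6666
if [ -n "$1" ]; then
    sql=$(unlock_sql "$1") || { echo "invalid user id: $1" >&2; exit 1; }
    run_sql "$(locked_users_sql 10)"
    run_sql "$sql"
fi
```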
Option 2: unlock user using another admin user id
Option 3: Increase the Lock threshold value
The default lock threshold in Vicidial is 10 failed attempts within 15 minutes. You can override this threshold by editing the source code located in the web folder of the Vicidial server.
Using your favorite editor like vi or nano, edit the functions.php file and change the values shown below.
$LOCK_over = ($STARTtime - 900);   // 900 seconds = the 15 minute window
$LOCK_trigger_attempts = 10;       // failed attempts before the user is locked
Vicibox Firewall-Dynamic Portal
The Vicibox dynamic portal is the best option for Vicidial security. It grants access to Vicidial only to IPs that are whitelisted, either by the admin or by users who authenticate themselves from a predefined URL that listens on ports 446 and 81.
Vicidial Allow IP Lists Feature
Using the Allow IP Lists feature, you can restrict admin/agent/API access to IPs whitelisted by the admin, per user group.
Change the default web directory path of the Vicidial portals so that only users who know the path can access them.
I have a detailed post on securing the Vicidial web server module (Apache) where I have provided steps to change the default URL path names and folders.
FQDN ,instead of Direct IP access
Since hackers try to access your server by IP rather than by FQDN (unless they know the FQDN), you can restrict web access to the FQDN only. Check out the workaround provided in the Vicidial forum.
Securing and Hardening Vicidial servers
As Vicidial is open source software and the source code is open to the public, the default values like usernames, passwords, folder names, database name and tables, and MySQL user names are exposed and an easy target for hackers. You need to secure and harden your Vicidial servers to avoid a security breach.
It is always best to secure the Vicidial servers by not exposing them to the internet, or by restricting access to them, and by hardening and patching security misconfigurations.
Use strong passwords; avoid passwords like P@ssw0rd, 1234, pass1234, etc.
If you like my post, share and subscribe. For professional support reach out to me on Skype and Telegram: striker24x7