Once forgot the Zabbix Admin password

Brief guide for recovering access to any Zabbix's user by reseting its password and lock counters

Table of Contents

Resset zabbix administrator hash by default password and reset account lock

Introduction

In order to regain access to Admin user, its required to reset the failed attempts counter, source ip, penalty time and if needed, the password. This is accomplished by modifying those values from the database in use.

Exploring users table in zabbix's database

First things first, log into the database as a privileged user for zabbix's database and find out the columns in trouble

MariaDB [(none)]> use zabbix;
MariaDB [zabbix]> desc users;
+-----------------+---------------------+------+-----+---------+-------+
| Field           | Type                | Null | Key | Default | Extra |
+-----------------+---------------------+------+-----+---------+-------+
| userid          | bigint(20) unsigned | NO   | PRI | NULL    |       |
| username        | varchar(100)        | NO   | UNI |         |       |
| name            | varchar(100)        | NO   |     |         |       |
| surname         | varchar(100)        | NO   |     |         |       |
| passwd          | varchar(60)         | NO   |     |         |       |
| url             | varchar(2048)       | NO   |     |         |       |
| autologin       | int(11)             | NO   |     | 0       |       |
| autologout      | varchar(32)         | NO   |     | 15m     |       |
| lang            | varchar(7)          | NO   |     | default |       |
| refresh         | varchar(32)         | NO   |     | 30s     |       |
| theme           | varchar(128)        | NO   |     | default |       |
| attempt_failed  | int(11)             | NO   |     | 0       |       |
| attempt_ip      | varchar(39)         | NO   |     |         |       |
| attempt_clock   | int(11)             | NO   |     | 0       |       |
| rows_per_page   | int(11)             | NO   |     | 50      |       |
| timezone        | varchar(50)         | NO   |     | default |       |
| roleid          | bigint(20) unsigned | YES  | MUL | NULL    |       |
| userdirectoryid | bigint(20) unsigned | YES  | MUL | NULL    |       |
| ts_provisioned  | int(11)             | NO   |     | 0       |       |
+-----------------+---------------------+------+-----+---------+-------+
19 rows in set (0,001 sec)

Getting a glance on the related column values for the locked user

MariaDB [zabbix]> select username from users;
+----------+
| username |
+----------+
| Admin    |
| guest    |
+----------+
2 rows in set (0,000 sec)

MariaDB [zabbix]> select username,attempt_failed,attempt_ip,attempt_clock,passwd from users where username='Admin';
+----------+----------------+-----------------+---------------+--------------------------------------------------------------+
| username | attempt_failed | attempt_ip      | attempt_clock | passwd                                                       |
+----------+----------------+-----------------+---------------+--------------------------------------------------------------+
| Admin    |              4 | 192.168.111.238 |    1741033560 | $2y$10$REDACTED |
+----------+----------------+-----------------+---------------+--------------------------------------------------------------+
1 row in set (0,000 sec)

Unlocking zabbix user from db

Unlocking the user:

MariaDB [zabbix]> update users set attempt_clock=0, attempt_ip="", attempt_failed=0 where username='Admin';
Query OK, 1 row affected (0,002 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Then for the password, at Zabbix documentation website, there's the encrypted password for 'zabbix' string; that way we're free to go without diving into which kind of hash it is...

UPDATE users SET passwd = '$2a$10$ZXIvHAEP2ZM.dLXTm6uPHOMVlARXX7cqjbhM6Fn0cANzkCQBWpMrS' WHERE username = 'Admin';

Then it's possible to login as Admin user with password zabbix, don't forget to change the password and last but not least; save it into a safe password manager.