SSH and FreePBX



  • As I'm experimenting with FreePBX, I'm looking at how to properly secure the system. One thing that interests me is SSH. Ideally, I wouldn't want to SSH in as root to do CLI administrative tasks. So my first idea is to create another user and add them to the wheel group, and use that account to do CLI tasks.

    Here's how I did this (logged in as root).

    Note: This did not work for the part that requires me to actually run commands with sudo.

    useradd eddie
    passwd eddie    # followed the prompts to give him a password
    usermod -aG wheel eddie

    This seems to create the user without a problem. However, if I then SSH (or just log in as the user from the console in Vultr) into my server with my newly created user, I see these warnings after logging in.

    PHP Warning: include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12

    PHP Warning: include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12

    PHP Fatal error: Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11

    The first two errors make sense as /etc/freepbx.conf and /var/lib/asterisk/bin/fwconsole have permissions for the user and group asterisk.

    Here's the curious thing. To test whether or not I can actually use sudo, I attempted sudo cat /etc/shadow and received the following error message.

    eddie is not in the sudoers file. This incident will be reported.

    I confirmed that the wheel group is in the sudoers file (/etc/sudoers) and that the user eddie is in the wheel group (/etc/group).

    How do you folks deal with SSH and FreePBX? Do you use the above idea (but implement it in a different way so that it actually works) and then edit /etc/ssh/sshd_config so that you cannot SSH as root? Do you turn off SSH altogether and just log in as root from the Vultr console? Do you not care and just SSH as root when needed? I also assume if you use SSH at all, you'll likely set up RSA keys.
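
An added example, not part of the original post: shell functions for two things worth checking when a wheel member is told they are "not in the sudoers file", namely whether the %wheel rule in sudoers is active rather than commented out, and whether the user is in the group's member list. The function names and sample file contents are constructed for illustration; the thread does not establish whether either condition applied on the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for "user is in wheel
# but sudo refuses". File paths are parameters so copies can be inspected.

# Succeeds if the sudoers text has an ACTIVE %wheel rule.
# "# %wheel ALL=(ALL) ALL" is a comment and grants nothing, yet it still
# shows up when the file is searched for the word "wheel".
wheel_rule_active() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+[^[:space:]]+[[:space:]]*=' "$1"
}

# Succeeds if USER is in the member list (4th field) of the wheel group.
user_in_wheel() {
    awk -F: -v u="$1" '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    } END { exit (found ? 0 : 1) }' "$2"
}

# Arguments: USER SUDOERS_FILE GROUP_FILE
# Prints one verdict: ok | not-member | rule-commented | rule-missing
wheel_sudo_verdict() {
    if ! user_in_wheel "$1" "$3"; then echo not-member; return 0; fi
    if wheel_rule_active "$2"; then echo ok; return 0; fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*%wheel' "$2"; then
        echo rule-commented
    else
        echo rule-missing
    fi
}

# Constructed sample files (not taken from a FreePBX system).
demo_verdict() {
    d=$(mktemp -d)
    printf '%s\n' 'root ALL=(ALL) ALL' '# %wheel ALL=(ALL) ALL' > "$d/sudoers"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:eddie' > "$d/group"
    wheel_sudo_verdict eddie "$d/sudoers" "$d/group"
    rm -rf "$d"
}
```

On a live system, `sudo -l -U eddie` run as root shows what sudo actually resolves, including any files pulled in by `#includedir`, which these functions do not read.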


  • Service Provider

    @EddieJennings said in SSH and FreePBX:

    As I'm experimenting with FreePBX, I'm looking at how to properly secure the system. One thing that interests me is SSH. Ideally, I wouldn't want to SSH in as root to do CLI administrative tasks. So my first idea is to create another user and add them to the wheel group, and use that account to do CLI tasks.

    Here's how I did this (logged in as root).

    Note: This did not work for the part that requires me to actually run commands with sudo.

    useradd eddie
    passwd eddie    # followed the prompts to give him a password
    usermod -aG wheel eddie

    This seems to create the user without a problem. However, if I then SSH (or just log in as the user from the console in Vultr) into my server with my newly created user, I see these warnings after logging in.

    PHP Warning: include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12

    PHP Warning: include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12

    PHP Fatal error: Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11

    The first two errors make sense as /etc/freepbx.conf and /var/lib/asterisk/bin/fwconsole have permissions for the user and group asterisk.

    Here's the curious thing. To test whether or not I can actually use sudo, I attempted sudo cat /etc/shadow and received the following error message.

    eddie is not in the sudoers file. This incident will be reported.

    I confirmed that the wheel group is in the sudoers file (/etc/sudoers) and that the user eddie is in the wheel group (/etc/group).

    How do you folks deal with SSH and FreePBX? Do you use the above idea (but implement it in a different way so that it actually works) and then edit /etc/ssh/sshd_config so that you cannot SSH as root? Do you turn off SSH altogether and just log in as root from the Vultr console? Do you not care and just SSH as root when needed? I also assume if you use SSH at all, you'll likely set up RSA keys.

    I never set up alternate SSH logins on FreePBX. I only log in once a month or so to run updates.

    Unless you do something silly like set the SSH port to "Internet" in the firewall, all connections are dropped anyway.


  • Service Provider

    Remember, while yes it is a CentOS system underneath, you are using an appliance.

    Appliances often have settings configured by the manufacturer that are non-standard when you suddenly try to jump under the hood to do something.


  • Service Provider

    If you want a CentOS system set up your way, then you need to install from your own ISO and then add in FreePBX.



  • The fact this is an appliance makes sense why my above steps didn't work as planned. My goal isn't to do it my way, as much as it's to learn to configure FreePBX correctly. So I figure I'd put the SSH question there and see what the pros thought. :)


  • Service Provider

    @EddieJennings said in SSH and FreePBX:

    The fact this is an appliance makes sense why my above steps didn't work as planned. My goal isn't to do it my way, as much as it's to learn to configure FreePBX correctly. So I figure I'd put the SSH question there and see what the pros thought. :)

    Basically I just make sure that the Firewall setting is Local.

    But as you can see, FreePBX does recommend an SSH key.

    [image]


  • Service Provider

    Restricting SSH to only IP addresses or ranges that you manage from is a big deal, too. This is where a Jump box is important.

    Or only turn on SSH when needed and turn it off when not in use.
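
An added example, not part of any post above: shell functions that read the sshd_config settings raised in this thread (root login over SSH, key-based rather than password logins) and flag any `Match` block, such as one keyed on a source address, that re-enables root login. Function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read the settings discussed above
# out of an sshd_config. The path is a parameter so a copy can be audited.

# Print the global value of KEYWORD. sshd uses the first value it reads for
# these keywords, keywords are case-insensitive, and "#PermitRootLogin yes"
# is a comment. Lines after the first Match line are conditional, so stop there.
sshd_global_value() {
    awk -v want="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Print "criteria => value" for every Match block line that sets KEYWORD.
sshd_match_overrides() {
    awk -v want="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); $1 = ""; sub(/^ +/, "") }
        key == "match" { crit = $0; next }
        crit != "" && key == want { print crit " => " $0 }
    ' "$2"
}

# One finding per line; no output means root login and passwords are off
# globally and no Match block turns root login back on.
audit_sshd() {
    root=$(sshd_global_value PermitRootLogin "$1")
    pass=$(sshd_global_value PasswordAuthentication "$1")
    [ "$root" = no ] || echo "root-login:${root:-unset}"
    [ "$pass" = no ] || echo "password-auth:${pass:-unset}"
    sshd_match_overrides PermitRootLogin "$1" | while read -r line; do
        case $line in *"=> no") ;; *) echo "match-root-login:$line" ;; esac
    done
}

# Constructed sample config, written to a temp file for the demo.
demo_audit() {
    f=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' \
        'PasswordAuthentication yes' 'Match Address 192.0.2.10' \
        '    PermitRootLogin prohibit-password' > "$f"
    audit_sshd "$f"; rm -f "$f"
}
```

A value reported as `unset` means the compiled-in default applies; `sshd -T`, run as root, prints the effective configuration.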


