SSH and FreePBX
-
As I'm experimenting with FreePBX, I'm looking at how to properly secure the system. One thing that interests me is SSH. Ideally, I wouldn't want to SSH in as root to do CLI administrative tasks. So my first idea is to create another user and add them to the wheel group, and use that account to do CLI tasks.
Here's how I did this (logged in as root).
Note: This did not work for the part that requires me to actually run commands with sudo.
useradd eddie
passwd eddie
(followed the prompts to give him a password)
usermod -aG wheel eddie
This seems to create the user without a problem. However, if I then SSH (or just login as the user from the console in Vultr) into my server with my newly created user, I see these warnings after logging in.
PHP Warning: include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning: include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12
PHP Fatal error: Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11
The first two errors make sense, as /etc/freepbx.conf and /var/lib/asterisk/bin/fwconsole have permissions for the user and group asterisk.
Here's the curious thing. To test whether or not I can actually use sudo, I attempted
sudo cat /etc/shadow
and received the following error message:
eddie is not in the sudoers file. This incident will be reported.
I confirmed that the wheel group is in the sudoers file (/etc/sudoers) and that the user eddie is in the wheel group (/etc/group).
How do you folks deal with SSH and FreePBX? Do you use the above idea (but implement it in a different way so that it actually works) and then edit /etc/ssh/sshd_config so that you cannot SSH as root? Do you turn off SSH altogether and just log in as root from the Vultr console? Do you not care and just SSH as root when needed? I also assume if you use SSH at all, you'll likely set up RSA keys.
-
@EddieJennings said in SSH and FreePBX:
As I'm experimenting with FreePBX, I'm looking at how to properly secure the system. One thing that interests me is SSH. Ideally, I wouldn't want to SSH in as root to do CLI administrative tasks. So my first idea is to create another user and add them to the wheel group, and use that account to do CLI tasks.
Here's how I did this (logged in as root).
Note: This did not work for the part that requires me to actually run commands with sudo.
useradd eddie
passwd eddie
(followed the prompts to give him a password)
usermod -aG wheel eddie
This seems to create the user without a problem. However, if I then SSH (or just login as the user from the console in Vultr) into my server with my newly created user, I see these warnings after logging in.
PHP Warning: include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning: include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12
PHP Fatal error: Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11
The first two errors make sense, as /etc/freepbx.conf and /var/lib/asterisk/bin/fwconsole have permissions for the user and group asterisk.
Here's the curious thing. To test whether or not I can actually use sudo, I attempted
sudo cat /etc/shadow
and received the following error message:
eddie is not in the sudoers file. This incident will be reported.
I confirmed that the wheel group is in the sudoers file (/etc/sudoers) and that the user eddie is in the wheel group (/etc/group).
How do you folks deal with SSH and FreePBX? Do you use the above idea (but implement it in a different way so that it actually works) and then edit /etc/ssh/sshd_config so that you cannot SSH as root? Do you turn off SSH altogether and just log in as root from the Vultr console? Do you not care and just SSH as root when needed? I also assume if you use SSH at all, you'll likely set up RSA keys.
I never set up alternate SSH logins on FreePBX. I only log in once a month or so to run updates.
Unless you do something silly like set the SSH port to "Internet" in the firewall, all connections are dropped anyway.
-
Remember, while yes it is a CentOS system underneath, you are using an appliance.
Appliances often have settings configured by the manufacturer that are non-standard when you suddenly try to jump under the hood to do something.
-
If you want a CentOS system setup your way, then you need to install from your own ISO and then add in FreePBX.
-
The fact that this is an appliance explains why my above steps didn't work as planned. My goal isn't to do it my way, as much as it's to learn to configure FreePBX correctly. So I figured I'd put the SSH question here and see what the pros thought.
-
@EddieJennings said in SSH and FreePBX:
The fact that this is an appliance explains why my above steps didn't work as planned. My goal isn't to do it my way, as much as it's to learn to configure FreePBX correctly. So I figured I'd put the SSH question here and see what the pros thought.
Basically I just make sure that the Firewall setting is Local.
But as you can see, FreePBX does recommend an SSH key.
-
Restricting SSH to only the IP addresses or ranges that you manage from is a big deal, too. This is where a jump box is important.
Or only turn on SSH when needed and turn it off when not in use.
-
To solve the first error, simply add your user to the asterisk group:
gpasswd asterisk -a eddie
I've never dug into the issue with the sudo error.
-
Log in as you and just use su. Disallow root login. Use key based Auth, etc.
-
And easy enough to resolve once I look.
@EddieJennings you should have reminded me to look more earlier.
/etc/sudoers has it commented out:
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
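Added example, not code from anyone in this thread or from FreePBX: a POSIX shell walk-through of the three fixes the thread ends up with (the commented-out %wheel rule in /etc/sudoers, checking group membership, and turning off root SSH login and password authentication in /etc/ssh/sshd_config). The function names are my own, and every function takes a file path so it runs against constructed copies of the files (created with mktemp) rather than the live system; on a real box you would hand the real paths in, run the sudoers edit through visudo, and restart sshd afterwards.

```shell
#!/bin/sh
# Added example (not from the thread). All functions operate on whatever file
# path they are given, so they can be exercised on throwaway copies.

# Constructed copy of the sudoers fragment quoted in the last post.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
    echo "$f"
}

# Constructed sshd_config copy: root login only present as a commented default.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
Port 22
EOF
    echo "$f"
}

# Print 1 if an UNcommented "%wheel ALL=(ALL) ALL" rule exists, else 0.
# This is the check the OP skipped: the line was present, but commented out.
wheel_rule_active() {
    if grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Uncomment the password-requiring wheel rule only; the NOPASSWD variant stays
# commented. On a real system do this via "visudo", which syntax-checks the file.
enable_wheel_rule() {
    sed -E 's/^#[[:space:]]*(%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*)$/\1/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print 1 if user $2 is listed as a member of group $1 in an /etc/group-format file $3.
user_in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { print (found ? 1 : 0) }' "$3"
}

# Set "key value" in an sshd_config copy: rewrites an existing active or
# commented line for that key, appends the directive if the key is absent.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*$/$key $val/" "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# Effective value of a key: first uncommented occurrence wins, as in sshd itself.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Walk-through on the constructed copies.
demo() {
    s=$(make_sample_sudoers); c=$(make_sample_sshd_config)
    before=$(wheel_rule_active "$s")
    enable_wheel_rule "$s"
    after=$(wheel_rule_active "$s")
    set_sshd_option "$c" PermitRootLogin no
    set_sshd_option "$c" PasswordAuthentication no
    set_sshd_option "$c" PubkeyAuthentication yes
    echo "wheel rule active: before=$before after=$after"
    echo "PermitRootLogin=$(sshd_option "$c" PermitRootLogin)" \
         "PasswordAuthentication=$(sshd_option "$c" PasswordAuthentication)" \
         "PubkeyAuthentication=$(sshd_option "$c" PubkeyAuthentication)"
    rm -f "$s" "$c"
}
demo
```

Two points the walk-through makes explicit: wheel_rule_active returns 0 on the stock file even though grep would find the string "%wheel", because the rule is commented, and set_sshd_option replaces the commented "#PermitRootLogin yes" default rather than appending a second directive after it (sshd honours the first active occurrence of a keyword, so an appended line after an active one would be ignored).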