Outgoing SSH from FreePBX (Latest) and shell not working

Hi All,

I’ve been trying to set-up an SSH and/or ftp connection from my FreePBX to home with absolutely no luck. I see on some of the wiki that there is supposed to be a System menu item in which I can configure SSH but I can’t for the life of me see it. I have configured a key and saved it and then tried to ssh-copy-id it to my chosen server from the shell but still no joy. The machine will ssh itself without issue but will not ssh anything external despite it being able to ping the other server succesfully. I just know it’ll be something daft. What am I missing guys?

Is the destination server for SSH/FTP at your home? Presumably it is behind a firewall. Will need to open up some ports, 22 for SSH to begin with.

FTP or SFTP?

inbound firewall on destination is not the issue. I have a Cloud VPS that backs up daily without issue. The issue is more to do with something on the FreePBX. None of my other linux servers suffer the issue. Just the FreePBX servers (3 off) fail to allow the native ssh client to connect to external systems. It’s like something is deliberately disabling access to external systems. I suspect the FreePBX firewall may have closed outgoing ports. I even tried to open the ports but still no external connections allowed.

sftp over ssh. Server will not connect to external hosts. It just times out.

As always with iptables

iptables -L -n

to see if waht ports are open at home

nc -z -v your.home.router 22

will check port 22 if that is where the ssh server is listening, (use ssh -vv your.home.router foe verbosity)

Nope. The FreePBX firewall does not write any iptables rules for outgoing. None.

I don’t work in support now, but for years I routinely did ssh outbound from FreePBX distro systems using both keys and password, It works fine. I tested with a randomly chosen SNG7 system I have at hand just now:

# ssh [email protected]<redacted>
The authenticity of host '<redacted> (<redacted>)' can't be established.
ECDSA key fingerprint is SHA256:8uNZifWsIYzF17XzLOmJxXuAOlIe/l0ZPpqgNXXEmMA.
ECDSA key fingerprint is MD5:eb:57:52:14:9e:9a:10:ea:27:f1:3e:97:2d:50:c2:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<redacted>' (ECDSA) to the list of known hosts.
[email protected]<redacted>'s password:

Last login: Thu May  5 09:10:50 2022 from 24.137.111.182
______                   ______ ______ __   __
|  ___|                  | ___ \| ___ \\ \ / /
| |_    _ __   ___   ___ | |_/ /| |_/ / \ V /
|  _|  | '__| / _ \ / _ \|  __/ | ___ \ /   \
| |    | |   |  __/|  __/| |    | |_/ // /^\ \
\_|    |_|    \___| \___|\_|    \____/ \/   \/

Thanks for the response dicko. I have now pinned down some extra information. Outbound SSH from FreePBX server is functional but only on port 22. Defining a -p is not allowing connections to be made to known hosts with known ports and known firewall / port-forwarding rules.

Then remove such rule(s) from any of your firewalls.If you are not using 22 ( A very good idea) then adjust as necessary including any NAT rules pertinent.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.