Update System
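# Fetch and install base-system security patches. A kernel patch only takes
# effect after a reboot; compare `uname -r` with `freebsd-version -k` afterwards.
freebsd-update fetch install
# Refresh the package catalogue, then upgrade installed packages
pkg update && pkg upgrade
# Check installed packages against the FreeBSD vulnerability database
# (-F fetches a fresh copy of the database first)
pkg audit -F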
Secure Root Access
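# Create admin user; when adduser asks "Invite youruser into other groups?",
# answer "wheel" so the account may use su(1) and sudo
adduser
# Equivalent for an existing account (non-interactive)
pw groupmod wheel -m youruser
# Install sudo and grant the wheel group access
pkg install sudo
visudo # Uncomment the %wheel line
# Disable root SSH login LAST: first confirm, from a second session, that the
# new user can log in over SSH and run `sudo -v`; otherwise a typo in the
# sudoers or key setup locks you out of the box.
# /etc/ssh/sshd_config
PermitRootLogin no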
SSH Hardening
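# /etc/ssh/sshd_config
# "Protocol 2" is omitted on purpose: OpenSSH 7.4+ speaks only protocol 2 and
# treats the option as deprecated.
PermitRootLogin no
PasswordAuthentication no # Use keys only
# Without this, PAM keyboard-interactive auth can still prompt for a password
# even though PasswordAuthentication is off (newer OpenSSH: KbdInteractiveAuthentication)
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers youruser
# FreeBSD-specific: report failed logins to blacklistd(8) (see the blacklistd section)
UseBlacklist yes
# Validate the file before restarting; keep the current session open until a
# second login with the new settings succeeds
sshd -t && service sshd restart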
Firewall (PF)
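# /etc/pf.conf
# Enable with: sysrc pf_enable="YES" && service pf start
# Reload after editing: service pf reload
ext_if = "em0"
# Sources that exceed the SSH limits below are collected here. "persist" keeps
# the table alive even while no rule references it.
table <bruteforce> persist
set skip on lo0
set block-policy drop
scrub in all
block all
# Offenders are dropped before any pass rule is evaluated.
# To unblock an address (e.g. your own after a test): pfctl -t bruteforce -T delete ADDR
block in quick on $ext_if from <bruteforce>
# Addresses blocked by blacklistd(8) are installed under this anchor
anchor "blacklistd/*" in on $ext_if
pass out quick on $ext_if
# Only allow SSH, rate limited per source: at most 5 concurrent connections and
# 3 new connections per 60 s. A source exceeding either limit is added to
# <bruteforce> and its existing states are flushed. Keep a single SSH rule:
# an extra unlimited "pass in ... port 22" would confuse last-match-wins evaluation.
pass in on $ext_if proto tcp to port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, \
     overload <bruteforce> flush global)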
Sysctl Hardening
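# /etc/sysctl.conf
# Apply without a reboot: service sysctl restart
# Hide processes owned by other users/groups from ps(1), top(1), etc.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
# Prevent unprivileged users from reading the kernel message buffer (dmesg)
security.bsd.unprivileged_read_msgbuf=0
# Prevent unprivileged processes from attaching debuggers (ptrace, procfs) to others
security.bsd.unprivileged_proc_debug=0
# Randomize PIDs
kern.randompid=1
# Disable core dumps: they can contain secrets from process memory.
# Re-enable temporarily when a crash genuinely needs investigating.
kern.coredump=0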
Audit System
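# Enable the audit daemon at boot and start it now
sysrc auditd_enable="YES"
service auditd start
# Audit configuration
# /etc/security/audit_control
dir:/var/audit
# Attributable event classes: login/logout, authentication/authorization, exec,
# file create/delete/write/attribute-change, administrative.
# "ex" (every exec) is high-volume on busy hosts; drop it if disk fills up.
flags:lo,aa,ex,fc,fd,fw,fm,ad
# Non-attributable events, e.g. failed logins before a user is identified.
# Without this line those failures are not recorded at all.
naflags:lo,aa
# Warn when free space in the audit directory drops below 5%
minfree:5
# Re-read audit_control after editing it
audit -s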
File Permissions
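# Secure home directories (on FreeBSD /home is usually a symlink to /usr/home;
# chmod follows it)
chmod 700 /home/*
# /tmp: world-writable with the sticky bit so users can delete only their own
# files. This is already the FreeBSD default; run it to correct any drift.
chmod 1777 /tmp
# Immutable important files.
# CAVEAT: schg on master.passwd breaks passwd(1), pw(8) and adduser(8), which
# rebuild the file through pwd_mkdb(8). Clear the flag (chflags noschg) before
# any account change and set it again afterwards. At kern.securelevel >= 1 the
# flag can only be cleared from single-user mode.
chflags schg /etc/passwd
chflags schg /etc/master.passwd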
Fail2Ban Alternative
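# blacklistd(8) ships in the base system; nothing to install
sysrc blacklistd_enable="YES"
service blacklistd start
# Two other pieces are required or nothing is ever blocked:
#   /etc/ssh/sshd_config   -> UseBlacklist yes   (sshd reports failures)
#   /etc/pf.conf           -> anchor "blacklistd/*" in on $ext_if   (pf enforces)
# Configure /etc/blacklistd.conf -- one rule per line, fields:
# location  type    proto  owner  name  nfail  disable
# Here: block a source for 24h after 3 failed SSH logins
[local]
ssh         stream  *      *      *     3      24h
# Apply the new configuration
service blacklistd restart
# Inspect currently blocked addresses (see blacklistctl(8) for clearing entries)
blacklistctl dump -b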
Security Checklist
- System updated
- Root SSH disabled
- Key-only SSH auth
- Firewall enabled
- Unnecessary services disabled
- Audit logging enabled
- Strong passwords enforced
- Regular security audits
advanced | System Administration | Updated 2025-01-15
- freebsd
- security
- hardening
- firewall
- audit