HxHippy

FreeBSD Security Hardening

Hardening FreeBSD systems against attacks and unauthorized access.

Last updated: 2025-01-15

Immediate Steps

Update System

freebsd-update fetch install
pkg update && pkg upgrade

Secure Root Access

# Create admin user
adduser  # Add to wheel group

# Disable root SSH login
# /etc/ssh/sshd_config
PermitRootLogin no

# Use sudo
pkg install sudo
visudo  # Uncomment the "%wheel ALL=(ALL:ALL) ALL" line so wheel members can sudo

SSH Hardening

# /etc/ssh/sshd_config
Protocol 2                 # Ignored by modern OpenSSH (SSH-2 only); harmless to keep
PermitRootLogin no
PasswordAuthentication no  # Use keys only; install your public key before enabling this or you lock yourself out
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers youruser        # Replace youruser with your admin account(s)

# Validate the config first (sshd -t prints nothing on success), then restart SSH.
# Keep your current session open until a fresh login works.
service sshd restart

Firewall (PF)

# /etc/pf.conf
ext_if = "em0"              # Replace with your external interface
table <bruteforce> persist  # Sources that tripped the SSH rate limit
set skip on lo0
set block-policy drop

scrub in all
block all
block in quick from <bruteforce>
pass out quick on $ext_if

# Only allow SSH in, rate limited: a source may hold at most 5 open
# connections and open 3 new ones per 60 s; beyond that it is added to
# <bruteforce> and its existing states are flushed. Keep this as the only
# port-22 pass rule: PF is last-match, so a later unqualified pass rule for
# port 22 would override the limits.
pass in on $ext_if proto tcp to port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, overload <bruteforce> flush global)

# Enable with: sysrc pf_enable="YES"; service pf start
# Syntax-check before loading: pfctl -nf /etc/pf.conf

Sysctl Hardening

# /etc/sysctl.conf
# Hide processes from other users
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0

# Prevent users from seeing kernel messages
security.bsd.unprivileged_read_msgbuf=0

# Randomize PIDs (any non-zero value enables it)
kern.randompid=1

# Disable core dumps
kern.coredump=0

# Apply without a reboot: service sysctl restart

Audit System

# Enable audit
sysrc auditd_enable="YES"
service auditd start

# Audit configuration
# /etc/security/audit_control
dir:/var/audit
# lo=login/logout aa=authentication ex=exec (noisy) fc=file create fd=file delete
# fw=file write fm=file attribute modify ad=administrative
flags:lo,aa,ex,fc,fd,fw,fm,ad
minfree:5

# Restart auditd after editing; read the live trail with: praudit /var/audit/current

File Permissions

# Secure home directories
chmod 700 /home/*

# Secure /tmp (sticky bit: users can only remove their own files; 1777 is the default)
chmod 1777 /tmp

# Immutable important files
# Caveat: passwd, pw and adduser cannot modify these until you run chflags noschg,
# and once kern.securelevel >= 1 the flag can only be cleared from single-user mode.
# Verify with: ls -lo /etc/master.passwd
chflags schg /etc/passwd
chflags schg /etc/master.passwd

Fail2Ban Alternative

# blacklistd ships in the base system; enable it
sysrc blacklistd_enable="YES"
service blacklistd start

# /etc/ssh/sshd_config: make sshd report failed logins to blacklistd (then restart sshd)
UseBlacklist yes

# /etc/blacklistd.conf: block a source for 24h after 3 failed SSH logins
# adr/mask:port  type    proto   owner   name    nfail   disable
[local]
ssh              stream  tcp     *       *       3       24h

# /etc/pf.conf: blacklistd installs its blocks in this anchor (reload with pfctl -f)
anchor "blacklistd/*" in on $ext_if

# List currently blocked sources
blacklistctl dump -b

Security Checklist

  • System updated
  • Root SSH disabled
  • Key-only SSH auth
  • Firewall enabled
  • Unnecessary services disabled
  • Audit logging enabled
  • Strong passwords enforced
  • Regular security audits
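To check the sshd and sysctl values from the sections above against what a host actually reports, here is an added POSIX sh helper that is not part of the original page; the `check_kv` function, the required-value lists and the sample `sshd -T` excerpt are this example's own assumptions.

```sh
#!/bin/sh
# Added verification helper (not from the original page): compares the values
# this page sets with what the host reports. check_kv reads "key value" lines on
# stdin, the shape of `sshd -T` (key value) or `sysctl -e` (key=value) output,
# and checks every key in the list passed as $1. Returns 0 only if all match.
check_kv() {
    actual=$(cat)   # capture the live output once
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # normalise "key=value" / "key: value" to "key value", take the first hit
        got=$(printf '%s\n' "$actual" | tr ':=' '  ' | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL    $key = $got (want $want)"; rc=1
        else
            echo "ok      $key = $got"
        fi
    done <<EOF
$1
EOF
    return $rc
}
# sshd settings from the SSH Hardening section, as `sshd -T` prints them.
SSHD_REQUIRED="permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 3"
# sysctl values from the Sysctl Hardening section (kern.randompid is left out:
# the kernel reads it back as a random modulus, not the 1 you wrote).
SYSCTL_REQUIRED="security.bsd.see_other_uids 0
security.bsd.see_other_gids 0
security.bsd.unprivileged_read_msgbuf 0
kern.coredump 0"
# On a FreeBSD host, as root:
#   sshd -T | check_kv "$SSHD_REQUIRED"
#   sysctl -e security.bsd.see_other_uids security.bsd.see_other_gids \
#       security.bsd.unprivileged_read_msgbuf kern.coredump | check_kv "$SYSCTL_REQUIRED"
# Demo on a constructed `sshd -T` excerpt (not captured from a real host):
# PasswordAuthentication was left at its default, so that line is reported.
SAMPLE_SSHD_T="permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 3"
printf '%s\n' "$SAMPLE_SSHD_T" | check_kv "$SSHD_REQUIRED" || echo "sshd: hardening incomplete"
```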