FreeBSD Server Security Best Practices

1. System Updates and Patches

Keep the system updated

Regularly update your FreeBSD system:
freebsd-update fetch freebsd-update install
Update installed packages

Keep all installed packages up to date:
pkg update && pkg upgrade

2. Firewall Configuration

Enable and configure PF firewall

Edit /etc/rc.conf to enable PF:
pf_enable="YES"
Create and configure /etc/pf.conf with appropriate rules
Use strict firewall rules

Example of basic PF rules:
block in all
pass out all keep state
pass in on lo0
pass in proto tcp to any port 22 keep state

3. SSH Hardening

Disable root login via SSH

Edit /etc/ssh/sshd_config:
PermitRootLogin no
Use key-based authentication

Disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
Change default SSH port

Edit /etc/ssh/sshd_config:
Port 2222

4. User and Permission Management

Use strong passwords

Enforce strong password policies using pam_passwdqc
Implement least privilege principle

Grant users only the permissions they need for their tasks
Use sudo for administrative tasks

Install and configure sudo:
pkg install sudo

5. File System Security

Use appropriate mount options

Edit /etc/fstab to include secure mount options:
/dev/ada0p2 /home ufs rw,noexec,nosuid 2 2
Enable filesystem quotas

Prevent disk space abuse by implementing quotas

6. Network Security

Disable unnecessary network services

Review and disable unneeded services in /etc/rc.conf
Use TCP Wrappers

Configure /etc/hosts.allow and /etc/hosts.deny

7. Monitoring and Auditing

Enable and configure auditd

Edit /etc/rc.conf:
auditd_enable="YES"
Use intrusion detection systems

Install and configure tools like Snort or OSSEC

Warning:

Implementing these security measures requires careful consideration and testing. Incorrect configuration may lead to system instability or lockouts. Always test changes in a non-production environment first.

Additional Resources