top of page

Securing FreeBSD Workstation: Security Guide for Beginners

Updated: Jan 9


If you're just starting out with FreeBSD 14.2, it's important to know how to protect your computer from potential threats. In this short guide, I'll share my knowledge and experience on ensuring basic security for a FreeBSD 14.2 Workstation. I'll explain everything in simple terms, step by step, and show you how to set up your system to make it secure and reliable. Don’t worry if something seems complicated - we’ll figure it out together. Let’s get started!



1. System Updates


Keeping the system up-to-date is a fundamental security measure. Regular updates help eliminate known vulnerabilities and enhance system stability.


Steps to Update the System:


1. Check for Updates

sudo freebsd-update fetch

This command downloads the latest updates available for your system.


2. Install Update

sudo freebsd-update install

After installing updates, it is recommended to reboot the system to apply the changes:

sudo reboot

Automating Updates:


For convenience, you can set up automatic security updates using `freebsd-update` or third-party tools by adding appropriate jobs to `cron`.


1. Open the `crontab` file for editing

sudo crontab -e

2. Add the following lines to check and install updates daily

0 2 * * * /usr/sbin/freebsd-update fetch install >> /var/log/freebsd-update.log 2>&1

This job runs every day at 2 AM, logging the output to `/var/log/freebsd-update.log`.


Alternative: using periodic for Updates


FreeBSD provides a built-in mechanism called periodic for automating system tasks, including security checks and updates. To enable daily security updates:


1. Edit /etc/periodic.conf`:

sudo vi /etc/periodic.conf

2. Add the following lines:

daily_status_security_inline="YES"

daily_status_security_output="/var/log/security.log"

This will ensure that security updates are checked and applied daily.



2. Configuring the Firewall (PF)


Using PF (Packet Filter) allows effective control over incoming and outgoing network traffic, protecting the system from unauthorized access.


Enabling PF:


1. Open the /etc/rc.conf` file for editing:

sudo vi /etc/rc.conf

2. Add the following lines:

pf_enable="YES
pf_rules="/etc/pf.conf"
pf_flags=""

Setting Up PF Rules:


Create a minimal configuration in the /etc/pf.conf` file:

# Set default block policy
set block-policy return

# Skip traffic on the loopback interface
set skip on lo0

# Block all incoming traffic
block in all

# Allow outgoing traffic and enable stateful filtering
pass out all keep state

# Allow incoming SSH connections with logging
pass in on egress proto tcp from any to any port 22 keep state log

Applying and Starting PF:


1. Apply the rules:

sudo pfctl -f /etc/pf.conf

2. Start the PF service:

sudo service pf start

3. Ensure PF is enabled and running:

sudo pfctl -s all

Adding Additional Rules:


For example, to allow access to a web server on ports 80 and 443:

pass in on egress proto tcp from any to any port {80, 443} keep state

Add this line to /etc/pf.conf` and reload PF:

sudo pfctl -f /etc/pf.conf
sudo pfctl -e

Verifying PF Rules:


Before applying new rules, always verify their syntax:

sudo pfctl -nf /etc/pf.conf


3. Disabling Unnecessary Services


Minimizing the number of running services reduces the system's attack surface. I always strive to disable services that are not in use.


Viewing Active Services:

Use the sockstat command to view current network connections and running services:

sockstat -4

Disabling Unnecessary Services:


After you have identified the services that are not required, you can turn them off. For example, if you are not using an FTP server, disable it.


1. Open the /etc/rc.conf` file for editing:

sudo vi /etc/rc.conf

2. Disable the service using the sysrc command. For example, to disable FTP:

sudo sysrc ftpd_enable="NO"

3. Restart the system or the respective services to apply the changes:

sudo service ftpd stop

Example of Disabling Multiple Services:


Suppose you are not using CUPS and sendmail:

sudo sysrc cupsd_enable="NO"
sudo sysrc sendmail_enable="NO"

Using service for Management:


Instead of manually editing configuration files, you can use the `service` command to manage services:

sudo service sshd stop
sudo sysrc sshd_enable="NO"


4. Using sudo


Operating as root increases security risks. Instead, I prefer using sudo to perform administrative tasks.


Installing sudo:

sudo pkg install sudo

Configuring sudo


Below are the steps for configuring sudo on FreeBSD using both the standard approach (using the wheel group) and the alternative approach (using User_Alias).



Standard Approach using the wheel Group


This is the most common and recommended method for granting administrative privileges to users.


1. Open the /usr/local/etc/sudoers file for editing:

   Use the visudo command to safely edit the sudoers file:

sudo visudo

2. Uncomment the wheel group line:

Locate the following line in the file:

# %wheel ALL=(ALL) ALL

Remove the # at the beginning to uncomment it:

%wheel ALL=(ALL) ALL

3. Save and exit:

Save the changes and exit the editor. In vi, you can do this by pressing Esc , then typing :wq and pressing Enter .


4. Add the user to the wheel group:

Use the pw command to add the user to the wheel group:

sudo pw usermod your_user -G wheel

Replace your_user with the actual username.


5. Verify the user's group membership:

Check that the user has been added to the `wheel` group:

 id your_user

You should see `wheel` listed in the user's groups.


6. Test sudo access:

Log in as the user and test sudo by running a command with elevated privileges:

sudo whoami

If configured correctly, the output should be root.



Alternative Approach using User_Alias


This method is useful if you want to grant sudo privileges to specific users without adding them to the wheel group. It also allows for more granular control over permissions.


1. Open the /usr/local/etc/sudoers file for editing:

Use the `visudo` command:

sudo visudo

2. Define a User_Alias:

Add a User_Alias to group one or more users. Replace your_user with the actual username:

User_Alias ADMINS = your_user

You can add multiple users by separating them with commas:

User_Alias ADMINS = user1, user2, user3

3. Grant privileges to the User_Alias:

Add a rule to grant sudo privileges to the users in the ADMINS alias:

ADMINS ALL=(ALL) ALL

4. Save and exit:

Save the changes and exit the editor. In vi, press Esc , then type :wq and press Enter .


5. Test sudo access

Log in as one of the users in the ADMINS alias and test sudo:

sudo whoami

If configured correctly, the output should be root.



5. Configuring Passwords and User Accounts


Strong passwords and proper user account configurations are key security elements.



Using Strong Passwords:


1. Ensure your passwords are at least 12 characters long, including uppercase and lowercase letters, numbers, and special characters.


2. To enforce a password change at the next login:

sudo passwd -e your_user

Disabling Root Login via SSH:


1. Open the SSH configuration file:

sudo vi /etc/ssh/sshd_config

2. Find the PermitRootLogin line and set it to:

PermitRootLogin  no

3. Restart the SSH service to apply changes:

sudo service sshd restart

Restricting SSH Access


1. Allow only specific users to log in via SSH. In sshd_config, add:

AllowUsers your_user

2. Save the changes and restart SSH:

sudo service sshd restart

Two-Factor Authentication (2FA)


For additional protection, you can set up 2FA using PAM and Google Authenticator.


1. Install google-authenticator:

sudo pkg install google-authenticator

2. Configure the user:

google-authenticator

3. Open the /etc/pam.d/sshd file and add the line:

auth required pam_google_authenticator.so

4. In sshd_config, ensure the following lines are enabled:

ChallengeResponseAuthentication  yes

5. Restart SSH:

sudo service sshd restart

Now, logging in via SSH will require entering a one-time code from the Google Authenticator app.



6. System Auditing


Monitoring security events helps in timely detection of suspicious activities.


Installing auditd :

sudo pkg install audit

Configuring auditd:


1. Open the /etc/rc.conf file:

sudo vi /etc/rc.conf

2. Add the line to enable auditd:

auditd_enable="YES"

3. Configure audit parameters in the /etc/security/audit_control file. Example configuration:

dir:/var/audit
flags:lo,ad
minfree:5
naflags:lo,ad
policy:cnt
filesz:10M
expire-after:30d

- flags determine the events to audit. For example, lo for system calls and ad for file access auditing.

- expire-after sets the log retention period.


4. Create the audit log directory and set proper permissions:

sudo mkdir -p /var/audit
sudo chown root:wheel /var/audit
sudo chmod 700 /var/audit

5. Start the auditd service:

sudo service auditd start

Analyzing Audit Logs:


Use the praudit utility to read logs:

sudo praudit /var/audit/current | less

For automation, scripts can be used, or integration with SIEM systems can be considered.



7. Data Encryption


Encryption protects data both in transit and at rest.


Full Disk Encryption with geli :


1. Initialize the disk for encryption:

sudo geli init -e aes256 -l 256 /dev/ada0p2

2. Set a password:

sudo geli attach -k /path/to/keyfile /dev/ada0p2

3. Add parameters for automatic mounting in /etc/rc.conf :

geli_ada0p2_enable="YES"
geli_ada0p2_type="UFS"
geli_ada0p2_name="encrypted"

File Encryption with gpg :


1. Encrypt a file:

gpg -c /path/to/file

You will be prompted to enter a password for encryption.


2. Decrypt a file:

gpg /path/to/file.gpg

Secure Key Storage:


Ensure that encryption keys are stored securely, such as on an external medium or within a password manager.



8. Regular Backups


Backups allow data restoration in case of loss or corruption.


Setting Up Automated Backups with rsnapshot :


1. Install rsnapshot:

sudo pkg install rsnapshot

2. Edit the configuration file /usr/local/etc/rsnapshot.conf :

snapshot_root   /var/backups/rsnapshot/
interval        daily   7
interval        weekly  4
interval        monthly 3

3. Specify Directories to Back Up

Add the paths of the directories you want to back up to the rsnapshot configuration file.

For example:

backup  /home/your_user/    localhost/
backup  /etc/               localhost/

/home/your_user/ - Backs up the user's home directory.

/etc/ - Backs up the system configuration files.

localhost/ - Specifies the local machine as the backup destination.


This tells rsnapshot to include these directories in the backup process.


4. Set up cron jobs:

sudo vi /etc/crontab

Add the lines:

0  3 * * * root /usr/local/bin/rsnapshot daily
30 3 * * 1 root /usr/local/bin/rsnapshot weekly
0  4  1 * * root /usr/local/bin/rsnapshot monthly

Verifying Backups


Regularly check the integrity of backups and the ability to restore data:

sudo rsnapshot configtest
sudo rsnapshot check

Restoring Data


To restore files, simply copy them from the backup to the desired location:

sudo cp /var/backups/rsnapshot/daily.0/home/your_user/file /home/your_user/


9. System Monitoring


Continuous monitoring helps in early detection and response to potential threats.


Using btop for Process Monitoring


1. Install btop:

sudo pkg install btop

2. Run btop:

btop

Configuring System Parameters with sysctl


View current settings:

sysctl -a

Temporarily change parameters:

sudo sysctl net.inet.ip.forwarding=0

For permanent changes, add parameters to /etc/sysctl.conf :

net.inet.ip.forwarding=0

Using Advanced Monitoring Systems


I prefer using Zabbix for detailed monitoring:


1. Install Zabbix server and agent:

sudo pkg install zabbix5-server zabbix5-agent

2. Configure the configuration files and start the services:

sudo vi /usr/local/etc/zabbix_server.conf
sudo vi /usr/local/etc/zabbix_agentd.conf
sudo service zabbix_server start
sudo service zabbix_agentd start

3. Access the Zabbix web interface to set up monitoring.


Setting Up Alerts

In Zabbix, you can configure email or other channel alerts to notify you of critical events.



10. Protection Against Malware


Although FreeBSD is less susceptible to malware attacks compared to other operating systems, precautionary measures are still necessary. ClamAV is an antivirus scanner that helps protect your workstation from known threats, as it uses signatures to detect them.


It’s important to understand that between the emergence of a new virus and the creation of a signature to detect it, your FreeBSD system remains vulnerable.

Therefore, while ClamAV is a very useful tool, it does not provide absolute protection.


Installing ClamAV


1. Install clamav:

sudo pkg install clamav

2. Set up autostart:

sudo sysrc clamd_enable="YES"

3. Update the virus databases:

sudo freshclam

4. Start the ClamAV service:

sudo service clamd start

Scanning the System


For a full system scan:

sudo clamscan -r / --bell -i

-r - recursive scanning.

--bell - sound a bell when a threat is detected.

-i - show only infected files.


Additional Tools:


1) rkhunter - to detect rootkits and other threats.

sudo pkg install rkhunter
sudo rkhunter --update
sudo rkhunter --checkall

2) chkrootkit - similar tool for checking rootkits.

sudo pkg install chkrootkit
sudo chkrootkit

Setting Up Regular Scans


Add cron jobs for regular scanning:

sudo crontab -e

Add the lines:

0 4 * * * /usr/local/bin/clamscan -r / --bell -i >> /var/log/clamscan.log

0 5 * * * /usr/local/bin/rkhunter --cronjob --quiet >> /var/log/rkhunter.log


11. Configuring the MAC Framework (Mandatory Access Control)


Instead of SELinux, on FreeBSD, I use the MAC Framework for a more flexible and powerful access control system.


Enabling the MAC Framework


1. Open the /etc/rc.conf file:

sudo vi /etc/rc.conf

2. Add the line:

mac_enabled="YES"

3. Enable specific policies. For example, for mac_biba and mac_mls:

mac_policy_mac_biba="YES"
mac_policy_mac_mls="YES"

mac_biba - Protects data integrity. Prevents low-trust processes from affecting high-trust processes. An untrusted application won’t be able to modify critical system files.


mac_mls - Protects data confidentiality. Classifies data into levels (e.g., "secret," "top secret") and controls access based on these levels. A user with low clearance won’t be able to read files marked as "secret."


4. Applying Changes. Reboot the system to apply the new settings:

sudo reboot

Configuring Policies


Policies can be configured through their respective configuration files. For example, for mac_biba:


1. Open the /etc/mac_biba.conf file:

sudo vi /etc/mac_biba.conf

2. Add necessary rules. Example:

# Allow only read access to files for unlabelled processes
deny all unlabeled read

Applying Policies

After configuring the files, restart services or the system to apply the changes.



12. Using Capsicum to Restrict Application Privileges


Capsicum is a framework for minimizing application privileges by providing them with limited capabilities.


Example of Using Capsicum with Python


1. Install necessary packages:

sudo pkg install python

2. Write a python-script file script.py with restricted privileges:

#python

import capsicum
import os

# Enter capability mode
capsicum.cap_enter()

# Attempt to perform a restricted operation
try:
    os.system('ls /root')
except Exception as e:
    print(f'Error: {e}')

3. Run the script:

python3 script.py

The script will be unable to execute the ls /root command due to restricted permissions.


Creating Restricted Shells


Capsicum can be used to create restricted shells that allow users to execute only specific commands.



13. Regular Security Audits Using Lynis


Conducting regular audits helps in identifying and addressing vulnerabilities.


Installing Lynis

sudo pkg install lynis

Running an Audit


1. Execute the command:

sudo lynis audit system

2. Review the reports generated at the end of the scan. Lynis will provide recommendations for enhancing security.


Automating Audits


Add a cron job for regular audits:

sudo crontab -e

Add the line:

0 6 * * 7 /usr/local/bin/lynis audit system --quiet >> /var/log/lynis.log

This job runs every Sunday at 6 AM.



14. Restricting Port Access and Package Management


Minimizing open ports and managing installed packages are essential steps to reduce security risks. By closing unnecessary ports and removing unused software, you can significantly decrease the attack surface of your system. Here’s how to get started:


1. Minimizing Open Ports.

Open ports can be entry points for attackers. To check which ports are open, use the sockstat command:

sockstat -4

This will show you active network connections and the services using them. If you find ports that you don’t recognize or don’t need, disable the corresponding services.


For example, to disable an FTP server:

1) Edit /etc/rc.conf :

sudo sysrc ftpd_enable="NO"

2) Stop the service if it’s running:

sudo service ftpd stop

2. Managing Installed Packages.

Unused packages can contain vulnerabilities. To view installed packages, run:

pkg info

If you find packages you no longer need, remove them:

sudo pkg delete package_name

For example, to remove Apache:

sudo pkg delete apache24

3. Regularly Check for Vulnerabilities.

FreeBSD provides a tool to check installed packages for known vulnerabilities:

sudo pkg audit -F

This will update the vulnerability database and show you any issues. Fix them by updating or removing affected packages.


***

In conclusion,

I would like to note that if you have reached the end and performed all these actions and figured out what is what in detail, you have significantly increased the security of your FreeBSD system and your level of knowledge.


I highly recommend that, as Linux is becoming more popular, think twice before enabling LINUX_COMPAT in your FreeBSD. Actively use the very well-written FreeBSD documentation and do not forget to visit the forum.


Take care and keep your system safe and clean! 😊

Comments

© 2025 Cartesian School. All Rights Reserved.

bottom of page