How to Configure SSH on FreeBSD for Maximum Security

Secure Shell (SSH) is an essential tool for managing servers remotely, but an improperly configured SSH server can expose your system to serious risks. In this post, we’ll walk through best practices to harden SSH on FreeBSD and lock down remote access.

Step 1: Install and Enable OpenSSH

FreeBSD ships OpenSSH in the base system (no package needed), but make sure the service is enabled at boot and running:

sysrc sshd_enable=YES
service sshd start

You can also restart it anytime with:

service sshd restart

Step 2: Backup Your SSH Configuration

Always back up your original SSH config before making changes:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Then open the config file:

vi /etc/ssh/sshd_config

Step 3: Change the Default SSH Port

Moving sshd off port 22 cuts the log noise from untargeted scanners that only try the default port. It is not a security control on its own, since a port scan finds the new port in seconds, so treat it as a convenience on top of the steps that follow:

Port 2222

Before restarting sshd, allow the new port through your firewall (pf or ipfw), and keep your current session open until a login on the new port has been confirmed from a second terminal.

Step 4: Disable Root Login

Logging in directly as root is risky: the account name is known to every attacker, and a compromise hands over full privileges immediately. FreeBSD already defaults to PermitRootLogin no, but set it explicitly so a future change to the shipped defaults cannot reopen it. Log in as a normal user instead and escalate with su (the user must be in the wheel group, e.g. pw groupmod wheel -m youruser), or with doas or sudo from ports (security/doas, security/sudo):

PermitRootLogin no

Step 5: Use Key-Based Authentication

Disable password authentication and use SSH keys for access.

  1. Generate a key on your local machine (Ed25519 is the current recommendation; give it a passphrase when prompted):
ssh-keygen -t ed25519
  2. Copy your public key to the FreeBSD server, using the port you chose in Step 3:
ssh-copy-id -p 2222 youruser@yourserver
  3. On the server, set:
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

The second line matters on FreeBSD: sshd authenticates through PAM (UsePAM yes), and with keyboard-interactive authentication left at its default of yes the server still accepts the account password via PAM even though PasswordAuthentication is off. On OpenSSH releases older than 8.7 the keyword is spelled ChallengeResponseAuthentication. Confirm a key login works from a second terminal before closing the session you used to make the change; a typo in authorized_keys or wrong permissions on ~/.ssh will otherwise lock you out.

Step 6: Limit User Access

Restrict which accounts may authenticate at all. AllowUsers takes user names or user@host patterns, and AllowGroups does the same for groups; once either is set, every account not listed is refused even with a valid key, so list only the accounts that actually need shell access (and never root):

AllowUsers youruser

Step 7: Set Idle Timeout and Login Attempts

To limit how long an unauthenticated connection may hang around, how many guesses it gets, and how long a vanished client keeps a session open:

LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

LoginGraceTime closes connections that have not authenticated within 30 seconds, and MaxAuthTries caps the attempts per connection at 3 (once half that value is reached, further failures are logged). The ClientAlive pair is dead-peer detection, not an idle timeout: every 300 seconds sshd sends a probe over the encrypted channel, and a connected client answers it whether or not anyone is typing, so this only drops sessions whose client has stopped responding, here after two unanswered probes (about 10 minutes). Do not set ClientAliveCountMax to 0: on OpenSSH 8.2 and later that disables termination altogether. For a real idle logout use the shell's TMOUT variable where the shell supports it (bash, ksh, zsh), or on OpenSSH 9.2 and newer the ChannelTimeout and UnusedConnectionTimeout options. MaxStartups is the knob for throttling parallel unauthenticated connections.

Step 8: Enable Logging and Monitor SSH Access

On FreeBSD, sshd logs through syslog's auth facility, which lands in /var/log/auth.log (rotated by newsyslog). Check it regularly:

tail -f /var/log/auth.log

Successful logins appear as "Accepted publickey for ...", so an "Accepted password" or "Accepted keyboard-interactive/pam" line on a key-only server means Step 5 did not take. To ban sources automatically, the base system's blocklistd (blacklistd on releases before 14) hooks into sshd through the UseBlocklist/UseBlacklist option documented in sshd_config(5) for your release, or install fail2ban from packages. Its package name carries the Python flavor (py3NN-fail2ban), so look it up or install by origin rather than guessing the version:

pkg search fail2ban
pkg install security/py-fail2ban
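As an added example that is not part of the original post, the shell functions below summarise failed and successful authentications from auth.log, so the "check it regularly" step can be scripted (for example from cron, feeding repeat offenders into a pf table). The log lines embedded at the top are constructed samples in OpenSSH's standard wording with addresses from documentation ranges; the function names and the threshold are choices made here.

```sh
#!/bin/sh
# Added example (not from the original post): summarise sshd authentication
# events from FreeBSD's /var/log/auth.log with POSIX sh + awk.
# Handles the "Failed password", "Invalid user", "Connection closed by
# ... user ... [preauth]" and "Accepted <method>" lines OpenSSH writes.

# Constructed sample log in OpenSSH's wording (documentation-range IPs,
# made-up host name, PIDs and fingerprint). With PasswordAuthentication
# off you mostly see the "Invalid user" and "Connection closed [preauth]"
# forms rather than "Failed password".
SAMPLE_LOG='Jan 10 12:00:01 bsdhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:02 bsdhost sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:04 bsdhost sshd[1238]: Invalid user oracle from 203.0.113.5 port 51240
Jan 10 12:00:05 bsdhost sshd[1240]: Accepted publickey for youruser from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 12:00:09 bsdhost sshd[1241]: Failed password for youruser from 203.0.113.9 port 2222 ssh2
Jan 10 12:00:11 bsdhost sshd[1242]: Connection closed by authenticating user root 203.0.113.9 port 51300 [preauth]'

# ssh_failures_by_ip: read log lines on stdin and print "<count> <ip>" for
# every source address that produced an authentication failure, most
# active first.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user|Connection closed by (authenticating|invalid) user)/ {
            ip = ""
            # most forms say "... from <ip> port <n>"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # "Connection closed by authenticating user <name> <ip> port <n>" has no "from"
            if (ip == "") for (i = 1; i <= NF; i++) if ($i == "port") ip = $(i - 1)
            if (ip != "") fail[ip]++
        }
        END { for (ip in fail) printf "%d %s\n", fail[ip], ip }
    ' | sort -rn
}

# ssh_offenders [MIN]: print only the addresses with at least MIN failures
# (default 5), one per line, ready to feed into a pf table.
ssh_offenders() {
    ssh_failures_by_ip | awk -v min="${1:-5}" '$1 >= min { print $2 }'
}

# ssh_accepted: print "<user> <ip> <method>" for every successful login, so
# a password or keyboard-interactive login stands out on a host that is
# supposed to accept keys only.
ssh_accepted() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted") { method = $(i + 1); user = $(i + 3); ip = $(i + 5) }
            print user, ip, method
        }'
}

# Demo on the constructed sample:  sh sshlog.sh --demo
# On a real host:                  ssh_offenders 5 < /var/log/auth.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_ip
    printf '%s\n' "$SAMPLE_LOG" | ssh_accepted
fi
```

On a pf host the offender list can be added to a table with `ssh_offenders 5 < /var/log/auth.log | xargs -n1 pfctl -t bruteforce -T add`, with a matching `block in quick from <bruteforce>` rule in pf.conf; pair that with a cron job that expires old entries so a mistyped password from your own address does not lock you out for good.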

Step 9: Reload SSHD

After editing sshd_config, check for syntax errors (sshd -T additionally prints the effective configuration, which catches a directive that accidentally landed inside a Match block and so never applied globally):

sshd -t

Then reload or restart the service (service sshd reload sends SIGHUP and keeps existing sessions; restart drops them) and, from a second terminal, confirm you can still log in with your key on the new port before closing the session you are editing from:

service sshd restart
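The whole procedure from Step 3 to Step 9, as an added example that is not the original post's code: a POSIX shell script that applies the settings to an sshd_config file idempotently and then audits the values sshd would actually use. It rewrites the first matching line whether it was commented out or not (sshd honours the first occurrence of a keyword, and FreeBSD's stock file ships most keywords commented with their defaults), places directives that are absent before any Match block so they stay global, and includes the PAM keyboard-interactive fix from Step 5. The function names, the port, the user name and the file path are assumptions for illustration; run it on a copy first.

```sh
#!/bin/sh
# Added example (not the original post's code): apply the sshd_config
# hardening from this post to a file and audit the result. Paths, the
# port and the user name are placeholders; try it on a copy first.

# sshd_set FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line (keywords are
# case-insensitive). If there is none, inserts the directive before the
# first Match block so it stays global instead of joining that block.
sshd_set() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        !set && tolower($0) ~ re           { print k " " v; set = 1; next }
        !set && /^[ \t]*[Mm]atch([ \t]|$)/ { print k " " v; set = 1 }
        { print }
        END { if (!set) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_get FILE KEY: the value sshd applies globally (first active
# occurrence before any Match block), or nothing if the default applies.
sshd_get() {
    awk -v k="$2" '
        /^[ \t]*[Mm]atch([ \t]|$)/ { exit }
        tolower($1) == tolower(k)  { print $2; exit }
    ' "$1"
}

# harden_sshd FILE [PORT] [USERS]: the settings from Steps 3 to 7.
harden_sshd() {
    file=$1 port=${2:-2222} users=${3:-youruser}
    sshd_set "$file" Port "$port"
    sshd_set "$file" PermitRootLogin no
    sshd_set "$file" PubkeyAuthentication yes
    sshd_set "$file" PasswordAuthentication no
    # FreeBSD's sshd authenticates through PAM, and keyboard-interactive
    # still accepts the account password unless disabled as well
    # (OpenSSH before 8.7 spells it ChallengeResponseAuthentication).
    sshd_set "$file" KbdInteractiveAuthentication no
    sshd_set "$file" AllowUsers "$users"
    sshd_set "$file" LoginGraceTime 30
    sshd_set "$file" MaxAuthTries 3
    # Dead-peer detection: probe every 5 min, drop after 2 unanswered
    # probes. A count of 0 disables termination on OpenSSH 8.2 and later.
    sshd_set "$file" ClientAliveInterval 300
    sshd_set "$file" ClientAliveCountMax 2
}

# audit_sshd FILE: check the settings that must never regress; prints one
# line per check and returns 1 if any of them fails.
audit_sshd() {
    rc=0
    while read -r key want; do
        got=$(sshd_get "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key got '${got:-(default)}' want '$want'"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
    return $rc
}

# Usage on the server, after the backup from Step 2:
#   harden_sshd /etc/ssh/sshd_config 2222 youruser \
#     && audit_sshd /etc/ssh/sshd_config && sshd -t && service sshd reload
```

Because the audit reads the file the same way sshd does (first active occurrence, stopping at Match), it is the check to run from cron or a configuration-management hook: a later edit that uncomments a stray PasswordAuthentication yes above your line, or that pastes the hardening under a Match block, shows up as a FAIL line instead of a silent regression.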

Final Thoughts

SSH is your server's lifeline, so treat it with care. Keeping root off the wire, replacing passwords (including the PAM keyboard-interactive fallback) with keys, restricting which accounts may log in, and keeping the logs under watch are simple yet powerful ways to harden your FreeBSD system; the port change is the least important of the lot.

By implementing these steps, you significantly reduce the attack surface and improve your system’s resilience against unauthorized access.