Setting Up and Securing SSH on FreeBSD 13: A Comprehensive Guide

This guide walks you through enabling SSH on your FreeBSD 13 system, configuring the firewall rules that allow inbound connections, and changing the default SSH port for enhanced security.

Prerequisites

  • A FreeBSD 13 system with root privileges

Step 1: Update the System

Before you start, make sure your system is up to date. Open a terminal window and run the following commands:

pkg update
pkg upgrade

Step 2: Enable the SSH Service

To enable SSH on your FreeBSD system, edit the /etc/rc.conf file using a text editor like vi or ee:

sudo vi /etc/rc.conf

Add the following line to the file:

sshd_enable="YES"

Save the file and exit the text editor.

Step 3: Start the SSH Service

Start the SSH service with the following command:

sudo service sshd start

Step 4: Configure Firewall Rules for SSH

By default, FreeBSD uses PF (Packet Filter) as its firewall. First, create a backup of the original PF configuration file:

sudo cp /etc/pf.conf /etc/pf.conf.bak

Next, open the PF configuration file using a text editor:

sudo vi /etc/pf.conf

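Add the following line to allow inbound SSH connections. The rule refers to the macro $ext_if, which must be defined earlier in pf.conf as the name of your external network interface; otherwise PF will refuse to load the ruleset: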

pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state

Save the file and exit the text editor.

Step 5: Enable and Start the PF Firewall

Edit the /etc/rc.conf file again to enable the PF firewall:

sudo vi /etc/rc.conf

Add the following line to the file:

pf_enable="YES"

Save the file and exit the text editor.

Start the PF firewall with the following command:

sudo service pf start

Step 6: Change the Default SSH Port

In this example, we'll change the default SSH port from 22 to 33556. You can choose a different port number if you prefer, but make sure it's not already in use by another service.

First, create a backup of the original SSH configuration file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Next, open the SSH configuration file using a text editor:

sudo vi /etc/ssh/sshd_config

Find the line that starts with #Port 22 and change it to the desired port number. Remove the # at the beginning of the line to uncomment it. For example:

Port 33556

Save the file and exit the text editor.

Step 7: Configure Firewall Rules for the Custom SSH Port

Update the firewall rules to allow inbound connections on the custom SSH port. Edit the PF configuration file again:

sudo vi /etc/pf.conf

Remove the previous SSH rule:

pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state

Add a new rule for the custom SSH port:

pass in on $ext_if proto tcp from any to any port 33556 flags S/SA keep state

Save the file and exit the text editor.

Restart the PF firewall to apply the new rules:

sudo service pf restart

Step 8: Restart the SSH Service

Restart the SSH service to apply the changes with the following command:

sudo service sshd restart

Step 9: Verify the Custom SSH Port

You can verify that the SSH service is listening on the custom port by running the following command:

sudo sockstat -4 -l | grep ssh

The output should display the new port number (e.g., 33556) in the "Local Address" column.

Step 10: Connect to the Custom SSH Port

To connect to your FreeBSD system via SSH on the custom port, use the following command from a remote machine (replace username with your actual username, and 10.20.30.40 with the IP address of your FreeBSD system):

ssh -p 33556 username@10.20.30.40
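
Steps 6 through 8 change the port in two separate files, and a mismatch between them leaves sshd listening on a port that PF blocks. The sh script below is an added example, not part of the original guide; it checks that every Port in sshd_config has a matching pass rule in pf.conf, using constructed sample files and an assumed interface name em0.

```sh
#!/bin/sh
# Added example: verify that each port sshd will listen on has a matching
# "pass in ... proto tcp ... port N" rule in pf.conf.

# Print ports from uncommented Port directives, or 22 (sshd's default) if
# there are none. Ports set via "ListenAddress host:port" are not considered.
sshd_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Succeed if an uncommented rule of the form used in this guide passes
# inbound TCP to port $2. "port { a, b }" lists are understood; macros,
# ranges and service names are not resolved.
pf_allows_port() {
    awk -v p="$2" '
        /^[ \t]*pass[ \t]+in[ \t]/ && /proto[ \t]+tcp/ {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, /port[ \t]+([{][^}]*[}]|[0-9]+)/)) {
                spec = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]+/, " ", spec)
                n = split(spec, a, " ")
                for (i = 1; i <= n; i++) if (a[i] == p) found = 1
            }
        }
        END { exit !found }' "$1"
}

# Return 0 only if every sshd port is allowed by pf; report the others.
check_ssh_port() {
    rc=0
    for port in $(sshd_ports "$1"); do
        if ! pf_allows_port "$2" "$port"; then
            echo "no pf pass rule for sshd port $port" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring Steps 6 and 7 (em0 is an assumed NIC).
tmp=$(mktemp -d)
printf '#Port 22\nPort 33556\n' > "$tmp/sshd_config"
printf '%s\n' 'ext_if = "em0"' \
    'pass in on $ext_if proto tcp from any to any port 33556 flags S/SA keep state' \
    > "$tmp/pf.conf"
check_ssh_port "$tmp/sshd_config" "$tmp/pf.conf" && echo "sshd and pf ports match"
```

On the real system, sshd -t and pfctl -nf /etc/pf.conf parse each file and report syntax errors without applying anything, which complements this consistency check.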

Celebrate!

You have now successfully set up and secured SSH on your FreeBSD 13 system. You've enabled the SSH service, configured the appropriate firewall rules to allow inbound connections, and changed the default SSH port to enhance security. With these changes in place, you can remotely manage your FreeBSD system with confidence.

Remember to always keep your system up to date and monitor the security of your SSH service to maintain a secure environment.