
FreeBSD 15.1 : Vim Install, SSH Security Measures, Firewall, NTP Server

1. Vim Install

Install Vim, the editor you are used to, as follows:

# pkg install -y vim

Edit ~/.shrc so that Vim is used as the standard editor, then log in again for the change to take effect.
FreeBSD 15 uses sh as the default shell.

You can check the current shell with the following command:

# echo $SHELL
/bin/sh
# vim ~/.shrc
Add the following content
alias vi='vim'

Apply the settings
# shutdown -r now

Create a new ".vimrc" to set up the environment for Vim and fill in the following:

# vi ~/.vimrc

Add the following content
set nocompatible
set encoding=utf-8
set nobackup
set tabstop=4
set clipboard=unnamed
set number
syntax on
highlight Comment ctermfg=LightCyan
set wrap
set backspace=indent,eol,start
set autoindent

The settings take effect after the reboot.

2. Use of locate database

On FreeBSD, running updatedb directly produces the following warning:

# /usr/libexec/locate.updatedb
>>> WARNING
>>> Executing updatedb as root.  This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.

The warning means:
updatedb is being run as root.
This would let every logged-in user see every file name on the machine, which is a security risk.

On FreeBSD the scripts under /etc/periodic are run by cron, so use the weekly locate-database update script that cron runs, which rebuilds the database as an unprivileged user rather than as root:

# /etc/periodic/weekly/310.locate

Rebuilding locate database:

Try searching for the keyword "sshd"

# locate sshd

/etc/pam.d/sshd
/etc/rc.d/sshd
/etc/ssh/sshd_config
/usr/libexec/sshd-auth
/usr/libexec/sshd-session
/usr/local/share/vim/vim92/ftplugin/sshdconfig.vim
/usr/local/share/vim/vim92/syntax/sshdconfig.vim
/usr/ports/deskutils/py-paperless-ngx/files/sshd_config.in
/usr/ports/security/openssh-portable/files/extra-patch-pam-sshd_config
/usr/ports/security/openssh-portable/files/patch-sshd.8
/usr/ports/security/openssh-portable/files/patch-sshd.c
/usr/ports/security/openssh-portable/files/patch-sshd_config
/usr/ports/security/openssh-portable/files/patch-sshd_config.5
/usr/ports/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf
/usr/ports/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd.conf
/usr/sbin/sshd

3. SSH Connection Security Measures

3.1 Change the SSH port and disable root login

# vi /etc/ssh/sshd_config

Line 16: Change the SSH port number to 2244
Port 2244

Line 35: Remove the comment to prevent SSH logins as root
PermitRootLogin no

Apply the settings

# service sshd restart

Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 1445.
Performing sanity check on sshd configuration.
Starting sshd.

3.2 Use public key authentication
① Create the public/private key pair --- log in as a regular user to create it
If you do not specify a destination and file name, id_ed25519 and id_ed25519.pub are created in /home/(user name)/.ssh/.
When prompted, enter a passphrase for the key.

# su - huong
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/huong/.ssh/id_ed25519):
Created directory '/home/huong/.ssh'.
Enter passphrase for "/home/huong/.ssh/id_ed25519" (empty for no passphrase): [Password]
Enter same passphrase again:  [Password]
Your identification has been saved in /home/huong/.ssh/id_ed25519
Your public key has been saved in /home/huong/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hEaxu2mv6EY3F8ZltS3SQc4qFRvQTCKUIOvYTruMvog huong@Lepard
The key's randomart image is:
+--[ED25519 256]--+
|  . .o=oo=+o+    |
|   o ..+ .=B +   |
|  .   +..o+ * .  |
| +   . o+. o .   |
|. +   ..S..      |
| o .. oo..       |
|  o. .+o         |
|oo ..o .         |
|Eo+oo ...        |
+----[SHA256]-----+
$ cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh/

➁ Save the generated private key id_ed25519 to the Windows directory \Users\user\.ssh using WinSCP.

➂ Edit the SSH server configuration file

$ su -
# vi /etc/ssh/sshd_config

Line 61: Remove the comment so that password authentication is disabled
PasswordAuthentication no
Because sshd on FreeBSD uses PAM, a password prompt can still be offered through keyboard-interactive authentication; set KbdInteractiveAuthentication no as well if key authentication is to be the only way in.

Restart SSH service

# service sshd restart

④ How to connect using Tabby Terminal
Specify the key with the option [-i c:\USERS\xxxxx\.ssh\id_ed25519]

C:\Users\xxxxx>ssh huong@192.168.11.83 -p 2244 -i c:\USERS\xxxxx\.ssh\id_ed25519
Enter passphrase for key 'c:\USERS\xxxxx\.ssh\id_ed25519': ←Enter the passphrase set when the key was created
Last login: Wed Jun 17 00:43:15 2026 from 192.168.11.14
FreeBSD 15.1-RELEASE (GENERIC) releng/15.1-n283562-96841ea08dcf

Welcome to FreeBSD!

⑤ SSH connection using public-key authentication

SSH connections authenticated with a public key are established in the same way as on Linux systems. Refer to the following instructions.
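To verify that the settings from 3.1 and 3.2 are actually in effect, here is an added example (not from the original article) that audits an sshd_config the way sshd reads it: the first uncommented occurrence of a keyword wins, Match blocks are ignored. It checks the keywords used above plus KbdInteractiveAuthentication; the two sample configuration files are constructed stand-ins for /etc/ssh/sshd_config, not copies of the real file.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# hardening applied in section 3. Reads the effective value of each keyword
# the way sshd does (first uncommented occurrence wins; Match blocks ignored).

# sshd_setting FILE KEYWORD -> prints the effective value, or "(default)" if the
# keyword is not set anywhere in FILE
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd FILE -> prints one FINDING line per weak setting; exit status 0
# only when every check passes
audit_sshd() {
    f="$1"; rc=0
    port=$(sshd_setting "$f" Port)
    root=$(sshd_setting "$f" PermitRootLogin)
    pass=$(sshd_setting "$f" PasswordAuthentication)
    kbd=$(sshd_setting "$f" KbdInteractiveAuthentication)

    [ "$port" != "(default)" ] && [ "$port" != "22" ] ||
        { echo "FINDING: Port is $port (expected a non-default port)"; rc=1; }
    [ "$root" = "no" ] ||
        { echo "FINDING: PermitRootLogin is $root (expected no)"; rc=1; }
    [ "$pass" = "no" ] ||
        { echo "FINDING: PasswordAuthentication is $pass (expected no)"; rc=1; }
    # sshd on FreeBSD uses PAM, so keyboard-interactive can still ask for the
    # account password unless this is switched off as well.
    [ "$kbd" = "no" ] ||
        { echo "FINDING: KbdInteractiveAuthentication is $kbd (expected no)"; rc=1; }
    return $rc
}

# --- constructed sample configs (stand-ins for /etc/ssh/sshd_config) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/before" <<'EOF'
# shipped defaults, everything still commented out
#Port 22
#PermitRootLogin no
#PasswordAuthentication no
EOF
cat > "$TMP/after" <<'EOF'
Port 2244
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

echo "== before hardening =="; audit_sshd "$TMP/before" || echo "(not hardened)"
echo "== after hardening ==";  audit_sshd "$TMP/after" && echo "all checks pass"
```

On the real host, point audit_sshd at /etc/ssh/sshd_config, or compare its findings with `sshd -T`, which prints the effective configuration including the compiled-in defaults that the file leaves commented out.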

4. Firewall Settings

FreeBSD offers the following firewalls:
・pf
・ipfw
・ipf
Here, ipfw is used to configure the firewall.

4.1 Check if ipfw works

# ipfw list
...
It is OK if the output is anything other than "Command not found".

4.2 Add the settings to /etc/rc.conf to enable ipfw
Use the sysrc command rather than editing /etc/rc.conf by hand with vim.

# sysrc firewall_enable="YES"     ←Enabled at server startup
firewall_enable: NO -> YES

# sysrc firewall_logdeny="YES"    ←Log output to /var/log/security on denial
firewall_logdeny: NO -> YES

# sysrc firewall_script="/usr/local/etc/ipfw.rules"    ←Specify additional configuration scripts
firewall_script: /etc/rc.firewall -> /usr/local/etc/ipfw.rules

4.3 Create additional configuration script (/usr/local/etc/ipfw.rules)

# vi /usr/local/etc/ipfw.rules

Content of the additional configuration script ----- for now, open the following service ports:
ftp (20, 21), ssh (22), smtp (25), dns (53), http (80), ntp (123), https (443), pop3 (110), imap (143), mail submission (587), the changed SSH port (2244)

#! /bin/sh
#
# ipfw rule script loaded through firewall_script in /etc/rc.conf

IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
# accept any TCP segment with ACK/RST set (not tracked by state)
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# service ports
$IPF 90 allow tcp from any to any 20 in
$IPF 100 allow tcp from any to any 20 out
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 190 allow tcp from any to any 80 in
$IPF 200 allow tcp from any to any 80 out
$IPF 210 allow tcp from any to any 110 in
$IPF 220 allow tcp from any to any 110 out
# NTP runs over UDP, not TCP
$IPF 230 allow udp from any to any 123 in
$IPF 240 allow udp from any to any 123 out
$IPF 250 allow tcp from any to any 143 in
$IPF 260 allow tcp from any to any 143 out
$IPF 270 allow tcp from any to any 443 in
$IPF 280 allow tcp from any to any 443 out
$IPF 290 allow tcp from any to any 587 in
$IPF 300 allow tcp from any to any 587 out
$IPF 310 allow tcp from any to any 2244 in
$IPF 320 allow tcp from any to any 2244 out

# deny and log everything else
$IPF 500 deny log all from any to any

System Reboot

# shutdown -r now

Show ipfw list

# ipfw list

00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag offset
00050 check-state :default
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state :default
00080 allow icmp from any to any
00090 allow tcp from any to any 20 in
00100 allow tcp from any to any 20 out
00110 allow tcp from any to any 21 in
00120 allow tcp from any to any 21 out
00130 allow tcp from any to any 22 in
00140 allow tcp from any to any 22 out
00150 allow tcp from any to any 25 in
00160 allow tcp from any to any 25 out
00170 allow udp from any to any 53 in
00175 allow tcp from any to any 53 in
00180 allow udp from any to any 53 out
00185 allow tcp from any to any 53 out
00190 allow tcp from any to any 80 in
00200 allow tcp from any to any 80 out
00210 allow tcp from any to any 110 in
00220 allow tcp from any to any 110 out
00230 allow udp from any to any 123 in
00240 allow udp from any to any 123 out
00250 allow tcp from any to any 143 in
00260 allow tcp from any to any 143 out
00270 allow tcp from any to any 443 in
00280 allow tcp from any to any 443 out
00290 allow tcp from any to any 587 in
00300 allow tcp from any to any 587 out
00310 allow tcp from any to any 2244 in
00320 allow tcp from any to any 2244 out
00500 deny log ip from any to any
65535 count ip from any to any not // orphaned dynamic states counter
65535 deny ip from any to any
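With firewall_logdeny="YES", every packet that rule 500 drops is written to /var/log/security. The following is an added example (not part of the original article) that summarises those entries so you can see which ports are being probed and from where. The log lines are constructed samples in the layout ipfw uses for IPv4 entries; the hostname and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the packets that
# rule 500 logged to /var/log/security once firewall_logdeny="YES" is set.
# Assumes the IPv4 log line layout shown in the constructed sample below.

# ipfw_denies FILE -> one line per logged Deny: "rule proto src_ip dst_port dir"
ipfw_denies() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next     # not a logged deny
            rule = $(i + 1)
            proto = $(i + 3); sub(/:.*/, "", proto)   # ICMP:8.0 -> ICMP
            split($(i + 4), s, ":"); srcip = s[1]
            m = split($(i + 5), d, ":"); dport = (m > 1) ? d[m] : "-"
            print rule, proto, srcip, dport, $(i + 6)
        }' "$1"
}

# top_denied_ports FILE -> "count PROTO/port", inbound only, most frequent first
top_denied_ports() {
    ipfw_denies "$1" | awk '$5 == "in" && $4 != "-" { c[$2 "/" $4]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# top_sources FILE -> "count src_ip", most frequent first
top_sources() {
    ipfw_denies "$1" | awk '{ c[$3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# --- constructed sample of /var/log/security (RFC 5737 documentation addresses) ---
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jun 17 01:02:03 host kernel: ipfw: 500 Deny TCP 203.0.113.5:51234 192.168.11.83:23 in via em0
Jun 17 01:02:04 host kernel: ipfw: 500 Deny TCP 203.0.113.5:51235 192.168.11.83:3389 in via em0
Jun 17 01:02:05 host kernel: ipfw: 500 Deny TCP 203.0.113.5:51236 192.168.11.83:445 in via em0
Jun 17 01:02:06 host kernel: ipfw: 500 Deny TCP 198.51.100.7:40001 192.168.11.83:23 in via em0
Jun 17 01:02:07 host kernel: ipfw: 500 Deny UDP 198.51.100.7:5060 192.168.11.83:5060 in via em0
Jun 17 01:02:08 host kernel: ipfw: 500 Deny ICMP:8.0 203.0.113.9 192.168.11.83 in via em0
Jun 17 01:02:09 host kernel: ipfw: limit 100 reached on entry 500
EOF

echo "== most probed ports =="; top_denied_ports "$LOG"
echo "== noisiest sources ==";  top_sources "$LOG"
```

On the real host, set LOG to /var/log/security (or a rotated copy). The last sample line is the kernel's notice that net.inet.ip.fw.verbose_limit was reached for rule 500; after that, further matches of the rule are no longer logged until the counters are reset with `ipfw resetlog`, so seeing that line in the summary's input is itself worth acting on.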

5. NTP Server Settings

5.1 Change the NTP servers referenced in /etc/ntp.conf to a suitable server in Japan.

# vi /etc/ntp.conf

Comment out lines 32 and 33, then add the following below them.
#pool 0.freebsd.pool.ntp.org iburst
#pool 2.freebsd.pool.ntp.org iburst
pool ntp.nict.jp iburst

5.2 NTP Auto-Start Configuration

# sysrc ntpd_enable="YES"
# sysrc ntpd_sync_on_start="YES"

5.3 Correct the time
If the clock is too far off, ntpd will not correct it and stops instead, so use the ntpdate command to set the time before starting the NTP daemon.

# ntpdate ntp.nict.jp
16 Jun 15:54:56 ntpdate[1661]: step time server 61.205.120.130 offset -32400.626459 sec

# /etc/rc.d/ntpd start
Starting ntpd.

5.4 Time synchronization confirmation

# ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.nict.jp     .POOL.          16 p    -   64    0    0.000   +0.000   0.008
*ntp-b2.nict.go. .NICT.           1 u   11   64    1   14.120   -0.139   0.600
+ntp-b3.nict.go. .NICT.           1 u   11   64    1   10.840   -1.553   1.785
+ntp-a3.nict.go. .NICT.           1 u    9   64    1   13.282   -0.148   0.510
+ntp-k1.nict.jp  .NICT.           1 u    9   64    1    6.055   -1.513   1.477
+ntp-a2.nict.go. .NICT.           1 u    7   64    1   13.758   +0.093   0.409

+ Servers that passed the sanity checks and remain candidates for selection
– Servers discarded by the clustering algorithm
* The server currently selected as the system peer, i.e. the one the clock is synchronized to
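The ntpq -p table and tally legend above can be turned into a check that a monitoring job runs. The following is an added example (not from the original article): it parses the table, reports the system peer and the number of candidates, and computes the largest offset among the peers actually used. The first sample is the table shown above; the second is a constructed table for a host whose ntpd has just started and has not reached any server yet.

```shell
#!/bin/sh
# Added example (not from the original article): read "ntpq -p" output and
# report whether the host has a system peer, how many candidates survived the
# clustering step, and the worst offset among the peers actually used.
# Assumes the column layout and tally codes shown in the samples below.

# ntp_peers FILE -> "tally remote reach offset" per peer; a blank tally is
# printed as "_" so the field count stays stable
ntp_peers() {
    awk '
        NR <= 2 { next }                       # column header and ==== rule
        {
            t = substr($0, 1, 1); if (t == " ") t = "_"
            l = substr($0, 2); sub(/^[ \t]+/, "", l)
            split(l, f, /[ \t]+/)
            print t, f[1], f[7], f[9]
        }' "$1"
}

# ntp_system_peer FILE -> remote name of the "*" peer, or nothing
ntp_system_peer() { ntp_peers "$1" | awk '$1 == "*" { print $2; exit }'; }

# ntp_synced FILE -> exit 0 if a system peer has been selected
ntp_synced() { [ -n "$(ntp_system_peer "$1")" ]; }

# ntp_candidates FILE -> number of "+" peers (passed selection and clustering)
ntp_candidates() { ntp_peers "$1" | awk '$1 == "+"' | wc -l | tr -d ' '; }

# ntp_max_offset FILE -> largest |offset| in ms over the "*" and "+" peers
ntp_max_offset() {
    ntp_peers "$1" | awk '
        BEGIN { m = 0 }
        $1 == "*" || $1 == "+" {
            o = $4; sub(/^\+/, "", o); o += 0
            if (o < 0) o = -o
            if (o > m) m = o
        }
        END { printf "%.3f\n", m }'
}

# --- samples: the table from the article, and a constructed just-started host ---
GOOD=$(mktemp); BAD=$(mktemp); trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.nict.jp     .POOL.          16 p    -   64    0    0.000   +0.000   0.008
*ntp-b2.nict.go. .NICT.           1 u   11   64    1   14.120   -0.139   0.600
+ntp-b3.nict.go. .NICT.           1 u   11   64    1   10.840   -1.553   1.785
+ntp-a3.nict.go. .NICT.           1 u    9   64    1   13.282   -0.148   0.510
+ntp-k1.nict.jp  .NICT.           1 u    9   64    1    6.055   -1.513   1.477
+ntp-a2.nict.go. .NICT.           1 u    7   64    1   13.758   +0.093   0.409
EOF
cat > "$BAD" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.nict.jp     .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 ntp-b2.nict.go. .INIT.          16 u    -   64    0    0.000   +0.000   0.000
EOF

for f in "$GOOD" "$BAD"; do
    if ntp_synced "$f"; then
        echo "synced to $(ntp_system_peer "$f"), $(ntp_candidates "$f") candidates, max offset $(ntp_max_offset "$f") ms"
    else
        echo "NOT synchronised (no system peer yet)"
    fi
done
```

On a live host, feed it `ntpq -p > file` (or `ntpq -pn` if you would rather not resolve names); a missing "*" peer for more than a few poll intervals after startup is the condition to alert on.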