From PC-BSD Wiki
Jump to: navigation, search
This page contains changes which are not marked for translation.

Your PC-BSD® system is secure by default. This section provides an overview of the built-in security features and additional resources should you like to learn more about increasing the security of your system beyond its current level.

The security features built into PC-BSD® include:

  • Naturally immune to viruses and other malware: most viruses are written to exploit Windows systems and do not understand the binaries or paths found on a PC-BSD® system. Antivirus software is still available in the Security section of AppCafe® as this can be useful if you send or forward email attachments to users running other operating systems.
  • Potential for serious damage is limited: file and directory ownership and permissions along with separate user and group functions mean that as an ordinary user any program executed will only be granted the abilities and access of that user. A user that is not a member of the wheel group can not switch to administrative access and cannot enter or list the contents of a directory that has not been set for universal access.
  • Built-in firewall: the default firewall ruleset allows you to access the Internet and the shares available on your network. If there are no shared resources on your network, you can use Firewall Manager to further tighten the default ruleset. In addition, Fail2ban[1] is installed. This service can be configured to identify possible break-in attempts and to respond with an action such as creating a firewall rule to ban the intruder. Instructions for configuring fail2ban can be found on the fail2ban wiki[2].
  • Built-in Host-based Intrusion Detection System: PC-BSD® installs OSSEC[3] which can be configured to perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. If you have never used OSSEC before, take some time to read through its manual[4] to determine which features interest you and how to configure them.
  • Very few services are enabled by default: you can easily view which services are started at boot time using Service Manager or by reading through /etc/rc.conf. You can also disable the services that you do not use by disabling that service in Service Manager or by commenting out that line with a # in /etc/rc.conf.
  • SSH is disabled by default: and can only be enabled by the superuser. This setting prevents bots and other users from trying to access your system. If you do need to use SSH, change the "NO" to a "YES" in the line sshd_enable= in the file /etc/rc.conf. You can start the service right away by typing /etc/rc.d/sshd start. You will need to add a firewall rule to allow SSH connections from the systems that require SSH access.
  • SSH root logins are disabled by default: if you enable SSH, you must login as a regular user and can use su or sudo when you need to perform administrative actions. You should not change this default as this prevents an unwanted user from having complete access to your system.
  • sudo is installed: and configured to allow users in the wheel group permission to run an administrative command after typing their password. By default, the first user you create during installation is added to the wheel group. You can use User Manager to add other users to this group. You can change the default sudo configuration using the visudo command as the superuser.
  • AESNI[5] support is loaded by default for the Intel Core i5/i7 processors that support this encryption set. This support speeds up AES encryption and decryption.
  • Automatic notification of security advisories: Update Manager will automatically notify you if an update is available as the result of a FreeBSD security advisory[6] that affects PC-BSD®. This allows you to keep your operating system fully patched with just the click of a mouse.

If you would like to learn more about security on FreeBSD/PC-BSD® systems, man security is a good place to start. These resources provide more information about security on FreeBSD-based operating systems:

  • Find matching or more contemporary documentation on the Colophon page.
  • Numerous changes to the software and default secure configuration of the recent PC‑BSD® but most notably, a switch from OpenSSL to LibreSSL for all prebuilt pkgs.
  • Addition of PersonaCrypt and Tor mode.


Other languages:German 16% • ‎English 100% • ‎French 11%
Personal tools