From PC-BSD Wiki
Revision as of 05:20, 21 August 2012 by Drulavigne (Talk | contribs)


Your PC-BSD system is secure by default. This section provides an overview of the built-in security features and additional resources should you like to learn more about increasing the security of your system beyond its current level.

PC-BSD's security features include:

  • Naturally immune to viruses and other malware: most viruses are written to exploit Windows systems and do not understand the binaries or paths found on a PC-BSD system. Antivirus software is still available in the Security section of AppCafe® as this can be useful if you send or forward email attachments to users running other operating systems.
  • Potential for serious damage is limited: file and directory ownership and permissions, along with separate user and group functions, mean that any program executed by an ordinary user will only be granted the abilities and access of that user. A user that is not a member of the wheel group cannot switch to administrative access and cannot enter or list the contents of a directory that has not been set for universal access.
  • Built-in firewall: the default firewall ruleset allows you to access the Internet and the shares available on your network. If there are no shared resources on your network, you can use Firewall Manager to further tighten the default ruleset. In addition, fail2ban is installed. This service can be configured to identify possible break-in attempts and to respond with an action such as creating a firewall rule to ban the intruder. Instructions for configuring fail2ban can be found here.
  • Built-in Host-based Intrusion Detection System: PC-BSD installs OSSEC, which can be configured to perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. If you have never used OSSEC before, take some time to read through its manual to determine which features interest you and how to configure them.
  • Very few services are enabled by default: you can easily view which services are started at boot time using Service Manager or by reading through /etc/rc.conf. You can also disable services that you do not use, either in Service Manager or by commenting out the service's line with a # in /etc/rc.conf.
  • SSH is disabled by default: it can only be enabled by the superuser. This setting prevents bots and other users from trying to access your system. If you do need to use SSH, change the NO to a YES in the line sshd_enable= in the file /etc/rc.conf. You can start the service right away by typing /etc/rc.d/sshd start. You will need to add a firewall rule to allow SSH connections from the systems that require SSH access.
  • SSH root logins are disabled by default: if you enable SSH, you must log in as a regular user and can use su or sudo when you need to perform administrative actions. You should not change this default as this prevents an unwanted user from having complete access to your system.
  • sudo is installed: it is configured to allow users in the wheel group to run an administrative command if they know the root password. By default, the first user you create during installation is added to the wheel group. You can use User Manager to add other users to this group. You can change the default sudo configuration using the visudo command as the superuser.
  • Automatic notification of security advisories: Update Manager will automatically notify you if an update is available as the result of a security advisory that affects PC-BSD. This allows you to keep your operating system fully patched with just the click of a mouse.
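
The /etc/rc.conf checks described in the list above (which services start at boot, a line commented out with # to disable a service, and the sshd_enable= setting) can be scripted. The following sh script is an added example, not part of the PC-BSD documentation; the function names and the sample file are constructed for illustration, and it assumes that a later assignment overrides an earlier one and that YES, TRUE, ON and 1 (in any case) count as enabled.

```sh
#!/bin/sh
# Added example: report which services an rc.conf-style file enables at boot.

# enabled_services FILE
# Prints, sorted, every NAME whose final NAME_enable value means "yes".
# Lines commented out with # are ignored; a later assignment overrides an
# earlier one. The accepted values (YES, TRUE, ON, 1) are an assumption
# about rc.conf handling, not something the page states.
enabled_services() {
    awk -v q="'" '
        /^[ \t]*#/ { next }                    # commented-out line: disabled
        match($0, /^[ \t]*[A-Za-z0-9_]+_enable=/) {
            name = $0
            sub(/^[ \t]*/, "", name)
            sub(/_enable=.*/, "", name)
            val = substr($0, RLENGTH + 1)
            sub(/[ \t]*(#.*)?$/, "", val)      # drop trailing space and comment
            gsub("[\"" q "]", "", val)         # drop surrounding quotes
            state[name] = toupper(val)         # last assignment wins
        }
        END {
            for (n in state)
                if (state[n] ~ /^(YES|TRUE|ON|1)$/) print n
        }
    ' "$1" | sort
}

# service_enabled FILE NAME: exit status 0 only if NAME is enabled in FILE.
service_enabled() {
    enabled_services "$1" | grep -Fqx -- "$2"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
hostname="pcbsd-demo"
sshd_enable="YES"
sshd_enable="NO"        # later line wins, so SSH stays off
#cupsd_enable="YES"     # commented out, so disabled
pf_enable="YES"
fail2ban_enable=yes     # unquoted and lower case still counts
ntpd_enable="NO"
EOF

echo "Enabled at boot:"
enabled_services "$sample"
if service_enabled "$sample" sshd; then echo "sshd: enabled"; else echo "sshd: disabled"; fi
```

On a real system, /etc/defaults/rc.conf and /etc/rc.conf.local can also set these variables, so run the function over each file that applies.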

If you would like to learn more about security on FreeBSD/PC-BSD systems, man security is a good place to start. These resources provide more information about security on FreeBSD-based operating systems:

