SSHGuard on FreeBSD 11.0

SSHGuard is a service that automatically creates firewall rules to block the IP address of anyone trying to brute-force SSH on your server. IMO it is essential for any internet-facing server.

Unfortunately there is a bug in the current version (1.7.1) in ports, which will prevent the service from starting on FreeBSD 11.0:

ipfw: failed to request table info: No such process

SSHGuard is trying to reference an ipfw lookup table which has not yet been created. To fix this bug you need to create the table manually with:

/sbin/ipfw -q table 22 create

You should now be able to start the service.

My New FreeBSD Server Checklist

Below are the steps I take to personalise new FreeBSD servers which I run on my home network. The steps could easily be automated, I just don’t deploy new FreeBSD servers at home often enough to justify it.

# Update the base system:

$ freebsd-update fetch
$ freebsd-update install
# If the kernel was patched, don't forget to reboot:
$ shutdown -r now

# Schedule future security updates to be applied daily:

$ printf '@daily                                  root    freebsd-update cron\n' >> /etc/crontab

# Map the root account to your email address and send a test mail:

$ printf 'root: YOUR_EMAIL\n' >> /etc/aliases
$ newaliases
$ service sendmail restart
$ printf 'test\n' | mail -s "test message" root

# Set the timezone:

$ tzsetup

# Now the timezone is set, we need to enable the NTP daemon so that our server's time stays in sync. I use the default FreeBSD servers in /etc/ntp.conf:

$ printf 'ntpd_enable="YES"\nntpd_sync_on_start="YES"\n' >> /etc/rc.conf

# Now start the NTP daemon:

$ service ntpd start

# Configure the firewall to only allow SSH:

$ printf 'firewall_enable="YES"\nfirewall_quiet="YES"\nfirewall_type="workstation"\nfirewall_myservices="22/tcp"\nfirewall_allowservices="any"\nfirewall_logdeny="YES"\n' >> /etc/rc.conf

# Limit the number of logs per IP address, to prevent the logs filling up with traffic from a single persistent user:

$ printf 'net.inet.ip.fw.verbose_limit=5\n' >> /etc/sysctl.conf
$ sysctl net.inet.ip.fw.verbose_limit=5

# Start the firewall:

$ service ipfw start
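Appending to rc.conf with printf works, but re-running a step leaves duplicate keys, and a printf without a trailing '\n' glues the next setting onto the same line, where rc(8) will not see either of them. The helper below is an added example, not code from the original post (the file, key and value names are assumptions): it sets or replaces a key idempotently and always leaves the file newline-terminated. On a real FreeBSD box the stock sysrc(8) does the same job for rc.conf.

```shell
#!/bin/sh
# Idempotent KEY="VALUE" editing for rc.conf-style files (added example;
# file, key and value names below are assumptions, not from the post).

# set_conf_var FILE KEY VALUE: set KEY="VALUE", replacing an existing KEY= line.
# KEY is taken to be a plain rc.conf name ([A-Za-z0-9_]), so it is safe in the regex.
set_conf_var() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    {
        # grep terminates every line it prints with '\n', so a file whose
        # last line lacks one is repaired on the way through.
        [ -f "$file" ] && grep -v "^${key}=" "$file" || :
        printf '%s="%s"\n' "$key" "$value"
    } > "$tmp" && mv "$tmp" "$file"
}

# get_conf_var FILE KEY: print the value (quotes stripped) of the last KEY= line.
get_conf_var() {
    grep "^${2}=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# count_conf_var FILE KEY: number of KEY= lines; 0 or 1 after set_conf_var.
count_conf_var() {
    grep -c "^${2}=" "$1" 2>/dev/null || :
}

# Demo on a constructed scratch file (never touches the real /etc/rc.conf),
# applying the checklist's ntpd and firewall settings, one of them twice.
demo_rc_conf() {
    rc=$(mktemp) || return 1
    printf 'hostname="box.example"\nntpd_enable="NO"' > "$rc"   # no trailing newline
    set_conf_var "$rc" ntpd_enable YES
    set_conf_var "$rc" ntpd_sync_on_start YES
    set_conf_var "$rc" firewall_enable YES
    set_conf_var "$rc" firewall_type workstation
    set_conf_var "$rc" firewall_myservices 22/tcp
    set_conf_var "$rc" firewall_enable YES   # re-run: must not duplicate
    cat "$rc"
    rm -f "$rc"
}
```

Run `demo_rc_conf` to see the resulting file; every key appears exactly once and every line ends with a newline.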

# Install subversion using pkg and then pull down the ports tree:

$ pkg install subversion
$ svn checkout /usr/ports

# Install some tools I can’t live without:

$ cd /usr/ports/shells/zsh && make install clean
$ zsh
$ cd /usr/ports/*/vim-lite && make install clean
$ cd /usr/ports/*/git && make install clean
$ cd /usr/ports/*/screen && make install clean

# Change the default shell for your user to zsh. Note: be careful here, because a shell installed from ports can break or go missing during an upgrade and lock you out; if that concerns you, compile zsh statically and copy it into /bin/ instead. Otherwise, run this, and don't forget to change the username:

$ chsh -s /usr/local/bin/zsh YOUR_USER

# Alias vi -> vim because old habits die hard. We also want to set the variable WITHOUT_X11 to try to stop X11/graphical components finding their way onto our server:

$ printf 'alias vi=vim\nexport WITHOUT_X11=YES\n' >> ~/.zshrc

# Create a .vimrc file with mouse support disabled (who uses a mouse in vim?!) and with the background set to dark, so we don’t get dark blue comments:

$ printf 'set background=dark\nset mouse-=a\n' >> ~/.vimrc

# Install oh-my-zsh, a handy tool for enhancing your zsh command-line experience.

$ sh -c "$(curl -fsSL"

# Change the theme and plugins for oh-my-zsh:

$ sed -i .bak -e 's/^ZSH_THEME=".*"/ZSH_THEME="pygmalion"/' -e 's/^plugins=(.*)/plugins=(git screen nyan vi-mode)/' "$HOME/.zshrc"

That’s about it to get what I consider my ‘baseline’.