comparison·2026-04-09·11 min read

Best Security Tools for FreeBSD

Compare the best security tools for FreeBSD: vulnerability scanning, IDS/IPS, file integrity, antivirus, and auditing. Suricata, ClamAV, Nmap, AIDE, rkhunter, and more.

FreeBSD has strong built-in security features: jails for isolation, Capsicum for capability-mode sandboxing, pf for firewalling, and a security team that takes vulnerabilities seriously. But built-in features are not enough for defense in depth. You need additional tools for intrusion detection, vulnerability scanning, file integrity monitoring, and audit logging.

This guide covers the best security tools available on FreeBSD across six categories: network IDS/IPS, vulnerability scanning, file integrity monitoring, rootkit detection, antivirus, and security auditing. Each tool is evaluated for its FreeBSD compatibility, effectiveness, and operational overhead.

TL;DR -- Quick Verdict

| Category | Recommended Tool | Alternative |
|---|---|---|
| Network IDS/IPS | Suricata | Snort 3 |
| Vulnerability scanner | Nmap + OpenVAS | Nessus (commercial) |
| File integrity | AIDE | OSSEC/Wazuh |
| Rootkit detection | rkhunter | chkrootkit |
| Antivirus | ClamAV | -- |
| Security audit | Lynis | OpenSCAP |
| Log analysis | OSSEC/Wazuh | Fail2ban |
| Firewall | pf (base system) | ipfw (base system) |

Security Tool Comparison Matrix

| Tool | Package | Category | Resource Usage | Config Complexity | FreeBSD Support |
|---|---|---|---|---|---|
| Suricata | security/suricata | IDS/IPS | High | Medium | Excellent |
| Snort 3 | security/snort3 | IDS/IPS | High | Medium-High | Good |
| Nmap | security/nmap | Scanner | Low | Low | Excellent |
| OpenVAS | security/openvas | Vuln scanner | High | High | Good |
| AIDE | security/aide | File integrity | Low | Low | Excellent |
| OSSEC | security/ossec-hids-local | HIDS | Medium | Medium | Good |
| Wazuh | security/wazuh-agent | HIDS/SIEM | Medium | Medium | Good |
| rkhunter | security/rkhunter | Rootkit detection | Low | Low | Excellent |
| chkrootkit | security/chkrootkit | Rootkit detection | Low | Low | Excellent |
| ClamAV | security/clamav | Antivirus | Medium-High | Low | Excellent |
| Lynis | security/lynis | Audit | Low | None | Excellent |
| Fail2ban | security/py-fail2ban | Brute-force protection | Low | Low | Good |

Network Intrusion Detection: Suricata and Snort

A network IDS/IPS monitors network traffic for malicious activity. Both Suricata and Snort run well on FreeBSD.

For a detailed comparison, see our Suricata vs Snort on FreeBSD guide.

Suricata

Suricata is the recommended IDS/IPS for FreeBSD. It is multi-threaded, supports Snort-compatible rules, and has excellent FreeBSD integration.

```sh
# Install Suricata
pkg install suricata

# Enable Suricata
sysrc suricata_enable="YES"
sysrc suricata_interface="em0"

# Update rules (ET Open ruleset)
suricata-update

# Start Suricata
service suricata start

# Check the fast log for alerts
tail -f /var/log/suricata/fast.log
```

Key advantages over Snort on FreeBSD:

  • Multi-threaded architecture uses all CPU cores.
  • Native JSON (EVE) logging for easy integration with ELK/Splunk.
  • Built-in file extraction and protocol detection.
  • Active development with frequent releases.

Snort 3

Snort 3 is the latest version of the venerable Snort IDS. It is a complete rewrite with a modern architecture.

```sh
# Install Snort 3
pkg install snort3

# Basic test run
snort -c /usr/local/etc/snort/snort.lua -i em0 -A alert_fast
```

Snort 3 has improved significantly over Snort 2, but Suricata remains the better choice for FreeBSD due to its more mature multi-threading and better FreeBSD-specific documentation.

Vulnerability Scanning

Nmap

Nmap is essential for network reconnaissance and security auditing. Every FreeBSD administrator should have it installed.

```sh
# Install Nmap
pkg install nmap

# Basic port scan
nmap -sV -sC -O target-host

# Full TCP scan with service detection
nmap -sS -sV -p- -A target-host

# Scan your own network for open services
nmap -sV -sC 192.168.1.0/24

# Check for common vulnerabilities
nmap --script vuln target-host

# UDP scan (slow but important)
nmap -sU --top-ports 100 target-host
```

Nmap scripts (--script) extend functionality enormously. The NSE (Nmap Scripting Engine) includes scripts for:

  • SSL/TLS vulnerability testing (ssl-enum-ciphers, ssl-heartbleed)
  • HTTP enumeration (http-enum, http-headers)
  • SMB vulnerabilities (smb-vuln-ms17-010)
  • DNS enumeration (dns-brute, dns-zone-transfer)

OpenVAS (Greenbone Vulnerability Management)

OpenVAS is a full-featured vulnerability scanner. It is resource-intensive but provides comprehensive vulnerability assessment.

```sh
# Install OpenVAS
pkg install openvas

# Initial setup (downloads vulnerability database -- takes a while)
greenbone-nvt-sync
greenbone-scapdata-sync
greenbone-certdata-sync

# Start services
service openvas-scanner start
service openvas-manager start
service gsad start
```

OpenVAS is best run on a dedicated scanning system. It is not something you install on every server -- it scans remote targets.

File Integrity Monitoring

File integrity monitoring (FIM) detects unauthorized changes to system files. This is critical for detecting compromises where an attacker modifies binaries, configuration files, or libraries.

AIDE (Advanced Intrusion Detection Environment)

AIDE is a lightweight file integrity checker that creates a database of file checksums and attributes, then alerts on changes.

```sh
# Install AIDE
pkg install aide

# Configure AIDE
# Edit /usr/local/etc/aide.conf
```

Example /usr/local/etc/aide.conf:

```sh
# AIDE configuration for FreeBSD
database_in=file:/var/db/aide/aide.db
database_out=file:/var/db/aide/aide.db.new
database_new=file:/var/db/aide/aide.db.new

# Define check groups
NORMAL = p+i+n+u+g+s+b+m+c+sha256
DIR = p+i+n+u+g
LOG = p+u+g

# Monitor critical paths
/etc NORMAL
/usr/local/etc NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
/usr/local/bin NORMAL
/usr/local/sbin NORMAL
/boot NORMAL

# Exclude log files and temp
!/var/log
!/tmp
!/var/tmp
!/var/run
```

```sh
# Initialize the AIDE database (run after initial system setup)
aide --init
mv /var/db/aide/aide.db.new /var/db/aide/aide.db

# Check for changes
aide --check

# Update database after legitimate changes
aide --update
mv /var/db/aide/aide.db.new /var/db/aide/aide.db
```

Automate daily checks via cron:

```sh
# /etc/crontab
0 3 * * * root /usr/local/bin/aide --check | mail -s "AIDE report $(hostname)" admin@example.com
```
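
The cron line above mails a report every day whether or not anything changed. The wrapper below is an added example, not part of the original guide: it decodes AIDE's exit status (1 = new files, 2 = removed, 4 = changed, 14 and above = AIDE error) and mails only when there is something to look at. It assumes AIDE from security/aide in /usr/local/bin, mail(1) from the base system, and a placeholder recipient; the script name aide-cron.sh is an assumption.

```sh
#!/bin/sh
# aide-cron.sh (assumed name): run "aide --check" from cron and mail the
# report only when AIDE found a difference or failed to run.
# Assumes AIDE from security/aide in /usr/local/bin and mail(1).

AIDE=/usr/local/bin/aide
MAILTO=admin@example.com    # placeholder recipient

# Translate AIDE's exit status into a short description.
# Status bits: 1 = new files, 2 = removed files, 4 = changed files
# (combinations are sums, e.g. 7); 14 and above signal an AIDE error.
aide_status_text() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "error (exit $code)"
        return 0
    fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="${out}new files, "; fi
    if [ $((code & 2)) -ne 0 ]; then out="${out}removed files, "; fi
    if [ $((code & 4)) -ne 0 ]; then out="${out}changed files, "; fi
    echo "${out%, }"           # strip the trailing separator
}

# True (exit 0) when a run with this status deserves an e-mail.
aide_needs_report() {
    [ "$1" -ne 0 ]
}

run_check() {
    # Capture the report and the exit status in one step
    if report=$("$AIDE" --check 2>&1); then rc=0; else rc=$?; fi
    summary=$(aide_status_text "$rc")
    if aide_needs_report "$rc"; then
        printf '%s\n' "$report" | mail -s "AIDE $(hostname): $summary" "$MAILTO"
    fi
    echo "aide: $summary"
}

# Called as "aide-cron.sh check" from /etc/crontab; without the argument
# the script only defines the functions above.
case "${1:-}" in
    check) run_check ;;
esac
```

Replace the crontab command with `/usr/local/bin/aide-cron.sh check`; because cron mails any output, the one-line summary still arrives daily while the full report only arrives on a finding.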

OSSEC / Wazuh

OSSEC is a host-based intrusion detection system (HIDS) that combines file integrity monitoring, log analysis, rootkit detection, and active response. Wazuh is a fork of OSSEC with a modern web UI, API, and better scalability.

```sh
# Install OSSEC (local mode -- single server)
pkg install ossec-hids-local

# Or install Wazuh agent (for central management)
pkg install wazuh-agent
```

OSSEC/Wazuh is more comprehensive than AIDE alone but requires more resources and configuration. Use OSSEC/Wazuh when you need centralized security monitoring across multiple FreeBSD servers.

| Feature | AIDE | OSSEC | Wazuh |
|---|---|---|---|
| File integrity | Yes | Yes | Yes |
| Log analysis | No | Yes | Yes |
| Active response | No | Yes | Yes |
| Rootkit detection | No | Yes | Yes |
| Central management | No | Yes (server mode) | Yes (with manager) |
| Web UI | No | No (third-party) | Yes (built-in) |
| Resource usage | Very low | Medium | Medium |

Rootkit Detection

rkhunter

rkhunter (Rootkit Hunter) scans for rootkits, backdoors, and local exploits.

```sh
# Install rkhunter
pkg install rkhunter

# Update database
rkhunter --update

# Set baseline properties
rkhunter --propupd

# Run a check
rkhunter --check --skip-keypress

# Automate daily scan
# /etc/crontab
0 4 * * * root /usr/local/bin/rkhunter --check --skip-keypress --report-warnings-only | mail -s "rkhunter $(hostname)" admin@example.com
```

chkrootkit

chkrootkit is a simpler rootkit checker that looks for known rootkit signatures in system binaries.

```sh
# Install chkrootkit
pkg install chkrootkit

# Run a check
chkrootkit
```

Recommendation: Run both rkhunter and chkrootkit. They use different detection methods and catch different things. Neither is a replacement for file integrity monitoring (AIDE/OSSEC).

Antivirus: ClamAV

ClamAV is the primary open-source antivirus for FreeBSD. It is most useful for scanning email attachments, file uploads, and shared storage rather than real-time system protection.

```sh
# Install ClamAV
pkg install clamav

# Enable services
sysrc clamav_clamd_enable="YES"
sysrc clamav_freshclam_enable="YES"

# Update virus signatures
freshclam

# Start services
service clamav-freshclam start
service clamav-clamd start

# Scan a directory
clamscan -r /home --infected --remove=no

# Scan with the daemon (faster for repeated scans)
clamdscan /home
```

ClamAV uses approximately 500-800 MB of RAM for its signature database. On memory-constrained systems, consider running scans periodically with clamscan instead of keeping clamd resident.

Security Auditing: Lynis

Lynis performs a comprehensive security audit of your FreeBSD system. It checks hardening, configuration, installed software, and suggests improvements.

```sh
# Install Lynis
pkg install lynis

# Run a full audit
lynis audit system

# Run with specific profile
lynis audit system --profile /usr/local/etc/lynis/custom.prf

# Generate a report
lynis audit system --report-file /var/log/lynis-report.dat
```

Lynis checks hundreds of items including:

  • Boot loader security
  • Kernel hardening (securelevel, sysctl)
  • Authentication and password policies
  • File permissions
  • Network configuration
  • Firewall rules (pf/ipfw)
  • Software vulnerabilities (via pkg audit)
  • SSH configuration
  • NTP synchronization
  • Logging configuration

Run Lynis after initial server setup and periodically (monthly) to catch configuration drift.

Brute-Force Protection: Fail2ban

Fail2ban monitors log files and bans IPs that show malicious behavior (failed SSH logins, web server probes, etc.).

```sh
# Install Fail2ban
pkg install py311-fail2ban

# Enable Fail2ban
sysrc fail2ban_enable="YES"
```

Configure /usr/local/etc/fail2ban/jail.local:

sh
[DEFAULT] bantime = 3600 findtime = 600 maxretry = 3 banaction = pf [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [pf] # Fail2ban uses pf tables on FreeBSD actionban = /sbin/pfctl -t fail2ban -T add <ip> actionunban = /sbin/pfctl -t fail2ban -T delete <ip>

Add the fail2ban table to /etc/pf.conf:

```sh
table <fail2ban> persist
block quick from <fail2ban>
```

Note: FreeBSD's built-in pf can also do rate limiting and brute-force protection natively using max-src-conn-rate. Fail2ban adds log-based intelligence on top.
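
The native pf rate limiting mentioned in the note, as an added example rather than the guide's own ruleset: it assumes the external interface is em0 and SSH on the default port, and it needs no Fail2ban at all.

```pf
# Added to /etc/pf.conf; the block rule must precede the pass rule
ext_if = "em0"

# Sources that exceed the limits below land in this table and stay
# blocked until removed (see the usage note for an expiry cron job)
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>

# Allow SSH, but per source address at most 10 concurrent connections
# and at most 5 new connections per 60 seconds; an offender is added to
# <bruteforce> and all of its existing states are killed
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; a daily `pfctl -t bruteforce -T expire 86400` in /etc/crontab releases entries older than a day.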

Built-in FreeBSD Security Features

Do not overlook what FreeBSD provides out of the box:

| Feature | Description | Configuration |
|---|---|---|
| pf firewall | Packet filter from OpenBSD | /etc/pf.conf |
| Jails | OS-level virtualization/isolation | jail.conf |
| Capsicum | Capability-mode sandboxing | Application-level |
| Securelevel | Kernel security level | kern.securelevel |
| pkg audit | Vulnerability check for installed packages | pkg audit -F |
| freebsd-update | Binary security patches | freebsd-update fetch install |
| security/portaudit | Port vulnerability database | pkg install portaudit |

```sh
# Check installed packages for known vulnerabilities
pkg audit -F

# Apply security patches
freebsd-update fetch install

# Set kernel securelevel (in /etc/rc.conf)
sysrc kern_securelevel_enable="YES"
sysrc kern_securelevel="1"
```

For a production FreeBSD server, implement these layers:

  1. Firewall: pf with strict default-deny rules.
  2. SSH hardening: Key-only auth, non-standard port, Fail2ban.
  3. File integrity: AIDE with daily checks and emailed reports.
  4. Rootkit detection: rkhunter weekly.
  5. Vulnerability scanning: pkg audit -F daily, Nmap monthly.
  6. IDS/IPS: Suricata if the server handles significant network traffic.
  7. Security audit: Lynis monthly.
  8. Log monitoring: OSSEC or centralized logging.
  9. Updates: freebsd-update cron for automated security patch checks.

```sh
#!/bin/sh
# Daily security check script (/usr/local/bin/daily-security.sh)
# The "#!/bin/sh" line must be the first line of the file.

echo "=== Package Vulnerability Audit ==="
pkg audit -F

echo "=== AIDE File Integrity Check ==="
/usr/local/bin/aide --check

echo "=== Recent Failed SSH Logins (last 20) ==="
grep "Failed password" /var/log/auth.log | tail -20

echo "=== Listening Services ==="
sockstat -l4

echo "=== Disk Usage ==="
df -h

echo "=== Fetched Patches Pending Install ==="
# updatesready exits 0 only when "freebsd-update cron" or "fetch" has
# already downloaded patches that are not yet installed
freebsd-update updatesready && echo "Updates available" || echo "No fetched updates pending install"
```

FAQ

What is the most important security tool to install first on FreeBSD?

Lynis. Run it immediately after installation to identify hardening gaps. Then address its findings before deploying other tools. After that, set up AIDE for file integrity monitoring and Fail2ban for SSH protection.

Does FreeBSD need antivirus?

For the system itself, generally no -- FreeBSD malware is rare. ClamAV is useful for scanning files that pass through the system: email attachments, file uploads, shared storage accessed by Windows/macOS clients. If your FreeBSD server handles any user-uploaded content, install ClamAV.

Is Suricata or Snort better for FreeBSD?

Suricata. It has better multi-threading, native JSON logging, and stronger FreeBSD integration. Snort 3 has improved but Suricata remains the community standard for FreeBSD IDS/IPS.

How do I keep FreeBSD secure with minimal effort?

Three things: (1) Run freebsd-update cron to automatically check for security patches. (2) Run pkg audit -F daily to check for vulnerable packages. (3) Configure pf with default-deny rules and SSH key-only authentication. These three measures cover the most common attack vectors.

Should I use AIDE or OSSEC for file integrity monitoring?

AIDE if you only need file integrity monitoring on a single server. OSSEC/Wazuh if you need centralized monitoring across multiple servers, log analysis, and active response. AIDE is simpler; OSSEC is more comprehensive.

How do I harden SSH on FreeBSD?

Edit /etc/ssh/sshd_config:

```sh
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers yourusername
Port 2222
```

Then add Fail2ban or use pf rate limiting for the SSH port. Use Ed25519 keys for authentication.

What is FreeBSD's securelevel and should I use it?

Securelevel is a kernel security mechanism that restricts certain operations even for root. Level 1 prevents loading kernel modules, changing firewall rules, and modifying immutable files. Level 2 adds restrictions on raw disk access. Use securelevel 1 on production servers that do not need frequent configuration changes. It adds a meaningful layer of protection against compromised root accounts.
