Securing FreeBSD with Ansible

My preferred server OS is FreeBSD. Each time I install it, I have to go through numerous steps to secure it. So, to avoid that effort, and to make sure I get it right each time, I've created an Ansible playbook to automate the entire process. You can learn about it here. Some of the tasks it completes include:

  • Making key files accessible only by root
  • Network hardening including blackhole
  • pf firewall
  • Disabling inetd and NFS
  • sendmail in queue mode
  • Clearing /tmp on reboot
  • Firewalling IP6
  • ALSR, PIE and WX
  • Restricting cron configurations to root
  • Kernel securelevel 2
  • Blowfish password encryption
  • node_exporter enabled


fbsd-secured is provided as-is. fbsd-secured is intended as an example of configurations which may, or may not, improve the security posture of FreeBSD systems. The author does not accept any responsibility for damages caused by the use of these configurations. Any user using these configuration should do their own research and must take full accountability for potential risk and/or damages resulting from using them

Leave a Reply