Securing Your VPS: Firewall and SSH Hardening

bullet Introduction

A server on the public Internet is probed constantly. The good news is that a few well-understood measures stop the overwhelming majority of attacks: stay patched, run a firewall, harden SSH, and block repeat offenders. This page covers each on FreeBSD 15 and Rocky Linux 10. It complements the day-to-day routines on Server Maintenance.

 

bullet Stay Patched

Most compromises exploit known, already-fixed bugs, so keeping software current is the highest-value thing you do.

On FreeBSD 15, update the base system and packages separately:

# freebsd-update fetch && freebsd-update install   # base system
# pkg update && pkg upgrade                           # packages
# pkg audit -F                                         # flag installed packages with known vulnerabilities

On Rocky Linux 10, dnf handles everything:

# dnf upgrade --security    # install only security fixes
# dnf upgrade               # install all available updates

You can automate updates — a cron job on FreeBSD, or dnf-automatic on Rocky Linux.

 

bullet The Firewall

A firewall blocks everything except the ports you intend to expose. FreeBSD uses pf; Rocky Linux uses firewalld.

FreeBSD (pf) — write a ruleset in /etc/pf.conf (default block, then allow SSH, web, and mail), then enable it:

# sysrc pf_enable=YES
# service pf start
# pfctl -sr               # show the active rules

Rocky Linux (firewalld) — allow services by name and reload:

# firewall-cmd --permanent --add-service=ssh
# firewall-cmd --permanent --add-service=http --add-service=https
# firewall-cmd --permanent --add-service=smtp --add-service=smtp-submission
# firewall-cmd --permanent --add-service=imaps --add-service=pop3s
# firewall-cmd --reload
# firewall-cmd --list-all     # confirm what is now allowed

Restrict administrative services such as Webmin (port 10000) to your own address rather than the whole Internet.
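The ruleset the FreeBSD paragraph describes (default block, then SSH, web and mail), with the Webmin restriction from the line above, written out as an added example; it is not GSP's own /etc/pf.conf. It assumes vtnet0 is the public interface and 198.51.100.7 is your own address, and the f2b anchor assumes fail2ban's stock pf action, which the Block Repeat Offenders section relies on.

```pf
# /etc/pf.conf: added example ruleset, not GSP's own configuration.
# Assumptions (change for your VPS): vtnet0 is the public interface and
# 198.51.100.7 is the administrator's own address (a documentation prefix).
ext_if   = "vtnet0"
admin_ip = "198.51.100.7"

# Ports open to the whole Internet: SSH, web, and mail (delivery, submission, retrieval)
public_tcp = "{ ssh, http, https, smtp, submission, imaps, pop3s }"

# Don't filter loopback; drop silently instead of answering scanners with RSTs
set skip on lo0
set block-policy drop

# Reassemble fragments before they reach the filter
scrub in on $ext_if all fragment reassemble

# Default deny: inbound traffic that no later rule passes is logged and dropped
block in log all

# Everything outbound is allowed; state lets the replies back in
pass out quick on $ext_if keep state

# Keep ping and path-MTU discovery working
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach }

# Public services, stateful; "to ($ext_if)" follows the interface address
pass in on $ext_if proto tcp to ($ext_if) port $public_tcp keep state

# Webmin only from the administrator's address, never from the Internet at large
pass in on $ext_if proto tcp from $admin_ip to ($ext_if) port 10000 keep state

# fail2ban's stock pf action loads its ban tables and "block quick" rules into
# an anchor named f2b/<jail>; without this line bans are never enforced. It sits
# after the pass rules so that, with pf's last-match evaluation, a ban always wins.
anchor "f2b/*"

# Check syntax before loading (pfctl -nf /etc/pf.conf), then pfctl -f /etc/pf.conf
```

Once the syntax check passes, the service pf start and pfctl -sr steps above apply unchanged.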

 

bullet Harden SSH

Switch from passwords to key-based authentication: generate a key pair on your own computer with ssh-keygen, copy the public half to the VPS (ssh-copy-id, or append it to ~/.ssh/authorized_keys), and confirm you can log in with the key. Then disable password authentication so guessing attacks have nothing to guess. On both systems this is a setting in the SSH daemon's configuration:

PasswordAuthentication no
PermitRootLogin no

Restart SSH afterward (service sshd restart / systemctl restart sshd). Keep your existing session open and test a new login in a second window before you close it, so a mistake can't lock you out.

 

bullet Block Repeat Offenders

fail2ban watches your logs and temporarily bans addresses that fail to log in too many times. It works on both systems (FreeBSD enforces bans through pf; Rocky Linux through firewalld):

FreeBSD:
# pkg install py311-fail2ban          # then enable the fail2ban service

Rocky Linux:
# dnf install fail2ban fail2ban-firewalld
# systemctl enable --now fail2ban

Either system, once running:
# fail2ban-client status sshd                       # jail status, including currently banned IPs
# fail2ban-client set sshd unbanip 203.0.113.99     # release one address

TIP: Always whitelist your own address(es) in fail2ban's jail.local so you can never lock yourself out. On Rocky Linux, leave SELinux in enforcing mode — it is a powerful extra layer; sealert explains any denial in plain English and suggests a fix.

 

Copyright © 1994-2026 GSP Services, Inc.