HeadlinesBriefing.com

FreeBSD Security Hardening Guide Exposes Default Flaws

Hacker News

A sysadmin has published a comprehensive guide documenting the security hardening steps needed after a vanilla FreeBSD install, arguing that the operating system's default configuration prioritizes backward compatibility over user security. The guide catalogs years of FreeBSD decisions to keep outdated or insecure configurations in its base system.

FreeBSD's approach to OpenSSH exemplifies this pattern. The project carried the out-of-tree HPN-SSH patchset in its base system for years, re-enabled tcp_wrappers support after upstream OpenSSH dropped it (in 6.7), and repeatedly re-enabled legacy ciphers for compatibility. The author counts at least six security advisories tied specifically to FreeBSD's OpenSSH modifications, including FreeBSD-SA-14:24.sshd and FreeBSD-SA-16:14.openssh.

The Sendmail mail transfer agent presents similar issues. FreeBSD still ships Sendmail by default despite the project acknowledging in 1996 that it has "a rather poor reputation for security related problems." The project has since published at least seven Sendmail-related security advisories, and the author notes that FreeBSD sometimes imports Sendmail updates "with no mention of the included security fixes."

The guide recommends installing OpenSSH from ports with all FreeBSD-specific options disabled, and provides configuration snippets to revert the risky local changes in sshd_config. For most users, the author argues, these non-standard patches add complexity and attack surface without meaningful benefit.
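The audit-and-revert step described above, as an added example that is not the guide's own snippet nor FreeBSD code. It assumes an sshd_config that may carry HPN-SSH keywords (HPNDisabled, HPNBufferSize, TcpRcvBufPoll, NoneEnabled, NoneMacEnabled), a Ciphers line listing legacy arcfour or CBC algorithms, and a FreeBSD-style VersionAddendum; which of these a given FreeBSD release actually sets is an assumption here, and the sample config is constructed for the demo. The script flags those directives and writes a copy with them removed so that upstream OpenSSH defaults apply.

```shell
#!/bin/sh
# Added example: audit an sshd_config for FreeBSD/HPN-specific directives and
# produce a hardened copy. Not from the guide or the FreeBSD project.
# Keyword list is an assumption based on HPN-SSH and legacy cipher names.

# audit_sshd_config FILE
# Prints findings; returns 1 if any were found, 0 if the file looks clean.
audit_sshd_config() {
    cfg="$1"
    rc=0
    # HPN-SSH keywords: a stock upstream sshd rejects them as bad options.
    if grep -Eiq '^[[:space:]]*(HPNDisabled|HPNBufferSize|TcpRcvBufPoll|NoneEnabled|NoneMacEnabled)[[:space:]]' "$cfg"; then
        echo "FINDING: HPN-SSH directive present in $cfg"
        rc=1
    fi
    # Explicit Ciphers line re-enabling legacy algorithms.
    if grep -Ei '^[[:space:]]*Ciphers[[:space:]]' "$cfg" \
        | grep -Eiq '(arcfour|3des-cbc|blowfish-cbc|cast128-cbc|aes(128|192|256)-cbc)'; then
        echo "FINDING: legacy cipher enabled in $cfg"
        rc=1
    fi
    # VersionAddendum other than "none" advertises OS and patch level in the banner.
    if grep -Ei '^[[:space:]]*VersionAddendum[[:space:]]' "$cfg" \
        | grep -Eivq '[[:space:]]none[[:space:]]*$'; then
        echo "FINDING: VersionAddendum set in $cfg"
        rc=1
    fi
    return $rc
}

# harden_sshd_config IN OUT
# Copies IN to OUT with HPN keywords dropped, any Ciphers line commented out
# (so the upstream default cipher list applies), and VersionAddendum forced to none.
# Matching is case-sensitive on the canonical keyword spelling (sed portability).
harden_sshd_config() {
    in="$1"
    out="$2"
    sed -E \
        -e '/^[[:space:]]*(HPNDisabled|HPNBufferSize|TcpRcvBufPoll|NoneEnabled|NoneMacEnabled)[[:space:]]/d' \
        -e '/^[[:space:]]*Ciphers[[:space:]]/s/^/# reverted (upstream default applies): /' \
        -e '/^[[:space:]]*VersionAddendum[[:space:]]/d' \
        "$in" > "$out"
    printf 'VersionAddendum none\n' >> "$out"
}

# Demo on a constructed sample (not a real FreeBSD sshd_config).
demo_in=$(mktemp)
demo_out=$(mktemp)
printf 'HPNDisabled no\nCiphers aes128-cbc,arcfour,aes256-ctr\nVersionAddendum FreeBSD-20200214\nPermitRootLogin no\n' > "$demo_in"
if audit_sshd_config "$demo_in"; then
    echo "sample config looks clean"
else
    harden_sshd_config "$demo_in" "$demo_out"
    echo "--- hardened copy ---"
    cat "$demo_out"
fi
rm -f "$demo_in" "$demo_out"
```

Before deploying the rewritten file, validate it against the sshd you actually run with `sshd -t -f /path/to/new_config`, and inspect the effective values with `sshd -T -f /path/to/new_config`; on FreeBSD the ports build is security/openssh-portable, and a config accepted by the base sshd but rejected by the ports build is itself a sign of a leftover local extension.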