Install FreeBSD, secure ssh, and set up DNS

© 2026 Gregory D. Weber

Activities of December 4, 2024. Published March 18, 2026.

I create a new server on Hetzner Cloud, install FreeBSD, secure ssh, and set DNS records. The first thing I should do after installing the OS is to secure ssh, so that crackers, also called hackers, cannot log in by guessing a password.

Create the server

Using my Hetzner Cloud console, I created a CPX11 server (2 AMD VCPUs, 2 GB RAM, 40 GB SSD, 1 TB/month data out) at Hetzner’s Ashburn, Virginia data center.

For this server and its IPv4 address, Hetzner will charge me $5.59 per month, or $0.009 per hour.

The server name in their control panel is main.gdweber.org

Public addresses are 5.161.46.252 and 2a01:4ff:f0:da52::/64

On my desktop computer at home, I edit ~/.ssh/config to provide nicknames for this host with these addresses. I will need these nicknames until I can set up DNS records for the server.

Install FreeBSD

Using the Hetzner control panel, I attached the ISO which they provide for FreeBSD 14.1 and rebooted the server.

I then followed the prompts in the FreeBSD installation procedure with these options:

Being in the wheel group allows me to become root with su -.

There might be some risk in using the same password for root and MY-USER-NAME, but since I won’t be using passwords to log in, I’ll accept that for the convenience.

I then dropped into a shell to check on network configuration. ifconfig reports the public IPv4 address above, 5.161.46.252, but a different IPv6 address from 2a01:4ff:f0:da52::/64, and none of the 185. addresses from DHCP.

I rebooted and then realized that I should have first detached the ISO. At the console I see lots of messages “vm_fault: pager read error, pid 1 (init)”. I had to power off the server, hard.

After removing the ISO I rebooted again, then tested a couple of things:

  1. I ping the server at its IPv4 address, from my desktop at home. It responds.

  2. I try to log in as root via ssh; it is denied. That is what I want.

  3. I try to log in via ssh using my (non-root) user name with password; that succeeds. That is what I expected, but not what I want.

    Passwords are too insecure; there are many crackers (“hackers”) out there trying to guess them. They are worse than flies in a Minnesota summer, worse than mosquitoes in an Indiana woods! After installing the operating system, the first thing any system administrator needs to do, if the system is open to the internet, is secure ssh so that it requires a key pair to get in.

Secure ssh

I have already created a keypair for openssh. On the server, I add my public key to /root/.ssh/authorized_keys and to /home/MY-USER-NAME/.ssh/authorized_keys .

On the server, I edit /etc/ssh/sshd_config, making these changes incrementally and testing after each:

PubkeyAuthentication yes

Reload the ssh service (service sshd reload), test to see if public key authentication works: it does.

PermitRootLogin yes

Reload the ssh service and test: root login works.

PasswordAuthentication no

Hm, this line was commented out, but isn’t the default no? And it was accepting passwords!

Ah, I have to do this:

PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

I’m not sure why UsePAM has to be yes, but that’s what it says in the FreeBSD Forums article sshd “PasswordAuthentication no” has no effect.

I test this: it works, but I’d like to know why I should say UsePAM yes. Concerned about crackers attempting a root login, I go back to

PermitRootLogin no

I reload and test: okay, I cannot log in as root. Instead of ssh direct to root, I will log in as MY-USER-NAME and then su - to become root.
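
An added example, not part of the original post: a small sh function that checks the effective sshd settings, in the "keyword value" form that sshd -T prints, against the end state reached above. The function name audit_sshd and both sample inputs are constructed for illustration; the "before" sample assumes KbdInteractiveAuthentication was still yes when PasswordAuthentication no seemed to have no effect.

```sh
#!/bin/sh
# Added example; not part of the original post.
# audit_sshd reads "keyword value" lines, as printed by `sshd -T`, on stdin
# and reports each setting that differs from the end state the post reaches.
# Exit status is 0 only when every check passes.
audit_sshd() {
    awk '
        BEGIN {
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["permitrootlogin"] = "no"
        }
        { key = tolower($1); if (key in want) seen[key] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s (expected %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: only PasswordAuthentication was changed, so the
# keyboard-interactive path (assumed still at "yes") keeps taking passwords.
sample_before() {
    printf '%s\n' 'pubkeyauthentication yes' 'permitrootlogin yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication yes' 'usepam yes'
}

# Constructed sample: the final settings listed in the post.
sample_after() {
    printf '%s\n' 'pubkeyauthentication yes' 'permitrootlogin no' \
        'passwordauthentication no' 'kbdinteractiveauthentication no' 'usepam yes'
}

echo "before:"; sample_before | audit_sshd || echo "-> not locked down"
echo "after:";  sample_after  | audit_sshd && echo "-> key-only, no root login"
# On the server itself (as root): sshd -T | audit_sshd
```

Checking the effective configuration this way catches the case seen above, where the edited line looks right but another authentication method still accepts passwords.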

Setting up DNS for IPv4

At my domain name registrar, Porkbun, I use their web tool to add an A record with Host blank and Answer 5.161.46.252.

It looks a little bit like this:

Type Host           Answer          TTL
A    gdweber.org    5.161.46.252    600

Testing: ssh gdweber.org works.

For the time being, I will not do anything with IPv6. Although really, I wish I could do everything with IPv6. It’s time for IPv4 to die!