diff --git a/FreeBSD-OpenSSH-Hardening-Guides.md b/FreeBSD-OpenSSH-Hardening-Guides.md
new file mode 100644
index 0000000..2ae3aa1
--- /dev/null
+++ b/FreeBSD-OpenSSH-Hardening-Guides.md
@@ -0,0 +1,240 @@
+> **Note**
+>
+> Taken from: https://github.com/bsdlabs/ssh-hardening
+
+# Server
+
+## Backup ssh config, install ssh-audit
+
+ sudo -s # we need root for most of this
+ cp -a /etc/ssh /etc/ssh.bak # backup ssh config just in case
+ pkg install -y security/py-ssh-audit # install ssh-audit (you can make intall if you like)
+
+## Enable and start sshd, then run ssh-audit, saving the output
+
+ service sshd enable
+ service sshd start
+ uname -a > ssh-audit.out
+ echo "# before hardening" >> ssh-audit.out
+ ssh-audit --no-colors localhost >> ssh-audit.out || true
+
+## Remove existing key-pairs, disable DSA & ECDSA
+
+ rm -f /etc/ssh/ssh_host_*
+ sysrc sshd_dsa_enable="no"
+ sysrc sshd_ecdsa_enable="no"
+ sysrc sshd_ed25519_enable="yes"
+ sysrc sshd_rsa_enable="yes"
+
+## Regenerate RSA and Ed25519 keys
+
+ ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+ ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+
+## Remove Diffie-Hellman moduli smaller than 3071
+
+ awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+ mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+## Restrict supported key exchange, cipher, and MAC algorithms
+
+ printf "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com\n" >> /etc/ssh/sshd_config
+
+## Restart sshd and run ssh-audit again, appending output
+
+ service sshd restart
+ echo "# after hardening" >> ssh-audit.out
+ ssh-audit --no-colors localhost >> ssh-audit.out
+
+
+ Send (pastebin) the contents of ssh-audit.out
+
+```
+FreeBSD cirrus-task-0000000000000000 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n262122-2ef2c26f3f13: Thu Apr 13 12:00:00 UTC 2023 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
+# before hardening
+# general
+(gen) banner: SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
+(gen) software: OpenSSH 9.3 running on FreeBSD (2023-03-16)
+(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 4.4
+ `- [info] A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+
+# host-key algorithms
+(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256://vc4mr/g2BTKIdK3NERXkgPB2N3eUWu1w9ogRzl+jU
+(fin) ssh-rsa: SHA256:LTh9CSdUlWAIEENm9zuouPcLYS3Z2gfGVvarLy2Hrcs
+
+# algorithm recommendations (for OpenSSH 9.3)
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
+(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
+(rec) -hmac-sha1 -- mac algorithm to remove
+(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
+(rec) -hmac-sha2-256 -- mac algorithm to remove
+(rec) -hmac-sha2-512 -- mac algorithm to remove
+(rec) -umac-128@openssh.com -- mac algorithm to remove
+(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
+(rec) -umac-64@openssh.com -- mac algorithm to remove
+
+# additional info
+(nfo) For hardening guides on common OSes, please see:
+
+# after hardening
+# general
+(gen) banner: SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
+(gen) software: OpenSSH 9.3 running on FreeBSD (2023-03-16)
+(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 4.4
+ `- [info] A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)
+
+# host-key algorithms
+(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:fadjjnDRlCNwjheWnNP0MwiaM3g2wXAyT3a+cExyV9g
+(fin) ssh-rsa: SHA256:Ch0vT4Ys23MrLX4YGHju++Zl4/jUUFty3WEjjFWfYbg
+```
+
+
+## If you want to revert the SSH configuration
+
+ rm -rf /etc/ssh
+ mv /etc/ssh.bak /etc/ssh
+
+# Client
+
+## Run the following in a terminal to harden the OpenSSH client for the local user
+
+ mkdir -p -m 0700 ~/.ssh; printf "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config
+
+
+ Results report
+
+```
+# general
+(gen) client IP: 127.0.0.1
+(gen) banner: SSH-2.0-OpenSSH_9.3
+(gen) software: OpenSSH 9.3
+(gen) compression: enabled (zlib@openssh.com, zlib)
+
+# key exchange algorithms
+(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
+(kex) ext-info-c
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+(key) ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 6.5
+(key) sk-ssh-ed25519@openssh.com -- [info] available since OpenSSH 8.2
+(key) sk-ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 8.2
+(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
+(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-512-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+```
+