Securing your system means ensuring that your computer’s resources are used only by authorized people and for authorized purposes. Even if a system has no important data, it still has valuable CPU time, memory, storage, and bandwidth. People who think that their systems are too unimportant for anyone to bother breaking into risk finding their equipment hosting pornography or relaying attacks against industrial or military sites. If you’re like me, you would rather not discover that your computers took down a government agency by having law enforcement agents kick in your door.

Taking over large numbers of remote computers gets easier all the time. Every year, more and more point-and-click toolkits for penetrating servers crop up. When one bright attacker posts an exploit, anyone can use it. Breaking into computers is big business, and if your computer is left unprotected, it will be penetrated. The only question is how.

Generally speaking, intruders don’t break into operating systems; they break into server programs running on the operating system. Even the most paranoiac, secure-by-default operating system cannot protect poorly written programs from themselves. OpenBSD features like W^X and address space layout randomization do a lot to protect the operating system from the side effects of buggy programs, but programs themselves still crash and burn. OpenBSD has undergone extensive auditing and testing to eliminate the most common security flaws, but there’s no guarantee that every security flaw has been eradicated. New features appear constantly, and can interact with older functions (and each other) in unexpected ways. For more details on the OpenBSD-specific features, check the papers and presentations collection at http://www.OpenBSD.org/papers/.

No single tool can protect your server against all threats, and no single tool is applicable to all environments. Learning about OpenBSD’s security features helps you to understand not only what the tools do, but when they should be used and when they won’t help your particular situation. The best place to start is by understanding the threat.