Chapter 10: Additional Security Features | Absolute OpenBSD: Unix for the Practical Paranoid

Overview

Hackers at the gates?
Puffy the Barbarian
defends against friends.

Securing a computer means ensuring that only authorized people use the system's resources for authorized purposes, because even if you have no important data on your system you still have valuable CPU time, memory, disk space, and bandwidth. Many folks who thought that their systems were too unimportant to bother securing found themselves an unknowing relay for an attack that disabled a major company.

An intruder can combine several hundred insecure systems into a powerful distributed network assault vehicle that can bring down major sites such as eBay or CNN. (Admittedly, websites such as Slashdot can have identical effects without intruder involvement.) You don't want to wake up one morning to learn that your ISP has suspended your account for hacking or, worse, hold an unscheduled midnight conversation with serious men in dark suits who repeatedly remind you that the death penalty can be sought for certain types of computer crime. Computer security is a serious business.

Sadly, over the last few years, it has become more and more simple to take over insecure computers. Precompiled point-and-click programs for getting unauthorized system access can now be downloaded from any number of places on the Internet and can be found through security websites such as Packet Storm. It takes just one skilled attacker to write an exploit and several thousand bored teenagers with nothing better to do can download it and make life difficult for the rest of us. Even if you don't care about your particular computer, you must secure it.

Generally speaking, operating systems are not broken into; the programs running on the operating system are. Even OpenBSD's rigorous security auditing cannot protect badly written programs from themselves, although OpenBSD does include tools to mitigate the damage such programs can cause.

This chapter focuses on securing your systems, people who may attack your systems, and special security features included in OpenBSD. Auditing a network is a topic that fills thick books, and really isn't on topic for this book. OpenBSD gives you many tools to secure it against hackers, to protect programs running on it, and to minimize the damage an intruder can cause.