Nomen Nescio <nobody@dizum.com> wrote:
> Sincerest thanks for the explanation Marco.
The services running by default are secure and required for running
OpenBSD reliably. SMTP is running on localhost so it cannot be remotely
compromised. Time services (time, daytime) are secure (they will ignore
any input, as syslogd does by default right now) and useful for time
synchronization (using rdate(1)) without requiring a full NTP server
running on one of the local network servers. auth is not a dangerous
service either and required for sending email to some external systems
(and for IRC too, but it is not the main reason it is enabled by default).
Some MTAs will reject or delay connections when this service is not running.
As you can see, most services are running on the loopback interface
or can be trusted (will send information but never accept input from
remote hosts). As outlined in this post, privilege separation makes
an attack against these services mostly useless even if it is successful.
> Perhaps one less thing for me to worry about.
Sure, OpenBSD is a nicely closed operating system these days. Any service
running by default is configured at its most secure defaults. Just enjoy
the quality of the operating system without worrying about security
weaknesses (at least if you do not enable insecure services, do not
make serious management mistakes, and upgrade the operating system
at least one or two times each year).
In any case, I do not like OpenBSD because it is secure. I like it
because it is the best documented operating system I know of, it is
highly reliable, and developers care about details that other projects
will just ignore. In other words, I do not like OpenBSD because it is
secure but because it is just the best operating system available in both
servers and workstations. (I like the design of OpenVMS too, but it does
not run on the platforms I usually own and it is expensive; even under
the hobbyist program, the requirement to upgrade the licenses each year
makes it a dangerous choice.)
Cheers,
Igor.
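The claim above that the default services are either bound to the loopback interface or otherwise harmless is something an administrator can verify on any host. The following POSIX sh audit helper is an added example and not part of the thread; it parses the `Local Address` column of `netstat -an -f inet` output in OpenBSD's `host.port` notation and separates loopback-only listeners from ones reachable by remote hosts. The sample output is constructed for the example and is not from a real system.

```shell
#!/bin/sh
# Added example: classify listening sockets as loopback-only or exposed.
# Expects the format of OpenBSD `netstat -an -f inet` (the port follows
# the last dot of the local address, e.g. 127.0.0.1.25 or *.22).

# Constructed sample resembling a stock install: SMTP on loopback only,
# sshd/auth/time/daytime on all interfaces, syslogd's UDP socket open.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.113                  *.*                    LISTEN
tcp          0      0  *.37                   *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN
udp          0      0  *.514                  *.*'

# Read netstat output on stdin; print "<scope> <proto> <host> <port>"
# per listener, where scope is "loopback" for 127.x bindings and
# "exposed" for anything else (wildcard or a real interface address).
classify_listeners() {
    awk '
        NR <= 2 { next }                         # skip the two header lines
        $1 == "tcp" && $NF != "LISTEN" { next }  # established TCP, not a listener
        {
            addr = $4
            n = split(addr, parts, ".")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host ~ /^127\./) ? "loopback" : "exposed"
            print scope, $1, host, port
        }'
}

# Number of listeners reachable from other hosts; compare against the
# list of services you intended to expose (here: sshd plus inetd ones).
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners | grep -c '^exposed'
}

# On a live OpenBSD host, replace the sample with:
#   netstat -an -f inet | classify_listeners
```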