Note: it is Considered Wise(tm) to backup any files before you edit them to something likeorigfile-dist where origfile is the name of the file you’re about to modify.

I tortured my system with the following:

1. Login to the machine as root.
   Add your own user account.
   Put that account in de group wheel, so you will be able to su to root.
2. If you’re just a little paranoid, you should edit /etc/sshd_config:
   «PermitRootLogin yes» -> «PermitRootLogin no»
   This disables root logins over the network and that’s a Good Thing(tm).
3. Different versions of OpenBSD have different services enabled/disabled by default. Check /etc/inetd.conf and /etc/rc.conf and disable what you don’t like and enable what pleases you. Use a portscanner like nmap to double check you haven’t forgotten anything to turn on or off.
4. OpenBSD’s 2.7 /etc/inetd.conf file contains some lines I like to comment out:

       ..
       finger
       ..
       comsat
       ntalk
       ..
       daytime
       time
       ..
       rstatd/1-3
       rusersd/1-3
       ..

   So I commented them out (-:

5. If portmap makes you puke, edit /etc/rc.conf and change portmap=YES into something better. For instance: portmap=NO.
6. /etc/inetd.conf contains a line for the ident daemon:
   ident stream tcp nowait nobody /usr/libexec/identd identd -elo
   But I’d like to run it through the tcp_wrapper, so I changed it to:
   ident stream tcp nowait nobody /usr/libexec/tcpd identd -elo
7. /etc/hosts.allow and /etc/hosts.deny define which hosts may or may not use certain system facilities. If you’re paranoid you place only one line in /etc/hosts.deny:

   ALL: ALL

   After that you define the hosts that do may connect to your system in /etc/hosts.allow, e.g.:

   in.proftpd: 192.168.0. trusted-host.microsoft.com .no-evil-here.net
   identd: ALL
   

8. cron is a neat, but powerful scheduler for Unices. But you might not want to have anyone being able to use it. For limited access create a file in /var/cron called allow if only a limited set of people may have a crontab. Create a deny file in that same directory if you want everyone to be able to use cron except a few nasty bastards you don’t like/trust enough.

   /var/cron/allow:

   root
alex
forge


9. Remote syslog. It is possible for whisper in syslogd‘s ear that it should send it’s log entries not only to the various files in /var/log, but also to a remote host listening to the UDP syslog port (udp/514).
   Fire up /etc/syslog.conf in vi and place anywhere you like the following line:

   *.*			@192.168.5.14

   Now syslogd will send ALL entries feeded to it also to udp/192.168.5.14:514. Be careful to only use tabs when editing /etc/syslog.conf. Spaces are poison forsyslogd.

After installation of MySQL, you should edit the file /usr/local/bin/safe_mysqld:
Look for the line with a #-sign in front of ulimit -n 256. Remove that comment token and MySQL has some room to breathe.

Explanation: by default, a user is permitted to open only 64 files at a time. When you are greedy and want more, you should execute a ulimit -n 256 for instance. The MySQL binary package in de OpenBSD packages directory does not raise its limit of 64 files by default, so it runs out of file descriptors rather fast, leading to strange, seamingly inconsistent, errors.