is default security applied?
BFlatMinor
06-18-2008, 11:43 PM
I think I will be a new OpenBSD user. I want to learn about this OS by using it. I read that OpenBSD is friendly to new users who aren't security experts. After the installation, how do I know if default security is applied? What should be my best practices to keep me secure while I study and discover OpenBSD?
Please give me your advice and opinion.
Thanks in Advance.
ocicat
06-19-2008, 12:00 AM
After the installation, how do I know if default security is applied?
As you travel further down the road of experience, you will find out that the word "security" is both nebulous & subjective.
Yet to answer your question, users of any operating system need to be vigilant about what protocols & ports are accessible to the outside world. Password strength is another topic with which you should be familiar.
As a newbie, you will save yourself significant time & frustration by:
...taking the time to seriously study the official FAQ:
http://openbsd.org/faq/index.html
reading on both general Unix usage & what few OpenBSD books are available. Perhaps the best title is Michael Lucas' Absolute OpenBSD:
http://www.amazon.com/Absolute-OpenBSD-UNIX-Practical-Paranoid/dp/1886411999/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1213829712&sr=8-1
Although somewhat dated, this book is still very worthwhile for all users of OpenBSD. Note that the book is also available for purchase in PDF form from No Starch Press.
jggimi
06-19-2008, 04:16 AM
One of the catchphrases of OpenBSD is, "Secure by Default." See http://www.openbsd.org/security.html for an overview of security features, including "Secure by Default."
As mentioned there, the default installation has few services running, and each is considered secure enough to be exposed directly on the Internet without fear of successful attack. As the home page of the Project website states, there have been two known remote attack vectors in the last 10 years, but no known exploits of them.
Once you change anything in the default installation -- make a configuration change, install a 3rd party package -- you are no longer running a default install, and the choices YOU make will affect your security. Knowledge is necessary, and it is gained by experience and understanding of your specific environment and specific needs.
For example: during install, you are asked if you would like to have an OpenSSH daemon started during bootup. If you request the OpenSSH server to be started, you need to know that the default configuration allows the "root" superuser to log on, and, the default configuration allows authentication via passwords. So, if you enable the SSH daemon during install, you are immediately responsible for ensuring the strength of the root password on any network the OS is exposed to, including the Internet, if directly connected to it. Poor decisions right then, such as "root" having no password or a poor password such as "root" -- will make your OS immediately insecure.
Why is this the default configuration? Primarily for ease of initial provisioning the OS remotely. Would you want a production server to have this configuration? Perhaps, depending on exposure and the strength of passwords used.
I'm one of those admins who believes passwords are an awful way to secure anything. An 8-byte ASCII password can be broken in a few days by scripted attack. So I configure all production SSH daemons I administer to deny root logon, and also to deny password authentication. Instead I configure alternate, stronger authentications such as public keys and S/Key one-time-passphrases. The specific authentication depends upon the server and its services.
Understanding your environment, and the changes you wish to make, then comprehending the impact of your choices are necessary steps to success.
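Added example, not part of the original posts: a Python check of the two sshd_config settings jggimi describes (root logon and password authentication). The built-in defaults are the ones stated in the post, and the sample files are constructed; the rule that the first value obtained for a keyword wins is sshd's documented behaviour.

```python
# Defaults as stated in the thread; an assumption about the sshd being audited.
THREAD_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

# Constructed samples. The first mimics a file whose options are only comments.
AS_INSTALLED = """\
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
# A later "no" does not override an earlier "yes": sshd keeps the first value.
SHADOWED = """\
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Global settings as sshd reads them: case-insensitive keywords, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                      # keyword without an argument
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":                # conditional blocks start; global part ends
            break
        settings.setdefault(key, value)   # keep the first value only
    return settings

def audit(config_text):
    """Flag anything other than an explicit 'no' for the two settings in the post."""
    eff = {**THREAD_DEFAULTS, **effective_settings(config_text)}
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append(f"root login allowed (PermitRootLogin {eff['permitrootlogin']})")
    if eff["passwordauthentication"] != "no":
        findings.append("password authentication enabled")
    return findings

if __name__ == "__main__":
    for name in ("AS_INSTALLED", "HARDENED", "SHADOWED"):
        print(name, audit(globals()[name]) or "ok")
```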
openbsdspirit
06-21-2008, 10:40 AM
A noob can secure his network with openbsd.
jggimi
06-21-2008, 11:52 AM
I disagree, spirit.
OpenBSD makes a fine network router, and an excellent firewall.
However, setting up a firewall properly requires detailed knowledge of the network applications in use, a clear understanding of TCP/IP, and competency with PF.
I have seen countless noobs stumble with PF configurations, due to lack of knowledge of PF, lack of knowledge of their network application requirements, lack of understanding of TCP/IP. For proof, I refer you to the long history of PF problems and questions posted in the "OpenBSD Security" subforum at bsdforums.org, on the misc@ mailing list, on Usenet, on IRC, and on the PF mailing list.
ocicat
06-21-2008, 04:05 PM
jggimi makes an excellent point which bears repeating (in the fear of beating yet another horse into an unrecognizable blob... :rolleyes:).
Throwing OpenBSD blindly at a problem is no guarantee that the result is secure. Understanding what problems need to be solved & understanding how to implement these solutions with OpenBSD (& actually doing it...) is an entirely different situation.
Carpetsmoker
06-21-2008, 04:16 PM
I'm one of those admins who believes passwords are an awful way to secure anything. An 8-byte ASCII password can be broken in a few days by scripted attack. So I configure all production SSH daemons I administer to deny root logon, and also to deny password authentication. Instead I configure alternate, stronger authentications such as public keys and S/Key one-time-passphrases. The specific authentication depends upon the server and its services.
This is a bit OT, but you have a "MaxAuthTries" option which defaults to 6 ... Preventing brute-force attacks.
Or am I missing something?
jggimi
06-21-2008, 04:36 PM
That parameter does stop the initial session, carpetsmoker. Big deal... the script kiddies just reestablish another TCP session and continue, no time really lost.
Modern ssh attack scripts attempt to brute force password authentication anyway, even if you have it disabled in sshd_config. So I also use PF to block scripted attacks and log the blocked IPs in a database. If you're blocked at my servers, I can give you a reason and a date/time of the misbehavior.
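Added example, not part of the original thread: why MaxAuthTries alone does not stop a scripted attack, shown by counting failed passwords per source address across sshd sessions in a constructed log. The threshold, window and record fields are assumptions; the output is the kind of reason and date/time record jggimi mentions keeping for blocked IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def sample_log():
    """Constructed log: one source fails 6 times on each of two sessions."""
    lines, t = [], datetime(2008, 6, 21, 16, 30, 0)
    for pid in (2101, 2107):          # one sshd child process per TCP session
        for _ in range(6):            # each session ends at MaxAuthTries 6
            t += timedelta(seconds=2)
            lines.append(f"{t:%b %d %H:%M:%S} gw sshd[{pid}]: Failed password "
                         f"for root from 192.0.2.10 port {38000 + pid} ssh2")
    lines.append("Jun 21 16:31:00 gw sshd[2110]: Failed password for invalid "
                 "user bob from 198.51.100.7 port 51000 ssh2")
    return "\n".join(lines)

def find_offenders(log_text, year=2008, threshold=8, window=timedelta(minutes=5)):
    """Return {ip: record} for sources reaching `threshold` failures inside
    `window`, counted across sessions rather than per session."""
    recent = defaultdict(deque)       # ip -> (time, sshd pid) still in the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, pid, ip = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append((when, pid))
        while when - q[0][0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = {
                "first_seen": q[0][0].isoformat(sep=" "),
                "failures": len(q),
                "connections": len({p for _, p in q}),
                "reason": f"{len(q)} failed SSH passwords within {window}",
            }
    return offenders

if __name__ == "__main__":
    for ip, rec in find_offenders(sample_log()).items():
        print(ip, rec)
```

No single session in the sample exceeds six attempts, yet the source crosses the threshold on its second connection, which is the behaviour the per-session limit cannot see.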