Hi,

First considering the default install, assuming that one box should be
only used, for example, as a firewall, how good is the security level?
I mean I know there are only 2 remote holes in 10 years, but my question
is do we have any experience about the level of security such as studies
that demonstrated the failure to break into the default system for
example? Or any other experience with regard to that?


In security there are no definitive answers; there's no way to be 100%
sure that nobody will break into a system.
Now, if you are asking if the default configuration of OpenBSD is
secure enough, then the answer is most likely yes. But if you are
going to connect a system to the net to act as a firewall, then there
are many other considerations. Sometimes an attacker is not interested
in the firewall, sometimes just finding out what kind of system is
enough. Maybe the attacker is not even interested in that; a
coordinated attack from a network of zombie machines can cause great
damage without even needing to penetrate the system. You also need to
consider that most attacks come from the inside, so somebody might use
an old-fashioned sniffer and gather enough information to find a small
loophole in your configuration and voila!

On the other side, now if we assume that one box should be used to host
a website, there are ways that the code such as php + mysql will be
breakable into. My question is that considering the chroot, can we
consider that the supposed hacker can never evade from the chroot by any
means, even after he will be able to upload and execute files directly on
the web server?


Again, you don't need to get access to a system to gather information.
What happens if the attacker exploits some bug in the web application
and gets access to information that was not supposed to be available?
SQL-injection attacks come to mind. Is your system controlling
something really critical? You need to think about those kinds of
problems because the attacker has all the time in the world.

In summary, a default OpenBSD installation is a very safe start.
However you need to adjust the system to suit your needs.
