Protecting Your Root Password
Last week's tip covered some ways of getting into a system when you don't have (or have forgotten) the root password. Obviously, being able to do this has disadvantages when the person doing it is an attacker trying to get at the system for nefarious reasons (or even a user fiddling with the system without authorization). This week, we look at the flip side: password-protecting all GRUB entries.
It's possible to password-protect all GRUB entries: They can still be booted, but they can't be edited from the GRUB startup screen without the password. Log in as root, and type grub. At the GRUB prompt, enter:
then type in the new password when prompted. A hash value looking something like this:
will be returned. Make a note of it, and exit GRUB.
Now edit /boot/grub/menu.lst, and add this line:
password --md5 $1$LfYJ1/$RZu3Ra2OYO8Cl9TvLsQqF.
(using the encrypted value GRUB gave you) before any of the boot menu entries, and you're done.
You can also prevent a particular boot entry from being booted without the password. Add the line:
after the title line in the relevant boot entry. To lock the recovery mode entries, it's preferable to change the line lockalternative=false to lockalternative=true: This will maintain the lockdown even if the kernel is updated.
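As an added example (not part of the original tip), this shell function audits a GRUB legacy menu.lst for the two protections described above: a password line before the first title, and a per-entry lock. The sample menu is constructed (titles and kernel paths are made up; the hash is this page's example value), and the per-entry check assumes GRUB legacy's `lock` command.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst read from a file argument or stdin.
# Prints one finding per line; exit status is non-zero if no global password is set.
audit_menu_lst() {
    awk '
        function report() {
            if (!in_entry) return
            state = locked ? "LOCKED" : "UNLOCKED"
            print state " " title
        }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { sub(/^[ \t]+/, "") }             # tolerate indented directives
        $1 == "title" {                    # a new boot entry starts here
            report()
            in_entry = 1; locked = 0
            title = $0; sub(/^title[ \t]+/, "", title)
            next
        }
        $1 == "password" && !in_entry {    # before any title: global password
            global = 1
            if ($2 != "--md5") print "WARN plaintext-password"
            next
        }
        $1 == "lock" && in_entry { locked = 1 }
        END {
            report()
            verdict = global ? "OK" : "FAIL"
            print verdict " global-password"
            exit (global ? 0 : 1)
        }
    ' "$@"
}

# Constructed sample menu.lst; the hash is the kind of value md5crypt returns.
sample_menu() {
cat <<'EOF'
default 0
timeout 5
password --md5 $1$LfYJ1/$RZu3Ra2OYO8Cl9TvLsQqF.

title Linux
root (hd0,0)
kernel /vmlinuz root=/dev/sda1 ro

title Linux (recovery mode)
lock
root (hd0,0)
kernel /vmlinuz root=/dev/sda1 ro single
EOF
}

sample_menu | audit_menu_lst
```

On a real system, run it as `audit_menu_lst /boot/grub/menu.lst`; any UNLOCKED recovery-mode entry or a FAIL line means the file does not yet match the setup described here.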
This will not protect your system against booting from a LiveCD. To prevent that, edit the BIOS to remove the CD/DVD drive from the boot options, then password-protect the BIOS. Remember that if you forget this password, you won't be able to re-edit the BIOS if you do need to boot from a CD!
Finally, bear in mind that a serious attacker will not be thwarted by these measures. If you need more protection, look at your site's overall physical security, and consider encrypting your hard drives.