The primary reasons for password protecting a Linux boot loader are as follows:
- Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
- Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
- Preventing Access to Insecure Operating Systems — If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS) which ignores access controls and file permissions.
Step 1: Open a shell, log in as root and run grub-md5-crypt. It prompts for the password twice and prints the hash:
[root@server ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$ZqLKR0$cimxs9UxGPM11IG/U.FW41
Once you have confirmed the password, an MD5-crypt hash of the password entered is returned (the standard $1$salt$hash format). Because such a hash can be cracked offline, keep /boot/grub/grub.conf readable by root only.
Step 2: Edit the GRUB configuration file /boot/grub/grub.conf and add the following line in the global section, just after the timeout line:
password --md5 <password-hash>
Now the GRUB configuration file will look like this
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, eg.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/sda1
# initrd /boot/initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$ZqLKR0$cimxs9UxGPM11IG/U.FW41
splashimage=(hd0,0)/boot/grub/bootimage1.xpm.gz
hiddenmenu
title CentOS (2.6.32-131.21.1.el6.x86_64)
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-131.21.1.el6.x86_64 ro root=UUID=7aa8bb3f-2566-4d14-ae10-4d2c24ecbb0a rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /boot/initramfs-2.6.32-131.21.1.el6.x86_64.img
title Other
rootnoverify (hd0,0)
chainloader +1
Now reboot the system: access to the GRUB menu editor and command interface is locked down. To unlock them, press p at the GRUB menu and enter the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.
Look for the title line of the operating system that you want to secure and add the lock directive on the line immediately after it. For a non-Linux system, the stanza will begin like this:
title Other
lock
Note: A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.
You can also set a different password for each kernel or operating system. To do this, add a lock line to that particular stanza followed by a password line:
title Other
lock
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
The password-protected stanza in the GRUB configuration file will then look like this:
title Other
lock
password --md5 $1$rjTKR0$GzSI4M.q8EREUsAw674Z5/
rootnoverify (hd0,0)
chainloader +1
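The whole procedure above (hash generation, the global password line, locking a stanza, and a check that the result actually protects anything) as an added Python example; this is not code from the original post or from the CentOS guide it follows. md5_crypt() is a pure-Python implementation of the standard MD5-crypt algorithm, which is the $1$salt$hash format /sbin/grub-md5-crypt emits, so it can be run on a machine without GRUB Legacy. The grub.conf text is a constructed sample modelled on the one shown in the post, and the function and finding names are this example's own.

```python
"""GRUB Legacy password protection, end to end: hash, splice, lock, audit."""
import hashlib
import secrets
from typing import List, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample modelled on the grub.conf in the post (not a real host).
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/bootimage1.xpm.gz
hiddenmenu
title CentOS (2.6.32-131.21.1.el6.x86_64)
root (hd0,0)
kernel /boot/vmlinuz-2.6.32-131.21.1.el6.x86_64 ro root=/dev/sda1 quiet
initrd /boot/initramfs-2.6.32-131.21.1.el6.x86_64.img
title Other
rootnoverify (hd0,0)
chainloader +1
"""


def _to64(v: int, n: int) -> str:
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5_crypt(password: str, salt: Optional[str] = None) -> str:
    """Standard MD5-crypt ($1$salt$hash); the same format grub-md5-crypt prints."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):           # mix in len(pw) bytes of alt
        ctx.update(alt[: min(n, 16)])
    n = len(pw)
    while n:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$1${sl.decode()}${enc}"


def _first_title(lines: List[str]) -> int:
    return next((i for i, l in enumerate(lines) if l.startswith("title ")), len(lines))


def set_global_password(conf: str, md5_hash: str) -> str:
    """Put `password --md5 <hash>` in the global section right after `timeout=`,
    replacing any password line already there (including a plaintext one)."""
    lines = conf.splitlines()
    split = _first_title(lines)
    head = [l for l in lines[:split] if not l.startswith("password")]
    idx = next((i for i, l in enumerate(head) if l.startswith("timeout=")), len(head) - 1)
    head.insert(idx + 1, f"password --md5 {md5_hash}")
    return "\n".join(head + lines[split:]) + "\n"


def lock_stanza(conf: str, title: str, md5_hash: Optional[str] = None) -> str:
    """Add `lock` (and optionally a per-stanza password) right after `title <title>`."""
    lines = conf.splitlines()
    if f"title {title}" not in lines:
        raise ValueError(f"no stanza titled {title!r}")
    out = []
    for line in lines:
        out.append(line)
        if line == f"title {title}":
            out.append("lock")
            if md5_hash:
                out.append(f"password --md5 {md5_hash}")
    return "\n".join(out) + "\n"


def audit(conf: str) -> List[str]:
    """Findings a reviewer would raise against a grub.conf; empty list means OK."""
    findings, lines = [], conf.splitlines()
    global_pw = [l for l in lines[:_first_title(lines)] if l.startswith("password")]
    if not global_pw:
        findings.append("no global password line: GRUB menu editor and command line are open")
    for l in lines:
        if l.startswith("password") and "--md5 $1$" not in l:
            findings.append(f"password not stored as MD5-crypt: {l!r}")
    current = None
    for l in lines:
        if l.startswith("title "):
            current = l[len("title "):]
        elif l.strip() == "lock" and not global_pw:
            findings.append(f"lock on {current!r} is ineffective without a global password")
    return findings


if __name__ == "__main__":
    h = md5_crypt("s3cret")                     # random salt, like grub-md5-crypt
    print(lock_stanza(set_global_password(SAMPLE_GRUB_CONF, h), "Other"))
    print(audit(SAMPLE_GRUB_CONF))              # the unprotected original
```

The audit encodes the post's own note: a lock directive only helps when a global password line exists, because without it anyone can open the GRUB editor and delete the lock line; it also flags a `password` line that is not an MD5-crypt hash, since GRUB Legacy accepts plaintext there and the file would then give the password away to anyone who can read it.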
That's it. Keep in mind that this protects only the GRUB menu itself: an attacker who can boot from removable media or open the case bypasses it, so combine it with a BIOS password and physical security.
References:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-sec-network.html#s2-wstation-bootloader