Saturday, February 12, 2011

Password protect grub and lilo and bios too.

3.1.1 Password protecting GRUB and LILO

First, edit the /etc/inittab file and insert the following line, right after the "initdefault" line: ~~:S:wait:/sbin/sulogin. This will require a password to boot into single-user mode by making init run 'sulogin' before dropping the machine to a root shell. 'sulogin' requires the user to input the root password before continuing.

Unfortunately, the above step won't protect us against people who know what they are doing and pass init=/bin/bash to the kernel at the LILO prompt: the kernel then starts a shell in place of init, so sulogin never runs. To prevent unauthorized access I would suggest that you password-protect LILO/GRUB by following these steps:
How to Protect LILO:
  • Open a shell prompt and log in as root
  • Open /etc/lilo.conf in your favorite text editor
  • Add the following line before the first image stanza: password=<password>, where <password> is your password.
  • Run /sbin/lilo -v to let the changes take effect
  • Type chmod 600 /etc/lilo.conf so that only root can read and edit the file, since all passwords in it are stored in plain text
  • Relax a bit, as your system is a little bit more secure
How to password-protect GRUB
  • Open a shell prompt and log in as root
  • Type /sbin/grub-md5-crypt and press enter
  • Enter the password you chose for GRUB when prompted. This will return an MD5 hash of your password
  • Open /boot/grub/grub.conf in your favorite text editor
  • Add password --md5 <password-hash> below the timeout in the main section (Replace <password-hash> with the hash you got in the previous step)
  • Save and exit
  • The next time you reboot, the GRUB menu will not let you access the editor or command interface without first pressing [p] followed by the GRUB password.
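
An audit script for the three settings above: the sulogin line in /etc/inittab, the LILO password with its file mode, and the GRUB MD5 password. It is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the boot-protection settings described above.

# inittab: sulogin must guard single-user mode (an uncommented S entry).
check_inittab() {
    grep -Eq '^[^#:]+:S:wait:/sbin/sulogin' "$1" 2>/dev/null
}

# lilo.conf: password= before the first image/other stanza, and mode 600
# because the password is stored in plain text.
check_lilo() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ] || return 1
    awk '/^[ \t]*(image|other)[ \t]*=/ { exit }
         /^[ \t]*password[ \t]*=/      { ok = 1; exit }
         END { exit !ok }' "$1"
}

# grub.conf: an MD5-crypt hash ($1$...) set before the first title entry.
check_grub() {
    awk '/^[ \t]*title[ \t]/ { exit }
         /^[ \t]*password[ \t]+--md5[ \t]+\$1\$/ { ok = 1; exit }
         END { exit !ok }' "$1" 2>/dev/null
}

# Report each failed check; the return status is the number of failures.
audit() {
    fails=0
    check_inittab "$1" || { echo "FAIL: no sulogin entry in $1"; fails=$((fails + 1)); }
    check_lilo "$2" || { echo "FAIL: $2 needs a global password and mode 600"; fails=$((fails + 1)); }
    check_grub "$3" || { echo "FAIL: no password --md5 before first title in $3"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample files (not real configs) so the script runs offline.
make_samples() {
    d=$(mktemp -d)
    printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$d/inittab"
    printf 'boot=/dev/sda\npassword=example\nimage=/boot/vmlinuz\n' > "$d/lilo.conf"
    chmod 600 "$d/lilo.conf"
    printf 'timeout=5\npassword --md5 $1$constructed$placeholder\ntitle Linux\n' > "$d/grub.conf"
    echo "$d"
}

if [ "$#" -eq 3 ]; then
    audit "$@"
else
    dir=$(make_samples); audit "$dir/inittab" "$dir/lilo.conf" "$dir/grub.conf"; rm -rf "$dir"
fi
```

Run it as root with /etc/inittab /etc/lilo.conf /boot/grub/grub.conf as the three arguments to audit a real system; with no arguments it checks the constructed samples.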

3.1.2 Password-protecting the BIOS

There are two primary reasons for password-protecting the BIOS of a computer:
  • Prevent Changes To BIOS Settings: if an intruder has access to the BIOS, they can set it to boot off of a diskette or CD-ROM.
  • Prevent Booting the System: Some BIOSes allow you to password protect the boot process itself. When activated, an attacker would be forced to enter a password for the BIOS to launch the boot loader.
Because the methods for setting a BIOS password vary between computer manufacturers, you should consult the manual for your computer. If you forget the BIOS password, it can often be reset either with jumpers on the motherboard or by disconnecting the CMOS battery. However, you should check the manual for your computer or motherboard before attempting this procedure.
