Wednesday, September 28, 2011

Linux Security - Securing GRUB

GRUB is the GRand Unified Bootloader, it is a boot loader package from the GNU Project.
By default GRUB is vulnerable because it allows for the ability to freely edit at the GRUB prompt (by pressing 'e'), meaning that anyone who gains access to the machine can simply edit the boot line (where your OS and kernel number are mentioned) and add 'init 1' at the end of it, thereby causing the system to boot in run level 1 (single user mode - no authentication).

To prevent this, you can set a password to prevent any malicious activities (editing in the manner mentioned above). To do this you'll need to use grub-md5-crypt whose residence varies from distro to distro, on RHEL it's under /boot/grub.

At the shell prompt, you'll type:
./grub-md5-crypt

this will prompt you to choose a password, so choose a strong one, preferably a long one comprised of upper-case letters, numbers and symbols. This password will be hashed and the output (hashed password) will be there for you to grab, do so and head to /etc/grub.conf (cd /etc/grub.conf). Now all you have to do is place this line under the line where "timeout=5 (or any other number)" is mentioned:

password --md5 YourHashedPasswordInsteadofThisLine

All you have to do now is reboot your system and check at the bottom of the GRUB menu where a "Press c to enter password" line should appear, meaning that editing the GRUB line is now password-protected by default.

1 comment:

  1. Amazing because typical! This can be my personal very first time commenting however I've been subsequent your site for a long time: )#) adore the appearance upon EACH from the felines encounters; )#) extremely adorable hair styles, as well.

    fifa 14 buy fifa coins
    lol boost

    ReplyDelete