Secure Linux boot loaders

  1. #1
    Senior Member DeadAddict
    Join Date
    Jun 2003
    Posts
    2,583

    Secure Linux boot loaders

    Secure your Linux machine against physical exploits

    No operating system is more vulnerable than when someone has physical access to it, such as pulling the system's power plug out of the wall, taking the hard drive out and putting it into another case, etc. It is the data on the system that they are after, and they might be planning to install a back door or just have some fun at your expense; there are quite a few dangerous things a malicious user could use, or has just learned and is eager to test out on your system. These types of users can put a floppy disk or a CD into your drive and reboot the machine. That simple action would allow them to boot into a live CD session and gain access to your file systems, copy data, make unwanted edits, etc.
    However, there are ways to protect your system from these types of attacks.

    BIOS passwords
    This will prevent most users from attempting to do damage or other things, but there are users who know how to get around this. There are software tools that will erase the BIOS password, reset the password or show what the password is; the other things that could be done are changing jumper settings on the motherboard, taking out the battery on the motherboard, or just simply opening the case, taking out the hard drive and putting it into another case.

    LILO/GRUB
    Once the BIOS finishes its booting tasks, the next danger point is the boot loader. LILO and GRUB let you pass arguments to the kernel and /sbin/init; one of these options is to tell the Linux machine to boot into single user mode (in most distros you are allowed in as root with no password needed), and from there you can do all kinds of things, for example create new user accounts, change the root password, etc.
    LILO and GRUB allow you to set passwords to prevent other users from typing in arguments directly to the kernel or /sbin/init.

    LILO
    LILO lets you set a separate password for each individual image or menu option. You will need to log in as root to make the changes. This file is located in /etc/lilo/lilo.conf
    You should see something like this near the bottom of your lilo.conf file:
    image=/boot/vmlinux-2.4.20-20.9
    label=linux
    initrd=/boot/initrd-2.4.20-20.9.img
    read-only
    root=/dev/hda3
    Add the following line to /etc/lilo.conf:
    password=<your-password>


    Once you have done this, save and exit the file and type /sbin/lilo -v at the command prompt. This command will load the new boot loader rules, so the next time you reboot the system the changes will take effect. The password is stored in plain text, so anyone who happens to get a good look at the contents of the /etc/lilo.conf file could tell what the password is. Since the LILO password is stored in plain text, I recommend doing the following.
    To make /etc/lilo.conf readable by root only, type in
    chmod 600 /etc/lilo.conf at the command prompt.

    GRUB
    GRUB has a bit more of a sophisticated password approach to it than LILO does. You can only have one password in GRUB, but GRUB allows you to store the password in an encrypted fashion.
    This is easier if you are logged in as root; if you are not logged in as root, open the command prompt, type su and type in the root password.
    After you have root privileges, type the following:
    /sbin/grub-md5-crypt
    When prompted, type in the password that you want to use for GRUB and press the enter key.
    Next, open the GRUB config file; this is located in /boot/grub/grub.conf.
    Look for the word timeout and put in the following line under it:
    password --md5 <password-hash>, replacing <password-hash> with the output from /sbin/grub-md5-crypt.
    Example:
    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE: You have a /boot partition. This means that
    # all kernel and initrd paths are relative to /boot/, eg.
    # root (hd0,1)
    # kernel /vmlinuz-version ro root=/dev/hdc3
    # initrd /initrd-version.img
    #boot=/dev/hdc
    default=0
    timeout=10
    password --md5 $1dfgj$hSHJH$ermZtty1
    splashimage=(hd0,1)/grub/splash.xpm.gz
    title Red Hat Linux (2.4.20-31.9)
    root (hd0,1)
    kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
    initrd /initrd-2.4.20-31.9.img

    The next time you boot up the system, GRUB's menu will not let you get to the editor or command line without pressing p and then typing in the GRUB password. You won't have to rerun grub to use this feature.

    Dual boot systems
    For those of you who have dual boot systems, for example Windows and Linux,
    look for the word title of the other OS, such as DOS.

    Example:
    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE: You have a /boot partition. This means that
    # all kernel and initrd paths are relative to /boot/, eg.
    # root (hd0,1)
    # kernel /vmlinuz-version ro root=/dev/hdc3
    # initrd /initrd-version.img
    #boot=/dev/hdc
    default=0
    timeout=10
    password --md5 $1dfgj$hSHJH$ermZtty1
    splashimage=(hd0,1)/grub/splash.xpm.gz
    title Red Hat Linux (2.4.20-31.9)
    root (hd0,1)
    kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
    initrd /initrd-2.4.20-31.9.img
    title DOS
    lock
    password --md5 <password-hash>

    After the words title DOS add the following:
    lock
    password --md5 <password-hash>
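    An added example (not code from the original post) that audits a GRUB Legacy grub.conf of the kind shown above: it reports whether the global password line is present and hashed, and which title entries are locked or carry their own password. The sample file and its hash are constructed placeholders.

```python
# Added example, not code from the post: audit a GRUB Legacy grub.conf and report
# whether the editor/command line is password-protected (global 'password --md5')
# and which 'title' entries are locked or carry a password of their own.
SAMPLE_GRUB_CONF = """\
default=0
timeout=10
password --md5 $1$EXAMPLE$placeholderhash
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-31.9)
root (hd0,1)
kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
initrd /initrd-2.4.20-31.9.img
title DOS
lock
password --md5 $1$EXAMPLE$placeholderhash
"""  # constructed sample with a placeholder hash, modelled on the post's dual-boot file

def parse_grub_conf(text):
    """Split into (global_lines, [(title, stanza_lines), ...]), skipping comments."""
    global_lines, stanzas, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title "):
            current = (line[6:].strip(), [])
            stanzas.append(current)
        elif current is None:
            global_lines.append(line)
        else:
            current[1].append(line)
    return global_lines, stanzas

def password_kind(lines):
    """'md5', 'plaintext', 'malformed' (e.g. 'password-md5 ...') or None."""
    for tokens in (line.split() for line in lines if line.startswith("password")):
        if tokens[0] != "password":
            return "malformed"      # e.g. 'password-md5 ...' is not a GRUB command
        return "md5" if len(tokens) > 1 and tokens[1] == "--md5" else "plaintext"
    return None

def audit_grub_conf(text):
    """Global password kind plus, per entry, whether it is locked/password-protected."""
    global_lines, stanzas = parse_grub_conf(text)
    return {
        "global_password": password_kind(global_lines),
        "entries": {title: {"locked": "lock" in lines, "password": password_kind(lines)}
                    for title, lines in stanzas},
    }
```

    A plaintext or malformed global password, or a non-Linux entry without lock, is what this check is meant to surface.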

  2. #2
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    May want to add this to the lilo section:

    Source: Man page for lilo.conf

    restricted

    A password is only required to boot the image if kernel parameters are specified on the command line (e.g. 'single'). May be used on a single `image=' or `other=' to override a different global setting.
    Using both password and restricted can help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    I personally swear by gag http://gag.sourceforge.net/ for dual/tri/quad... booting. I cannot say if it encrypts the passwords, but if you are sophisticated enough to find and modify the bootloader then decrypting the password is trivial. It provides the ability to password protect individually and boot up to 9 OSes. It is completely idiot proof to install. Kinda ugly I guess (imo) but it has never failed me for booting *nix, win, qnx...
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    If I can boot from a CD or yank out the HD and put it in another system I am able to change the lilo or grub config and allowed to remove those passwords. There's nothing stopping me.

    None of this helps protect you against someone with physical access.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    I'm a lilo man..
    have used grub but that wasn't my thing..

    I use the restricted flag MsMittens was on about.. people are allowed to boot a kernel, but when you want to give the kernel extra boot-time options, you'll need a password..

    Nice tutorial !!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  6. #6
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901
    In addition to the 'restricted' part, if you don't define it, and the box reboots by itself (maybe power out), then it will not boot again, since it awaits a password input upon boot. The restricted option helps bypass that, but will still want a password if any arguments are given at the lilo prompt.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
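    An added example (not code from any post in this thread) covering the lilo.conf password and restricted directives discussed in posts #2 and #6: it parses a constructed lilo.conf and reports, per boot entry, whether it prompts on every boot, only when extra kernel parameters are given, or never. It assumes a global directive applies to every entry unless the entry sets the same directive itself, which is the per-image override the man page quote describes.

```python
# Added example, not code from any post: audit a lilo.conf for 'password' and
# 'restricted' and report what each entry will do at the LILO prompt. Assumption:
# global directives apply to every entry unless the entry overrides them itself.
SAMPLE_LILO_CONF = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz-2.4.20-20.9
    label=linux
    password=<your-password>
    restricted
image=/boot/vmlinuz-rescue
    label=rescue
    password=<your-password>
other=/dev/hda1
    label=dos
"""  # constructed sample, modelled on the stanza shown in the first post

def parse_lilo_conf(text):
    """Return (global_opts, [entry, ...]); flag directives such as 'restricted' map to ''."""
    global_opts, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ("image", "other"):      # start of a new boot entry
            current = {key: value}
            entries.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, entries

def boot_policy(global_opts, entry):
    """Prompt behaviour of one entry: entry directives override global ones."""
    def effective(key):
        return entry[key] if key in entry else global_opts.get(key)
    if effective("password") is None:
        return "no password"
    if effective("restricted") is not None:
        return "password only with extra kernel parameters"
    return "password on every boot (unattended reboot stalls)"

def audit_lilo_conf(text):
    global_opts, entries = parse_lilo_conf(text)
    return {e.get("label") or e.get("image") or e.get("other"):
            boot_policy(global_opts, e) for e in entries}
```

    The rescue entry is the case instronics describes: a password with no restricted flag, so a power-cut reboot stops at the prompt.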

  7. #7
    If it is possible in your BIOS, then it isn't a bad idea to set a HDD password; this will prevent users from booting without the password, and if the HDD is put in another system it will not work!

    Of course there are ways to get around this too, but for normal people / skiddies this is secure enough.

  8. #8
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    None of this helps protect you against someone with physical access.
    Well duh! One would be smart and remove the option to boot from floppy and/or CD Rom, lock the server into a secure room, remove keyboard and monitor (we do everything via command line ssh anyways!) and thus be that much more secure.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    superglue is your friend..

    To be totally paranoid, do as MsM said and glue the ps/2, usb etc.. ports shut !!

    I've done it to a PC once.. the only trouble was reinstalling, which I had to do on a different box, and then place the hdd back into that machine..

    But if you want to be safe from physical access, it's a way to go..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    AO BOFH: Luser Abuser BModeratorFH gore
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    This is cute and all, but super glue is useless against me. If I want in, I'll get in. Besides, all that effort would do nothing when I whipped out the case modding case cutter tool. I'd carve through what I wanted to get to, and keep going. Or of course the nail polish remover/chemical access way.

    Good tutorial in my opinion, but physical security, there is no patch for human error.....Except the new one I just released under the GPL. It's called a claw hammer. Works well on most users.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux
