Secure your Linux machine against physical exploits

No operating system is more vulnerable than when someone has physical access to it: pulling the system's power plug from the wall, taking the hard drive out and putting it into another case, and so on. The data on the system is what they are after, and they might be planning to install a back door or just have some fun at your expense. There are quite a few dangerous things a malicious user could use, or has just learned and is eager to test out, on your system. These users can put a floppy disk or a CD into your drive and reboot the machine. That simple action lets them boot into a live CD session and gain access to your file systems, copy data, make unwanted edits, etc.
However, there are ways to protect your system from these types of attacks.

BIOS passwords
A BIOS password will stop most users from attempting to do damage, but some users know how to get around it. There are software tools that will erase the BIOS password, reset it, or show what it is. Other options are changing jumper settings on the motherboard, taking out the battery on the motherboard, or simply opening the case, taking out the hard drive and putting it into another case.

LILO/GRUB
Once the BIOS finishes its boot tasks, the next danger point is the boot loader, LILO or GRUB. These boot loaders let you pass arguments to the kernel and /sbin/init. One of these options tells the Linux machine to boot into single-user mode (in most distros you are let in as root with no password needed); from there you can do all kinds of things, for example create new user accounts, change the root password, etc.
LILO and GRUB allow you to set passwords to prevent other users from typing in arguments directly to the kernel or /sbin/init.

LILO
LILO lets you set a separate password for each individual image or menu option. You will need to log in as root to make the changes. The file is located at /etc/lilo.conf.
You should see something like this near the bottom of your /etc/lilo.conf file:
image=/boot/vmlinux-2.4.20-20.9
label=linux
initrd=/boot/initrd-2.4.20-20.9.img
read-only
root=/dev/hda3
Add the following line to /etc/lilo.conf:
password=<your password>


Once you have done this, save and exit the file and type /sbin/lilo -v at the command prompt. This command installs the new boot loader rules so that the changes take effect the next time you reboot the system. The password is stored in plain text, so anyone who gets a good look at the contents of /etc/lilo.conf can tell what the password is. For that reason I recommend making /etc/lilo.conf readable by root only. At the command prompt, type:
chmod 600 /etc/lilo.conf

Grub
GRUB has a somewhat more sophisticated password approach than LILO. You can only have one password in GRUB, but GRUB allows you to store the password in an encrypted (MD5-hashed) form.
This is easier if you are logged in as root. If you are not, open the command prompt, type su and enter the root password.
Once you have root privileges, type the following:
/sbin/grub-md5-crypt
When prompted, type in the password that you want to use for GRUB and press the Enter key.
Next, open the GRUB config file, located at /boot/grub/grub.conf.
Look for the word timeout and put the following line under it, replacing <password-hash> with the output from /sbin/grub-md5-crypt:
password --md5 <password-hash>
Example:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/hdc3
# initrd /initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
password --md5 $1dfgj$hSHJH$ermZtty1
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-31.9)
root (hd0,1)
kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
initrd /initrd-2.4.20-31.9.img

The next time you boot up the system, GRUB’s menu will not let you get to the editor or command line without pressing p and then typing in the GRUB password. You won’t have to rerun grub to enable this feature.
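
A way to check both the LILO and the GRUB settings described above after editing either file, as an added example that is not part of the original article. The function name audit_boot_conf, the finding labels, and the sample files (with a placeholder password and hash) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original article): audit a LILO or GRUB legacy
# config for the settings discussed above. One finding per line; no output
# means no issue was found.
audit_boot_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 0; }

    # chmod 600 check: the group/other permission bits must all be "-".
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS group/other can access $conf"

    awk '
        /^[ \t]*#/ { next }                          # ignore comment lines
        tolower($1) ~ /^password/ {
            seen = 1
            # GRUB legacy hashed form: password --md5 <hash>
            if ($1 == "password" && $2 == "--md5" && $3 != "") next
            print "PLAINTEXT line " NR ": password is not in --md5 form"
        }
        END { if (!seen) print "NOPASSWORD no password directive" }
    ' "$conf"
}

# Constructed sample files (password and hash are placeholders).
demo_dir=$(mktemp -d)
cat > "$demo_dir/grub.conf" <<'EOF'
default=0
timeout=10
password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH
title Red Hat Linux (2.4.20-31.9)
        root (hd0,1)
EOF
cat > "$demo_dir/lilo.conf" <<'EOF'
image=/boot/vmlinux-2.4.20-20.9
        label=linux
        password=example-password
EOF
chmod 600 "$demo_dir/grub.conf"
chmod 644 "$demo_dir/lilo.conf"

audit_boot_conf "$demo_dir/grub.conf"   # no findings
audit_boot_conf "$demo_dir/lilo.conf"   # PERMS and PLAINTEXT findings
```

Run it as root against the real /etc/lilo.conf or /boot/grub/grub.conf. For LILO the PLAINTEXT finding is expected, which is why the PERMS finding matters there.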

Dual boot systems
For those of you who have dual-boot systems, for example Windows and Linux, look for the title line of the other O.S., such as DOS.

Example
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/hdc3
# initrd /initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
password --md5 $1dfgj$hSHJH$ermZtty1
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-31.9)
root (hd0,1)
kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
initrd /initrd-2.4.20-31.9.img
title DOS
lock
password --md5 <password-hash>

After the line title DOS, add the following:
lock
password --md5 <password-hash>