-
June 28th, 2004, 05:09 PM
#1
Secure Linux boot loaders
Secure your Linux machine against physical exploits
No operating system is more vulnerable than when someone has physical access to it, such as pulling the system's power plug out of the wall, taking the hard drive out and putting it into another case, etc. It is the data on the system that they are after, and they might be planning to install a back door or just have some fun at your expense. There are quite a few dangerous things a malicious user could use, or has just learned and is eager to test out on your system. These types of users can put a floppy disk or a CD into your drive and reboot the machine. That simple action would allow them to boot into a live CD session and gain access to your file systems, copy data, make unwanted edits, etc.
However, there are ways to protect your system from these types of attacks.
BIOS passwords
This will prevent most users from attempting to do damage or other things, but there are users who know how to get around this. There are software tools that will erase the BIOS password, reset the password or show what the password is. The other things that could be done are changing jumper settings on the motherboard, taking out the battery on the motherboard, or simply opening the case, taking out the hard drive and putting it into another case.
Lilo/Grub
Once the BIOS finishes its booting tasks, the next danger point is the boot loader, Lilo or Grub. These boot loaders let you pass arguments to the kernel and /sbin/init. One of these options tells the Linux machine to boot into single user mode (in most distros you are allowed in as root with no password needed). From there you can do all kinds of things, for example create new user accounts, change the root password, etc.
Lilo and Grub allow you to set passwords to prevent other users from typing in arguments directly to the kernel or /sbin/init.
LILO
Lilo lets you set a separate password for each individual image or menu option. You will need to log in as root to make the changes. This file is located in /etc/lilo/lilo.conf
You should see something like this near the bottom of your /lilo.conf file:
image=/boot/vmlinux-2.4.20-20.9
        label=linux
        initrd=/boot/initrd-2.4.20-20.9.img
        read-only
        root=/dev/hda3
Add the following line to /etc/lilo.conf:
password=<your password>
Then, once you have done this, save and exit the file and type /sbin/lilo -v at the command prompt. This command will load the new boot loader rules so the next time you reboot the system the changes will take effect. The password is stored in plain text, so anyone who happens to get a good look at the contents of the /etc/lilo.conf file could tell what the password is. Since the Lilo password is stored in plain text, I recommend doing the following.
To make /etc/lilo.conf readable by root only, type in
chmod 600 /etc/lilo.conf
at the command prompt.
Grub
Grub has a bit more of a sophisticated password approach to it than Lilo does. You can only have one password in Grub, but Grub allows you to store the password in an encrypted fashion.
This is easier if you are logged in as root. If you are not logged in as root, open the command prompt, type su and type in the root password.
After you have root privileges, type the following:
/sbin/grub-md5-crypt
When prompted, type in the password that you want to use for Grub and press the Enter key.
Next, open the Grub config file. This is located in /boot/grub/grub.conf
Look for the word timeout and put in the following line under it:
password --md5 <password-hash>
Replace <password-hash> with the output from /sbin/grub-md5-crypt.
Example:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/hdc3
# initrd /initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
password --md5 $1dfgj$hSHJH$ermZtty1
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-31.9)
root (hd0,1)
kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
initrd /initrd-2.4.20-31.9.img
The next time you boot up the system grub’s menu will not let you get to the editor or command line without pressing p and then typing in the grub password. You won’t have to rerun grub to run this feature.
Dual boot systems
For those of you who have dual boot systems, for example Windows and Linux,
look for the word title of the other OS, such as DOS.
Example:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/hdc3
# initrd /initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
password --md5 $1dfgj$hSHJH$ermZtty1
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-31.9)
root (hd0,1)
kernel /vmlinuz-2.4.20-31.9 ro root=LABEL=/ hda=ide-scsi
initrd /initrd-2.4.20-31.9.img
title DOS
lock
password --md5 <password-hash>
After the words title DOS, add the following:
lock
password --md5 <password-hash>
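An added example, not part of the original post: a small Python audit of a GRUB legacy grub.conf that reports a missing or plaintext global password and catches directives whose dashes were damaged in copy-paste (such as `password-md5`, or an en dash before `md5`), which GRUB will not read as `password --md5`. The function name `audit_grub_conf` and both sample configs are constructed for illustration.

```python
import re

def audit_grub_conf(text):
    """Audit a GRUB legacy grub.conf (as a string); return (findings, unlocked_titles)."""
    findings, entries = [], {}        # entries: title -> True if lock/password present
    global_pw, title = False, None    # title stays None while in the global section
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Command and argument are separated by whitespace or '=' (e.g. timeout=10).
        cmd, _, arg = re.sub(r"[\s=]+", " ", line, count=1).partition(" ")
        if cmd == "title":
            title = arg
            entries[title] = False
        elif cmd == "lock" and title is not None:
            entries[title] = True
        elif cmd == "password":
            if not arg.startswith("--md5 "):
                findings.append(f"line {n}: password not in '--md5 <hash>' form "
                                "(plaintext, or a mangled option)")
            if title is None:
                global_pw = True
            else:
                entries[title] = True
        elif cmd.lower().startswith("password"):
            findings.append(f"line {n}: '{cmd}' is not the password command")
    if not global_pw:
        findings.append("no global password: menu editor and command line are open")
    return findings, [t for t, locked in entries.items() if not locked]

# Constructed sample: the dashes are damaged the way copy-paste often leaves them.
BROKEN = """default=0
timeout=10
password-md5 <password-hash>
title Red Hat Linux
    root (hd0,1)
    kernel /vmlinuz ro root=LABEL=/
title DOS
    lock
    password \u2013md5 <password-hash>
"""
FIXED = BROKEN.replace("password-md5", "password --md5").replace("\u2013md5", "--md5")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_grub_conf(conf))
```

The second list names entries that boot without any password; with only the global password set, that is expected for the Linux entry, since the password then guards the editor and command line only.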
-
June 28th, 2004, 05:44 PM
#2
May want to add this to the lilo section:
Source: Man page for lilo.conf
restricted
A password is only required to boot the image if kernel parameters are specified on the command line (e.g. 'single'). May be used on a single `image=' or `other=' to override a different global setting.
Using both password and restricted can help.
-
June 28th, 2004, 09:52 PM
#3
I personally swear by gag http://gag.sourceforge.net/ for dual/tri/quad... booting. I cannot say if it encrypts the passwords, but if you are sophisticated enough to find and modify the bootloader then decrypting the password is trivial. It provides the ability to password protect individually and boot up to 9 OSes. It is completely idiot proof to install. Kinda ugly I guess (imo) but it has never failed me for booting *nix, win, qnx...
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
-
June 29th, 2004, 01:18 PM
#4
If I can boot from a CD or yank out the HD and put it in another system I am able to change the lilo or grub config and allowed to remove those passwords. There's nothing stopping me.
None of this helps protect you against someone with physical access.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 29th, 2004, 01:45 PM
#5
I'm a lilo man..
have used grub but that wasn't my thing..
I use the restricted flag MsMittens was on about.. people are allowed to boot a kernel, but when you want to give the kernel extra boot-time-options, you'll need a password..
Nice tutorial !!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
June 29th, 2004, 04:24 PM
#6
In addition to the 'restricted' part, if you don't define it, and the box reboots by itself (maybe power out), then it will not boot again, since it awaits a password input upon boot. The restricted option helps bypass that, but will still want a password if any arguments are given at the lilo prompt.
Cheers.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
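An added example, not part of any post in this thread: a Python check of a lilo.conf for the three points raised above, namely the plaintext password in a file readable by non-root users, images with no password, and a password without `restricted` (the unattended-reboot problem from post #6). The name `audit_lilo_conf` and the sample file are constructed; only `password` and `restricted` are interpreted, and global options are assumed to come before the first `image=`/`other=` section.

```python
import os, stat, tempfile

def audit_lilo_conf(path):
    """Return findings for a lilo.conf; only password and restricted are interpreted."""
    glob = {"password": False, "restricted": False}
    images, cur, findings = {}, None, []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            key, _, val = (p.strip() for p in line.partition("="))
            key = key.lower()                  # accept Label=, Password= and similar spellings
            if key in ("image", "other"):      # a new section inherits the global settings
                cur = images.setdefault(val, dict(glob))
            elif key in glob:
                (glob if cur is None else cur)[key] = True
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077 and (glob["password"] or any(s["password"] for s in images.values())):
        findings.append(f"mode {mode:o}: plaintext password readable by non-root (chmod 600)")
    for name, s in images.items():
        if not s["password"]:
            findings.append(f"{name}: no password, arguments such as 'single' are accepted")
        elif not s["restricted"]:
            findings.append(f"{name}: password without restricted, every boot waits for input")
    return findings

# Constructed sample: one global password, restricted set on the first image only.
SAMPLE = """password=<your password>
image=/boot/vmlinuz-a
    label=linux
    restricted
image=/boot/vmlinuz-b
    label=rescue
other=/dev/hda1
    label=dos
"""

def demo():
    """Write SAMPLE to a temporary world-readable file and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit_lilo_conf(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print("\n".join(demo()))
```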
-
June 29th, 2004, 06:06 PM
#7
If it is possible in your BIOS, then it isn't a bad idea to set an HDD password. This will prevent users from booting without the password, and if the HDD is put in another system it will not work!
Of course there are ways to get around this too, but for normal people / skiddies this is secure enough.
-
June 29th, 2004, 07:02 PM
#8
None of this helps protect you against someone with physical access.
Well duh! One would be smart and remove the option to boot from floppy and/or CD Rom, lock the server into a secure room, remove keyboard and monitor (we do everything via command line ssh anyways!) and thus be that much more secure.
-
June 30th, 2004, 08:29 AM
#9
superglue is your friend..
To be totally paranoid, do as MsM said and glue the ps/2, usb etc.. ports shut !!
I've done it to a PC once.. the only trouble was reinstalling, which I had to do on a different box, and then place the hdd back into that machine..
But if you want to be safe from physical access, it's a way to go..
-
June 30th, 2004, 08:41 AM
#10
This is cute and all, but super glue is useless against me. If I want in, I'll get in. Besides, all that effort would do nothing when I whipped out the case modding case cutter tool. I'd carve through what I wanted to get to, and keep going. Or of course the nail polish remover/chemical access way.
Good tutorial in my opinion, but physical security, there is no patch for human error.....Except the new one I just released under the GPL. It's called a claw hammer. Works well on most users.