Monday, August 27, 2012

Password protect GRUB / Lock Single User Mode in Linux / RHEL / CENTOS


The primary reasons for password protecting a Linux boot loader are as follows:

1.       Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
2.       Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3.       Preventing Access to Insecure Operating Systems — If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.

How to password protect GRUB

Step 1: Open a shell, login as root, type the following command.


[root@server ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$ZqLKR0$cimxs9UxGPM11IG/U.FW41

Once you have confirmed the password, an MD5 hash of the password entered is returned.

Step 2: Edit the GRUB configuration file /boot/grub/grub.conf. Open the file and add the below things just after the timeout line.

 password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt

Now the GRUB configuration file will look like this


# grub.conf generated by anaconda
 #
 # Note that you do not have to rerun grub after making changes to this file
 # NOTICE:  You do not have a /boot partition.  This means that
 #          all kernel and initrd paths are relative to /, eg.
 #          root (hd0,0)
 #          kernel /boot/vmlinuz-version ro root=/dev/sda1
 #          initrd /boot/initrd-[generic-]version.img
 #boot=/dev/sda
 default=0
 timeout=5
 password --md5 $1$ZqLKR0$cimxs9UxGPM11IG/U.FW41
 splashimage=(hd0,0)/boot/grub/bootimage1.xpm.gz
 hiddenmenu
 title CentOS (2.6.32-131.21.1.el6.x86_64)
 root (hd0,0)
 kernel /boot/vmlinuz-2.6.32-131.21.1.el6.x86_64 ro root=UUID=7aa8bb3f-2566-4d14-ae10-4d2c24ecbb0a rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
 initrd /boot/initramfs-2.6.32-131.21.1.el6.x86_64.img
 title Other
        rootnoverify (hd0,0)
        chainloader +1

Now reboot the system and see the access to the GRUB menu editor or command interface is being locked down. To do so he should press the followed by the GRUB password. 

Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.

Look for the title line of the operating system that you want to secure. Add the lock directive immediately after it.

For a non Linux system, the stanza will begin like this

title Other lock

Note: A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.

Also you can set different passwords of each kernel or operating system you have.For this you have to add lockline to that particular stanza followed by a password line.

title Other lock password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt
Now the kernel or the operating system part with password protected in the GRUB configuration file will look like this.


title Other lock password --md5 $1$rjTKR0$GzSI4M.q8EREUsAw674Z5/
        rootnoverify (hd0,0)
        chainloader +1

That’s it….

0 comments:

Powered by Blogger.