Chapter 4. Workstation Security
2. Prevent Booting the System: Some BIOSes allow you to password protect the boot process
itself. When this is activated, an attacker is forced to enter a password before the BIOS launches
the boot loader.
Because the methods for setting a BIOS password vary between computer manufacturers, you should
consult the manual for your computer.
If you forget the BIOS password, it can often be reset either with jumpers on the motherboard or
by disconnecting the CMOS battery. However, you should check the manual for your computer or
motherboard before attempting this procedure.
4.2.2. Boot Loader Passwords
The following are the primary reasons for password protecting a Linux boot loader:
1. Prevent Access To Single-User Mode: If an attacker can boot into single-user mode, he
becomes the root user.
2. Prevent Access To the GRUB Console: If the machine uses GRUB as its boot loader, an
attacker can use GRUB's editor or command interface to change its configuration or to gather
information using the cat command.
3. Prevent Access To Non-Secure Operating Systems: If it is a dual-boot system, an attacker can
select at boot time an operating system, such as DOS, which ignores access controls and file
permissions.
There are two boot loaders that ship with Red Hat Linux, GRUB and LILO. The next two sections
will describe how to password protect these applications.
4.2.2.1. Password Protecting GRUB
You can configure GRUB to address the first two issues listed in Section 4.2.2 by adding a password
directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log
in as root, and type:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press [Enter]. This will return an MD5 hash of the
password.
Next, edit the GRUB configuration file, /boot/grub/grub.conf. Open the file and, below the timeout
line in the main section of the document, add the following line:
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt [2].
The next time you boot the system, the GRUB menu will not let you access the editor or command
interface without first pressing [p] followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting into a non-secure
operating system in a dual-boot environment. For this you need to edit a different part of the
/boot/grub/grub.conf file.
Look for the title line of the non-secure operating system and add a line that says lock directly
beneath it.
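A check for the two settings described in this section, as an added example that is not part of the original guide: it reads the text of a grub.conf and reports a missing or plain-text password directive and any entry that lacks lock beneath its title. The sample file and the function names are constructed, and treating entries that use chainloader as the non-Linux operating systems is an assumption.

```python
import re

# Constructed sample in GRUB legacy grub.conf syntax; the hash is a placeholder.
SAMPLE_CONF = """\
default=0
timeout=10
password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH
title Red Hat Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda2
title DOS
    rootnoverify (hd0,1)
    chainloader +1
"""

def directive(line):
    """First word of a line; grub.conf allows 'timeout=10' and 'timeout 10'."""
    return re.split(r"[\s=]+", line, maxsplit=1)[0]

def audit_grub_conf(text):
    """Return a list of findings for the two settings described above."""
    global_lines, stanzas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if directive(line) == "title":
            stanzas.append([line])          # a title line opens a new stanza
        elif stanzas:
            stanzas[-1].append(line)
        else:
            global_lines.append(line)       # main section, before any title

    findings = []
    passwords = [l for l in global_lines if directive(l) == "password"]
    if not passwords:
        findings.append("no password directive in the main section")
    elif not any("--md5" in l.split() for l in passwords):
        findings.append("password is stored in plain text, not as an MD5 hash")

    for stanza in stanzas:
        # Assumption: a stanza that uses chainloader boots a non-Linux OS.
        chainloaded = any(directive(l) == "chainloader" for l in stanza[1:])
        locked = len(stanza) > 1 and directive(stanza[1]) == "lock"
        if chainloaded and not locked:
            findings.append("%s: no lock directly beneath the title line" % stanza[0])
    return findings

if __name__ == "__main__":
    for finding in audit_grub_conf(SAMPLE_CONF):
        print(finding)
```
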
[2] GRUB also accepts plain-text passwords, but it is recommended you use the md5 version because
/boot/grub/grub.conf is world-readable by default.





