Fedora Boot Lockdown

While Linux in general is one of the more secure OSes out there, a default Fedora install will let a physical user (someone sat at the machine) who knows how get root access to the machine. Simply by adding the -s kernel parameter in GRUB you can enter single-user mode, which doesn't prompt for the root password. We're going to change that and a little more. These are just a few tips to help secure your Linux box against a physical attack.

GRUB First

First we're going to lock down GRUB to stop people messing with the kernel parameters in the first place. We do this by adding a password to GRUB so that it is required in order to access any option other than booting the selected OS.

Get an MD5 hash for your desired password by running the command 'grub-md5-crypt' and entering your password.

[root@savnet-wrk-01 ~]# grub-md5-crypt
Password:
Retype password:
$1$MnmRG1$JGu6dfGNjJyWaaplw6rlg/

Copy the entire line that the command outputs and open /etc/grub.conf. Find the line 'timeout=' and below it add the line 'password --md5 grub-md5-crypt_output', for example:

default=0
timeout=10
password --md5 $1$MnmRG1$JGu6dfGNjJyWaaplw6rlg/
splashimage=(hd0,2)/boot/grub/splash.xpm.gz
#hiddenmenu
title Fedora Core
        root (hd0,2)
        kernel /boot/vmlinuz-2.6.14-1.1656_FC4 ro root=LABEL=/ rhgb quiet
        initrd /boot/initrd-2.6.14-1.1656_FC4.img
title Microsoft Windows XP
        rootnoverify (hd0,0)
        chainloader +1

And last for GRUB: if you are running an insecure OS, such as MS-DOS, Win311 etc., you can lock the OS option so that the password is required to boot that OS. Below the 'title' line for that OS in /etc/grub.conf, add 'lock' on a new line. For example, if we wanted to password protect Windows XP in the above file we would add:

title Microsoft Windows XP
        lock
        rootnoverify (hd0,0)
        chainloader +1

Inittab Second

Next we can modify inittab so that, should someone get around GRUB's password by using their own boot loader, Fedora will still ask for the root password when they enter single-user mode.

Open /etc/inittab in your favourite editor, find the line 'id:5:initdefault:' (the 5 may be a 3 on your system) and add '~~:S:wait:/sbin/sulogin' below it:

id:5:initdefault:
~~:S:wait:/sbin/sulogin

Anyone entering single-user mode will now be required to type a password; if they press Ctrl+D, the system will continue to start up normally.

If you run a server you may also want to stop Ctrl+Alt+Del from shutting down or rebooting the PC. This can also be done from inittab: simply find the line that reads 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' and add a hash in front of it:

# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

You can always add a BIOS password, but keep this in mind: if a person has physical access to your machine and can get the case off, not much is going to stand in their way.
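
To confirm the edits above actually took effect, here is an added example (not part of the original article): a POSIX shell function that audits a grub.conf and an inittab for the GRUB password, the 'lock' line and the two inittab changes. The function names, the sample files built in demo, and the rule that every chainloader entry should carry 'lock' are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the settings above.
# Heuristic assumption: any entry that uses chainloader should carry lock.

boot_lockdown_findings() {   # usage: boot_lockdown_findings GRUB_CONF INITTAB
    awk -v f="$1" '
        function flush() {
            if (title != "" && chain && !locked)
                print f ": entry \"" title "\" chainloads an OS without lock"
        }
        /^[ \t]*title[ \t]/ {
            flush(); seen_title = 1; chain = locked = 0
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title); next
        }
        # The global password line only counts before the first title.
        !seen_title && /^[ \t]*password[ \t]+--md5[ \t]+[^ \t]/ { pw = 1 }
        /^[ \t]*lock[ \t]*$/      { locked = 1 }
        /^[ \t]*chainloader[ \t]/ { chain = 1 }
        END {
            flush()
            if (!pw) print f ": no global password --md5 line"
        }' "$1"
    # Single-user mode must run sulogin from an uncommented inittab line.
    grep -Eq '^[^#:]*:S:wait:/sbin/sulogin' "$2" ||
        echo "$2: single-user mode does not call /sbin/sulogin"
    # An active ctrlaltdel line means Ctrl+Alt+Del still reboots the machine.
    if grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$2"; then
        echo "$2: ctrlaltdel action is still enabled"
    fi
    return 0
}

demo() {   # constructed sample: password set, XP unlocked, inittab untouched
    d=$(mktemp -d) || return 1
    printf '%s\n' 'timeout=10' \
        'password --md5 $1$CONSTRUCTED$hashplaceholder' \
        'title Fedora Core' '        root (hd0,2)' \
        'title Microsoft Windows XP' '        rootnoverify (hd0,0)' \
        '        chainloader +1' > "$d/grub.conf"
    printf '%s\n' 'id:5:initdefault:' \
        'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$d/inittab"
    boot_lockdown_findings "$d/grub.conf" "$d/inittab"
    rm -rf "$d"
}
demo
```

On a real system, run boot_lockdown_findings /etc/grub.conf /etc/inittab as root; no output means all of the checks passed.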