HowTo – Secure GRUB bootloader for VMware ESX and Linux
There are a couple of very good reasons to secure your server’s boot loader, regardless of whether you’re using GRUB or LILO. In this article I am only going to cover how to configure GRUB.
- Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
- Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
Now let’s go ahead and secure your server/workstation:
- ssh to your server host with root access
- type: grub to enter the grub console
- type: md5crypt to create an md5 encrypted password (document both the unencrypted and encrypted versions of your password)
- open your favorite editor or download the files via your favorite ftp app. We need menu.lst and grub.conf; they’re located in /boot/grub
- Add the below line to the top of menu.lst and grub.conf:
    password --md5 your_encrypted_password
- Now add “lock” on the line below the title of each o/s choice that you want to prevent from booting without a password.
The method I described above will prevent modification of GRUB boot options and will only allow you to boot, without the password, those items that were not password protected with the “lock” command.
I went ahead and manually modified menu.lst and grub.conf.
Here is an example of a sample file that you can use as a guide. Replace “your_encrypted_password” with the md5 hash that you generated earlier with the md5crypt command.
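To check the result of the steps above, here is an added example (not part of the original article) that audits a GRUB legacy menu.lst or grub.conf for the scheme described here: a global password --md5 line above the first title, and “lock” under each entry. The sample config, its placeholder hash and the function name audit_grub_legacy are constructed for illustration; the check assumes md5crypt output starts with $1$ and does not consider per-entry password lines.

```python
import re

# Constructed sample menu.lst; the hash is a placeholder, not real md5crypt output.
SAMPLE = """\
default=0
timeout=5
password --md5 $1$CONSTRUCTED$placeholderplaceholder00
title Linux
    lock
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2
title Linux (single user)
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2 single
"""

def audit_grub_legacy(text):
    """Return a list of findings for a GRUB legacy menu.lst / grub.conf."""
    findings = []
    have_password = False   # global password seen before the first title
    entries = []            # [title, has_lock] per boot entry, in file order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts both "cmd arg" and "cmd=arg"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            entries.append([arg, False])
        elif cmd == "lock" and entries:
            entries[-1][1] = True
        elif cmd == "password" and not entries:
            have_password = True
            fields = arg.split()
            if fields[:1] != ["--md5"]:
                findings.append("global password is stored in cleartext (no --md5)")
            elif len(fields) < 2 or not fields[1].startswith("$1$"):
                findings.append("--md5 value is not md5crypt output (expected $1$...)")
    if not have_password:
        findings.append("no global password line before the first title")
    for title, has_lock in entries:
        if not has_lock:
            findings.append(f"entry '{title}' boots without the password (no lock)")
    return findings

if __name__ == "__main__":
    for finding in audit_grub_legacy(SAMPLE):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports only the single-user entry, which has no “lock” line and therefore boots without the password.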
I found the following sites useful while writing this article:





