• Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
• Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the use the GRUB editor interface to change its configuration or to gather information using the cat command.

• ssh to your server host with root access
• type: grub to enter the grub console
• type: md5crypt to create a md5 encrypted password (document your password unencrypted and encrypted versions)
• open your favorite editor or download the files via your favorite ftp app. We need: menu.lst and grub.conf they’re located here: /boot/grub
• Add the below line to the top of menu.lst and grub.conf:
  password –md5 “your_encrypted_password” 
• Now add “lock” below each titled o/s choice that you want to prevent from booting without a password.

The method I described above will prevent modification of grub boot options AND only allow you to boot those items that were not password protected with the “lock” command.

I went ahead and manuallly modified menu.lst and grub.conf.

Here is an example of a sample file that you can use as a guide. Replace “your_encrypted_password” with the md5 hash that you generated earlier with the md5crypt command.

grub.conf

I found the following sites useful while writing this article:

http://ubuntuguide.org/wiki/Ubuntu:Edgy/Security

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-wstation-boot-sec.html#S2-WSTATION-BOOTLOADER

http://www.linux.com/feature/53569