GRUB is, without doubt, the most widely used boot loader on Linux, so a system's security is incomplete until its boot loader is secured. The common way to secure GRUB is a password. But a cunning attacker can bypass even this protection and gain access to your system if the password is NOT applied correctly to the "grub.conf" entries.

The main reasons to password-protect the GRUB boot loader are:

1. Block access to single-user mode.

2. Block access to the GRUB console.

3. Block access to a non-secure OS such as DOS (in case of dual boot).

4. Block booting of a particular kernel or OS.

The configuration file for GRUB is "grub.conf", found in the "/boot/grub" directory, and by default it has entries like this:



#boot=/dev/sda

default=0

timeout=10

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title Fedora (2.6.31.12-174.2.22.fc12.i686)

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img

title Fedora (2.6.31.12-174.2.3.fc12.i686)

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img


Now, first of all, we need a password hash. For that we use the "/sbin/grub-md5-crypt" command, like this:

Next, edit the /boot/grub/grub.conf file and add the following line below the timeout line (that is, in the global section, before the first title):

password --md5 <your-encrypted-password>

Replace your-encrypted-password with the hash generated by the /sbin/grub-md5-crypt command. In my case it will be like this:

password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91

Now your file will look like this:



#boot=/dev/sda

default=0

timeout=10

password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title Fedora (2.6.31.12-174.2.22.fc12.i686)

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img

title Fedora (2.6.31.12-174.2.3.fc12.i686)

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img


With this we have solved the first two problems. The next time the system boots, no one will be able to access the GRUB console or the entry editor without providing the password, while your system will still boot normally into your default OS.

But an unauthorised person can still boot into the non-secure OS such as DOS (in case of dual boot). This can be prevented by adding a line containing "lock" below the title line of the non-secure OS, like this:

title DOS

lock

This method only works if you have set the password in the global section of the file (as we did above); otherwise the attacker can simply remove the "lock" line through the GRUB editor and boot your system into the non-secure OS.

This solves the third case.

Now, if you wish to block a particular kernel or OS from booting without a password, add the following lines below the title line of that particular OS:

title DOS

lock

password --md5 <your-encrypted-password>

For example, I want to block my second entry from booting without a password. I would add entries like this:



#boot=/dev/sda

default=0

timeout=10

password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title Fedora (2.6.31.12-174.2.22.fc12.i686)

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img

title Fedora (2.6.31.12-174.2.3.fc12.i686)

lock

password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91

root (hd0,0)

kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet

initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img


Now GRUB will show you a password prompt whenever you try to boot your system with this particular kernel or OS.

This resolves our fourth issue.
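The four cases above all depend on one detail that is easy to get wrong: the password line must sit in the global section, because a "lock" or per-entry password line can otherwise be edited away from the GRUB console. The following checker is an added example and not part of the original post: it parses a GRUB legacy grub.conf into its global section and title entries and reports exactly those mistakes. The sample configs are constructed from the listings in this post (the hash is the one shown above); the function and constant names are my own.

```python
"""Lint a GRUB legacy grub.conf for the password and lock protections discussed above.

Added example, not part of the original post. The sample configs are constructed
from the post's listings; the $1$ hash is the one the post shows.
"""
import re

# GRUB legacy syntax: "password --md5 <md5-crypt hash>"; md5-crypt hashes start with "$1$",
# followed by the salt, a "$", and the hash itself.
MD5_PASSWORD_RE = re.compile(r"^password\s+--md5\s+\$1\$[^\s$]+\$\S+$")

# Constructed sample: the fully protected file from the post (global password,
# second entry locked and password-protected).
HARDENED_GRUB_CONF = """\
#boot=/dev/sda
default=0
timeout=10
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.31.12-174.2.22.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img
title Fedora (2.6.31.12-174.2.3.fc12.i686)
lock
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img
"""

# Constructed sample: the DOS entry is locked but there is no global password, so the
# lock line can be removed from the GRUB editor (the mistake the post warns about).
UNPROTECTED_LOCK_CONF = """\
default=0
timeout=10
title Fedora
root (hd0,0)
kernel /vmlinuz ro root=/dev/sda1
title DOS
lock
"""

# Constructed sample: a global "password --md5" line that lost its hash.
MALFORMED_PASSWORD_CONF = """\
default=0
timeout=10
password --md5
title DOS
lock
"""


def parse_grub_conf(text):
    """Split grub.conf into global directives and a list of title entries."""
    global_lines, entries, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "title":
            current = {"title": line[len("title"):].strip(), "lines": []}
            entries.append(current)
        elif current is None:
            global_lines.append(line)          # before the first title: global section
        else:
            current["lines"].append(line)
    return global_lines, entries


def lint_grub_conf(text):
    """Return (severity, message) findings; an empty list means the file passes."""
    findings = []
    global_lines, entries = parse_grub_conf(text)

    password_lines = [l for l in global_lines if l.split()[0] == "password"]
    global_protected = any(MD5_PASSWORD_RE.match(l) for l in password_lines)
    if not password_lines:
        findings.append(("HIGH", "no global password: GRUB console and entry editor are open"))
    elif not global_protected:
        findings.append(("HIGH", "global password line is not a valid --md5 hash: " + password_lines[0]))

    for entry in entries:
        title, lines = entry["title"], entry["lines"]
        # A lock is only meaningful when the editor itself is password-protected.
        if "lock" in lines and not global_protected:
            findings.append(("HIGH", f"'{title}': lock without a global password can be removed from the GRUB editor"))
        for l in lines:
            if l.split()[0] == "password" and not MD5_PASSWORD_RE.match(l):
                findings.append(("MEDIUM", f"'{title}': per-entry password line is not a valid --md5 hash: {l}"))
    return findings


if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED_GRUB_CONF),
                       ("unprotected lock", UNPROTECTED_LOCK_CONF),
                       ("malformed password", MALFORMED_PASSWORD_CONF)]:
        print(f"== {name} ==")
        for severity, message in lint_grub_conf(conf) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

To check a real machine, read /boot/grub/grub.conf and pass its contents to lint_grub_conf; anything reported as HIGH corresponds to one of the bypasses described in this post.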

You still need to secure your BIOS (set a BIOS password and fix the boot order), so that an attacker or unauthorized user cannot boot your system from a CD-ROM and bypass GRUB entirely.
