Password protection for the BIOS and the boot loader can prevent unauthorized users who have physical access to your systems from booting from removable media or attaining root through single user mode. But the security measures one should take to protect against such attacks depend both on the sensitivity of the information the workstation holds and the location of the machine.
For instance, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, non-password protected SSH keys for the corporate network is left unattended at that same trade show, it can lead to a major security breach with ramifications for the entire company.
On the other hand, if the workstation is located in a place where only authorized or trusted people have access, then securing the BIOS or the boot loader may not be necessary at all.
The following are the two primary reasons for password protecting the BIOS of a computer[1]:
Prevent Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it to boot off of a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to seed nefarious programs on the system or copy sensitive data.
Prevent System Booting — Some BIOSes allow you to password protect the boot process itself. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
Because the methods for setting a BIOS password vary between computer manufacturers, consult the manual for your computer for instructions.
If you forget the BIOS password, it can often be reset either with jumpers on the motherboard or by disconnecting the CMOS battery. For this reason it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting this procedure.
The following are the primary reasons for password protecting a Linux boot loader:
Prevent Access to Single User Mode — If an attacker can boot into single user mode, he becomes the root user.
Prevent Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
Prevent Access to Non-Secure Operating Systems — If it is a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.
There are two boot loaders that ship with Red Hat Linux for the x86 platform, GRUB and LILO. For a detailed look at each of these boot loaders, consult the chapter titled Boot Loaders in the Red Hat Linux Reference Guide.
You can configure GRUB to address the first two issues listed in Section 4.2.2 Boot Loader Passwords by adding a password directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log in as root, and type:
    /sbin/grub-md5-crypt
When prompted, type the GRUB password and press
Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:
    password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt[2].
The next time you boot the system, the GRUB menu will not let you access the editor or command interface without first pressing
Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For this you need to edit a different part of the /boot/grub/grub.conf file.
Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.
For a DOS system, the stanza should begin similar to the following:
    title DOS
    lock

Warning: You must have a password line in the main section of the /boot/grub/grub.conf file for this to work properly. Otherwise an attacker will be able to access the GRUB editor interface and remove the lock line.
If you wish to have a different password for a particular kernel or operating system, add a lock line to the stanza followed by a password line.
Each stanza you protect with a unique password should begin with lines similar to the following example:
    title DOS
    lock
    password --md5 <password-hash>

Finally, remember that the /boot/grub/grub.conf file is world-readable by default. It is a good idea to change this, as it has no effect on the functionality of GRUB, by typing the following command as root:
    chmod 600 /boot/grub/grub.conf
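To see the GRUB rules above applied as a check rather than as a procedure, the following shell script audits a grub.conf for the four points this section makes: a password line in the main section, that line being an --md5 hash rather than plain text, lock lines only being used when a main-section password exists, and the file not being world-readable. This is an added example written for this page, not code from the Red Hat guide or from GRUB; the sample configuration files, the scratch directory, and the hash value are constructed placeholders, and the function name audit_grub_conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit a grub.conf against the
# checks described above. Sample configs are constructed here; the hash is a
# placeholder, not real grub-md5-crypt output.

# audit_grub_conf FILE
# Prints one finding per line and returns the number of findings (0 = clean).
audit_grub_conf() {
    f=$1
    findings=0

    # 1/2. The main section is everything before the first "title" line;
    #      it must carry a password line, and that line should use --md5.
    main_pw=$(awk '/^[[:space:]]*title/ { exit }
                   /^[[:space:]]*password/ { print; exit }' "$f")
    if [ -z "$main_pw" ]; then
        echo "$f: no password directive in the main section"
        findings=$((findings + 1))
    else
        case "$main_pw" in
            *--md5*) ;;
            *) echo "$f: main-section password is plain text; use /sbin/grub-md5-crypt"
               findings=$((findings + 1)) ;;
        esac
    fi

    # 3. A "lock" line only protects a stanza if the main section has a
    #    password; otherwise the editor interface can simply remove it.
    locked=$(awk '/^[[:space:]]*title/ { t = $0; next }
                  /^[[:space:]]*lock[[:space:]]*$/ { print t }' "$f")
    if [ -n "$locked" ] && [ -z "$main_pw" ]; then
        echo "$f: lock used without a main-section password in:"
        echo "$locked" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    # 4. grub.conf is world-readable by default; any local user could read
    #    the hash (or a plain-text password).
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: world-readable; run: chmod 600 $f"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed samples in a scratch directory.
GRUB_DIR=$(mktemp -d)

# Hardened: md5 password in the main section, DOS stanza locked, mode 600.
cat > "$GRUB_DIR/grub.good" <<'EOF'
default=0
timeout=10
password --md5 $1$PLACEHOLDER$replace.with.grub.md5.crypt.output
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz-<version> ro root=/dev/hda2
title DOS
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
chmod 600 "$GRUB_DIR/grub.good"

# Weak: no main-section password, lock on DOS, world-readable (three findings).
cat > "$GRUB_DIR/grub.bad" <<'EOF'
default=0
timeout=10
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz-<version> ro root=/dev/hda2
title DOS
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
chmod 644 "$GRUB_DIR/grub.bad"

# Plain-text password in the main section, otherwise fine (one finding).
cat > "$GRUB_DIR/grub.plain" <<'EOF'
timeout=10
password secret-in-the-clear
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz-<version> ro root=/dev/hda2
EOF
chmod 600 "$GRUB_DIR/grub.plain"

for cfg in grub.good grub.bad grub.plain; do
    audit_grub_conf "$GRUB_DIR/$cfg"
    rc=$?
    if [ "$rc" -eq 0 ]; then echo "$cfg: OK"; else echo "$cfg: $rc finding(s)"; fi
done
```

Run it as any user; the only thing it touches is the scratch directory it creates. Pointing audit_grub_conf at a real /boot/grub/grub.conf requires read access to that file, which after chmod 600 means root.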
LILO is a much simpler boot loader than GRUB and does not offer a command interface, so you need not worry about an attacker gaining interactive access to the system before the kernel is loaded. However, there is still the danger of attackers booting in single-user mode or booting into an insecure operating system.
You can configure LILO to ask for a password before booting any operating system or kernel on the system by adding a password directive to the global section of its configuration file. To do this, open a shell prompt, log in as root, and edit /etc/lilo.conf. Before the first image stanza, add a password directive similar to this:
    password=<password>
In the above directive, replace the word <password> with your password.
Important: Anytime you edit /etc/lilo.conf, you must run the /sbin/lilo -v -v command for the changes to take effect. If you have configured a password and anyone other than root can read the file, LILO will install, but will alert you that the permissions on the configuration file are wrong.
If you do not want a global password, you can apply the password directive to any stanza corresponding to any kernel or operating system to which you wish to restrict access in /etc/lilo.conf. To do this, add the password directive immediately below the image line. When finished, the beginning of the password-protected stanza will resemble the following:
    image=/boot/vmlinuz-<version>
    password=<password>
In the previous example, replace <version> with the kernel version and <password> with the LILO password for that kernel.
If you want to allow booting a kernel or operating system without password verification, but do not want to allow users to add arguments without a password, you can add the restricted directive on the line below the password line within the stanza. Such a stanza begins similar to this:
    image=/boot/vmlinuz-<version>
    password=<password>
    restricted
Again, replace <version> with the kernel version and <password> with the LILO password for that kernel.
If you use the restricted directive, you must also have a password line in the stanza.
Warning: The /etc/lilo.conf file is world-readable. If you are password protecting LILO, it is essential that you only allow root to read and edit the file since all passwords are in plain text. To do this, type the following command as root:
    chmod 600 /etc/lilo.conf
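The LILO rules in this section (a stanza using restricted must have a password line, and once any password is configured the file must not be readable by anyone but root) can likewise be checked mechanically. The following shell script is an added example written for this page, not code from the Red Hat guide or from LILO; the sample /etc/lilo.conf contents, the scratch directory and the placeholder values are constructed, and the function name audit_lilo_conf is an assumption. It treats a password= line in the global section as covering every stanza, and it does not run /sbin/lilo, which you still have to do after any real edit.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit an /etc/lilo.conf against
# the rules above. Sample files are constructed here with placeholder values.

# audit_lilo_conf FILE
# Prints one finding per line and returns the number of findings (0 = clean).
audit_lilo_conf() {
    f=$1
    findings=0

    # A stanza starts at an image= or other= line. A stanza that uses
    # "restricted" is flagged unless it has its own password= line or the
    # global section (everything before the first stanza) has one.
    missing=$(awk '
        BEGIN { s = "global section" }
        /^[[:space:]]*(image|other)=/ {
            if (s == "global section") gp = p
            if (r && !p && !gp) print s
            s = $0; r = 0; p = 0; next
        }
        /^[[:space:]]*restricted/ { r = 1 }
        /^[[:space:]]*password=/  { p = 1 }
        END {
            if (s == "global section") gp = p
            if (r && !p && !gp) print s
        }' "$f")
    if [ -n "$missing" ]; then
        echo "$f: restricted without a password line in:"
        echo "$missing" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    # Passwords are stored in plain text, so once any password= is present
    # the file must be readable by root only (lilo itself warns about this).
    if grep -q '^[[:space:]]*password=' "$f" \
       && [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: contains passwords but is world-readable; run: chmod 600 $f"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed samples in a scratch directory.
LILO_DIR=$(mktemp -d)

# Hardened: global password, kernel stanza restricted, mode 600 (clean).
cat > "$LILO_DIR/lilo.good" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=<password>
image=/boot/vmlinuz-<version>
        label=linux
        root=/dev/hda2
        restricted
other=/dev/hda1
        label=dos
EOF
chmod 600 "$LILO_DIR/lilo.good"

# Weak: second stanza has restricted but no password, and the file holding
# the first stanza's plain-text password is world-readable (two findings).
cat > "$LILO_DIR/lilo.bad" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz-<version>
        label=linux
        root=/dev/hda2
        password=<password>
image=/boot/vmlinuz-<version>-smp
        label=linux-smp
        root=/dev/hda2
        restricted
other=/dev/hda1
        label=dos
EOF
chmod 644 "$LILO_DIR/lilo.bad"

for cfg in lilo.good lilo.bad; do
    audit_lilo_conf "$LILO_DIR/$cfg"
    rc=$?
    if [ "$rc" -eq 0 ]; then echo "$cfg: OK"; else echo "$cfg: $rc finding(s)"; fi
done
```

The return value is the number of findings, so the function can be dropped into a configuration check that fails on any nonzero status.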
[1] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type and not the other.
[2] GRUB also accepts plain text passwords, but it is recommended you use the md5 version because /boot/grub/grub.conf is world-readable by default.