Password protect Grub Bootloader
You’re thinking a lot about computer security lately, and that’s a good thing. You certainly made the right choice going to Linux, and Debian was wise, too. That’s not the end of your thought about security I hope. This short tutorial will show you how to password protect your Grub boot loader rendering your machine un-boot-able (that’s not even close to being a real word!) to the casual snoop, or anyone else without the ability to get around this; which for all intents and purposes is just about anybody you know. This is by no means absolute security for your machine, far from it – it’s merely a wrinkle in the road.
There is a lot more to securing your Debian system than just password protecting Grub but physical security plays a large role in the overall scheme of securing your computer. However, most people shrug this off. This, along with setting your BIOS to only boot to your “hdd-0” and disabling all other boot devices, is an important first step. Don’t forget to set a password for your BIOS as well while you’re in there. If you lock the gate with a good enough lock you’ll keep all but the most determined trespassers out – and for those malcontents we have more security in store but that’s for another tutorial.
Password protecting your boot is simple and a pretty effective front-line defense. Soon enough, wherever you go, people will envy your savvy ways.
Open a terminal…
Become root and issue the following command:
# /sbin/grub-md5-crypt
You will be prompted for a password next — please don’t use your kid’s name and birthday, we’re protecting your computer here.
If you have so little creativity or are pressed for time there are a couple software apps that will assist in password creation. Now, I use passwords – all over the place. I’m also not nearly smart enough to remember them all so I use some software. Sure I haven’t opened much of the collective in months, but when I need one created – my criteria preset – or stored there is some help. Check out revelation or search for a password generator, keeper, manager in apt or your favorite outcrop.
OK – You’ve chosen your password, back to your terminal, type it in. Again. Notice that you are greeted with the MD5 hash of the password you typed. Copy that hash. Sure, highlight it with your mouse…
Now, you’ll need to modify your menu.lst file to enable the password you just chose, so, as you are currently “root” in your terminal, let’s open that file with Gedit:
# gedit /boot/grub/menu.lst
Look for this section:
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password top-secret
# password --md5 $1A$B5zFN9$dRKe5^f3Hd1t14Lk0e6NMoE5P
# password topsecret
The password --md5 line is what we’ll change. First, un-comment the line (delete the # sign) and then replace the hash value that is there with the one you just made. Highlight it and hit ctrl+v. Scroll down in the file until you come to your boot settings – the un-commented ones – put your cursor at the end of the initrd line in the first entry, hit enter. Now you tell Grub to lock the boot process unless the correct password is entered – type lock. Do it again for your other kernels. It’ll resemble this:
title Debian GNU/Linux, kernel 2.6.8-2-k7
root (hd0,0)
kernel /vmlinuz-2.6.8-2-k7 root=/dev/hda2 ro
initrd /initrd.img-2.6.8-2-k7
lock
savedefault
boot
Save the file. Close Gedit. Exit, exit out of your terminal, slide the chair back – stand up, stretch. Go outside and greet the world – you are the master of your universe.
When the machine(r) is rebooted the process will stop at the boot loader unless the proper password is entered. When the screen first appears in the boot process, type a p for the password prompt. Type your password, hit enter, arrow to your desired OS, hit enter again, continue booting.
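To check an edited menu.lst against the steps above (an un-commented password --md5 line in the first section, a hash of the shape grub-md5-crypt prints, and lock in every entry), here is an added example that is not part of the original tutorial. The function name, the finding messages and the sample file are constructed for illustration; the sample hash is a placeholder and the second boot entry is made up.

```python
import re
# Shape of grub-md5-crypt output: $1$<salt>$<22 characters>
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def audit_menu_lst(text):
    """Return findings for a GRUB legacy menu.lst; an empty list means OK."""
    findings, entries, password_seen = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        word, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if word == "title":
            entries.append([rest, False])
        elif word == "password" and not entries:
            password_seen = True
            args = rest.split()
            if not args or args[0] != "--md5":
                findings.append("password is stored in plain text (no --md5)")
            elif len(args) < 2 or not MD5_CRYPT.match(args[1]):
                findings.append("--md5 value is not a valid md5-crypt hash")
        elif word == "lock" and entries:
            entries[-1][1] = True
    if not password_seen:
        findings.append("no active password line before the first title")
    findings += ["entry not locked: " + t for t, locked in entries if not locked]
    return findings

# Constructed sample: the hash is a placeholder of the right shape, and the
# second (recovery mode) entry is made up and was left without 'lock'.
SAMPLE = "password --md5 $1$EXAMPLE0$" + "x" * 22 + """
title Debian GNU/Linux, kernel 2.6.8-2-k7
root (hd0,0)
kernel /vmlinuz-2.6.8-2-k7 root=/dev/hda2 ro
initrd /initrd.img-2.6.8-2-k7
lock
savedefault
boot
title Debian GNU/Linux, kernel 2.6.8-2-k7 (recovery mode)
root (hd0,0)
kernel /vmlinuz-2.6.8-2-k7 root=/dev/hda2 ro single
initrd /initrd.img-2.6.8-2-k7
savedefault
boot
"""

if __name__ == "__main__":
    print("\n".join(audit_menu_lst(SAMPLE)))
```

On a real system, pass it the contents of /boot/grub/menu.lst read as root; the sample hash from the commented template fails the shape check, which catches a template line that was un-commented but never replaced.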
machiner – early AM 22Aug05
Here’s a terrifically informative article for you to read. It’s juicy.











