Securing Linux for Physical Access

 

Physical access is everything: it is almost impossible to prevent access to a machine, or a password break, once somebody else has physical access to a Linux machine.

But there are some steps you can take to make somebody work hard to access the machine physically (provided they have good knowledge of Linux).

1) Add Password to Grub
Password-protecting the bootloader is one method you may employ to enhance the physical security profile of your computer. GRUB, the GRand Unified Bootloader, is the default bootloader on virtually all Linux distributions, but on a significant number, the installer does not have support for setting a GRUB password.

  • Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user
  • Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB edit and command interface to change its configuration

1.1 From a shell terminal, run the grub-md5-crypt command. The password that’s requested will be the one used to protect GRUB. It should not be the same as that of any user account on the system, and certainly not the same as the root password. Note the md5 hash generated. You will need it in the next step.

1.2 Edit /etc/grub.conf. Add another line below the “timeout” line and type in password --md5 followed by the md5 hash generated in step 1.1. Save the file. Reboot and try to access other features of GRUB by pressing the “p” key.

 

2) Disable single user mode
To protect single user or emergency login with a password, append the following line to your /etc/inittab file.
su:S:wait:/sbin/sulogin
Now each time someone tries to log in as single user, they will be asked for the root password.

 

3) Redirect output to serial console
First check that your system has a serial console. To check this, type:

root@localhost:~# dmesg | grep tty
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

OK, if you got output like the above, we are good. On to the next step.

Now we need to edit the GRUB configuration. Edit the grub.conf file (by typing vi /etc/grub.conf) and find the section shown below. Only add console=ttyS0,115200n8 at the end of the kernel line. Edit grub.conf carefully; a mistake can make your system unbootable.

[root@localhost ~]# vi /etc/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/VolGroup-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/md127
default=0
timeout=5
password --md5 $1$2Hsvs0$JvddxRBvNclESePZ4pE6Y.
serial --unit=0 --speed=115200
terminal --timeout=5 serial console
title CentOS (2.6.32-279.9.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-279.9.1.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_MD_UUID=eede5ac9:8fa8c5e6:c95ed758:c950d21f rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_MD_UUID=e3497c4f:871d4245:e017988c:7ca7addb rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM console=ttyS0,115200n8

So we only added console=ttyS0,115200n8 at the end of the kernel line. Save grub.conf and reboot to test it.

Also, it is recommended to try these things one by one. Otherwise you can lock yourself out of the box !!
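
A check script for the three steps above, added here as an example and not part of the original post; the function names and the sample files it builds are constructed for illustration. It reports whether grub.conf has a global password --md5 line (catching an en dash pasted in place of the two hyphens), whether inittab sends single user mode through sulogin, and whether every kernel line carries a serial console argument.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the checks
# can run against copies; function names and sample files are constructed.

# Step 1: in GRUB legacy a password line after the first "title" belongs to
# that entry, so only one before it counts here. Prints ok, missing or not-md5
# (not-md5 covers a pasted en dash in place of "--md5").
grub_password_status() {
    awk '
        /^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password[ \t]/ {
            seen = 1
            if ($2 == "--md5" && $3 ~ /^\$1\$/) good = 1
            exit
        }
        END { print (good ? "ok" : (seen ? "not-md5" : "missing")) }
    ' "$1"
}

# Step 2: an uncommented inittab entry must run sulogin for runlevel S.
sulogin_enabled() {
    grep -Eq '^[^#:]+:S:wait:/sbin/sulogin[[:space:]]*$' "$1"
}

# Step 3: succeeds only if every kernel line has console=ttyS<N>.
serial_console_on_all_kernels() {
    awk '
        /^[ \t]*kernel[ \t]/ { n++; if ($0 !~ /console=ttyS[0-9]+/) bad++ }
        END { exit !(n > 0 && bad == 0) }
    ' "$1"
}

# Constructed sample files (the hash is a placeholder, not a real one).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/grub.good" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title CentOS
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1 console=ttyS0,115200n8
EOF
sed 's/--md5/–md5/; s/ console=[^ ]*//' "$SAMPLE/grub.good" > "$SAMPLE/grub.bad"
printf 'id:3:initdefault:\nsu:S:wait:/sbin/sulogin\n' > "$SAMPLE/inittab"

for f in "$SAMPLE/grub.good" "$SAMPLE/grub.bad"; do
    printf '%s: password=%s\n' "${f##*/}" "$(grub_password_status "$f")"
done
```

To check a real machine, call the three functions with /etc/grub.conf and /etc/inittab instead of the sample paths.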

That’s it for now, Enjoy !!