Sunday, April 5, 2009

Securing GRUB Boot Loader

Many of us tend to think that Linux is inherently secure. In fact that is an illusion, and it arises because fewer home users run Linux, so fewer hacking tools are available to the average home user.
We forget some dominant backdoors that can cause serious trouble and malicious activity on sensitive servers.
One of these "backdoors" is leaving the boot loader unsecured. Don't forget that it is extremely easy to recover the root password on Linux; watch and see for yourselves (I used Red Hat Enterprise Linux 5 for the example).

First of all we reboot the server and wait until the GRUB boot loader comes up, then press Esc to pause the countdown.
We highlight the Linux entry and press 'e' for 'edit'; this brings us to a line with the
kernel version. We select that line and press 'e' again, and we are able to edit it:
at the end of the line, after "rhgb quiet", we add "single":

The machine will now boot into single-user mode, and the shell it drops into is a root shell, so all that's left is
to type passwd and voilà, we have obtained the root password.

Easy, huh? To prevent such scenarios, Linux includes a nice feature called grub-md5-crypt
(found in /sbin/grub-md5-crypt).
When we run it, a key is generated for us from the password we pass in. For those who are not familiar with cryptography, MD5 is a widely used cryptographic hash function that produces a 128-bit hash value.

All that's left now is to add the generated key to the /etc/inittab file, using the following syntax:
password --md5 <generated hash key>
That's it; save the file and reboot. Now if we try to edit the GRUB boot loader we are asked to authenticate:
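To make the two halves of this concrete, here is an added example that is not part of the original post: a Python implementation of the md5-crypt ("$1$") scheme that grub-md5-crypt produces, a verifier that does what GRUB does at the password prompt, and a small check that inspects a GRUB legacy menu file for a global `password --md5` line and inserts one if missing. The sample menu file is constructed for the example and modelled on a Red Hat layout; GRUB legacy reads the `password` directive from its own menu file, which on RHEL 5 is /boot/grub/grub.conf (also reachable as /etc/grub.conf). The function names and the sample config are my own, not GRUB's.

```python
"""md5-crypt ($1$) as used by GRUB legacy's `password --md5`, plus a check
and fix-up for the global password line in a GRUB legacy menu file.
Added example; the sample config below is constructed, not from a real host."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)-style base64: emit `count` chars, least-significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """Classic md5-crypt (the $1$ scheme of crypt(3)); grub-md5-crypt emits this format."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]          # at most 8 salt characters, stop at '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in the alternate digest, len(pw) bytes
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$1${salt}${enc}"


def make_grub_hash(password):
    """What grub-md5-crypt does: random 8-char salt from the crypt alphabet, then md5-crypt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def verify_md5_crypt(password, stored):
    """What GRUB does at the prompt: re-hash with the stored salt and compare."""
    if not stored.startswith("$1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(password, salt), stored)


# Constructed sample, modelled on a RHEL 5 /boot/grub/grub.conf (hypothetical).
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 rhgb quiet
        initrd /initrd.img
"""


def grub_global_password(conf_text):
    """Return the hash from a global `password --md5` line (before the first title), else None."""
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("title"):
            break
        parts = s.split()
        if len(parts) >= 3 and parts[0] == "password" and parts[1] == "--md5":
            return parts[2]
    return None


def add_grub_password(conf_text, hashed):
    """Insert a global `password --md5` line ahead of the first title if none exists."""
    if grub_global_password(conf_text):
        return conf_text
    lines = conf_text.splitlines()
    for idx, line in enumerate(lines):
        if line.strip().startswith("title"):
            lines.insert(idx, f"password --md5 {hashed}")
            break
    else:
        lines.append(f"password --md5 {hashed}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    h = make_grub_hash("correct horse")
    print(add_grub_password(SAMPLE_GRUB_CONF, h))
    print("verify:", verify_md5_crypt("correct horse", h))
```

The scheme is salted and stretched over 1000 MD5 rounds, which is why two runs of grub-md5-crypt on the same password give different strings that both verify. GRUB 2 later replaced it with PBKDF2 hashes from grub-mkpasswd-pbkdf2; the idea is the same, only the hash function and the directive name changed.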

Note that after the hash has been set in the /etc/inittab file it cannot be seen, which is another nice security feature.

Have fun and stay secure ;)
