GRUB is, without doubt, the most widely used boot loader on Linux, so a system's security is incomplete until its boot loader is secured. The common way to secure GRUB is a password. But a cunning attacker can bypass even this protection and gain access to your system if the password is NOT applied correctly to the grub.conf entries.

The main reasons to password-protect the GRUB boot loader are:

1. Block access to single-user mode.
2. Block access to the GRUB console.
3. Block access to a non-secure OS such as DOS (in case of dual boot).
4. Block booting of a particular kernel or OS.

The configuration file for GRUB is grub.conf, found under the /boot/grub directory; by default it has entries like this:

[root@geekride ~]# cat /boot/grub/grub.conf
#boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.31.12-174.2.22.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img
title Fedora (2.6.31.12-174.2.3.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root  rhgb quiet
initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img
[root@geekride ~]#

First of all we need a password hash. For that, we use the /sbin/grub-md5-crypt command, like this:

[root@geekride ~]# grub-md5-crypt
Password:
Retype password:
$1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
[root@geekride ~]#

Now we need to edit /boot/grub/grub.conf and add the following line below the timeout line:

password --md5 <your-encrypted-password>

Replace <your-encrypted-password> with the hash generated by /sbin/grub-md5-crypt. In my case it looks like this:

password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91

Now your file will look like this:

[root@geekride ~]# cat /boot/grub/grub.conf
#boot=/dev/sda
default=0
timeout=10
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.31.12-174.2.22.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img
title Fedora (2.6.31.12-174.2.3.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root  rhgb quiet
initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img
[root@geekride ~]#

With this we have solved the first two problems. The next time the system boots, no one will be able to access the GRUB console or editor without providing the password. Your system will still boot normally into your default OS.

But an unauthorised person can still boot into the non-secure OS like DOS (in case of dual boot). This can be prevented by adding a line with the entry “lock” below the title line of the non-secure OS, like this:

title DOS
lock

This method only works if you have put the password in the global section of the file (as we did above); otherwise the attacker can simply remove the lock entry through the GRUB editor and boot your system into the non-secure OS.

This solves the third case.

Now, if you wish to block a particular kernel or OS from booting without a password, add the following lines below the title line of that OS:

title DOS
lock
password --md5 <your-encrypted-password>

For example, I want to block my second entry from booting without a password. I would add entries like this:

[root@geekride ~]# cat /boot/grub/grub.conf
#boot=/dev/sda
default=0
timeout=10
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.31.12-174.2.22.fc12.i686)
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
initrd /initramfs-2.6.31.12-174.2.22.fc12.i686.img
title Fedora (2.6.31.12-174.2.3.fc12.i686)
lock
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
root (hd0,0)
kernel /vmlinuz-2.6.31.12-174.2.3.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root  rhgb quiet
initrd /initramfs-2.6.31.12-174.2.3.fc12.i686.img
[root@geekride ~]#

Now GRUB will show a password prompt whenever you try to boot your system with this particular kernel or OS.

This resolves our fourth issue.
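As an added example (my own code, not part of the original post), here is a small Python audit that applies the rules above to a grub.conf: it checks that a global password --md5 line is present and has the grub-md5-crypt shape, that any lock entry is backed by that global password (otherwise, as noted above, it can simply be edited away), and that no entry carries an unhashed password. The sample configuration inside it is constructed from the entries shown in this post.

```python
import re
# Constructed sample grub.conf (legacy syntax, as in the post): global --md5 password, locked DOS entry.
SAMPLE_GRUB_CONF = """\
#boot=/dev/sda
default=0
timeout=10
password --md5 $1$dYUlS/$WzIQzqcOmkxouCUWC0OU91
title Fedora (2.6.31.12-174.2.22.fc12.i686)
kernel /vmlinuz-2.6.31.12-174.2.22.fc12.i686 ro root=/dev/mapper/vg_geekride-lv_root rhgb quiet
title DOS
lock
"""

def parse_grub_conf(text):
    """Split a legacy grub.conf into global directives and per-title stanzas."""
    global_lines, stanzas, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if line.startswith("title "):
            current = {"title": line[6:].strip(), "lines": []}
            stanzas.append(current)
        elif current is None:
            global_lines.append(line)         # before the first title: global section
        else:
            current["lines"].append(line)
    return global_lines, stanzas

def password_status(lines):
    """'md5' for 'password --md5 <grub-md5-crypt hash>', 'weak' for any other password line, None if absent."""
    for parts in (line.split() for line in lines):
        if parts and parts[0] == "password":
            ok = (len(parts) >= 3 and parts[1] == "--md5"
                  and re.fullmatch(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}", parts[2]))
            return "md5" if ok else "weak"
    return None

def audit_grub_conf(text):
    """Apply the post's rules; return a list of findings (empty means OK)."""
    global_lines, stanzas = parse_grub_conf(text)
    global_pw, findings = password_status(global_lines), []
    if global_pw != "md5":
        findings.append("global password missing or not a grub-md5-crypt hash")
    for st in stanzas:
        if "lock" in st["lines"] and global_pw is None:
            findings.append(f"'{st['title']}': lock without a global password can be edited away")
        if password_status(st["lines"]) == "weak":
            findings.append(f"'{st['title']}': entry password is not a grub-md5-crypt hash")
    return findings
```

Running audit_grub_conf on the sample returns an empty list; deleting the global password line makes both the missing-password and the ineffective-lock findings appear.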

You still need to secure your BIOS, so that an attacker or unauthorized user cannot boot your system from a CD-ROM.
