#1 Set a GRUB boot loader password using the grub-md5-crypt command

Type the grub-md5-crypt command to create the password hash in MD5 format:

# grub-md5-crypt

Output:

Password:<ENTER-YOUR-PASSWORD>
Retype password:<ENTER-YOUR-PASSWORD>
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Please note that you need to copy and paste the MD5 hash 
($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) into your configuration file. Use the mouse 
to copy it.
#2 Add MD5 password to grub configuration file

Under Debian GNU/Linux the GRUB configuration file is located at 
/boot/grub/menu.lst (Red Hat / Fedora users use the /boot/grub/grub.conf file):

# vi /boot/grub/menu.lst

Next, edit the file and add a password line as follows:

password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

At the end it should look like this:

default         0
timeout         5
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title           Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root            (hd0,0)
kernel          /boot/vmlinuz root=/dev/hda3 ro
savedefault
boot

Save and close the file.

Optional:
If you dual boot (e.g. a home computer/workstation) with Windows XP/NT/2000, 
consider adding the lock command to the Windows XP entry right after the title 
command:

title           Windows NT/2000/XP
lock
root            (hd0,1)
savedefault
makeactive
chainloader     +1

Please note that the lock option can also be added to the failsafe entry.
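The two settings above (a global password line and lock on selected entries) are easy to get wrong, for example by placing the password line inside an entry instead of before the first title. The following script is an added example, not code from the original page; it audits a GRUB legacy menu file with awk. The sample menu it writes is constructed from the page's own menu.lst, and the file path is passed as an argument so it can be run against /boot/grub/menu.lst or /boot/grub/grub.conf.

```shell
#!/bin/sh
# Added example (not from the original page): audit a GRUB legacy menu.lst.
# It checks that a global "password --md5" line appears before the first
# "title" and lists entries that still have no "lock" line.

# Return 0 when a "password --md5 $1$..." line appears in the global section
# (before the first "title" line), 1 otherwise.
global_password_set() {
  awk '
    /^[ \t]*title([ \t]|$)/ { exit (found ? 0 : 1) }
    /^[ \t]*password[ \t]+--md5[ \t]+[$]1[$]/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Print the title of every menu entry that has no "lock" line, one per line.
unlocked_entries() {
  awk '
    function report() { if (title != "" && !locked) print title }
    /^[ \t]*title([ \t]|$)/ {
      report()
      title = $0
      sub(/^[ \t]*title[ \t]*/, "", title)
      locked = 0
      next
    }
    /^[ \t]*lock([ \t]|$)/ { locked = 1 }
    END { report() }
  ' "$1"
}

# Human-readable summary for one menu file.
audit_menu() {
  if global_password_set "$1"; then
    echo "ok: global password is set in $1"
  else
    echo "WARNING: no 'password --md5' line before the first title in $1"
  fi
  unlocked_entries "$1" | while IFS= read -r entry; do
    echo "note: entry '$entry' can be booted without the password (no lock)"
  done
}

# Constructed sample based on the page's menu.lst: lock only on Windows.
write_sample_menu() {
  cat > "$1" <<'EOF'
default         0
timeout         5
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title           Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root            (hd0,0)
kernel          /boot/vmlinuz root=/dev/hda3 ro
savedefault
boot

title           Windows NT/2000/XP
lock
root            (hd0,1)
savedefault
makeactive
chainloader     +1
EOF
}

# Usage: sh grub-audit.sh /boot/grub/menu.lst
if [ $# -gt 0 ]; then
  audit_menu "$1"
fi
```

Entries without lock are reported as a note rather than a warning, because a global password already protects editing and the command line; lock is the extra step that also stops an unlocked entry from booting at all.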

Enable Authentication for Single-User Mode
To enable authentication for single-user mode, open the /etc/inittab file:
# vi /etc/inittab
Add the following line to the file:
~~:S:wait:/sbin/sulogin
Save and close the file.
Disable Interactive Hotkey Startup at Boot

A few Linux distributions, such as Fedora, CentOS and RHEL, allow the console 
user to perform an interactive system startup by pressing the [I] key. Using 
interactive boot, an attacker can disable the firewall and other system 
services. Open the /etc/sysconfig/init file:
# vi /etc/sysconfig/init
Modify the setting as follows:

PROMPT=no

Setup Time-out for Login Shells

You can configure any Linux system to automatically log users out after a 
period of inactivity. Both BASH and TCSH support an idle time-out.
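The page does not show how the time-out is set, so the following is an added example rather than the author's own configuration. It installs a 10 minute idle time-out for bash (the TMOUT variable, made read-only) and for tcsh (the autologout variable, which is in minutes). The PREFIX variable, the IDLE_SECONDS default and the profile file name are assumptions made so the script can be staged into a scratch directory before touching the real /etc.

```shell
#!/bin/sh
# Added example (not from the original page): install an idle time-out for
# interactive bash and tcsh login shells.

IDLE_SECONDS="${IDLE_SECONDS:-600}"   # 10 minutes of inactivity (assumption)
PREFIX="${PREFIX:-}"                  # empty means the real /etc (assumption)

# bash reads TMOUT while waiting at an interactive prompt and exits when it
# expires; "readonly" stops a user from simply unsetting it in that shell.
install_bash_timeout() {
  mkdir -p "$PREFIX/etc/profile.d"
  cat > "$PREFIX/etc/profile.d/idle-timeout.sh" <<EOF
# Log out an idle interactive bash session after $IDLE_SECONDS seconds.
TMOUT=$IDLE_SECONDS
readonly TMOUT
export TMOUT
EOF
}

# tcsh uses the autologout shell variable, counted in minutes.
install_tcsh_timeout() {
  mkdir -p "$PREFIX/etc"
  cat >> "$PREFIX/etc/csh.cshrc" <<EOF
# Log out an idle interactive tcsh session after $((IDLE_SECONDS / 60)) minutes.
set autologout=$((IDLE_SECONDS / 60))
EOF
}

# Print the configured bash time-out in seconds (nothing if not installed).
configured_bash_timeout() {
  sed -n 's/^TMOUT=\([0-9][0-9]*\)$/\1/p' \
    "$PREFIX/etc/profile.d/idle-timeout.sh" 2>/dev/null
}

# Print the configured tcsh time-out in minutes (nothing if not installed).
configured_tcsh_timeout() {
  sed -n 's/^set autologout=\([0-9][0-9]*\)$/\1/p' \
    "$PREFIX/etc/csh.cshrc" 2>/dev/null
}

# Usage: sh idle-timeout.sh install   (as root, with PREFIX unset)
if [ "${1:-}" = install ]; then
  install_bash_timeout
  install_tcsh_timeout
fi
```

TMOUT only counts time spent waiting at the prompt, so a long-running program keeps the session alive, and a user can still start a fresh shell where the variable is not set; treat the time-out as a safety net behind screen locking, not a replacement for it.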
Setup Screen Locking

When a user temporarily leaves the console, screen locking should be deployed 
to prevent passersby from abusing the account. You must train all users to 
lock the screen whenever they leave the console. There are several ways to 
lock your Linux server or desktop.

The vlock program (one of many programs for locking the screen) locks one or 
more sessions on the console. vlock can lock the current terminal (local or 
remote) or the entire virtual console system, which completely disables all 
console access. vlock unlocks when either the password of the user who started 
it or the root password is typed. To install the vlock package, enter:

# yum install vlock

vlock locks one or more sessions on the Linux console. This is especially 
useful for Linux machines that have multiple users with access to the console: 
one user may lock his or her session(s) while still allowing other users to 
use the system on other virtual consoles. To lock the current console, enter:

$ vlock
The -a option locks all console sessions and disables VC switching; enter:

$ vlock -a
GUI Screen Locking

Most GUI managers can be locked in order to prevent passersby from abusing 
the login. The GNOME screen can be locked by choosing Lock Screen from the 
System menu. Also, make sure you have enabled a screen saver and that it is set 
to start within 10 minutes of inactivity. For KDE, click on the desktop > 
Configure Desktop > Screen Saver > Start automatically > Require password to 
stop. Alternatively, open the KDE Control Center, expand Appearance & Themes 
and then click on Screen Saver.
Disable Ctrl+Alt+Delete

Anyone who has physical access to the keyboard can simply use the 
Ctrl+Alt+Delete key combination to reboot the server without having to log on. 
To disable Ctrl+Alt+Delete, update /etc/inittab and make sure the following 
line is commented out:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect, type the following at a prompt:
# init q
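The three inittab and sysconfig changes on this page (sulogin for single-user mode, PROMPT=no, and the commented-out ctrlaltdel line) are all one-line edits that are easy to verify. The script below is an added example, not code from the original page; it checks each setting and can apply the two inittab fixes. File paths are passed as arguments, and the sample files it writes are constructed for illustration so the checks can be exercised without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original page): check and apply the /etc/inittab
# and /etc/sysconfig/init hardening described above.

# 0 when an active (uncommented) sulogin entry for runlevel S exists.
sulogin_required() {
  grep -q '^[^#][^#]*:S:wait:/sbin/sulogin' "$1"
}

# 0 when no active ctrlaltdel action remains; commented lines are ignored.
ctrlaltdel_disabled() {
  ! grep -q '^[^#][^#]*:ctrlaltdel:' "$1"
}

# 0 when the interactive-startup prompt is turned off.
interactive_boot_disabled() {
  grep -q '^PROMPT=no[[:space:]]*$' "$1"
}

# Comment out every active ctrlaltdel line (POSIX sed, no -i).
disable_ctrlaltdel() {
  sed 's/^\([^#][^#]*:ctrlaltdel:\)/#\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append the sulogin line from the page if it is missing.
require_sulogin() {
  sulogin_required "$1" || echo '~~:S:wait:/sbin/sulogin' >> "$1"
}

# Constructed sample of a stock inittab fragment before hardening.
write_sample_inittab() {
  cat > "$1" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
}

# Constructed sample of /etc/sysconfig/init with the given PROMPT value.
write_sample_sysconfig_init() {
  printf 'PROMPT=%s\n' "$2" > "$1"
}

# report "description" command args... : prints ok/WARNING for one check.
report() {
  desc=$1
  shift
  if "$@"; then echo "ok: $desc"; else echo "WARNING: $desc"; fi
}

# Usage: sh inittab-audit.sh live   (reads the real files, no changes made)
if [ "${1:-}" = live ]; then
  report "single-user mode requires a password (sulogin)" \
    sulogin_required /etc/inittab
  report "Ctrl+Alt+Delete reboot is disabled" \
    ctrlaltdel_disabled /etc/inittab
  report "interactive startup prompt is off" \
    interactive_boot_disabled /etc/sysconfig/init
fi
```

After applying either inittab fix on a live system, run init q as the page says so that init re-reads the file; the checks only confirm the file contents, not that init has picked them up.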
