#1 Set the GRUB boot loader password using the grub-md5-crypt command

Type the grub-md5-crypt command to create a password in MD5 format:

# grub-md5-crypt

Output:

Password:<ENTER-YOUR-PASSWORD>
Retype password:<ENTER-YOUR-PASSWORD>
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Please note that you need to copy and paste the MD5 password ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) into your configuration file. Use the mouse to copy it.

#2 Add the MD5 password to the GRUB configuration file

Under Debian GNU/Linux the GRUB configuration file is located at /boot/grub/menu.lst (Red Hat / Fedora users use the /boot/grub/grub.conf file):

# vi /boot/grub/menu.lst

Next, edit the file and add a password line as follows:

password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

In the end it should look like this:

default 0
timeout 5
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

title Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3 ro
savedefault
boot

Save and close the file.

Optional: If you dual boot (e.g. a home computer/workstation) with Windows XP/NT/2000, consider adding the lock command to the Windows XP entry right after the title command:

title Windows NT/2000/XP
lock
root (hd0,1)
savedefault
makeactive
chainloader +1

Please note that the lock option can also be added to the failsafe entry.

Enable Authentication for Single-User Mode

To enable authentication for single-user mode, open the /etc/inittab file:

# vi /etc/inittab

Add the following line to the file:

~~:S:wait:/sbin/sulogin

Save and close the file.

Disable Interactive Hotkey Startup at Boot

A few Linux distributions such as Fedora, CentOS and RHEL allow the console user to perform an interactive system startup by pressing the [I] key. Using interactive boot, an attacker can disable the firewall and other system services. Open the /etc/sysconfig/init file:

# vi /etc/sysconfig/init

Modify the setting as follows:

PROMPT=no

Setup Time-out for Login Shells

You can configure any Linux system to automatically log users out after a period of inactivity. You can configure BASH and TCSH time-outs.

Setup Screen Locking

When your users temporarily leave the console, screen locking should be deployed to prevent passersby from abusing the account. You must train all users to lock the screen when they have to leave the console. There are several ways to lock your Linux server or desktop. The vlock program (one of many programs to lock the screen) locks one or more sessions on the console. vlock can lock the current terminal (local or remote) or the entire virtual console system, which completely disables all console access. vlock unlocks when either the password of the user who started vlock or the root password is typed. To install the vlock package, enter:

# yum install vlock

vlock is a program to lock one or more sessions on the Linux console. This is especially useful for Linux machines which have multiple users with access to the console. One user may lock his or her session(s) while still allowing other users to use the system on other virtual consoles. To lock the console, enter:

$ vlock

The -a option can be used to lock all console sessions and disable VC switching; enter:

$ vlock -a

GUI Screen Locking

Most GUI managers can be locked in order to prevent passersby from abusing a login. The Gnome screen can be locked by visiting Lock Screen from the System menu. Also, make sure you have enabled a screen saver and it is set to start within 10 minutes of inactivity. For KDE, click on Desktop > Configure Desktop > Screen Saver > Start automatically > Require password to stop. You can also visit the KDE Control Center: expand Appearance & Themes and then click on Screen Saver.

Disable Ctrl+Alt+Delete

Anyone who has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. To disable Ctrl+Alt+Delete, update /etc/inittab and make sure the following line is commented out:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect, type the following at a prompt:

# init q
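As an added example (not part of the original article), the following POSIX shell script audits the settings covered above: a global GRUB password line placed before the first title entry, the sulogin line and a commented-out ctrlaltdel action in /etc/inittab, and PROMPT=no in /etc/sysconfig/init. It runs against constructed sample files in a temporary directory; the DIR/menu.lst, DIR/inittab and DIR/init layout and the audit_dir helper are assumptions for the demo, not part of any distribution.

```shell
#!/bin/sh
# Added audit script (not from the original article). Each check takes a
# config file path and returns 0 when the hardening setting is in place.

# GRUB legacy: a global "password --md5 $1$..." line before the first "title";
# a password placed inside an entry only protects that entry, not the menu.
grub_has_password() {
    sed '/^[[:space:]]*title/,$d' "$1" |
        grep -q '^[[:space:]]*password[[:space:]]*--md5[[:space:]]*\$1\$'
}

# Single-user mode asks for the root password via sulogin.
inittab_has_sulogin() {
    grep -q '^[[:space:]]*~~:S:wait:/sbin/sulogin' "$1"
}

# Ctrl+Alt+Del is disabled when no uncommented ctrlaltdel action remains.
inittab_cad_disabled() {
    ! grep -q '^[^#]*:ctrlaltdel:' "$1"
}

# Interactive startup ([I] key) is off when PROMPT=no is set.
sysconfig_prompt_off() {
    grep -q '^[[:space:]]*PROMPT=no' "$1"
}

# Run all checks over DIR/menu.lst, DIR/inittab and DIR/init (constructed
# layout), print PASS/FAIL per check and return the number of failures.
audit_dir() {
    fails=0
    for spec in "grub_has_password|$1/menu.lst|GRUB password set" \
                "inittab_has_sulogin|$1/inittab|sulogin for single-user mode" \
                "inittab_cad_disabled|$1/inittab|Ctrl+Alt+Del disabled" \
                "sysconfig_prompt_off|$1/init|interactive startup disabled"; do
        fn=${spec%%|*}; rest=${spec#*|}; file=${rest%%|*}; label=${rest#*|}
        if "$fn" "$file"; then echo "PASS  $label"
        else echo "FAIL  $label"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample files mirroring the hardened snippets on this page.
write_hardened_samples() {
    mkdir -p "$1"
    printf 'default 0\ntimeout 5\npassword --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0\ntitle Debian\nroot (hd0,0)\n' > "$1/menu.lst"
    printf '~~:S:wait:/sbin/sulogin\n#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/inittab"
    printf 'PROMPT=no\n' > "$1/init"
}
tmp=$(mktemp -d); write_hardened_samples "$tmp"; audit_dir "$tmp"; rm -rf "$tmp"
```

Point audit_dir at a directory holding copies of the real files to check a live host; a password line that sits below a title entry is reported as missing because it does not protect the GRUB menu itself.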

