Posted by: Odzangba | September 10, 2007

Locking down GRUB…

Before we start, let’s get this clear… there’s very little you can do to stop an experienced hacker who has physical access to your computer. There are so many ways of gaining root access to a computer if you have physical access to it – and the right know how – that the only way of stopping this is to make sure no unauthorised person comes into physical contact with your box. But there are still a few things you can do to slow down the geeks, and stop the noobs in their tracks.

First, install StartUp-Manager. It’s an intuitive graphical frontend to the boot/grub/menu.lst file. In a terminal, do this:

sudo aptitude intall startupmanager

Once the installation is complete, we can start the real work. Fire up StartUp-Manager… System > Administration > Startup-Manager.

Let’s hide the bootloader menu:
On the “Boot options” tab, uncheck the “Show bootloader menu” option in the “Misc.” section. While you’re at it you might want to reduce the timeout seconds (to something like 3).

screenshot-startup-manager.png

Let’s restrict access to the bootloader menu:
The easiest way for someone to gain root access to your computer is to edit the boot options served to the kernel when it loads. One way to do this is to choose “Recovery mode” in the bootloader menu. On ubuntu and many other linux distributions, this will log you in as root unless a root password has already been set. To prevent this, we will password protect the bootloader.

On the Security tab, check the Password protect bootloader and Password protect rescue mode options. Enter a strong but easy to remember password in the Change password section. Or you can remove the recovery option completely by unchecking the Create boot option for recovery mode on the Advanced tab.screenshot-startup-manager-2.png

While you’re at it, I recommend allowing only one kernel version in the boot loader. That keeps your bootloader menu less cluttered. Use the Number of kernels to keep combo box to control this behavior.

screenshot-startup-manager-3.png

Now, it should be more difficult for someone to mess with your linux box while you’re away.🙂

Ciao,
Odzangba


Responses

  1. I didn’t know this app existed. Thanks!

  2. Glad you liked it.🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: