Before we start, let’s get this clear… there’s very little you can do to stop an experienced hacker who has physical access to your computer. There are so many ways of gaining root access to a computer if you have physical access to it – and the right know how – that the only way of stopping this is to make sure no unauthorised person comes into physical contact with your box. But there are still a few things you can do to slow down the geeks, and stop the noobs in their tracks.
First, install StartUp-Manager. It’s an intuitive graphical frontend to the boot/grub/menu.lst file. In a terminal, do this:
sudo aptitude intall startupmanager
Once the installation is complete, we can start the real work. Fire up StartUp-Manager… System > Administration > Startup-Manager.
Let’s hide the bootloader menu:
On the “Boot options” tab, uncheck the “Show bootloader menu” option in the “Misc.” section. While you’re at it you might want to reduce the timeout seconds (to something like 3).
Let’s restrict access to the bootloader menu:
The easiest way for someone to gain root access to your computer is to edit the boot options served to the kernel when it loads. One way to do this is to choose “Recovery mode” in the bootloader menu. On ubuntu and many other linux distributions, this will log you in as root unless a root password has already been set. To prevent this, we will password protect the bootloader.
On the Security tab, check the Password protect bootloader and Password protect rescue mode options. Enter a strong but easy to remember password in the Change password section. Or you can remove the recovery option completely by unchecking the Create boot option for recovery mode on the Advanced tab.
While you’re at it, I recommend allowing only one kernel version in the boot loader. That keeps your bootloader menu less cluttered. Use the Number of kernels to keep combo box to control this behavior.
Now, it should be more difficult for someone to mess with your linux box while you’re away. 🙂