Secure Linux GRUB

GRUB is the default Linux boot loader. If an attacker has physical access to our server, they don’t need any password to access the server as the root user. They can simply reboot the server and reset the root password by logging in through single-user mode, which is dangerous. To protect our server from this vulnerability, I suggest setting a password for GRUB. The steps below will guide you through setting up a password for GRUB.

Step 1: Log in to the server via SSH and execute the command “grub-md5-crypt” to generate an MD5 password hash.

[root@sherinsha ~]# grub-md5-crypt
Password: 
Retype password: 
$1$29oD/1$hkbcfjZVoo5LvUYEp1

Step 2: Edit the file /boot/grub/grub.conf or /etc/grub.conf.

[root@tecmint ~]# vi /boot/grub/grub.conf

Step 2.1: Add the MD5 password hash to grub.conf as a “password --md5” line placed before the first “title” entry.

[root@sherinsha ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg. elevator=noop
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sdb1 elevator=noop
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$29oD/1$hkbcfjZVoo5LvUYEp1
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-642.6.1.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.6.1.el6.x86_64 ro root=UUID=1dec3e23-c884-4c37-b805-0dc0cf7dd2f5 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-642.6.1.el6.x86_64.img
title CentOS (2.6.32-642.3.1.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.3.1.el6.x86_64 ro root=UUID=1dec3e23-c884-4c37-b805-0dc0cf7dd2f5 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-642.3.1.el6.x86_64.img
title CentOS 6 (2.6.32-642.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=UUID=1dec3e23-c884-4c37-b805-0dc0cf7dd2f5 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-642.el6.x86_64.img

Step 3: Any further attempt to edit the GRUB entries at boot will ask for the password.
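
To confirm the result of the steps above, the following added example (not part of the original post) checks a GRUB legacy grub.conf for a hashed password line before the first title entry and for a file mode that denies group and other. The function names, return codes and sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GRUB legacy grub.conf.
# Return codes are this example's own convention:
#   0 ok | 1 no global password | 2 plaintext password | 3 loose file mode | 4 unreadable
check_grub_conf() {
    conf=$1
    [ -r "$conf" ] || return 4

    # Only the global section (before the first "title") is examined,
    # matching where the grub.conf in Step 2.1 places the line.
    opt=$(awk '
        /^[ \t]*#/                 { next }
        /^[ \t]*title([ \t]|$)/    { exit }
        /^[ \t]*password([ \t]|$)/ { print "opt=" $2; exit }
    ' "$conf")
    [ -n "$opt" ] || return 1

    # A hashed entry carries an option such as --md5 right after the keyword;
    # anything else means the password itself is stored in the file.
    case $opt in
        opt=--*) ;;
        *) return 2 ;;
    esac

    # The hash can be attacked offline if read, so group/other need no access.
    mode=$(ls -ld "$conf" | cut -c5-10)
    [ "$mode" = "------" ] || return 3
    return 0
}

# Constructed sample input mirroring the layout shown in Step 2.1.
write_sample() {
    cat > "$1" <<'EOF'
default=0
timeout=5
password --md5 $1$CONSTRUCTED$placeholderhashvalue00
hiddenmenu
title CentOS (constructed entry)
    root (hd0,0)
EOF
    chmod 600 "$1"
}

# Usage: sh check_grub.sh /boot/grub/grub.conf
if [ $# -gt 0 ]; then
    check_grub_conf "$1" && echo "OK" || echo "FAIL (code $?)"
fi
```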

 
