Sunday, June 20, 2010

Protecting GRUB Boot loader for CentOS

Much of the material is taken from "How Do I Secure Grub Boot Loader?" at http://www.cyberciti.biz/ and the book "Foundation of CentOS Linux" from Apress.

Without a GRUB password, anyone with access to the boot menu can edit the kernel parameters, boot into single-user mode, and log in as root.

Step 1:
Use the grub-md5-crypt command to hash the password in MD5 format:
# grub-md5-crypt

Password:
Retype password:
$1$gBrNd/$QccThGN4QFPdOiOtaTl.c0



Step 2: Edit GRUB configuration file
# vi /boot/grub/menu.lst

Insert this line into /boot/grub/menu.lst, in the global section above the first title entry:
password --md5 $1$gBrNd/$QccThGN4QFPdOiOtaTl.c0

The file should then look something like this (with your own hash on the password line):
# grub.conf generated by anaconda
#........
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$H7tNd/$GEYVMUDHmIkhb4xwNwywR.
title CentOS (2.6.18-164.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-164.el5.img

It's done. Hooray!
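
To confirm the edit took effect, here is an added check (not from the original post or its sources) that reads a GRUB legacy config and reports whether a password line sits in the global section, before the first title entry. The function names grub_password_status and grub_audit are hypothetical, and the embedded sample file is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a GRUB legacy
# config has a password line in its global section.

# grub_password_status FILE  -> prints md5 | plaintext | missing
grub_password_status() {
    awk '
        /^[ \t]*#/    { next }    # ignore comment lines
        $1 == "title" { exit }    # global section ends at the first boot entry
        $1 == "password" {
            # --md5 means the value is a hash; anything else is stored in clear
            found = ($2 == "--md5") ? "md5" : "plaintext"
            exit
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# grub_audit FILE -> exit status 0 only when a hashed password is set
grub_audit() {
    case "$(grub_password_status "$1")" in
        md5)       echo "OK: hashed GRUB password set in $1"; return 0 ;;
        plaintext) echo "WEAK: clear-text GRUB password in $1"; return 1 ;;
        *)         echo "FAIL: no global GRUB password in $1"; return 2 ;;
    esac
}

# Constructed sample modelled on the menu.lst shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# grub.conf generated by anaconda
default=0
timeout=5
hiddenmenu
password --md5 $1$gBrNd/$QccThGN4QFPdOiOtaTl.c0
title CentOS (2.6.18-164.el5)
root (hd0,0)
EOF
grub_audit "$sample"
rm -f "$sample"
```

On the real system, call grub_audit /boot/grub/menu.lst as root. A password line that appears only after a title line is reported as missing, because it does not sit in the global section.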
