In this post I will cover some basic things that are security related to Linux OS. Do not expect a very advanced level for securing you Linux, since I’m also novice to all this stuff. Since security topic is quite big I intend to extend it in several parts. Today I will write about physical, BIOS and GRUB boot loader security issues in LINUX OS.
Well, as you may know then regular Linux OS can be turned in to the server with just couple commands, so security can be related as for regular desktop version and server version of Linux.
You have probably read a lot of articles about how to secure your machine from outside attacks but physical security of you machine is also considered a great threat. Do not let you server machine lay around in unattended room so anyone can accesses it or even worse steal it. Put it behind the locked doors or even better use data center solutions if you can afford it.
Ok, someone have physical accesses to your server machine. He may want to reboot your machine and try to load his OS from bootable USB stick or other bootable media to gain access to your machine. So, you need to make sure that access to systems hardware is secured. First thing you need to put password for entering BIOS, some BIOS’es supports also putting password for booting up into system, you can enable that one if you are paranoid with security. Second thing you want to do is to disable any bootable devices on system that are not needed for proper run of your machine, so nobody can stick USB in your machine and reboot in his OS and do stuff with your machine. Some may already know but BIOS security can also be breached quite easily, by removing battery or jumping a pins on motherboard which allows BIOS hardware reset. The BIOS password is stored in CMOS memory that is maintained while the PC is powered off by a small battery, which is attached to the motherboard. If you remove this battery, all CMOS information (including the BIOS password) will be lost. You will need to re-enter the correct CMOS setup information to use the machine. Some advanced server machines have option of alerting user if BIOS was breached and modified but I have not seen that option on regular desktop machines or laptops which can also serve as servers.
If you are seriously paranoid with security then you can decrypt all your partion with open-source disk encryption software http://www.truecrypt.org/ which also allows preboot authentication. This software is quite impressive and offers military strength encryption. I tested myself and can recommend it. Thought not sure how this will impact on server’s performance.
GRUB boot loader security
Next important thing is to secure you boot loader. Linux uses GNU GRUB boor loader (short for GNU GRand Unified Bootloader). GRUB is the reference implementation of the Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer, or select a specific kernel configuration available on a particular operating system’s partitions.
By default, anyone with physical access to your system has the ability to reboot the machine and gain administrative (root) access to your file system. No authentication is needed. So it is strongly advised to secure this part. I remember once I had problems logging in system and teacher easily changed root password since boot loader was not secured.
While searching around I came up with this site where quite well is explained how to secure your boot loader.
And if you are not yet secured your boot loader, check this site out and you will see how easily it to reset your password when there is physical access to your system with no security on boot loader.
LinuxCBT Security Edition video tuttorials