A Quick Guide To Securing Your System From Physical Attacks

So, your network is behind a firewall, and your system is hardened? Have you taken a moment to think about the actual physical security of your network and machines? Though an unlikely risk in a home-based environment, physical attacks are still a factor worth defending against. In this article, I will go over two easy tasks that will move your system(s) another step closer to physical security.

Password Your BIOS:

Just about every BIOS these days has an option to set a password in order to boot the system. You will need to reboot your computer and boot into your BIOS, then find the option related to passwords. Setting a password on your BIOS will ensure that anyone booting your machine will not be able to load your operating system without supplying the proper password upon initial boot of the machine. Setting a password on your BIOS will also prevent someone from throwing in a bootable CD-ROM or floppy disk and loading something like a live CD or password cracker.

Password Your Boot Manager:

Another security measure is to password your boot manager, if you have one. A boot manager is usually loaded after the BIOS and is present on systems that have a dual-boot setup, such as those running Linux and Windows, or more than one operating system. Without adequate security precautions and passwords in place, someone with physical access to your machine can boot your kernel into single-user mode, or with root privileges, by passing a few extra parameters at the boot manager prompt. With that said, I will explain how to password LILO and GRUB, as they are the two most popular boot managers to date.

Passwording LILO:

There are two different ways you can tell LILO to prompt for a password.

  1. Always
  2. If someone tries to pass special kernel parameters at boot

If you want LILO to always prompt for a password before loading your kernel image, you will want to make the following changes to your /etc/lilo.conf configuration file:

Under the global options area, add:

password=passwordhere
mandatory

Obviously, replace passwordhere with something more suitable.

Save the /etc/lilo.conf configuration file and execute LILO in order to reinstall the configuration changes:

/sbin/lilo

If you want LILO to only prompt for a password if someone tries to pass kernel parameters at the boot prompt, add the following lines instead:

password=passwordhere
restricted

Again, be sure to replace passwordhere with something more suitable.

Save the /etc/lilo.conf configuration file and execute LILO in order to reinstall the configuration changes:

/sbin/lilo

Passwording GRUB:

If you use GRUB instead of LILO, here is what you’ll want to do in order to set a password.

As the root user, run:

grub-md5-crypt
Password:
Retype Password:
$1$bCOp17$HFxXT4G56tOIc9Xq2s/CE.

You will be prompted twice for a password. Then you will receive a long output of characters, which is your hash. Take that output and copy/paste it into your grub.conf (usually located in /boot/grub/) like so:

password --md5 $1$bCOp17$HFxXT4G56tOIc9Xq2s/CE.
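
The following audit script is an added example, not part of the original article. It reports which LILO password mode a config file sets, whether that file is world-readable (the LILO password sits there in clear text), and whether a GRUB config carries a well-formed password --md5 line. The function names and the sample files written to a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit boot-loader password settings.

# LILO: print none | mandatory | restricted | password-only for config file $1.
lilo_mode() {
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"; then
        echo none
    elif grep -Eq '^[[:space:]]*mandatory[[:space:]]*$' "$1"; then
        echo mandatory
    elif grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$1"; then
        echo restricted
    else
        echo password-only
    fi
}

# lilo.conf stores the password in clear text, so "other" must not be able to
# read it. Character 8 of the ls mode string is the other-read bit.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# GRUB legacy: print none | md5 | malformed-md5 | plaintext for config file $1.
# malformed-md5 catches a "--md5" flag whose dashes were mangled by copy/paste.
grub_mode() {
    line=$(sed -n '/^[[:space:]]*password[[:space:]]/{p;q;}' "$1" | tr -s '[:space:]' ' ')
    case $line in
        '')                        echo none ;;
        *'password --md5 $1$'*)    echo md5 ;;
        *md5*)                     echo malformed-md5 ;;
        *)                         echo plaintext ;;
    esac
}

# Constructed sample files (the hash is the one shown in the article).
demo=$(mktemp -d)
printf 'boot=/dev/hda\npassword=passwordhere\nrestricted\n' > "$demo/lilo.conf"
printf 'timeout 5\npassword --md5 $1$bCOp17$HFxXT4G56tOIc9Xq2s/CE.\n' > "$demo/grub.conf"
chmod 644 "$demo/lilo.conf"

echo "LILO mode: $(lilo_mode "$demo/lilo.conf")"
if world_readable "$demo/lilo.conf"; then
    echo "WARNING: lilo.conf is world-readable; run: chmod 600 /etc/lilo.conf"
fi
echo "GRUB mode: $(grub_mode "$demo/grub.conf")"
```

To audit a real machine, call the functions on /etc/lilo.conf and /boot/grub/grub.conf as root instead of the constructed samples.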

A lot of people may think that taking precautions for physical security is a bit dramatic and should be done by the paranoid only. I disagree. Practicing good security is essential to ensuring your computers are safe no matter what the case may be. Do you lock your doors when you go to sleep? If you find the answer to be pretty logical, then chances are you’ll agree that a BIOS password along with a boot loader password is essential for protecting your machines from physical attacks.
