Tips To Protect Linux Servers' Physical Console Access
November 19, 2010. Posted by Tournas Dimitrios in Linux.
The Linux console is the physical keyboard and display attached to a computer or server. Anyone standing in front of it can try to reboot the machine, edit the boot parameters or take over an unlocked session, so console access needs its own controls. Here are a few steps which, if taken, make it much harder for an attacker to quickly modify a system from its console. These are the 9 steps I can think of; follow them to get a good night's sleep 🙂
- Set BIOS Password
- Set GRUB Boot Loader Password
- Enable Authentication for Single-User Mode
- Disable Interactive Hotkey Startup at Boot
- Setup Time-out for Login Shells
- Setup Screen Locking
- GUI Screen Locking
- Disable Ctrl+Alt+Delete
- Double check the previous 8 rules 🙂
Let's analyse these rules:
- Set BIOS Password:
The BIOS is the boot firmware, the first code a PC runs when it is powered on. It controls many important system parameters, including which devices the system will try to boot from and in which order. Assign a password to prevent unauthorized changes to the BIOS configuration, and while you are there, disable booting from removable media (USB, CD/DVD, network) so that an attacker cannot boot a live system and mount your disks. Reboot the server, press the setup key (commonly F2 or Del; it varies by vendor), go to the security section of the BIOS menu to add a password, then save and exit (commonly F10; again the key may vary). Keep in mind that a BIOS password only raises the bar: an attacker who can open the case can usually clear it with the CMOS jumper or by removing the battery, or simply move the disk to another machine. A locked chassis and rack are the controls for that.
- Set GRUB Boot Loader Password:
By default, popular Linux distributions install GRUB (or LILO) as the boot loader on x86 systems. GRUB lets the console user choose between the kernel images available on the partitions, pass boot-time parameters to the kernel, and boot from other partitions or media. Without a password, anyone at the console can edit a boot entry and append single or init=/bin/bash to the kernel line, bypassing every security measure on the system, including authentication, and landing in a root shell. Password-protect GRUB so that entries cannot be edited or booted without it. On GRUB Legacy (the version current in 2010) generate the hash with the grub-md5-crypt command and add a "password --md5 <hash>" line to /boot/grub/grub.conf above the first title entry; on GRUB 2 the equivalent is grub-mkpasswd-pbkdf2 together with a set superusers / password_pbkdf2 stanza in /etc/grub.d/40_custom. The boot loader password is also what makes the single-user-mode protection below meaningful: a kernel booted with init=/bin/bash never reads /etc/inittab at all.
- Enable Authentication for Single-User Mode:
Single-user mode is used for system recovery. By default, however, no authentication is required when single-user mode is selected, so it can be used to bypass security on the server and gain root access. To require the root password (the sulogin program prompts for it before giving out the shell), open /etc/inittab:
# vi /etc/inittab
Add the following line to the file:
Save and close the file.
- Disable Interactive Hotkey Startup at Boot:
Some Linux distributions, such as Fedora, CentOS and RHEL, allow the console user to perform an interactive system startup by pressing the I key while services are starting. With interactive boot an attacker can choose to skip the firewall and other security-relevant services. Open /etc/sysconfig/init:
# vi /etc/sysconfig/init
Modify the setting as follows:
PROMPT=no
- Setup Time-out for Login Shells:
You can configure any Linux system to log users out automatically after a period of inactivity. bash honours the TMOUT variable (idle seconds before logout) and tcsh the autologout variable (idle minutes), so set them system-wide in /etc/profile (or a file under /etc/profile.d) and in /etc/csh.cshrc respectively, and make them read-only so that a user cannot simply unset them. Note that this only catches shells sitting idle at a prompt: a forgotten session running a long command or a text editor is not idle, which is why screen locking (next) is still needed.
- Setup Screen Locking:
When a user temporarily leaves the console, the screen should be locked to prevent passersby from abusing the account. Train all users to lock the screen whenever they step away. There are several ways to lock a Linux server or desktop.
The vlock program (one of many screen-locking programs) locks one or more sessions on the Linux console. It can lock the current terminal (local or remote) or the entire virtual console system, which disables all console access until it is unlocked. This is especially useful on machines where several users share the console: one user can lock his or her own session while others keep working on other virtual consoles. vlock unlocks when either the password of the user who started it or the root password is typed. To install the vlock package, enter:
# yum install vlock
To lock only the current console, run vlock with no options. The -a option locks all console sessions and disables virtual-console switching:
$ vlock -a
- GUI Screen Locking:
Most GUI desktop environments can be locked to prevent passersby from abusing the login. In GNOME, choose Lock Screen from the System menu. Also make sure a screen saver is enabled, set to start within 10 minutes of inactivity, and set to require a password to unlock. In KDE, open the KDE Control Center, expand Appearance & Themes, click Screen Saver, and enable "Start automatically" and "Require password to stop" (the same dialog is reachable by right-clicking the desktop and choosing Configure Desktop > Screen Saver).
- Disable Ctrl+Alt+Delete:
Anyone with physical access to the keyboard can press Ctrl+Alt+Delete to reboot the server without logging on. To disable it on a SysV init system, edit /etc/inittab and comment out the ctrlaltdel action by prefixing the line with #, so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
For the change to take effect, make init re-read /etc/inittab by typing the following at a prompt:
# init q
On Ubuntu (upstart) the reboot action lives in /etc/event.d/control-alt-delete (/etc/init/control-alt-delete.conf on newer releases); comment out its exec line to disable it. On systemd-based systems the equivalent is "systemctl mask ctrl-alt-del.target". This only removes the keyboard shortcut: an attacker who can reach the power button or the reset switch can still reboot the machine, and from that point on the BIOS and boot loader passwords above are what stop them.
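As an added example (written for this edit, not code from the original post), the following POSIX shell script audits the file-based settings from the GRUB, single-user mode, interactive startup, shell time-out and Ctrl+Alt+Delete sections. It checks a root directory, so it can be run against / on a live server or against a staged copy of /etc and /boot; with no argument it builds a constructed sample root that has every setting applied and audits that. The file name console-audit.sh and the sample contents (including the placeholder md5 hash) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit the file-based console
# hardening settings against a root directory.  Every check_* function takes
# the root directory as $1 and returns 0 (PASS) when the setting is in place,
# so the script can be pointed at "/" or at a staged copy of a system.
# Paths and syntax follow GRUB Legacy and SysV init as the post describes
# them; the sample root built by make_hardened_root is constructed, not real.

# GRUB Legacy: a global "password --md5 <hash>" line must appear before the
# first "title" stanza; after a title it only protects that one entry.
check_grub_password() {
    awk '/^[ \t]*title/ { exit }
         /^[ \t]*password[ \t]+--md5[ \t]+[^ \t]/ { found = 1 }
         END { exit !found }' "$1/boot/grub/grub.conf" 2>/dev/null
}

# Single-user mode must run sulogin (prompts for the root password) instead
# of dropping straight into a root shell.
check_sulogin() {
    grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1/etc/inittab" 2>/dev/null
}

# Interactive startup (the "I" key) must be switched off.
check_interactive_boot() {
    grep -Eq '^[[:space:]]*PROMPT=no' "$1/etc/sysconfig/init" 2>/dev/null
}

# No active ctrlaltdel action may remain in inittab (a commented line is fine).
check_ctrlaltdel() {
    [ -r "$1/etc/inittab" ] && ! grep -Eq '^[^#]*:ctrlaltdel:' "$1/etc/inittab"
}

# TMOUT must be a positive number of seconds and read-only in a login script;
# a plain assignment can be undone by the user with "unset TMOUT".
check_tmout() {
    files="$1/etc/profile $1/etc/profile.d/*.sh"   # left unquoted so the glob expands
    grep -Eqs '^[[:space:]]*(export[[:space:]]+)?TMOUT=[1-9][0-9]*' $files &&
        grep -Eqs '^[[:space:]]*readonly[[:space:]]+TMOUT' $files
}

# Run every check against one root, print a PASS/FAIL line for each and
# return non-zero if any check failed.
audit_root() {
    root="${1%/}"     # "/" becomes "", so "$root/etc/..." stays well formed
    status=0
    for check in check_grub_password check_sulogin check_interactive_boot \
                 check_ctrlaltdel check_tmout; do
        if "$check" "$root"; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: a staged root with every setting applied, used as a
# demonstration target.  The md5 hash is a placeholder, not grub-md5-crypt output.
make_hardened_root() {
    mkdir -p "$1/boot/grub" "$1/etc/sysconfig" "$1/etc/profile.d"
    printf 'default=0\ntimeout=5\npassword --md5 $1$placeholder$hash\n' \
        > "$1/boot/grub/grub.conf"
    printf 'title CentOS\n\troot (hd0,0)\n\tkernel /vmlinuz ro root=/dev/sda2\n' \
        >> "$1/boot/grub/grub.conf"
    printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$1/etc/inittab"
    printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' >> "$1/etc/inittab"
    printf 'PROMPT=no\n' > "$1/etc/sysconfig/init"
    printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n' > "$1/etc/profile.d/tmout.sh"
}

# Usage: sh console-audit.sh [root]   (no argument audits the constructed sample)
if [ -n "$1" ]; then
    audit_root "$1"
else
    sample=$(mktemp -d)
    make_hardened_root "$sample"
    audit_root "$sample"
    rm -rf "$sample"
fi
```

Run it as "sh console-audit.sh /" on the server; any FAIL line names the check that needs attention. The GRUB check insists that the password line precede the first title stanza because GRUB Legacy treats a password placed inside an entry as protection for that entry only, leaving the menu editor open.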