Aug 20
Two simple tips to secure your Linux box
Scribbled on Wednesday, August 20th, 2008

The first tip is about password protecting GRUB entries or, if you want more, locking the whole GRUB menu. The second tip is about choosing which partitions get mounted and which stay unmounted, which protects your important data from any kind of misuse. The second case was not much of a problem until HAL and gnome-mount made every partition auto-mount. Even then I was able to prevent the auto-mount of every other filesystem type but ext3.
Adding password to GRUB entry:
- Open grub via Terminal
grub
- Type md5crypt and press enter key
md5crypt
- Enter the password and press enter key
Password: ***
- Copy the md5 hashed password.
Encrypted: $1$uyPrX$Brdxeqt/iI52ta3yc.vps/
- Paste the password in menu.lst (/etc/boot/grub/menu.lst) after the title of the entry you want to password protect
title Arch Linux
password --md5 $1$uyPrX$Brdxeqt/iI52ta3yc.vps/
root (hd1,0)
kernel /boot/vmlinuz26 root=/dev/disk/by-uuid/cbf00f1f-6f57-4cc4-9855-8623311aeb3a ro
initrd /boot/kernel26.img
- And the good part is that no one can ever crack that password by brute force, because the md5 hash is one-way and a random salt is added as well. So the next time you md5crypt the same password the hash will be different, because the random salt mixed in (which depends on the time) is also different.
Preventing Auto-mount on boot-up:
- Even if HAL tries to auto-mount your partitions, you still have many options to prevent it. But disabling the HAL daemon is surely not welcome; it would take away some good services too.
- So, the best option I found was to add noauto and defaults to fstab (/etc/fstab)
LABEL=imp /media/d1 ext3 noauto,defaults 0 1
UUID=20A8FC26A8F /media/sda7 ntfs noauto,defaults,umask=007,gid=46 0 1
- If you don’t want to use defaults, just replace it with nouser.
- Reboot and this time partitions won’t be mounted automatically.
Summation:
- Password protecting the entries is a good middle-ground solution; you may want to password protect GRUB's interactive editing as a whole too. To do that, just add that line ( password --md5 $1$uyPrX$Brdxeqt/iI52ta3yc.vps/ ) before all the entries start.
- Of course one can always access the partition using a live CD, but then encryption is the option to prevent this.
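
To check both tips after editing, here is an added example (not part of the original post): a small Python audit that reads a GRUB legacy menu.lst and an fstab and reports which boot entries still lack a password and which partitions lack noauto. The sample files are constructed (the second title and the /dev/sda5 line are assumptions) and the function names are hypothetical.

```python
import re

# Constructed sample menu.lst (GRUB legacy); the hash is the one shown in the post.
SAMPLE_MENU = """\
timeout 5
title Arch Linux
password --md5 $1$uyPrX$Brdxeqt/iI52ta3yc.vps/
root (hd1,0)
kernel /boot/vmlinuz26 root=/dev/sda1 ro
title Second entry (constructed)
root (hd1,0)
kernel /boot/vmlinuz26 root=/dev/sda1 ro
"""
# The post's two fstab lines plus one constructed line without noauto.
SAMPLE_FSTAB = """\
LABEL=imp /media/d1 ext3 noauto,defaults 0 1
UUID=20A8FC26A8F /media/sda7 ntfs noauto,defaults,umask=007,gid=46 0 1
/dev/sda5 /media/data ext3 defaults 0 2
"""

def audit_menu(text):
    """Return (menu_locked, unprotected_titles, plaintext_password_line_numbers)."""
    menu_locked, entries, plaintext = False, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        # GRUB legacy accepts "cmd arg" and "cmd=arg"
        cmd, arg = (re.split(r"[ \t=]+", raw.strip(), maxsplit=1) + [""])[:2]
        if cmd == "title":
            entries.append([arg, False])
        elif cmd == "password":
            if not arg.startswith("--md5"):
                plaintext.append(n)            # password stored in clear text
            if entries:
                entries[-1][1] = True          # per-entry password
            else:
                menu_locked = True             # before all entries: locks editing
        elif cmd == "lock" and entries:
            entries[-1][1] = menu_locked       # lock relies on the global password
    return menu_locked, [t for t, ok in entries if not ok], plaintext

def automounted(fstab_text):
    """Mount points (other than / and swap) whose options lack noauto."""
    rows = (l.split() for l in fstab_text.splitlines() if not l.lstrip().startswith("#"))
    return [f[1] for f in rows if len(f) >= 4 and f[1] != "/"
            and f[2] != "swap" and "noauto" not in f[3].split(",")]

if __name__ == "__main__":
    locked, unprotected, plaintext = audit_menu(SAMPLE_MENU)
    print("menu editing locked:", locked)
    print("entries without password:", unprotected)
    print("plaintext password lines:", plaintext)
    print("mounted at boot:", automounted(SAMPLE_FSTAB))
```

To audit a real system, pass the contents of your own menu.lst and /etc/fstab to the two functions instead of the samples.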





