How to Prevent someone else from reseting your root password in NIX

If you are an even slightly security-consious sysadmin, the previous sections must have set off alarms while you were reading them. Is it really that easy to hack Linux? Yes and No. It all it comes down to the following: Physical Access is Root Access. Meaning, if you give someone physical access to a system, then you are giving them a very good chance of getting root access on your box. This is true for Windows, Linux, or any other OS out there.

But… you say that you need to give some people physical access to the server? There are some precautions you can take to slow down attackers and stop the noob’s. In this section I will talk about various ways you can make your computer more secure against these types of attacks. So lets get started.
3.1.1 Password protecting GRUB and LILO

First, edit the /etc/inittab file and insert the following line, right after the “initdefault” line: ~~:S:wait:/sbin/sulogin. This will require a password to boot into single-user mode by making init run ‘sulogin’ before dropping the machine to a root shell. ‘sulogin’ requires the user to input the root password before continuing.

Unfortunately, the above step won’t protect us against people who know what they are doing and pass init=/bin/bash to the kernel at the LILO prompt. To prevent unauthorized access I would suggest that you password protect LILO/GRUB by following these steps:

How to Protect LILO:

Open a shell prompt and log in as root
Open /etc/lilo.conf in your favorite text editor
Add the following line before the first image stanza: password=<password> , where <password> is your password.
Run /sbin/lilo -v to let the changes take effect
Type chmod 600 /etc/lilo.conf to give only root access to read and edit the file since all passwords are in plain text
Relax a bit, as your system is a little bit more secure

How to password-protect GRUB

Open a shell prompt and log in as root
Type /sbin/grub-md5-crypt and press enter
Enter the password you chose for GRUB when prompted. This will return an MD5 hash of your password
Open /boot/grub/grub.conf in your favorite text editor
Add password –md5 <password-hash> below the timeout in the main section (Replace <password-hash> with the hash you got in the previous step)
Save and exit
The next time you reboot, the GRUB menu will not let you access the editor or command interface without first pressing [p] followed by the GRUB password.

njoy the simplicity…….


About victimizeit
This is Atul.. working for IBM as a DataStage Developer. I may not be an expert on any particular DataStgae technology, but I'm sure I do know a few things about DB2, AIX, Unix, Windows, and DataBase. In this blog, I'll give out some tips on these subjects. If you find them useful, great, I'll be happy. Thanks for stopping by !!

What is your opinion ?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: