Wednesday, February 17, 2010

Linux hacking

Securing Linux by hardening the GRUB boot loader

By Abir Ranjan  Atarthy

After reading my last article "Hacking Root password of Linux", a few of you asked me how to secure Linux, and especially the GRUB boot loader, against that kind of attack.
So here is something on that.

INTRODUCTION
A running Linux server is exposed to various types of security threats. We can categorize them as:

  • Local security threats
  • Remote/network security threats

While many articles explain the network security threats and the mechanisms to deal with them in great detail, only a few also deal with the local security aspect. Local attacks primarily entail gaining illegal root access to an unattended system, either by running a brute-force password cracking program or simply by rebooting the machine and passing a few standard arguments to the boot loader.

TYPES OF BOOTLOADERS FOR LINUX

Linux is normally loaded by one of two boot loaders:
1. LILO - Linux Loader
2. GRUB - Grand Unified Bootloader
Here I will mainly focus on GRUB, meaning GRUB legacy (the 0.9x series), which reads its menu from /boot/grub/grub.conf (also known as menu.lst).

HOW TO HACK?
So let us first understand the attacks we are defending against.
 
Method 1:
This is the most well known and easiest method. The procedure is to boot the system
into runlevel 1, i.e. single-user mode. We can do so with:
LILO: at the boot prompt type  linux single  (or  linux 1 )
GRUB: press 'a' when the boot menu is displayed to append to the kernel line, type  single  (or simply  1 ) at the end of the line and press Enter.
On a system whose init does not run sulogin for single-user mode (the default on Red Hat-style
systems of the time) this drops you straight into a root shell without asking for any password.
Now you can change the root password by running the 'passwd' command. After rebooting the
system, logging in as root with the new password is possible.
How to secure?
The way to close this hole is to prompt for the root password even when the system is booted
into single-user mode. On a SysV init system we can achieve this by adding a single line to the
/etc/inittab file:
~~:S:wait:/sbin/sulogin
This line instructs init to run the 'sulogin' program, which asks for the root password before
handing out a shell, whenever the system enters runlevel S (single-user). Debian ships this line
by default; on Red Hat-style systems you have to add it yourself, then run 'init q' (or reboot)
so that init re-reads the file. Note that this protects only the single-user path through init:
an attacker who tells the kernel to run something other than init, as in Method 2, never reaches
inittab at all.

Method2:-

Even if you have protected your system with the first method, there are other ways in. We have
not yet stopped the kernel from accepting arguments typed at the boot prompt, which calls for
some more system strengthening.

When the system boots, you can tell the kernel to run a shell instead of init. At the LILO
prompt, pass the argument
linux init=/bin/bash (or init=/bin/sh)
or press 'a' at the GRUB menu and append init=/bin/bash to the kernel line.
The kernel then starts Bash as process 1 and you land in a root shell. The root file system is
mounted read-only at this point, which means that while you can read everything on the system,
you cannot write anything, and 'passwd' fails because it cannot rewrite /etc/shadow.
So the root password cannot be changed yet. The next step is therefore to remount the root file
system in read-write mode:
#mount -o rw,remount /
#mount -n -o remount,rw /
Contrary to what is sometimes claimed, the boot loader makes no difference here: the kernel is the
same once loaded, and both commands work whether LILO or GRUB started it. The -o parameter passes
mount options; 'remount' re-applies the options on the already mounted file system and 'rw' clears
the read-only flag. The -n parameter keeps mount from updating /etc/mtab, which sits on the very file
system being remounted and cannot be written while it is still read-only, so it is the safer form.
Once the remount succeeds, 'passwd' works as in Method 1.

How to secure?

1. The intuitive way to protect the system from this and similar attacks is to stop the kernel from
receiving user-supplied arguments at the LILO or GRUB prompt, i.e. to password-protect the boot
loader itself.

For LILO, add the following two lines to the image section (or the global section) of
/etc/lilo.conf and re-run /sbin/lilo so that the boot sector picks them up:
password=urpassword
restricted
'restricted' means the password is asked only when someone types extra arguments at the boot
prompt, so a normal boot is not affected.

For GRUB the syntax is different: the password is a command rather than a "key=value" setting,
and it belongs in the global section of /boot/grub/grub.conf, before the first 'title'. Do not
store it in clear text; generate an MD5 hash with grub-md5-crypt and add
password --md5 <hash printed by grub-md5-crypt>
With this line in place GRUB still boots the default entry normally, but 'e' (edit), 'a' (append)
and 'c' (command line) are disabled until 'p' is pressed and the password given. Add 'lock' as the
first line of any entry, such as a rescue entry, that should itself require the password to boot.
A 'password' line placed after a 'title' does not protect the editor; it only prompts before
booting that one entry.

Change the mode of the file to 600 so that non-root users can neither read the password (hash)
nor modify the file:
#chmod 600 /etc/lilo.conf
#chmod 600 /boot/grub/grub.conf (if you are using GRUB)
On Red Hat-style systems /etc/grub.conf is a symlink to /boot/grub/grub.conf, so chmod the real
file. Note that this step only guards the file on the running system; on its own it does nothing
against someone at the console, because GRUB reads the file before any Unix permission applies.
The password line above is what actually blocks the boot-time attack.

You can additionally make the file immutable, so that even root must remove the attribute
before editing it:
#chattr +i /etc/lilo.conf
#chattr +i /boot/grub/grub.conf (if you are using GRUB)
Remember 'chattr -i' before you change the file again (and, for LILO, re-run /sbin/lilo after
every edit, since lilo.conf is only read when the boot sector is written).

All of this raises the bar for an attacker with physical access, but does not remove the risk.
Someone who can boot from a CD or USB stick, or pull the disk out, can still read and rewrite
everything unless the BIOS is locked with its own password to boot from the hard disk only and
the data on the disk is encrypted. The boot loader password is one layer, not the whole defence.
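To check that both hardening steps (the sulogin line from Method 1 and the GRUB password, file mode and immutable bit from Method 2) are actually in place, here is a small audit script. It is an added example and not code from the original post; it targets GRUB legacy grub.conf and a SysV inittab only, the two sample configurations embedded in it are constructed, the kernel and disk paths are placeholders, and the MD5 hash shown is a dummy that a real system must replace with the output of grub-md5-crypt.

```shell
#!/bin/sh
# Added example, not code from the original post: audit of the hardening steps
# above for a GRUB legacy (0.9x) grub.conf and a SysV /etc/inittab.
# The file contents below are constructed samples; kernel and device paths are
# placeholders and the md5 hash is a dummy (generate a real one with grub-md5-crypt).

# Constructed sample with the protections applied. 'password --md5' in the global
# section (before the first 'title') disables 'e', 'a' and 'c' at the menu until
# 'p' is pressed and the password given; 'lock' makes the rescue entry ask for it too.
SAMPLE_HARDENED_GRUB_CONF='default=0
timeout=5
password --md5 $1$saltsalt$0000000000000000000000
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
title Linux (single user)
        lock
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1 single
        initrd /initrd.img'

# Constructed sample of the mistake warned about above: a clear-text password.
SAMPLE_WEAK_GRUB_CONF='default=0
timeout=5
password secret
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1'

# 0: hashed password in the global section; 2: password present but clear text;
# 1: no global password at all (editor and 'a' key open to anyone at the console).
grub_password_status() {
    # the global section is everything before the first "title" line
    global=$(awk '/^[[:space:]]*title/ {exit} {print}' "$1")
    if printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$'; then
        return 0
    elif printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]+[^-[:space:]]'; then
        return 2
    fi
    return 1
}

# 0 if FILE is mode 600 or 400 (no group/other access). Root ownership is a separate
# check because an audit run as an ordinary user cannot create root-owned test files.
file_mode_is_private() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

file_owned_by_root() {
    [ "$(stat -c '%u' "$1" 2>/dev/null)" = 0 ]
}

# 0 if the immutable bit (the 'i' flag in the first column of lsattr) is set on FILE.
file_is_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# 0 if a SysV inittab has an uncommented entry running /sbin/sulogin at runlevel S,
# i.e. the ~~:S:wait:/sbin/sulogin line from Method 1.
inittab_sulogin_ok() {
    grep -Eq '^[^#]+:S:(wait|respawn):/sbin/sulogin' "$1"
}

# Print one line per check; returns 0 only when every required check passes.
# Usage (as root): audit_system /boot/grub/grub.conf /etc/inittab
audit_system() {
    conf=$1; inittab=$2; failed=0; rc=0
    grub_password_status "$conf" || rc=$?
    case $rc in
        0) echo "ok:   $conf: hashed GRUB password in the global section" ;;
        2) echo "WEAK: $conf: GRUB password stored in clear text, use password --md5"; failed=1 ;;
        *) echo "FAIL: $conf: no global password line, the boot prompt is unprotected"; failed=1 ;;
    esac
    file_mode_is_private "$conf" && file_owned_by_root "$conf" \
        && echo "ok:   $conf: root-owned, mode 600" \
        || { echo "FAIL: $conf: should be owned by root with mode 600"; failed=1; }
    file_is_immutable "$conf" \
        && echo "ok:   $conf: immutable (chattr +i)" \
        || echo "note: $conf: not immutable (chattr +i is optional)"
    inittab_sulogin_ok "$inittab" \
        && echo "ok:   $inittab: single-user mode runs sulogin" \
        || { echo "FAIL: $inittab: add ~~:S:wait:/sbin/sulogin"; failed=1; }
    return $failed
}
```

Source the script and call audit_system with the real paths as root. The password check deliberately looks only at lines before the first 'title', because a 'password' command inside an entry does not lock the menu editor, and it treats '--md5' without a '$1$' hash as missing, since GRUB would then compare the typed password against a string that is not a hash.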
