
# Security 101 - Physical Security - Securing your Bootloader

by dimitrisp

In the previous part, we secured our system against the "Single User Mode exploit" so that unwanted intruders cannot gain full root access that way. We now feel that our system is a little bit more secure, right? Well... You can tell where this is going... :)
<center>
![](https://steemitimages.com/DQmbwYmZbP4ozxomRs4MWgdxtReTpVoUVRoEeyTiyTy2k8R/image.png)
</center>
---


### Previous parts:

* [1. Introduction](https://steemit.com/security/@dimitrisp/linux-security-101-introduction)
* [2. General Principles and Guidelines](https://steemit.com/security/@dimitrisp/security-101-general-principles-and-guidelines)
* [3. Physical Security: Intro](https://steemit.com/security/@dimitrisp/linux-security-101-physical-security)
* [4. Physical Security: Single User Mode](https://steemit.com/security/@dimitrisp/security-101-4-physical-security-single-user-mode)
---

## Single User Mode again!

But this time, in a different sense. Using the bootloader, we can skip the init/systemd initialisation system entirely and drop directly into a shell with root access.

Check the video below:

https://www.youtube.com/watch?v=p3Qf2IaENgc

Basically, we tell our GRUB entry to start the system with a bash session instead of init, by appending `init=/bin/bash` to the kernel line, in the same way we accessed "Single User Mode". To combat this, we can protect the bootloader's editor functionality with a password. How?

---

## Patching the security hole

We have to add a couple of lines to a file under `/etc/grub.d/`. Inside this folder, you'll notice a handful or two of files. We are going to use `40_custom`, as it is kept intact when a GRUB update is installed.

So go ahead and open the `40_custom` file:

```
sudo nano /etc/grub.d/40_custom
```
At the end of the file, add these two lines:

```
# superuser of the bootloader only; does not need to exist as a system user
set superusers="root"
# the password is stored in plaintext here; a hashed form is described below
password root mysuperlongsecurepasswordforbootloader
```
You can use any username you want. This is not related to the system at all. This will be the superuser of our bootloader, and it doesn't need to exist in the system as a user.

Save and exit. Rather than keeping the password in plaintext, you can store a hash of it: generate one with `grub-mkpasswd-pbkdf2` on Ubuntu/Debian, or `grub2-mkpasswd-pbkdf2` on CentOS/RedHat, and copy/paste the resulting `grub.pbkdf2.sha512...` string into `40_custom`. Note that the hashed string goes in a `password_pbkdf2 root <hash>` line in place of the `password` line; with the plain `password` directive, GRUB would treat the hash itself as the literal password.

Then we have to rebuild the bootloader config.

Ubuntu/Debian: `grub-mkconfig -o /boot/grub/grub.cfg` or `update-grub`

CentOS/RedHat: `grub2-mkconfig -o /boot/grub2/grub.cfg`

The next time you reboot and try to edit the bootloader to enter Single User Mode, you'll get a nice little prompt saying "Enter username:".

You'll have to type the username and then the password that you set earlier in the `40_custom` file. If you type a wrong username/password combo, you'll be thrown back to the bootloader menu. When you type the correct combo, you'll have access to the bootloader editor!
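As an added example (not code from the original post), here is a small bash script that emits the two `40_custom` lines in the hashed form and then audits the generated `grub.cfg` for the two things that commonly go wrong: a plaintext `password` line, and menu entries that are not marked `--unrestricted`, which GRUB will password-protect for booting, not only for editing. The function names and the sample `grub.cfg` are constructed for this example.

```bash
#!/bin/bash
# Added example, not from the original post. Function names and the sample
# config below are constructed for this example.

# Emit the two lines for /etc/grub.d/40_custom.
# $1 = bootloader username (need not exist on the system)
# $2 = hash printed by grub-mkpasswd-pbkdf2 (grub.pbkdf2.sha512.<iters>.<salt>.<hash>),
#      e.g. from: printf '%s\n%s\n' "$pw" "$pw" | grub-mkpasswd-pbkdf2 | awk '/PBKDF2 hash/ {print $NF}'
grub_password_block() {
    case "$2" in
        grub.pbkdf2.sha512.*.*.*) ;;
        *) echo "refusing: '$2' is not a grub-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
    esac
    # A plain 'password' line would treat the hash as the literal password;
    # the hashed form needs the password_pbkdf2 directive.
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Audit a grub.cfg. Returns 0 when protected; 1 = no superusers, 2 = plaintext
# 'password' directive present, 3 = superusers set but no hashed password.
# On success, prints every menuentry NOT marked --unrestricted: GRUB will
# demand the password just to boot those entries, not only to edit them.
grub_audit_cfg() {
    grep -Eq '^[[:space:]]*set superusers=' "$1" || { echo "no superusers set" >&2; return 1; }
    grep -Eq '^[[:space:]]*password[[:space:]]' "$1" && { echo "plaintext password directive" >&2; return 2; }
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1" || { echo "no password_pbkdf2 line" >&2; return 3; }
    grep -E '^[[:space:]]*menuentry ' "$1" | grep -v -- '--unrestricted' | sed 's/^[[:space:]]*//' || true
    return 0
}

# Constructed sample of a generated grub.cfg (not from a real system).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.53414C54.48415348
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple' {
    linux /vmlinuz root=/dev/sda1 ro
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced' {
    menuentry 'Ubuntu (recovery mode)' --class ubuntu $menuentry_id_option 'gnulinux-recovery' {
        linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
    }
}
EOF
grub_audit_cfg "$SAMPLE_CFG"   # lists the recovery entry: it still needs the password to boot
```

Run the audit against your real `/boot/grub/grub.cfg` (or `/boot/grub2/grub.cfg`) after `update-grub` to confirm the password lines made it in and to see which entries will now prompt at boot.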

---

## Well... Bypass this too!

If you boot from a boot CD and select the troubleshooting option, you can bypass all the security measures you've implemented so far.

How? The troubleshooting option lets you mount the filesystem with root access, from where all the measures we've implemented can be commented out or reversed. It is helpful when your system has crashed and you need to extract your files, but not when a malicious user has physical access to your system.

How to disable this? You can't. Unless, for example, you are willing to remove the CD/DVD drive! There must be something else though, right?

There is. It's called "Disk Encryption", and we will take a peek at it in the next part of Security 101. [Click here to read it](https://steemit.com/security/@dimitrisp/security-101-physical-security-disk-encryption-i)

---

Craving more? Until the next part is available, have a look at my Server 101 series:
* [Intro and getting into your server](https://steemit.com/tutorial/@dimitrisp/servers-101-intro-and-getting-into-your-server) - Single Article
* [Basic Server Security](https://steemit.com/tutorial/@dimitrisp/servers-101-basic-server-security-part-1) - 3 Parts
* [Setting up a Web Server](https://steemit.com/tutorial/@dimitrisp/servers-101-setting-up-a-web-server-part-1) - 4 Parts
* [Managing Your Server](https://steemit.com/tutorial/@dimitrisp/servers-101-managing-your-server) - 4 Parts
* [caddy - Lightweight Web Server](https://steemit.com/tutorial/@dimitrisp/servers-101-caddy-lightweight-web-server) - 1 Part
* [Emailify your server!](hhttps://steemit.com/tutorial/@dimitrisp/servers-101-emailify-your-server-part-1) - 6 Parts
* [Setting up a Password-Protected proxy server with Squid](https://steemit.com/tutorial/@dimitrisp/servers-101-setting-up-a-password-protected-proxy-server-with-squid) - 1 Part
* [OpenVPN in less than 2 minutes](https://steemit.com/tutorial/@dimitrisp/servers-101-openvpn-in-less-than-2-minutes)
* [Piwik - Your personal Google Analytics alternative](https://steemit.com/tutorial/@dimitrisp/servers-101-piwik-your-personal-google-analytics-alternative)
* [Email notifications for SSH Logins](https://steemit.com/tutorial/@dimitrisp/servers-101-email-notifications-for-ssh-logins)
* [Keeping your server up to date](https://steemit.com/tutorial/@dimitrisp/servers-101-keeping-your-server-up-to-date)

---

## Also, I am running a witness server.

## Please consider <a href="https://steemit.com/~witnesses" target="_blank">voting me, dimitrisp, for a witness</a> if you find what I post & do helpful and add value to the network

## [You can read my witness declaration here](https://steemit.com/witness-category/@dimitrisp/witness-declaration-of-dimitrisp)
@vanessa11val ·
I follow you. Thank you for upvoting me! I really appreciate it. ❤️ Have a nice day.