Tips To Protect Linux Servers Physical Console Access

by on March 12, 2009 · 20 comments · LAST UPDATED April 22, 2009

This is a user contributed article.

The Linux console is the physical device used to operate a computer or server. Here are a few steps which, if taken, make it more difficult for an attacker to quickly modify a system from its console.

Set BIOS Password

The BIOS is boot firmware, designed to be the first code run by a PC when it is powered on. It controls many important system parameters, including which devices the system will try to boot from, and in which order. Assign a password to prevent unauthorized changes to the BIOS configuration: reboot the server, press the setup key such as F2 (this key varies from system to system), go to the BIOS configuration menu and add a password, then save and exit the BIOS by pressing F10 (again, the key may vary).

Set GRUB Boot Loader Password

By default, popular Linux distros include GRUB or LILO as the boot loader for x86 systems. GRUB can be used to select from different kernel images available on a particular operating system's partitions, as well as to pass boot-time parameters to kernels. It also allows booting from different partitions or media. Without a password, GRUB can be used to bypass all security measures (including authentication) by booting into single-user mode. You must password protect GRUB to prevent modification of the boot parameters and improve server security. See how to set a GRUB boot loader password using the grub-md5-crypt command.

Enable Authentication for Single-User Mode

Single-user mode is used for system recovery. However, by default, no authentication is required when single-user mode is selected, which can be used to bypass security on the server and gain root access. To require the root password for single-user mode, open the /etc/inittab file:
# vi /etc/inittab
Add the following line to the file:
~~:S:wait:/sbin/sulogin
Save and close the file.

Disable Interactive Hotkey Startup at Boot

A few Linux distributions such as Fedora, CentOS and RHEL allow the console user to perform an interactive system startup by pressing the [I] key. Using interactive boot, an attacker can disable the firewall and other system services. Open the /etc/sysconfig/init file:
# vi /etc/sysconfig/init
Modify the setting as follows:

PROMPT=no

Setup Time-out for Login Shells

You can configure any Linux system to automatically log users out after a period of inactivity; both bash and tcsh support an idle time-out.

Setup Screen Locking

When a user temporarily leaves the console, the screen should be locked to prevent passersby from abusing the account. Train all users to lock the screen whenever they leave the console. There are several ways to lock a Linux server or desktop.

The vlock program (one of many programs to lock the screen) locks one or more sessions on the console. vlock can lock the current terminal (local or remote) or the entire virtual console system, which completely disables all console access. vlock unlocks when either the password of the user who started it or the root password is typed. To install the vlock package, enter:
# yum install vlock
vlock is a program to lock one or more sessions on the Linux console. This is especially useful for Linux machines which have multiple users with access to the console: one user may lock his or her session(s) while still allowing other users to use the system on other virtual consoles. To lock the current console, enter:
$ vlock
The -a option locks all console sessions and disables virtual console (VC) switching; enter:
$ vlock -a

GUI Screen Locking

Most GUI desktop managers can be locked in order to prevent passersby from abusing a login. The GNOME screen can be locked by choosing Lock Screen from the System menu. Also, make sure you have enabled a screen saver and that it is set to start within 10 minutes of inactivity. For KDE, click on Desktop > Configure desktop > Screen Saver > Start automatically > Require password to stop. Alternatively, open the KDE Control Center, expand Appearance & Themes and then click on Screen Saver.

Disable Ctrl+Alt+Delete

Anyone who has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. To disable Ctrl+Alt+Delete, edit /etc/inittab and make sure the following line is commented out (prefixed with #):

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect, type the following at a prompt:
# init q
To disable the reboot action under Ubuntu Linux, update the /etc/event.d/control-alt-delete file instead.
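The following audit script is an added example, not part of the original article: it checks the inittab, /etc/sysconfig/init, sysctl, GRUB legacy menu and login-shell time-out settings described in the sections above (the kernel.sysrq check corresponds to the Alt-SysRq point raised in the comments). The profile file name /etc/profile.d/timeout.sh and the PASS/FAIL report format are assumptions; each check takes the path of the file it should read, so the script also runs against copied configuration files.

```shell
# Added example (not from the original article): audit the console-hardening
# settings described above. Every check takes the path of the file it should
# read, so it runs on the live system or against copied configuration files.

# Single-user mode asks for the root password: an uncommented inittab entry
# for runlevel S that runs /sbin/sulogin (the id is 1-4 characters, e.g. "~~").
inittab_has_sulogin() {
    grep -Eq '^[^#:]{1,4}:S:wait:/sbin/sulogin' "$1" 2>/dev/null
}
# Ctrl+Alt+Del reboot disabled: no uncommented ctrlaltdel action in inittab
# (a missing inittab, as on upstart-based Ubuntu, counts as disabled here).
inittab_ctrlaltdel_disabled() {
    ! grep -Eq '^[^#:]{1,4}:[^:]*:ctrlaltdel:' "$1" 2>/dev/null
}
# Interactive startup (the [I] key) disabled: PROMPT=no in /etc/sysconfig/init.
interactive_boot_disabled() {
    grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$1" 2>/dev/null
}
# Magic SysRq disabled in sysctl.conf (kernel.sysrq=0, see the comments below).
sysrq_disabled() {
    grep -Eq '^[[:space:]]*kernel\.sysrq[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" 2>/dev/null
}
# GRUB legacy menu protected: a global "password" line, normally
# "password --md5 <hash>" with the hash produced by grub-md5-crypt.
grub_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+(--md5[[:space:]]+)?[^[:space:]]' "$1" 2>/dev/null
}
# Idle login-shell time-out: a profile script setting a non-zero TMOUT
# (optionally readonly/exported so users cannot unset it).
shell_timeout_set() {
    grep -Eq '^[[:space:]]*((readonly|export)[[:space:]]+)?TMOUT=[1-9][0-9]*' "$1" 2>/dev/null
}
# Run all checks under an optional root prefix (empty for the live system, a
# directory for a test fixture). Prints PASS/FAIL lines; returns the failure count.
# The profile file name timeout.sh is an assumption; any file in profile.d works.
audit_console_hardening() {
    root=${1:-}; fails=0
    for c in \
      "inittab_has_sulogin|$root/etc/inittab|single-user mode requires root password" \
      "inittab_ctrlaltdel_disabled|$root/etc/inittab|Ctrl+Alt+Del reboot disabled" \
      "interactive_boot_disabled|$root/etc/sysconfig/init|interactive startup disabled" \
      "sysrq_disabled|$root/etc/sysctl.conf|magic SysRq disabled" \
      "grub_has_password|$root/boot/grub/grub.conf|GRUB menu password set" \
      "shell_timeout_set|$root/etc/profile.d/timeout.sh|idle shell time-out (TMOUT) set"
    do
        fn=${c%%|*}; rest=${c#*|}; path=${rest%%|*}; desc=${rest#*|}
        if "$fn" "$path"; then echo "PASS $desc"; else echo "FAIL $desc ($path)"; fails=$((fails+1)); fi
    done
    return "$fails"
}
```

Running `audit_console_hardening` with no argument audits the live system; a non-zero exit status is the number of failed checks.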

Data center security

These tips will not prevent someone from booting the server from alternate media. A determined attacker could simply boot into an alternate environment, overwrite your master boot record, mount or copy your physical volumes, destroy your data, or anything else they can imagine. So make sure you restrict access to the server room and lock down the BIOS with a password.

It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. Physical security also plays a large role with data centers. Physical access to the site is usually restricted to selected personnel, with controls including bollards and mantraps. Video camera surveillance and permanent security guards are almost always present if the data center is large or contains sensitive information on any of its systems. In order to gain entry into the data center, all guests must pass through two-factor authentication barriers. You should use motion-sensitive cameras throughout the facility to track all data center activity.

About the author: Rocky Jr. is an engineer with VSNL, a leading ISP / global telecom company, and a good friend of nixCraft.


1 mhernandez March 12, 2009 at 9:24 pm

Nice tip list: as you say, there’s not much you can do if the physical security is violated, but as they say, it’s always better to be safe than sorry.

Thanks!

2 Ulver March 13, 2009 at 1:01 pm

Interesting tips, especially the advice related to interactive boot on RHEL or similar, and single-user boot authentication.

Thanks for sharing those tips!

3 Akshay March 14, 2009 at 9:44 am

Thanks for that tip. I only want to know how to stop booting into another medium. Isn't there anything that can be done?

4 The Gripmaster December 8, 2010 at 5:20 am

Disable CDROM/DVDROM boot completely in the BIOS and protect your BIOS with a password.

5 SPM March 19, 2009 at 5:57 pm

You forgot providing a case padlock. If the case isn’t physically secure, everything else is for nought.

All an attacker needs is a screwdriver to open the case and reset the BIOS, boot a disaster recovery Linux distro off a CD or USB, mount the filesystem and voila – you can bypass all the other measures.

I am not too sure about the usefulness of the grub password. If you can bypass the BIOS, you can bypass grub, and if you have a BIOS password to protect against altering the BIOS to allow booting off CD or USB, do you need a grub password?

6 JFM March 20, 2009 at 11:39 am

To SPM

In a passwordless Grub, open the kernel line, add init=/bin/sh and boot. That is all. Now you are root.

7 blackice March 22, 2009 at 8:55 am

Really nice tips and a highly professional how-to. Enable Authentication for Single-User Mode was a good tip :)

8 manju March 23, 2009 at 12:25 pm

Can anybody explain the arguments in the line “~~:S:wait:/sbin/sulogin”? That is, why do we put ~~, and what does “S” stand for, etc.?

9 nixCraft March 23, 2009 at 12:53 pm

Syntax is as follows:

id:runlevels:action:process
  • id – a unique sequence of 1-4 characters which identifies an entry in inittab
  • S – the runlevels for which the specified action should be taken. Here S indicates single user mode.
  • wait – The process will be started once when the specified runlevel is entered and init will wait for its termination.
  • process – run /sbin/sulogin program when entered in S runlevel.

10 manju March 23, 2009 at 2:20 pm

Thanks Vivek

11 geoff_f March 30, 2009 at 10:49 am

You can disable Ctrl-Alt-Del, but what about Alt-SysRq rseiub?

12 nixCraft March 30, 2009 at 11:46 am

Type the following to disable it:
echo 'kernel.sysrq=0' >> /etc/sysctl.conf
sysctl -p

See this link for more info.

13 cracker April 7, 2009 at 2:44 pm

Why do you post this anyway…
Then the world of GNU/Linux will be secure
:(

14 entplex April 21, 2009 at 10:28 pm

@Akshay: as far as preventing people from being able to boot to other media, the only thing you can do is use the BIOS settings to give the hard drive priority and, in the case of some BIOSes, you can disable booting to other media altogether. Obviously, in order for this to have any effect, you need to implement a BIOS password (as was mentioned in this article).

15 Ashwani April 23, 2009 at 10:23 am

Thanks for the very nice info,

but can you please explain what this ~~ is? As you said it's the id, but I really don't know about this id. Dear Vivek, please tell us about this.

Thanks

16 Harsha August 9, 2010 at 2:39 pm

Thank you Vivek. This info is really cool.

17 Chalu February 15, 2011 at 10:05 pm

Hi guys! Can anyone guide me on how to disable editing by using “e” while booting? I mean, while booting we are able to enter single-user mode by pressing the ESC key at the splash image, selecting “kernel /vmlinuz-2.6……” and pressing the “e” key to edit. So can anyone guide me on how to disable this editing?

Thanks in advance
Chalu

18 Chris April 16, 2011 at 3:14 am

Nice post. It’s good with the full-blown descriptions.

19 The lul December 25, 2011 at 8:58 pm

Encrypting the hard drive is quite necessary, and also keeping a backup on a remote server. Deja Dup does a great job for that!

20 Jose Tapia March 14, 2013 at 9:23 pm

Good info, I'm learning a lot! Thanks