
Tips To Protect Linux Servers Physical Console Access

This is a user-contributed article.

The Linux console is the physical device (keyboard and display) used to operate a computer or server. Here are a few steps which, if taken, make it more difficult for an attacker with console access to quickly modify the system.

Set BIOS Password

The BIOS is the boot firmware, the first code run by a PC when it is powered on. It controls many important system parameters, including which devices the system will try to boot from, and in which order. Assign a password to prevent unauthorized changes to the BIOS configuration: reboot the server, press the setup key (commonly F2, but it varies from system to system), go to the BIOS configuration menu and add a password, then save and exit the BIOS (commonly F10, again varying by system).

Set GRUB Boot Loader Password

By default, popular Linux distros include GRUB or LILO as the boot loader for x86 systems. GRUB can be used to select from the different kernel images available on a particular operating system's partitions, as well as to pass boot-time parameters to kernels. It also allows booting from different partitions or media. GRUB can be used to bypass all security measures (including authentication) by booting into single-user mode. You must password-protect GRUB so that the boot parameters cannot be modified, which improves server security. See how to set a GRUB boot loader password using the grub-md5-crypt command.

Enable Authentication for Single-User Mode

Single-user mode is used for system recovery. However, by default no authentication is required when single-user mode is selected, so it can be used to bypass security on the server and gain root access. To enable authentication for single-user mode, open the /etc/inittab file:
# vi /etc/inittab
Add the following line to the file:
~~:S:wait:/sbin/sulogin
Save and close the file.

Disable Interactive Hotkey Startup at Boot

A few Linux distributions like Fedora, CentOS or RHEL allow the console user to perform an interactive system startup by pressing the [I] key. Using interactive boot, an attacker can disable the firewall and other system services. Open the /etc/sysconfig/init file:
# vi /etc/sysconfig/init
Modify the setting as follows:


Setup Time-out for Login Shells

You can configure any Linux system to automatically log users out after a period of inactivity. Both BASH and TCSH support an idle time-out setting.
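As an added example (not from the original article), the following POSIX shell functions build the bash and tcsh time-out snippets, check that a profile file actually enforces one, and install them; the paths /etc/profile.d/tmout.sh and /etc/csh.cshrc are assumed defaults.

```shell
#!/bin/sh
# Added example, not part of the original article: idle time-out for login shells.
# Assumed deployment paths: /etc/profile.d/tmout.sh (bash) and /etc/csh.cshrc (tcsh).

# bash: TMOUT is in seconds; marking it readonly stops a user from unsetting it
# in their own shell to defeat the policy.
bash_timeout_snippet() {
    printf 'TMOUT=%d\nreadonly TMOUT\nexport TMOUT\n' "$(( $1 * 60 ))"
}

# tcsh: autologout takes minutes.
tcsh_timeout_snippet() {
    printf 'set autologout=%d\n' "$1"
}

# Verify that a profile file enforces a bash time-out of at most MAX_MINUTES:
# returns 0 if TMOUT is set (form "TMOUT=<secs>"), non-zero, within the limit
# and readonly; returns 1 otherwise (TMOUT=0 disables the time-out entirely).
check_bash_timeout() {
    file=$1; max=$(( $2 * 60 ))
    secs=$(sed -n 's/^[[:space:]]*TMOUT=\([0-9][0-9]*\).*/\1/p' "$file" | tail -n 1)
    [ -n "$secs" ] || return 1
    [ "$secs" -gt 0 ] && [ "$secs" -le "$max" ] || return 1
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$file"
}

# Deploy both snippets (run as root), e.g. install_shell_timeouts 10
install_shell_timeouts() {
    bash_timeout_snippet "$1" > /etc/profile.d/tmout.sh
    tcsh_timeout_snippet "$1" >> /etc/csh.cshrc
}
```

The check only recognises the TMOUT=<seconds> form the snippet writes, so run it against the file it generated or one in that form.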

Setup Screen Locking

When a user temporarily leaves the console, screen locking should be used to prevent passersby from abusing the account. You must train all users to lock the screen whenever they leave the console. There are several ways to lock your Linux server or desktop.

The vlock program (one of many programs to lock the screen) locks one or more sessions on the console. vlock can lock the current terminal (local or remote) or the entire virtual console system, which completely disables all console access. The vlock program unlocks when either the password of the user who started vlock or the root password is typed. To install the vlock package, enter:
# yum install vlock
vlock is especially useful for Linux machines which have multiple users with access to the console: one user may lock his or her session(s) while still allowing other users to use the system on other virtual consoles. To lock the current console, enter:
$ vlock
The -a option can be used to lock all console sessions and disable VC switching; enter:
$ vlock -a

GUI Screen Locking

Most GUI desktop managers can be locked in order to prevent passersby from abusing your login. The GNOME screen can be locked by choosing Lock Screen from the System menu. Also, make sure you have enabled a screen saver and that it is set to start within 10 minutes of inactivity. For KDE, click on Desktop > Configure Desktop > Screen Saver > Start automatically > Require password to stop. Alternatively, open the KDE Control Center, expand Appearance & Themes and then click on Screen Saver.

Disable Ctrl+Alt+Delete

Anyone who has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. To disable Ctrl+Alt+Delete, update /etc/inittab and make sure the following line is commented out (prefixed with #):

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect, type the following at a prompt:
# init q
To disable the reboot action under Ubuntu Linux, update the /etc/event.d/control-alt-delete file instead.
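As an added example (not from the original article), here is a small POSIX shell audit for the SysV-init / GRUB-legacy settings covered above (sulogin in single-user mode, interactive startup, Ctrl+Alt+Delete, GRUB password) plus the kernel.sysrq setting raised in the comments. The default paths /etc/inittab, /etc/sysconfig/init, /boot/grub/grub.conf and /etc/sysctl.conf, and PROMPT=no as the variable the Red Hat family init scripts consult, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit console-hardening
# settings on a SysV-init / GRUB-legacy host. Each check takes the file to
# inspect and returns 0 when hardened, 1 otherwise (assumed paths in the usage).

# Single-user mode must demand the root password: an uncommented
# "~~:S:wait:/sbin/sulogin" entry in inittab.
check_sulogin() {
    grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1"
}

# The ctrlaltdel action must be commented out or absent (file must exist).
check_ctrlaltdel_disabled() {
    [ -r "$1" ] && ! grep -Eq '^[^#]*:ctrlaltdel:' "$1"
}

# Interactive startup ([I] at boot) is off when PROMPT=no is set
# (assumption: the Red Hat family /etc/sysconfig/init variable).
check_interactive_boot_disabled() {
    grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$1"
}

# GRUB legacy needs a password directive; --md5 means a hashed, not plaintext, one.
check_grub_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+(--md5[[:space:]]+)?[^[:space:]]+' "$1"
}

# Magic SysRq (Alt+SysRq+...) must be disabled persistently.
check_sysrq_disabled() {
    grep -Eq '^[[:space:]]*kernel\.sysrq[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# Report one check; returns its status so the caller can count failures.
run_check() {
    if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# Run every check; the exit status is the number of failed checks.
# Usage: audit_console /etc/inittab /etc/sysconfig/init /boot/grub/grub.conf /etc/sysctl.conf
audit_console() {
    failed=0
    run_check check_sulogin "$1" || failed=$((failed + 1))
    run_check check_ctrlaltdel_disabled "$1" || failed=$((failed + 1))
    run_check check_interactive_boot_disabled "$2" || failed=$((failed + 1))
    run_check check_grub_password "$3" || failed=$((failed + 1))
    run_check check_sysrq_disabled "$4" || failed=$((failed + 1))
    return "$failed"
}
```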

Data center security

These tips will not prevent someone from booting the server from alternate media. A determined attacker would simply boot into an alternate environment, overwrite your master boot record, mount or copy your physical volumes, destroy your data, or anything else they can imagine. So make sure you restrict access to the server room and lock down the BIOS with a password.

It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. Physical security also plays a large role in data centers. Physical access to the site is usually restricted to selected personnel, with controls including bollards and mantraps. Video camera surveillance and permanent security guards are almost always present if the data center is large or contains sensitive information on any of the systems within. In order to gain entry into the data center, all guests must pass through two-factor authentication barriers. You should use motion-sensitive cameras throughout the facilities to track all data center activity.


About the author: Rocky Jr. is an engineer with VSNL, a leading ISP / global telecom company, and a good friend of nixCraft.


21 comments

  • mhernandez March 12, 2009, 9:24 pm

    Nice tip list: as you say, there’s not much you can do if the physical security is violated but as they say it’s always better being safe than sorry.


  • Ulver March 13, 2009, 1:01 pm

    Interesting tips, especially the advice related to interactive boot on RHEL or similar and single-user boot authentication.

    Thanks for sharing those tips!

  • Akshay March 14, 2009, 9:44 am

    Thanks for that tip. I only want to know how to stop booting into another medium. Isn't there anything that can be done?

    • The Gripmaster December 8, 2010, 5:20 am

      Disable CDROM/DVDROM boot completely in the BIOS and protect your BIOS with a password.

  • SPM March 19, 2009, 5:57 pm

    You forgot providing a case padlock. If the case isn’t physically secure, everything else is for nought.

    All an attacker needs is a screwdriver to open the case and reset the BIOS, boot a disaster recovery Linux distro off a CD or USB, mount the filesystem and voila – you can bypass all the other measures.

    I am not too sure about the usefulness of the GRUB password. If you can bypass the BIOS, you can bypass GRUB, and if you have a BIOS password to protect against altering the BIOS to allow booting off CD or USB, do you need a GRUB password?

  • JFM March 20, 2009, 11:39 am

    To SPM

    In a passwordless GRUB, open the kernel line, add init=/bin/sh and boot. That is all. Now you are root.

  • blackice March 22, 2009, 8:55 am

    Really nice tips and a highly professional how-to. Enable Authentication for Single-User Mode was a good tip :) ..

  • manju March 23, 2009, 12:25 pm

    Can anybody explain the arguments in the line “~~:S:wait:/sbin/sulogin”? That is, why do we put ~~, and what does “S” stand for, etc.…

    • nixCraft March 23, 2009, 12:53 pm

      Syntax is as follows:

      • id – a unique sequence of 1-4 characters which identifies an entry in inittab
      • S – the runlevels for which the specified action should be taken. Here S indicates single user mode.
      • wait – The process will be started once when the specified runlevel is entered and init will wait for its termination.
      • process – run the /sbin/sulogin program when the S runlevel is entered.
  • manju March 23, 2009, 2:20 pm

    Thanks Vivek

  • geoff_f March 30, 2009, 10:49 am

    You can disable Ctrl-Alt-Del, but what about Alt-SysRq rseiub?

    • nixCraft March 30, 2009, 11:46 am

      Type the following to disable it:
      echo 'kernel.sysrq=0' >> /etc/sysctl.conf
      sysctl -p

      See this link for more info.

  • cracker April 7, 2009, 2:44 pm

    Why do you post this anyway…..
    Then the world of GNU/Linux will be secure

  • entplex April 21, 2009, 10:28 pm

    @Akshay: as far as preventing people from being able to boot to other media, the only thing you can do is use the BIOS settings to give the hard drive priority and, in the case of some BIOSes, you can disable booting to other media altogether. Obviously, in order for this to have any effect, you need to implement a BIOS password (as was mentioned in this article).

  • Ashwani April 23, 2009, 10:23 am

    Thanks for very nice info

    But can you please explain to me what this ~~ is? As you said it's the id, but I really don't know about this id. Dear Vivek, please tell us about this.


  • Harsha August 9, 2010, 2:39 pm

    Thank you Vivek. This info is really cool.

  • Chalu February 15, 2011, 10:05 pm

    Hi guys! Can anyone guide me on how to disable editing by using “e” while booting? I mean, while booting we are able to enter single-user mode by pressing the ESC key at the splash image, selecting ” kernel /vmlinuz-2.6……” and pressing the “e” key to edit. So can anyone guide me on how to disable this editing?

    Thanks in advance

  • Chris April 16, 2011, 3:14 am

    Nice post. It’s good with the full-blown descriptions.

  • The lul December 25, 2011, 8:58 pm

    Encrypting the hard drive is quite necessary, and also keeping a backup on a remote server. Deja Dup does a great job for that!

  • Jose Tapia March 14, 2013, 9:23 pm

    Good info, I'm learning a lot! Thanks

  • Ashutosh Vashistha July 25, 2014, 8:38 am

    How can I configure a session timeout for a user??

    And how can I make a user account lock after 3 consecutive incorrect passwords??

    Please help
