As with any other security barrier you put in place to protect your server, it is pretty tough to defend against untold damage caused by someone with physical access to your environment, for example, theft of hard drives, power or service disruption and so on. Therefore, console security should be addressed merely as one component of your overall physical security strategy. A locked "screen door" may deter a casual criminal, or at the very least slow down a determined one, so it is still advisable to take basic precautions with regard to console security.
The following instructions will help defend your server against issues that could otherwise yield very serious consequences.
First and foremost, anyone who has physical access to the keyboard can simply use the Ctrl-Alt-Delete key combination to reboot the server without having to log on. Sure, someone could simply unplug the power source, but you should still prevent the use of this key combination on a production server. This forces an attacker to take more drastic measures to reboot the server, and will prevent accidental reboots at the same time.
- To disable the reboot action taken by pressing the Ctrl-Alt-Delete key combination, comment out the following line in the file /etc/event.d/control-alt-delete, so that it reads:

    #exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Ubuntu installs GNU GRUB as its default boot loader, which allows for great flexibility and recovery options. For example, when you install additional kernel images, these are automatically added as available boot options in the grub menu. Also, by default, alternate boot options are available for each kernel entry that may be used for system recovery, aptly labeled (recovery mode). Recovery mode simply boots the corresponding kernel image into single user mode (init 1), which lands the administrator at a root prompt without the need for any password.
Therefore, it is important to control who may edit the GRUB menu items, which would otherwise allow someone to perform the following dangerous actions:
- Pass kernel options at boot up.
- Boot the server into single user mode.
You can prevent these actions by adding a password to GRUB's configuration file, /boot/grub/menu.lst, which will be required to unlock GRUB's more advanced features prior to use.
- To add a password for use with grub, first you must generate an md5 password hash using the grub-md5-crypt utility:

    grub-md5-crypt

  The command will ask you to enter a password and offer a resulting hash value as shown below:

    Password: (enter new password)
    Retype password: (repeat password)
    $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0

- Add the resulting hash value to the file /boot/grub/menu.lst in the following format:

    password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0

- To require use of the password for entering single user mode, change the value of the lockalternative variable in the file /boot/grub/menu.lst to true, as shown in the following example.

    # lockalternative=true

This does not prevent someone from booting the server from alternate media. A determined attacker would simply boot into an alternate environment, overwrite your master boot record, mount or copy your physical volumes, destroy your data, or anything else they can imagine. Please explore other countermeasures that may help you with these types of attacks.
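
One way to confirm the three settings above after editing, as an added example that is not part of the original guide. The function names are hypothetical, and the patterns assume the file layouts shown in the steps above.

```shell
#!/bin/sh
# Added example: audit the three console-hardening settings from this guide.
# Function names are hypothetical; patterns assume the file layouts shown above.

# True when no uncommented "exec ... shutdown" line is left in the job file.
cad_disabled() {
    ! grep -Eq '^[[:space:]]*exec[[:space:]].*shutdown' "$1"
}

# True when an active (uncommented) "password --md5 $1$..." line exists.
grub_password_set() {
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"
}

# True when the single-# setting line reads true. The "## e.g." documentation
# lines in menu.lst start with two hashes and are deliberately not matched.
lockalternative_on() {
    grep -Eq '^#[[:space:]]*lockalternative=true[[:space:]]*$' "$1"
}

# Prints one line per problem; return status is the number of problems.
audit_console() {
    cad_file=${1:-/etc/event.d/control-alt-delete}
    menu_file=${2:-/boot/grub/menu.lst}
    failures=0
    for f in "$cad_file" "$menu_file"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f"; failures=$((failures + 1)); }
    done
    [ "$failures" -eq 0 ] || return "$failures"
    cad_disabled "$cad_file" ||
        { echo "FAIL: Ctrl-Alt-Delete still reboots ($cad_file)"; failures=$((failures + 1)); }
    grub_password_set "$menu_file" ||
        { echo "FAIL: no active password --md5 line ($menu_file)"; failures=$((failures + 1)); }
    lockalternative_on "$menu_file" ||
        { echo "FAIL: lockalternative is not true ($menu_file)"; failures=$((failures + 1)); }
    return "$failures"
}

# Run only when asked: sh audit.sh --run [cad-file menu.lst]
if [ "${1:-}" = "--run" ]; then shift; audit_console "$@"; fi
```

Point it at copies of the two files to check an edit before installing it. The lockalternative comment is read by update-grub, so recovery-mode entries are only locked once the menu has been regenerated.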