How Do I Secure Grub Boot Loader?
You can set a password for the GRUB bootloader. This prevents users from entering single user mode or changing settings at boot time.
When your system is rebooted, grub presents the boot option menu. From this menu one can easily login into a single user mode without the password which might result into compromise system security.
For example, anyone can access the data or change the settings. However you can setup a password for grub with password option. This option forces grub to ask for a password before making any changes or entering into single user mode. You need to type p followed by password.
#1: Create A Password For Grub
Type grub-md5-crypt command to create password in MD5 format:
Password:<ENTER-YOUR-PASSWORD> Retype password:<ENTER-YOUR-PASSWORD> $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
Please note that you need to copy and paste the MD5 password ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) to your configuration file. Use mouse to copy the same.
#2 Add MD5 Password To Grub Configuration File
Under Debian GNU/Linux the Grub configuration file is located at /boot/grub/menu.lst. (Red Hat / Fedora user use /boot/grub/grub.conf file)
# vi /boot/grub/menu.lst
Edit file and add a password line as follows:
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
Here is my sample config file:
default 0 timeout 5 password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0 title Debian GNU/Linux, kernel 18.104.22.168-cust-en-smp root (hd0,0) kernel /boot/vmlinuz root=/dev/hda3 ro savedefault boot
Save and close the file.
Optional Settings for Dual Booting Computer
If you dual boot with Windows XP/2000/7, consider adding lock command to Windows XP right after title command:
title Windows NT/2000/XP lock root (hd0,1) savedefault makeactive chainloader +1
Note the lock option can be also added to the failsafe entry too. For more information please read
- grub and grub-md5-crypt man pages
- Read Grub seurity manual page online.