July 20, 2004

How to harden GNU/Linux against local intrusions

Author: Joe Bolin

So, you've set up parental filtering, only to discover that an overachieving teenager has Googled a way around it. You've just been the victim of a local intrusion. Preventing such an occurrence on GNU/Linux requires a little knowledge and even less work. Here's how.

A local intrusion occurs when a computer is "cracked" by someone with physical access to it. This can be done with actual hacking techniques, or by exploiting the built-in boot (failsafe) modes that your computer's operating system, boot loaders, and BIOS contain.

Since actual hacking methods are very uncommon due to the level of expertise they require, we'll limit our discussion to hardening the built-in boot modes. These modes are in place mainly to recover or repair a computer after a system failure or forgotten password. Because these necessary failsafes exist, physical security is the weakest layer of computer security, no matter what operating system is being used. You need to be logged in as root to perform these steps, with the exception of the BIOS changes.

Single-user mode

Single-user mode, or init 1, is a non-graphical boot mode for *nix systems used mainly for system maintenance and recovery. Since root password recovery is a common use for single-user mode, most distributions don't require a password when entering it. By not requiring a password, you effectively give root privileges to every local user! This is, of course, a bad idea when considering local security, since anyone with root privileges can modify your system. To password-protect single-user mode, add the following line to the /etc/inittab file:

~~:S:wait:/sbin/sulogin

Now the system will execute the program sulogin, which requires you to enter the root password, before dropping into the root shell for single-user mode. Single-user mode is now secured! (Just don't forget your root password.)

Boot loaders

A boot loader provides a means of controlling how the operating system boots, and usually provides a graphical menu at boot time. The two common boot loaders for GNU/Linux are LILO (LInux LOader) and GRUB (GRand Unified Bootloader). You should consult the documentation for your distribution to determine which bootloader your system uses.

Both GRUB and LILO also provide access to a bootloader command prompt. This special command prompt is used to issue commands to override the kernel's boot process for a variety of reasons. From this command prompt a user could issue commands to change the GNU/Linux boot process and gain root access. To prevent this you need to password-protect the boot loader's command prompt.

To do this for LILO, simply add the following two lines to the top of the configuration file, /etc/lilo.conf, replacing SOME_PASSWORD with a password of your choice:

restricted
password=SOME_PASSWORD

To make the changes take effect run the command lilo from the console.

If your distribution uses GRUB instead of LILO, edit /boot/grub/menu.lst and add the following line at the top (again replacing SOME_PASSWORD with a password of your choice).

password SOME_PASSWORD

Since the passwords are in a human-readable format, you need to change the permissions of the configuration files to prevent non-root users from discovering the password. Do this by executing one of the following commands, depending on the boot loader in use, from the command line:

chmod 0600 /etc/lilo.conf
or
chmod 0600 /boot/grub/menu.lst

GRUB also adds an extra level of security by supporting MD5-hashed passwords in the configuration file, so the file holds a hash of the password rather than the password itself. To generate the hashed password, run the command grub-md5-crypt. You will be prompted for a password and then asked to confirm the password. (The password will not be visible as you type it.) grub-md5-crypt will then print out the MD5 hash. Here is an example of the output from grub-md5-crypt.

grub-md5-crypt
Password:
Retype password:
$1$ZRo.R0$1Lk8iA0AaqVFlojm.BTmr/

You will need to replace, or add, the password line in /boot/grub/menu.lst by copying the output from grub-md5-crypt into the file so that it now reads something like this:

password --md5 $1$ZRo.R0$1Lk8iA0AaqVFlojm.BTmr/
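The following audit script is an added example, not part of the original article: it checks for the three settings described above (sulogin in inittab, the restricted/password pair in lilo.conf, a password line in GRUB's menu.lst, hashed or plaintext) and for 0600 permissions on the boot loader files. File paths are passed as arguments, and the script builds constructed sample files in a temporary directory so it runs without touching the real system.

```shell
#!/bin/sh
# Constructed audit for the settings described above: sulogin in inittab,
# a restricted/password pair in lilo.conf, a password line in GRUB's menu.lst
# (hashed or plaintext), and 0600 permissions on the configuration files.
# File paths are arguments so the checks can run on sample files; on a real
# system use /etc/inittab, /etc/lilo.conf and /boot/grub/menu.lst.

# 0 if inittab runs sulogin when entering single-user mode (runlevel S).
check_inittab() {
    grep -Eq '^[^#:]*:S:wait:/sbin/sulogin' "$1"
}

# 0 if lilo.conf contains both "restricted" and a "password=" line.
check_lilo() {
    grep -Eq '^[[:space:]]*restricted' "$1" && grep -Eq '^[[:space:]]*password=' "$1"
}

# Prints md5 (hashed password), plain (readable password) or none.
grub_password_kind() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"; then
        echo md5
    elif grep -Eq '^[[:space:]]*password[[:space:]]+' "$1"; then
        echo plain
    else
        echo none
    fi
}

# 0 if the file is readable and writable by its owner only (mode 0600).
check_mode_0600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample configuration files used for the demonstration.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$tmp/inittab"
printf 'restricted\npassword=SOME_PASSWORD\nboot=/dev/hda\n' > "$tmp/lilo.conf"
printf 'timeout 10\npassword --md5 $1$ZRo.R0$1Lk8iA0AaqVFlojm.BTmr/\n' > "$tmp/menu.lst"
printf 'timeout 10\npassword SOME_PASSWORD\n' > "$tmp/menu.lst.plain"
chmod 0600 "$tmp/lilo.conf" "$tmp/menu.lst"
chmod 0644 "$tmp/menu.lst.plain"

for f in "$tmp/lilo.conf" "$tmp/menu.lst" "$tmp/menu.lst.plain"; do
    check_mode_0600 "$f" || echo "WARNING: $f is readable by non-root users"
done
echo "inittab sulogin: $(check_inittab "$tmp/inittab" && echo yes || echo NO)"
echo "grub password: $(grub_password_kind "$tmp/menu.lst")"
```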

The dangers of LiveCDs

LiveCDs provide an excellent way to introduce GNU/Linux to newbies, as well as a quick-and-dirty way to repair a damaged system. However, they also give a user the ability to access a computer without invoking the installed operating system, thus bypassing any security measures you may have in place. In fact, if your computer has a diskette or CD-ROM drive, any bootable media can be used to bypass your system's security. To guard against this you need to configure your system's BIOS (Basic Input-Output System) settings.

The BIOS provides a basic set of instructions used to boot your computer and is the first thing executed when you turn your computer on. The BIOS performs tasks that need to be done at boot time, including performing self-diagnostics and initializing the hardware in the computer. The BIOS provides a setup program, often referred to as the CMOS setup, which allows the user to adjust a variety of settings.

To access the setup utility, power on your computer. The key to press to enter the setup utility should be displayed on the screen when you boot. If it is not displayed, you can consult the PC manufacturer's documentation or Web site to find which key to press.

Standardization for BIOS utilities is the same as that of computer cases -- nonexistent. Each setup utility is different, so the following are strictly generic instructions.

Once you have accessed the setup utility you can navigate through it using the arrow and function keys on your keyboard. The first section you'll be looking for is the boot section of the setup utility. Look for an area labeled "Boot order" or something similar. You will see a list of devices in the order that your computer will try to boot from. Change the first boot device to your hard drive instead of a CD-ROM, diskette, or any other removable media device. Save the settings, and voilà; your computer will now boot from the hard drive, preventing someone from using a boot disk to get around your system's security.

Editing the BIOS was easy, right? In fact, it is so easy that someone could do the same thing that you just did and change the boot order again. To prevent this you'll need to set up a, you guessed it, password for the BIOS setup utility. Locate the password section of the BIOS utility, usually marked "Security," then set up and enable the administration password. Save the settings, and you have a computer hardened against local attackers.

Final thoughts

Notice that I didn't use the statement "secure your system against local attacks." I hate to be the bearer of bad news, but it is impossible to completely secure a system against local attacks. Anyone with local access to your computer, a high enough level of technical expertise, and enough time can infiltrate even the most secure system. Everything from a PlayStation to a Cisco router is vulnerable to local intrusions. The only thing that you can do is educate yourself on computer security and harden your system enough to discourage an attacker.

If you've hardened your computer and you're still having problems from local intrusions, then you may have bigger problems than just computer security. Check out Jay Beale's security site to learn more about security for your GNU/Linux system.