Linux.com

Feature

How to harden GNU/Linux against local intrusions

By Joe Bolin on July 20, 2004 (8:00:00 AM)

So, you've set up parental filtering, only to discover that an overachieving teenager has Googled a way around it. You've just been the victim of a local intrusion. Preventing such an occurrence on GNU/Linux requires a little knowledge and even less work. Here's how.

A local intrusion occurs when a computer is "cracked" by someone with physical access to it. This can be done with actual hacking techniques, or by exploiting the built-in boot (failsafe) modes that your computer's operating system, boot loaders, and BIOS provide.

Since actual hacking methods are very uncommon due to the level of expertise they require, we'll limit our discussion to hardening the built-in boot modes. These modes are in place mainly to recover or repair a computer after a system failure or forgotten password. Because these necessary failsafes exist, physical security is the weakest layer of computer security, no matter what operating system is being used. You need to be logged in as root to perform these steps, with the exception of the BIOS changes.

Single-user mode

Single-user mode, or init 1, is a non-graphical boot mode for *nix systems used mainly for system maintenance and recovery. Since root password recovery is a common use for single-user mode, most distributions don't require a password when entering it. By not requiring a password, you grant root privileges to every local user! This is, of course, a bad idea when considering local security, since anyone with root privileges can modify your system. To password-protect single-user mode, add the following line to the /etc/inittab file:

~~:S:wait:/sbin/sulogin

Now the system will execute the program sulogin, which requires you to enter the root password, before dropping into the root shell for single-user mode. Single-user mode is now secured! (Just don't forget your root password.)

Boot loaders

A boot loader provides a means of controlling how the operating system boots, and usually provides a graphical menu at boot time. The two common boot loaders for GNU/Linux are LILO (LInux LOader) and GRUB (GRand Unified Bootloader). You should consult the documentation for your distribution to determine which bootloader your system uses.

Both GRUB and LILO also provide access to a bootloader command prompt. This special command prompt is used to issue commands to override the kernel's boot process for a variety of reasons. From this command prompt a user could issue commands to change the GNU/Linux boot process and gain root access. To prevent this you need to password-protect the boot loader's command prompt.

To do this for LILO, simply add the following two lines to the top of the configuration file, /etc/lilo.conf, replacing SOME_PASSWORD with a password of your choice:

restricted
password=SOME_PASSWORD

To make the changes take effect run the command lilo from the console.

If your distribution uses GRUB instead of LILO, edit /boot/grub/menu.lst and add the following line at the top (again replacing SOME_PASSWORD with a password of your choice).

password SOME_PASSWORD

Since the passwords are in a human-readable format, you need to change the permissions of the configuration files to prevent non-root users from discovering the password. Do this by executing one of the following commands, depending on the boot loader in use, from the command line:

chmod 0600 /etc/lilo.conf
or
chmod 0600 /boot/grub/menu.lst

GRUB also adds an extra level of security by supporting an MD5-hashed password in the configuration file, so the cleartext password never has to be written to disk. To generate the hash, run the command grub-md5-crypt. You will be prompted for a password and then asked to confirm it. (The password will not be visible as you type it.) grub-md5-crypt will then print out the MD5 hash of the password. Here is an example of the output from grub-md5-crypt.

grub-md5-crypt
Password:
Retype password:
$1$ZRo.R0$1Lk8iA0AaqVFlojm.BTmr/

You will need to replace, or add, the password line in /boot/grub/menu.lst by copying the output from grub-md5-crypt into the file, with the --md5 option so that GRUB treats the value as a hash, so that it now reads something like this:

password --md5 $1$ZRo.R0$1Lk8iA0AaqVFlojm.BTmr/
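As an added example (not from the article), here is a small POSIX shell audit that checks whether the three software-side settings above are actually in place: the sulogin line in /etc/inittab, the LILO restricted/password pair, and a GRUB password that is an MD5 hash rather than cleartext, plus the 0600 permissions on both configuration files. The check functions take file paths so they can be run on constructed sample files; the --audit flag and the audit_system name are this example's own.

```shell
#!/bin/sh
# Added audit script (not from the article): checks the boot-time hardening the
# article describes. Each check takes a file path so it can be run on constructed
# sample files; "sh audit.sh --audit" checks the real paths (read them as root).

# 0 if inittab runs sulogin for runlevel S; accepts the "~~" and "~" id conventions.
inittab_has_sulogin() {
    grep -Eq '^[^#:]{1,4}:S:wait:/sbin/sulogin' "$1"
}

# 0 if lilo.conf has both a "restricted" and a "password=" line.
lilo_is_protected() {
    grep -Eq '^[[:space:]]*restricted' "$1" && grep -Eq '^[[:space:]]*password=' "$1"
}

# Prints md5 (grub-md5-crypt hash), plain (cleartext password), or none.
grub_password_kind() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"; then
        echo md5
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
        echo plain
    else
        echo none
    fi
}

# 0 if group and other have no permission bits, i.e. the file is 0600 or stricter.
conf_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_system() {
    inittab_has_sulogin /etc/inittab && echo "OK   single-user mode asks for the root password" \
        || echo "WARN single-user mode gives a root shell without a password"
    if [ -f /etc/lilo.conf ]; then
        lilo_is_protected /etc/lilo.conf && echo "OK   LILO prompt is password-protected" \
            || echo "WARN LILO prompt is unrestricted"
        conf_is_private /etc/lilo.conf || echo "WARN /etc/lilo.conf is readable by non-root users"
    fi
    if [ -f /boot/grub/menu.lst ]; then
        case "$(grub_password_kind /boot/grub/menu.lst)" in
            md5)   echo "OK   GRUB password is stored as an MD5 hash" ;;
            plain) echo "WARN GRUB password is cleartext; replace it with grub-md5-crypt output" ;;
            none)  echo "WARN GRUB command prompt is unprotected" ;;
        esac
        conf_is_private /boot/grub/menu.lst || echo "WARN /boot/grub/menu.lst is readable by non-root users"
    fi
}
case "${1:-}" in --audit) audit_system ;; esac
```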

The dangers of LiveCDs

LiveCDs provide an excellent way to introduce GNU/Linux to newbies, as well as a quick-and-dirty way to repair a damaged system. However, they also give a user the ability to access a computer without invoking the installed operating system, thus bypassing any security measures you may have in place. In fact, if your computer has a diskette or CD-ROM drive, any bootable media can be used to bypass your system's security. To guard against this you need to configure your system's BIOS (Basic Input-Output System) settings.

The BIOS provides a basic set of instructions used to boot your computer and is the first thing executed when you turn your computer on. The BIOS performs tasks that need to be done at boot time, including performing self-diagnostics and initializing the hardware in the computer. The BIOS provides a setup program, often referred to as the CMOS setup, which allows the user to adjust a variety of settings.

To access the setup utility, power on your computer. The key to press to enter the setup utility should be displayed on the screen when you boot. If it is not displayed, you can consult the PC manufacturer's documentation or Web site to find which key to press.

Standardization for BIOS utilities is the same as that of computer cases -- nonexistent. Each setup utility is different, so the following are strictly generic instructions.

Once you have accessed the setup utility you can navigate through it using the arrow and function keys on your keyboard. The first section you'll be looking for is the boot section of the setup utility. Look for an area labeled "Boot order" or something similar. You will see a list of devices in the order that your computer will try to boot from. Change the first boot device to your hard drive instead of a CD-ROM, diskette, or any other removable media device. Save the settings, and voilà; your computer will now boot from the hard drive, preventing someone from using a boot disk to get around your system's security.

Editing the BIOS was easy, right? In fact, it is so easy that someone could do the same thing that you just did and change the boot order again. To prevent this you'll need to set up a, you guessed it, password for the BIOS setup utility. Locate the password section of the BIOS utility, usually marked "Security," then set up and enable the administration password. Save the settings, and you have a computer hardened against local attackers.

Final thoughts

Notice that I didn't use the statement "secure your system against local attacks." I hate to be the bearer of bad news, but it is impossible to completely secure a system against local attacks. Anyone with local access to your computer, a high enough level of technical expertise, and enough time can infiltrate even the most secure system. Everything from a PlayStation to a Cisco router is vulnerable to local intrusions. The only thing that you can do is educate yourself on computer security and harden your system enough to discourage an attacker.

If you've hardened your computer and you're still having problems from local intrusions, then you may have bigger problems than just computer security. Check out Jay Beale's security site to learn more about security for your GNU/Linux system.

Comments on How to harden GNU/Linux against local intrusions


Lock the box, too!

Posted by: Administrator on July 20, 2004 11:53 PM
Good tips, but you forgot to let them know that, even with password-protecting the BIOS, you really need to have the system's case locked as well.

If not, a user could simply open it up and reset the BIOS via the jumper. If they had a clue, they would then be able to reconfigure the BIOS as it was, only without the password. Once that's done, they could modify the boot order at will, enabling them to load a live CD configured with their own security settings (and more), resetting the device boot order back to the way it was when they're done. Until you need to actually go into the BIOS yourself and discover that a password is no longer needed (or even sneakier, they set a different password so you will think that you must have changed it, but have now forgotten it), you probably wouldn't even know.

If you can't securely lock the system away, there will always be local-access vulnerabilities exposed, but you could at least lock down the case with a physical lock (some systems allow for this, and don't use a cheap dime-store lock that can be picked with a paper clip!). For those cases that don't provision for a case lock, there are after-market ones available.

Anyway, just my .02. Good basics, though!


Re:Lock the box, too!

Posted by: Administrator on July 21, 2004 01:56 AM
This is all cool security stuff and it may have some applications, perhaps in a library or other public terminal.

If you find that all of this stuff is necessary to keep your children out of your home computer, then something is very wrong in your home. Fine, put content filtering on for smaller children, it will work fine until they are old enough to figure out how to bypass it. By the time they find ways around your filtering, NOTHING you do is going to keep them from accessing stuff that you don't want them to. All this stuff is simply giving them challenges, which is fine if your intention is to teach them how to bypass computer security.

If you really feel that this stuff is necessary to keep your kids away from certain web sites, then you have failed as a parent; don't forget to securely lock the liquor, make sure that the knives are locked safely away, and make absolutely sure that your keys are secured at all times. Remember that it only takes a few seconds for your child to take a wax impression of a key.

Yes, I have children and they have never been subjected to this sort of abuse.


Re:Lock the box, too!

Posted by: Administrator on July 21, 2004 04:12 AM
Well actually I had added the parent comment only to broaden the steps that could be taken with regards to "How to harden GNU/Linux against local intrusions" (the article's title).

I do agree, if one has to go to these lengths to keep their kids from cracking the home box, then something IS wrong. However, there's plenty of instances (such as you cited) that may warrant such lock-downs... I've heard plenty of stories of kids in dorms cracking another student's box "for the fun of it", and heaven knows that's something most of them wouldn't THINK of doing to their parent's box.

Anyway, I don't have children, but if I did, I would never subject them to these kinds of security measures anyway, either.


Re:man 5 inittab

Posted by: Administrator on July 22, 2004 05:59 AM
True, the man page does say one ~. This wasn't a typo; both conventions work. Although I should have relied on the documented way rather than my old habits. Thanks for pointing it out.

Joe Bolin


Hardware removal

Posted by: Administrator on July 21, 2004 11:15 PM
I used to work on a site where they prevented a "boot from floppy" by disconnecting the floppy cable. You could also do the same with the CD-ROM, either disconnect the cable or remove it altogether. Or keep it in a locked cabinet.


man 5 inittab

Posted by: Administrator on July 22, 2004 05:28 AM

According to the above man page:

# What to do in single-user mode.
~:S:wait:/sbin/sulogin

Just the one ~
