20080729 securing the physical host - plembo/onemoretech GitHub Wiki

title: Securing the physical host
link: https://onemoretech.wordpress.com/2008/07/29/securing-the-physical-host/
author: lembobro
description:
post_id: 483
created: 2008/07/29 03:03:11
created_gmt: 2008/07/29 03:03:11
comment_status: open
post_name: securing-the-physical-host
status: publish
post_type: post

Securing the physical host

For the most part, once someone has physical control of a machine, it’s game over as far as a security compromise is concerned. A modern Live CD with a decent O/S like Knoppix or Fedora 9 has all kinds of capability built in. Once it is booted, the tools on one of these disks will open your filesystem to the intruder.

As a result, things like securing the boot loader are only a mildly effective defense against the lazy and the stupid. But they will slow an intruder down.

My own practice, particularly on laptops, is to password protect the machine BIOS and set it to boot first from the hard drive. That way an attacker will need to actually remove the drive, or physically connect up another to the internal controller, before they can go further.

I also secure the boot loader, which on Linux systems like Red Hat Enterprise Linux (RHEL) or its clone, CentOS, is grub (the “Grand Unified Boot Loader”).

Password protecting the BIOS varies from system to system. Following are instructions on how to secure grub. These instructions are from the Deployment Guide for RHEL 5:

1. Run /sbin/grub-md5-crypt. When prompted, enter your preferred password. The tool will print the MD5 hash for that password to the screen.

2. Edit /boot/grub/grub.conf to add the following line just below the line beginning with the word “timeout”:

password --md5 [password hash]

3. Reboot.

From this point on, if you need to take control of the boot loader, you must first press “p” and enter the password established above. Otherwise grub will not let you edit or manipulate the boot process.
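As an added example (not from the original post or the RHEL guide): a Python reimplementation of the MD5-crypt scheme that grub-md5-crypt prints, so you can see what the `$1$salt$hash` string is, plus a helper that places the `password --md5` line directly under `timeout` as step 2 describes and refuses to add a second one. The grub.conf content is constructed for illustration, and the function names `md5_crypt` and `add_grub_password` are mine.

```python
import hashlib

# Custom base64 alphabet used by crypt(3)-style hashes, not RFC 4648
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample of a RHEL 5 style grub.conf (not a real system file)
SAMPLE_CONF = "default=0\ntimeout=5\nsplashimage=(hd0,0)/grub/splash.xpm.gz\nhiddenmenu\n"


def md5_crypt(password: str, salt: str) -> str:
    """Classic MD5-crypt ($1$salt$hash), the format grub-md5-crypt emits."""
    pw, sl = password.encode(), salt[:8].encode()   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):               # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                        # per-bit NUL or first char
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                           # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                                        # 16 bytes -> 22 chars
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> 6 * k) & 0x3F] for k in range(4))
    out += "".join(ITOA64[(final[11] >> 6 * k) & 0x3F] for k in range(2))
    return f"$1${sl.decode()}${out}"


def add_grub_password(conf: str, pw_hash: str) -> str:
    """Insert 'password --md5 <hash>' right after the timeout line (idempotent)."""
    lines = conf.splitlines()
    if any(l.strip().startswith("password") for l in lines):
        return conf                                 # already protected
    for idx, line in enumerate(lines):
        if line.strip().startswith("timeout"):
            lines.insert(idx + 1, f"password --md5 {pw_hash}")
            break
    else:
        raise ValueError("no timeout line found in grub.conf")
    return "\n".join(lines) + "\n"
```

The salt should come from a random source on a real system; grub-md5-crypt generates one for you, so the only reason to reimplement the scheme is to audit or reproduce what the tool wrote.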

Of course the next big step is to encrypt the whole filesystem, which is a topic for another article. Once I figure out the best way to do it…

Copyright 2004-2019 Phil Lembo