Linux

Tech Tip: Password-protect LILO


Protecting computers from unwanted intruders is a daunting task. If attackers are able to physically reach your box, they can obtain root access in a matter of minutes. Their obvious attack method is to push the reboot button and boot into Linux in the single-user mode or boot off of a floppy disk.

There are a few ways to keep this from happening. Use a BIOS password to prevent changes to the BIOS and password-protect the LILO boot loader. This allows you to boot without any human intervention, but it requires a password to boot from CD or floppy or to modify any of the options passed to the Linux kernel.

To password-protect LILO, modify your configuration file--usually /etc/lilo.conf--and add this string to your global section:

password=""

Next, modify each of the kernel image stanzas so they look something similar to the following:

image=/boot/vmlinuz
  label="linux"
  root=/dev/hda3
  initrd=/boot/initrd.img
  read-only
  restricted

The key command is to add "restricted" to each stanza.

With most recent versions of LILO, you no longer need to keep the password in your lilo.conf file. The string added to your global section tells LILO to create a secure hash of the password, which means you'll have to specify a new password each time you rebuild the boot sector.

To set the password and commit the changes, run lilo -v -p at the command line.

0 comments

Editor's Picks