Password protecting the GRUB boot loader protects against unwanted rebooting and logging into your system, and stops unwanted users from gaining access to single user mode.
There are so many ways to make Linux more secure. Some steps bring very large improvements, while others only bring about incremental changes. Just because a change is small doesn't mean it can't be mighty. One such security change is to password protect the GRUB boot loader. This not only protects against unwanted rebooting and logging into your system, but it also prevents unwanted users from gaining access to single user mode.
Single user mode allows you to boot Ubuntu into a special mode that includes root privileges. That means, without knowing the root password of a server someone could (with the understanding of how single user mode works) modify or gain access to your system. Granted, the malicious user would need physical access to the computer to do so, but nothing should be left to chance. This is why you should always password protect your GRUB boot loader in Ubuntu (and other Linux distributions).
I'm going to demonstrate this process on Ubuntu Server 18.04, but the process should work on nearly any Ubuntu version (and its derivatives).
Although this process isn't terribly difficult, I do recommend practicing the steps on a virtual machine first. You don't want to just dive into this on a production machine, only to find you've locked yourself out, and the system won't boot.
Setting the GRUB password
The first thing you must do is set the GRUB password. Log into your machine and issue the grub-mkpasswd-pbkdf2 command.
You will be prompted to create and verify a password for GRUB (Figure A).
Once that completes, the command will generate a hashed password. The hash will begin with grub and end with a long string of characters. You'll need to copy that down.
Next, we need to add the new hash to the 00_header file. Issue the command:
sudo nano /etc/grub.d/00_header
At the bottom of that file, paste the following:
cat << EOF
set superusers="admin"
password_pbkdf2 admin HASH
EOF
where HASH is the hash generated earlier.
Save and close that file. Update GRUB with the command sudo update-grub.
Booting up and logging in
Reboot your system. Soon after the Ubuntu splash screen appears, you should be prompted to type a username. In the configuration above we created the admin user, which will require the password we added with the grub-mkpasswd-pbkdf2 command. Once you type the username, hit Enter, and you'll be prompted for the password (Figure B).
Once you've successfully typed the password, you'll either find yourself in Single User mode (if you opted for that boot method) or at the login prompt.
Use with caution
As I mentioned, you will want to practice this with a virtual machine, before you apply it to any system in production. Locking down the GRUB boot loader can go a long way to protecting your Linux systems. It's not a massive change, but it's one that offers significant dividends in the end.
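One way to reduce the lock-out risk described above is to check the generated configuration before rebooting. The following is an added example, not part of the original article; the function names are hypothetical, and it assumes the generated file is /boot/grub/grub.cfg (Ubuntu's default location) and that superusers is written in double quotes as in the snippet above.

```shell
#!/bin/sh
# Added example: sanity-check a GRUB config for the password setup shown above.
# Usage (as root, before rebooting): check_grub_auth /boot/grub/grub.cfg
# Returns 0 when every superuser has a well-formed PBKDF2 hash, 1 otherwise.
check_grub_auth() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    # Last 'set superusers="..."' line wins, e.g. set superusers="admin"
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$users" ]; then
        echo "FAIL: no superusers defined, GRUB is not password protected"
        return 1
    fi

    # GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators.
    for u in $(echo "$users" | tr ',;|&' '    '); do
        hash=$(awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u { print $3 }' "$cfg" | tail -n 1)
        if [ -z "$hash" ]; then
            echo "FAIL: superuser '$u' has no password_pbkdf2 entry"
            rc=1
        elif ! printf '%s\n' "$hash" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
            # Catches the literal HASH placeholder or a truncated paste.
            echo "FAIL: hash for '$u' is malformed (placeholder or partial paste?)"
            rc=1
        else
            echo "OK: superuser '$u' has a PBKDF2 hash"
        fi
    done

    # The plain 'password' directive keeps the secret readable in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "WARN: plain-text 'password' directive present"
        rc=1
    fi
    return $rc
}

# Constructed sample config mirroring the 00_header snippet; $1 is the hash field.
sample_cfg() {
    printf 'set superusers="admin"\npassword_pbkdf2 admin %s\n' "$1"
}
```

A FAIL for a malformed hash means the paste step went wrong; fix 00_header and update GRUB again before rebooting.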