LILO Boot Security

Two LILO configuration commands enhance the security of a network server. If the server is in an unsecured area, it is possible for an intruder to reboot the system and gain unauthorized access. For example, an intruder could reboot the server into single-user mode and essentially have password-free root access to part of the system. (More about single-user mode later. For now, just take my word that this can be done.)

To prevent this, add the password and restricted options to the lilo.conf file. The password option defines a password that must be entered before the boot proceeds. The password is stored in lilo.conf in cleartext, so make sure the file can be read only by root (chmod 600 /etc/lilo.conf). The restricted option relaxes the rule a little: it says the password is required only when parameters are passed to the kernel at the boot prompt. For example, if you try to pass the parameter single to the kernel to make it boot into single-user mode, you must provide the password; a plain boot of the default image proceeds without it.

Always add the restricted option when using the password option in a server's lilo.conf file. Using password without restricted causes the boot to stop at the boot prompt until the password is typed. If the server console is unattended, the boot can hang for an extended period of time, and a crashed server stays down until someone reaches the console. Using restricted together with the password option ensures that the system reboots without intervention after a crash, while still blocking the console attack above, which depends on passing parameters such as single to the kernel.

The following example adds restricted password protection to the Linux boot image. It is based on the lilo.conf file you saw earlier, with a few lines that only restated default values removed, to show that those lines can be dropped and the system still boots without a problem. Listing 1.3 uses cat to list the new configuration file and lilo to process it.

Listing 1.3: Adding Password Protection to LILO

    [root]# cat lilo.conf
    # global section
    boot=/dev/hda3
    prompt
    timeout=50
    message=/boot/message
    default=linux

    # the Linux boot image
    image=/boot/vmlinuz-2.4.2-2
        label=linux
        read-only
        root=/dev/hda3
        password=Wats?Watt?
        restricted

    # additional boot images
    other=/dev/hda1
        optional
        label=dos
    [root]# lilo
    Added linux *
    Added dos

Editing lilo.conf alone changes nothing; the new settings take effect only after /sbin/lilo has rewritten the boot sector, so run it and then reboot. Note that you are not asked for the password at the boot prompt, because the configuration includes the restricted option. However, if you type anything beyond the image label at the boot prompt, for example linux single, you will be asked for the password before the boot continues.
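The two rules just described (never ship password without restricted, and never leave a cleartext password in a file readable by anyone but root) are easy to check mechanically before running /sbin/lilo. The script below is an added example and is not code from the original page or from the LILO project. It assumes the classic lilo.conf keywords shown in Listing 1.3 (password=, restricted, image=, other=, label=) and the documented LILO rule that options placed before the first image= or other= line are global defaults inherited by every stanza. The two configuration files it audits are constructed here for illustration: a weak one and a hardened one that puts password and restricted in the global section so both boot images inherit them.

```shell
#!/bin/sh
# Audit a lilo.conf for the boot-prompt protections discussed above.
# Added example, not from the original page or the LILO sources.
# Assumptions: classic lilo.conf syntax; options before the first
# image=/other= line are global defaults for every stanza.

# check_lilo_conf FILE
# Prints one finding per line; exit status 0 means no findings.
check_lilo_conf() {
    conf=$1
    n=0

    # The password sits in cleartext, so group/other must have no access.
    # Columns 5-10 of "ls -l" hold the group and other permission bits.
    if [ "$(ls -l "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: readable by group/other but holds a cleartext password; chmod 600 it"
        n=$((n + 1))
    fi

    # Walk the stanzas. Comments are stripped first, so a password that
    # itself contains '#' would be truncated by this simple parser.
    stanza_findings=$(awk '
        function flush() {
            if (name == "") return
            if (!pw)         print name ": no password; a console user can boot with \"single\" and get a root shell"
            else if (!restr) print name ": password without restricted; an unattended reboot hangs at the boot prompt"
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^(image|other)=/ { flush(); name = $0; pw = gpw; restr = grestr; in_stanza = 1; next }
        /^label=/         { if (in_stanza) name = substr($0, 7); next }
        /^password=/      { if (in_stanza) pw = 1; else gpw = 1; next }
        /^restricted$/    { if (in_stanza) restr = 1; else grestr = 1; next }
        END { flush() }
    ' "$conf")
    if [ -n "$stanza_findings" ]; then
        echo "$stanza_findings"
        n=$((n + $(printf '%s\n' "$stanza_findings" | wc -l)))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample files (illustration only, not a real server's config).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF=$SAMPLE_DIR/lilo.conf.weak
GOOD_CONF=$SAMPLE_DIR/lilo.conf.good

# Weak: no password on the Linux image, an unrestricted password on the
# DOS image, and the file is world-readable.
cat > "$WEAK_CONF" <<'EOF'
boot=/dev/hda3
prompt
timeout=50
default=linux

image=/boot/vmlinuz-2.4.2-2
    label=linux
    read-only
    root=/dev/hda3

other=/dev/hda1
    label=dos
    password=Wats?Watt?
EOF
chmod 644 "$WEAK_CONF"

# Hardened: password plus restricted in the global section, so both
# stanzas inherit them, and the file is readable only by its owner.
cat > "$GOOD_CONF" <<'EOF'
boot=/dev/hda3
prompt
timeout=50
default=linux
password=Wats?Watt?
restricted

image=/boot/vmlinuz-2.4.2-2
    label=linux
    read-only
    root=/dev/hda3

other=/dev/hda1
    label=dos
EOF
chmod 600 "$GOOD_CONF"

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $f"
    check_lilo_conf "$f" && echo "   ok: every image has a restricted password and the file is mode 600"
done
```

Run it against a real /etc/lilo.conf by calling check_lilo_conf on that path; a non-zero exit status means at least one stanza would either boot with single without a password or stop an unattended reboot at the prompt. The check is deliberately stricter than LILO itself, which happily accepts a config with neither option.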
