Tips To Protect Linux Servers Physical Console Access

Linux computer console is a physical device to operate a computer / server. Here are few steps which, if taken, make it more difficult for an attacker to quickly modify a system from its console.

Set BIOS Password

The BIOS is boot firmware, designed to be the first code run by a PC when powered on. It controls many important system parameters, including which devices the system will try to boot from, and in which order. Assign a password to prevent any unauthorized changes to the BIOS configuration. Reboot the server. Press special key like F2 (this key may vary from system to system). Go to BIOS configuration menu to add a password. Save and close the bios by pressing F10 (again key may vary)

Set GRUB Boot Loader Password

By default popular Linux distro includes GRUB or Lilo as the default boot loader for x86 systems. GRUB can be used to select from different kernel images available on a particular operating system’s partitions, as well as to pass boot-time parameters to kernels. It also allows to to boot from different partitions or media. GRUB can be used to by pass all security measurement (including authentication) using single-user mode. You must password protect GRUB from modifying the boot parameters and to improve server security. See how to set GRUB boot loader password using grub-md5-crypt command.

Enable Authentication for Single-User Mode

Single-User mode is used for a system recovery. However, by default, no authentication is used if single-user mode is selected. This can be used to bypassing security on the server and gaining root access. To enable authentication for single-user mode, open the /etc/inittab, file:
# vi /etc/inittab
Add the following line to the file:
~~:S:wait:/sbin/sulogin
Save and close the file.

Disable Interactive Hotkey Startup at Boot

A few Linux distribution like Fedora, CentOS or RHEL allows the console user to perform an interactive system startup by pressing [I] key. Using interactive boot, attacker can disable the firewall and other system services. Open /etc/sysconfig/init file:
# vi /etc/sysconfig/init
Modify the setting as follows:

PROMPT=no

Setup Time-out for Login Shells

You can configure any Linux system to automatically log users out after a period of inactivity. You can configure BASH and TCSH time-out.

Setup Screen Locking

When your user temporarily leave console screen locking screen should be deployed to prevent passersby from abusing the account. You must train all users to lock the screen when they must leave console. There are several ways to lock your Linux server or desktop.

The vlock program (one of many program to lock screen) locks one or more sessions on the console. Vlock can lock the current terminal (local or remote) or the entire virtual console system, which completely disables all console access. The vlock program unlocks when either the password of the user who started vlock or the root password is typed. To install the vlock package, enter:
# yum install vlock
vlock is a program to lock one or more sessions on the Linux console. This is especially useful for Linux machines which have multiple users with access to the console. One user may lock his or her session(s) while still allowing other users to use the system on other virtual consoles. To lock console, enter:
$ vlock
The -a option can be used lock all console sessions and disable VC switching, enter:
$ vlock -a

GUI Screen Locking

Most GUI manger can be locked in order to prevent passersby from abusing their login. The Gnome screen can be locked by visting Lock Screen from the System menu. Also, make sure you have enabled a screen saver and it is set to start within 10 minutes of inactivity. For KDE, Clock on Desktop > Configure desktop > Screen Saver > Start automatically > Require password to stop. You can visit KDE Control Center. Expand Appearance & Themes and then click on Screen Saver.

Disable Ctrl+Alt+Delete

Anyone that has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. To disable Ctrl+Alt+Delete update /etc/inittab and make sure following line is commented out:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect type in the following at a prompt:
# init q
To disable the reboot action under Ubuntu Linux, update /etc/event.d/control-alt-delete file.

Data center security

The tips will not prevent someone from booting the server from alternate media. A determined attacker would simply boot into an alternate environment, overwrite your master boot record, mount or copy your physical volumes, destroy your data, or anything else they can imagine. So make sure you restrict access to server room and lock down BIOS with password.

It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. Physical security also plays a large role with data centers. Physical access to the site is usually restricted to selected personnel, with controls including bollards and mantraps. Video camera surveillance and permanent security guards are almost always present if the data center is large or contains sensitive information on any of the systems within. In order to gain entry into the data center all guests must pass through two-factor authentication barriers. You should use motion-sensitive cameras throughout the facilities track all data center activity.

References:

• Examining data centers
• Information security audit
• Vlock project.
• Ubuntu Linux Security Wiki
• A Practical Guide to Basic Linux Security in Production Enterprise Environments

About the author: Rocky Jr., is an engineer with VSNL – a leading ISP / global telecom company and a good friend of nixCraft.