🔐 Protect GRUB Boot Loader with a Password in Linux

By default, GRUB allows users to edit boot parameters during startup. This can be a security risk since anyone with access to the system can modify boot settings (e.g., boot into single-user mode and change the root password).

To prevent unauthorized access, we can secure GRUB with a password.

✅ Works for: Ubuntu, Debian, CentOS, RHEL, Fedora, Rocky Linux, AlmaLinux


📌 1. Generate a GRUB Password Hash

Instead of storing a plain-text password, we store a salted PBKDF2 hash of it.

✅ Generate a Hashed GRUB Password

Run the following command:

grub-mkpasswd-pbkdf2

📌 Example Output:

Enter password: ********
Reenter password: ********
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

🔹 Copy the generated hash (everything after "PBKDF2 hash of your password is").


📌 2. Edit the GRUB Configuration File

Now, we need to store the password in the GRUB configuration.

✅ Open the GRUB Configuration File

sudo nano /etc/grub.d/40_custom

✅ Add the Following Lines

set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

🔹 Replace admin with your desired username.
🔹 Replace grub.pbkdf2.sha512... with the hash generated earlier.

✅ Save and exit: CTRL + X → Y → ENTER


📌 3. Restrict Access to GRUB Menu Entries

Now, prevent normal users from modifying boot settings.

✅ Modify /etc/grub.d/10_linux to Require a Password

sudo nano /etc/grub.d/10_linux

Find the echo "menuentry ..." section and modify it like this:

echo "menuentry 'Ubuntu' --users admin {"

📌 With superusers set, only admin can edit GRUB entries; --users admin additionally limits booting this entry to admin.

✅ Save and exit: CTRL + X → Y → ENTER


📌 4. Apply the Changes

After making modifications, update the GRUB configuration:

sudo grub-mkconfig -o /boot/grub/grub.cfg

📌 On UEFI Systems:

sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg  # RHEL/CentOS

✅ Now, GRUB is protected!


📌 5. Test GRUB Password Protection

1️⃣ Reboot the system:

sudo reboot

2️⃣ Press e to edit a boot entry → You should now be prompted for a username and password.
3️⃣ Enter the admin username and password.

✅ Success! Unauthorized users can no longer modify boot parameters.
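
Added example (not part of the original guide): a static check of the generated grub.cfg that can be run before rebooting. It confirms that superusers is set, that every superuser has a password_pbkdf2 line, and that no clear-text password line is present; the function name audit_grub_cfg and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: static check of a generated grub.cfg (steps 1-4 above).
# Returns 0 when every superuser has a PBKDF2 hash and no clear-text
# password is present, 1 on a finding, 2 if the file cannot be read.
audit_grub_cfg() {
    local cfg=$1 users user rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    # Value of the last: set superusers="admin"
    users=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers=//p' "$cfg" |
            tail -n 1 | tr -d "\"'")
    if [ -z "$users" ]; then
        echo "FAIL: superusers is not set, entry editing is unrestricted"
        return 1
    fi

    # GRUB accepts space , ; | & as separators in the superusers list.
    for user in $(printf '%s' "$users" | tr ',;|&' '    '); do
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+${user}[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            echo "OK: $user has a PBKDF2 hash"
        else
            echo "FAIL: superuser $user has no password_pbkdf2 line"; rc=1
        fi
    done

    # The plain 'password' command keeps the secret readable in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: clear-text 'password' line present"; rc=1
    fi
    return "$rc"
}

# Constructed sample input (placeholder hash, not a real one).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Ubuntu' --users admin {
}
EOF
audit_grub_cfg "$sample" || echo "findings above"
rm -f "$sample"
```

To check the live system, call audit_grub_cfg as root on the file written in step 4, for example /boot/grub/grub.cfg.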


📌 6. Secure Single-User Mode (Extra Security)

Even with a GRUB password, users can boot into single-user mode and change the root password.
To prevent this:

✅ Edit /etc/sysconfig/init (CentOS/RHEL)

sudo nano /etc/sysconfig/init

Change the SINGLE line to:

SINGLE=/sbin/sulogin

✅ Edit /etc/inittab (Older Systems)

sudo nano /etc/inittab

Add:

~:S:wait:/sbin/sulogin

✅ Now, single-user mode requires the root password!


📌 7. Recover Lost GRUB Password (If Forgotten)

If you forget the GRUB password, follow these steps:

1️⃣ Boot from a Live USB
2️⃣ Mount the root partition

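sudo mount /dev/sda2 /mnt   # /dev/sda2 is an example; use your root partition
# grub-mkconfig needs /dev, /proc and /sys inside the chroot
for d in dev proc sys; do sudo mount --bind /$d /mnt/$d; done
sudo chroot /mnt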

3️⃣ Remove the GRUB Password

nano /etc/grub.d/40_custom

🚀 Delete the password_pbkdf2 line, save, and exit.
4️⃣ Regenerate GRUB Configuration

sudo grub-mkconfig -o /boot/grub/grub.cfg

5️⃣ Reboot the System

✅ Now GRUB password protection is removed!


📊 Summary of GRUB Protection

| Step | Command | Purpose |
|---|---|---|
| Generate Password Hash | grub-mkpasswd-pbkdf2 | Creates a secure GRUB password |
| Edit GRUB Config | sudo nano /etc/grub.d/40_custom | Adds password to GRUB |
| Restrict Menu Access | sudo nano /etc/grub.d/10_linux | Requires authentication for boot options |
| Update GRUB | sudo grub-mkconfig -o /boot/grub/grub.cfg | Applies the password protection |
| Secure Single-User Mode | sudo nano /etc/sysconfig/init | Prevents unauthorized root password resets |
| Recover Forgotten Password | Boot Live USB → Edit /etc/grub.d/40_custom | Remove password if lost |
