How to Prevent someone else from reseting your root password ?

If you are an even slightly security-consious sysadmin, the previous sections must have set off alarms while you were reading them. Is it really that easy to hack Linux? Yes and No. It all it comes down to the following: Physical Access is Root Access. Meaning, if you give someone physical access to a system, then you are giving them a very good chance of getting root access on your box. This is true for Windows, Linux, or any other OS out there.

But... you say that you need to give some people physical access to the server? There are some precautions you can take to slow down attackers and stop the noob's. In this section I will talk about various ways you can make your computer more secure against these types of attacks. So lets get started.

Protecting GRUB and LILO

First, edit the /etc/inittab file and insert the following line, right after the "initdefault" line: ~~:S:wait:/sbin/sulogin. This will require a password to boot into single-user mode by making init run 'sulogin' before dropping the machine to a root shell. 'sulogin' requires the user to input the root password before continuing.

Unfortunately, the above step won't protect us against people who know what they are doing and pass init=/bin/bash to the kernel at the LILO prompt. To prevent unauthorized access I would suggest that you password protect LILO/GRUB by following these steps:

How to Protect LILO:

• Open a shell prompt and log in as root
• Open /etc/lilo.conf in your favorite text editor
• Add the following line before the first image stanza: password= , where is your password.
• Run /sbin/lilo -v to let the changes take effect
• Type chmod 600 /etc/lilo.conf to give only root access to read and edit the file since all passwords are in plain text
• Relax a bit, as your system is a little bit more secure

How to password-protect GRUB

• Open a shell prompt and log in as root
• Type /sbin/grub-md5-crypt and press enter
• Enter the password you chose for GRUB when prompted. This will return an MD5 hash of your password
• Open /boot/grub/grub.conf in your favorite text editor
• Add password --md5 below the timeout in the main section (Replace with the hash you got in the previous step)
• Save and exit
• The next time you reboot, the GRUB menu will not let you access the editor or command interface without first pressing [p] followed by the GRUB password.

protecting the BIOS

There are two primary reasons for password-protecting the BIOS of a computer:

• Prevent Changes To BIOS Settings: if an intruder has access to the BIOS, they can set it to boot off of a diskette or CD-ROM.
• Prevent Booting the System: Some BIOSes allow you to password protect the boot process itself. When activated, an attacker would be forced to enter a password for the BIOS to launch the boot loader.

Because the methods for setting a BIOS password vary between computer manufacturers, you should consult the manual for your computer. If you forget the BIOS password, it can often be reset either with jumpers on the motherboard or by disconnecting the CMOS battery. However, you should check the manual for your computer or motherboard before attempting this procedure.