Going Paranoid on Fedora 13

A Paranoid, or 5-star, security rating is the highest physical security rating that you can achieve on your computer. It entails enabling a set of OS-dependent and OS-independent features.

But why would anyone want to achieve such a high physical security rating on Fedora or any other distribution? Strict control of who can access your data if your computer falls into the wrong hands, that’s why. The point is, if your computer is stolen, or seized by agents of the state, you do not want to make it easy for them to access your data. In fact, you want to make it impossible for them to access your data.

Even when you think that you have nothing to hide, you never know when some guys will show up at your residence or business with a warrant to seize all computer and computer-related devices they can find. Just ask Jason Chen.

Now to the physical security features and how to enable them on Fedora 13. There are five of them:

  1. Set the BIOS password – This is the only OS-independent feature. It can be enabled on any computer, and requires getting into the BIOS Setup Utility and enabling the password. On most computers, you set the password in the “Security” tab of the BIOS Setup Utility. The following are the reasons why you would want to set a BIOS password:
    • Prevent Changes To BIOS Settings — If an intruder has access to the BIOS, they can set it to boot off of a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to seed nefarious programs on the system or copy sensitive data.
    • Prevent Booting the System — Some BIOSes allow you to password protect the boot process itself. When activated, an attacker would be forced to enter a password for the BIOS to launch the boot loader.

    source

  2. Encrypt the disk – This is perhaps the most important OS-dependent feature that you can use to achieve a Paranoid security rating on Fedora 13 (or any other Linux or BSD distribution). Typically, it is turned on during the installation process. The image below is from the installation step where you’ll have to turn on disk encryption. Just make sure that “Encrypt system” is checked before moving on to the next step. Read disk encryption on Fedora 13 for a description of how it works.
    Disk partitioning options
  3. Password-protect GRUB – The GRand Unified Boot Loader (GRUB) is now the default boot loader on virtually all Linux distributions (LILO, the LInux LOader, used to occupy that position). On some distributions like Fedora 13, it is the only boot loader supported. You would want to password-protect GRUB for the following reasons:
    • Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user.
    • Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use its editor and command-line interface to change its configuration or to gather information using the cat command.

    source

    You can password-protect GRUB during or after installation. During the installation phase, password-protecting GRUB may be enabled at the step shown in the image below. Just check “Use a boot loader password” and the installer will prompt for a password.

    Specifying boot loader password

    If you have Fedora 13 already installed and running, you can still set a boot loader password. Just follow these steps:

    1. Launch a shell terminal and type in grub-md5-crypt as shown in the image. You do not have to be root. The password that’s requested will be the one that’ll be used to protect GRUB. It should not be the same as that of any user account on the system, certainly not the same as the root password. Note the md5 hash generated. You will need it in the next step.
      Generate the md5 hash for password-protecting GRUB
    2. Edit /etc/grub.conf (symlink to /boot/grub/grub.conf) as shown in the image. Add another line below the “timeout” line and type in password --md5 <md5 hash from step 1>. Note that the option starts with two plain hyphens. Save the file. Reboot and try to access other features of GRUB by pressing the “p” key. Did it work?
      Edit grub.conf
    3. Check the file permissions of grub.conf. If it is readable by anyone other than root, change its permissions to 600 by typing, as root, chmod 600 /etc/grub.conf at a shell prompt.
  4. Choose a strong user account password – It’s always a good practice to choose strong passwords. But how strong is strong enough? Well, the installer and the user management utility will issue an alert when you specify a weak password. You have the option to choose another, stronger password, or use the weak one. Choose wisely.
  5. Never allow automatic login – On Fedora 13, this is one “feature” you do not have to worry about. Why? Fedora’s user management tool does not have this option. Ubuntu and other distro developers should take note.
  6. Implement password aging – Password aging just means that your current password will be set to expire after a defined date. Before that date, the system will prompt you to change it (usually starting 7 days before the password is set to expire). You enable password aging only after installation. Access the Users and Groups tool from System > Administration > Users and Groups, and click on the “Password Info” tab. Check “Enable password expiration” and click OK.
    Age password

That should be all. Think this is going too far? Probably, but in today’s computing environment, you can never be too careful, or too paranoid. After all, it’s your data we are talking about.
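
A check for steps 1 to 3 of the GRUB procedure above, as an added example that is not part of the original article: it confirms that a password --md5 directive sits in the global section of grub.conf (before the first title entry) and that the file is mode 600. The function names and the sample config are constructed for illustration, and GNU stat is assumed.

```shell
# audit_grub_conf FILE prints findings and returns the number of failed checks.
audit_grub_conf() {
    conf=$1
    fails=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # Global section = lines before the first "title". A password directive
    # placed there is what locks the menu editor and the GRUB command line.
    global=$(awk '/^[ \t]*title[ \t]/ {exit} {print}' "$conf")

    if printf '%s\n' "$global" |
        grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$'; then
        echo "OK: global 'password --md5' directive found"
    elif printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]'; then
        # Catches a plaintext password and a typographic dash pasted for "--".
        echo "FAIL: password directive is not in '--md5 \$1\$...' form"
        fails=$((fails + 1))
    else
        echo "FAIL: no password directive before the first title entry"
        fails=$((fails + 1))
    fi

    # /etc/grub.conf is a symlink, so -L checks the real file's mode.
    mode=$(stat -L -c '%a' "$conf")
    if [ "$mode" = "600" ]; then
        echo "OK: mode is 600"
    else
        echo "FAIL: mode is $mode, expected 600"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample config; the hash is a placeholder, not real output.
write_sample_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=0
password --md5 $1$SALT0000$ConstructedPlaceholderHash00
title Fedora (constructed entry)
        root (hd0,0)
EOF
    chmod 600 "$1"
}

# With a path argument, audit that file; otherwise audit the sample.
if [ -n "${1:-}" ]; then
    audit_grub_conf "$1"
else
    tmp=$(mktemp) && write_sample_conf "$tmp" && audit_grub_conf "$tmp"
    rm -f "$tmp"
fi
```

Run it as root against /etc/grub.conf, since a correctly protected file is unreadable to other users.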

3 Comments

  1. Password protecting the BIOS is hardly bullet proof. All an adversary would have to do is pull the CMOS battery or set the reset jumper on the motherboard.

    • True, but no single security measure is tamper-proof. Remember that just because a professional thief can pick your lock does not mean that you should not bother about locking your door.
