How to boost the physical security posture of your Linux-powered computer

Security

Securing a computer goes beyond more than just using strong passwords. You should consider what happens if an unauthorized person gains physical access to your computer. If the only security feature protecting your data from an unauthorized person is a user account password, then you have not taken enough steps to protect your computer and your data. This article presents all the steps you should take to enhance the physical security profile of your desktop/laptop computer running a Linux distribution.

Security

  1. Set a UEFI/BIOS Password – By default PC vendors generally configure their computers to boot from the hard disk and, failing that, to boot from removable media. You can change this boot order from the UEFI/BIOS setup utility. Which means anybody with physical access to the computer can do it too, not just you. To prevent unauthorized persons from accessing the UEFI/BIOS setup utility, you should enable the UEFI/BIOS password. Enabling the UEFI/BIOS password may also be used to prevent the system from booting.

    Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer and that computer was configured to boot from the hard disk and the UEFI/BIOS password was not enabled. To dispense with the headache of having to guess your username and/or password, Mr. Bad Guy could access the UEFI/BIOS and change the boot order so that the computer boots from removable media. Now he can pop in a live distro, boot the computer, mount the drive and … imagine how the story ends.

  2. Password-protect the boot loader – Password-protecting GRUB (GRand Unified Bootloader) 2, the boot loader/boot manager you will most likely be using on a Linux distribution is not commonly done, but it’s possible. Setting a bootloader password ensures that no one with unauthorized physical access to your computer will be able to gain access to single user mode. It also locks access to GRUB’s console. The command to accomplish that on a running system is grub-mkpasswd-pbkdf2. See this link for an example of how to password-protect GRUB on a running system.
  3. Encrypt the hard drive – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer. If you’ve not heard the news yet, Red Hat, the company that supports the development of Fedora, was recently acquired by IBM.
  4. Never use auto-login – When setting a user account password, most Linux distributions will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
    • Always choose strong passwords, minimum of eight characters.
    • Do not base the password on the username. If you are using a distribution that uses the traditional root account system, do not set the root password to be the same as the regular account password.
    • Never enable the automatic login feature. Many Linux distributions have this feature. Do not use it. If you are just introducing your kid or spouse to Linux, do not enable this feature for them. It is a bad security practice. Teach them the value of setting a password from the beginning.
  5. Implement Password Aging – Setting a password for expire, password-aging, is rarely enabled on the desktop, but it’s a feature that’s available in Linux. The graphical user management program on most Linux distributions will allow you to set your passwords to expire at a certain date. An expiration time of six months is the recommended.

If you implement all of the aforementioned tips on your Linux computers, give yourself a five star rating of paranoid. You are ultra secure (four star rating) if you implement steps 2 to 5, and secure (three star rating) if you implement only steps 3 to 5. Consider your security posture weak (two star rating) if you only implement steps 4 and 5 (user account password and password aging). You have a one star rating if you do not implement password aging. Smack yourself if you enable the automatic login feature.

Related Post:  Just a few tricks to make you more efficient at the command line

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

Upcoming events

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.