Password protected GRUB in Linux/UNIX
As a system administrator, you should protect the GRUB bootloader menu so that nobody can change anything in it. GRUB (Grand Unified Bootloader) is the default bootloader in all Linux/UNIX systems. It is the third stage in the Linux boot process. By default it is unprotected, and anyone can boot into single-user mode and change your system settings. GRUB's security features allow us to set a password on GRUB entries. After a password is set, nobody can edit the GRUB entries without it. I suggest you protect GRUB with a password on any critical production server.
In this article I will explain how you can set a password on GRUB in a Linux/UNIX system.
How to Protect GRUB with a Password
Follow the steps below to protect GRUB entries.
Step #1: Log in to the server as the root user and open a terminal. Now create a password for GRUB with the command below. When prompted, type your GRUB password twice and hit Enter. This gives you the MD5 hash of the password. Copy the hash and note it down.
# grub-md5-crypt
You will get output like the following.
# grub-md5-crypt
Password:
Retype password:
$1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.
Step #2: Now open the /boot/grub/grub.conf file to add the MD5 password. You can also edit /boot/grub/menu.lst, because both files are the same: one is a symbolic link to the other.
# vim /boot/grub/menu.lst
OR
# vim /boot/grub/grub.conf
Note: Please keep a backup of the file before editing it, so that you can revert in case of wrong entries.
Step #3: Now add the MD5 password to the GRUB configuration file as shown below.
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
# Global password: the menu cannot be edited until 'p' is pressed and this password is entered.
password --md5 $1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.
hiddenmenu
# The lock line inside the entry means the entry cannot be booted until the password is entered.
title CentOS (2.6.32-279.5.2.el6.i686)
        lock
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=UUID=224b3aa3-6cd2-4634-a409-1a834c46fa9c rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-220.el6.x86_64.img
Step #4: Now reboot the system and press 'p' to get into the GRUB entries; you will be prompted to type the password.
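Before rebooting, the edited file can be checked offline. The following is an added example, not part of the original article: a small Python parser for the GRUB legacy configuration that reports a missing or plain-text global password, an --md5 value that is not a well-formed hash (for example one that lost a character when copied), and entries without lock. The function name audit_grub_conf and the finding strings are assumptions made for illustration; the sample input is constructed from the Step #3 listing.

```python
import re

# md5crypt as produced by grub-md5-crypt: "$1$", salt of 1-8 chars, "$", 22-char digest
MD5CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def audit_grub_conf(text):
    """Return findings for the text of a GRUB legacy grub.conf / menu.lst."""
    findings, entries, global_pw = [], [], False
    for raw in text.splitlines():
        parts = raw.replace("=", " ", 1).split()      # GRUB also accepts "default=0"
        if not parts or parts[0].startswith("#"):
            continue                                  # blank line or comment
        if parts[0] == "title":
            entries.append([" ".join(raw.split()[1:]), False])
        elif parts[0] == "lock" and entries:
            entries[-1][1] = True                     # lock applies to the current entry
        elif parts[0] == "password" and not entries:  # global section only
            global_pw = True
            if len(parts) < 3 or parts[1] != "--md5":
                findings.append("WARN: global password is not an --md5 hash")
            elif not MD5CRYPT.match(parts[2]):
                findings.append("WARN: --md5 value is not a well-formed md5crypt hash")
    if not global_pw:
        findings.append("WARN: no password line before the first title")
    for title, locked in entries:
        if not locked:
            findings.append("INFO: entry has no lock: " + title)
    return findings

# Constructed sample input, reduced from the Step #3 listing.
SAMPLE = """\
default=0
timeout=5
password --md5 $1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
lock
root (hd0,0)
kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=UUID=224b3aa3-6cd2-4634-a409-1a834c46fa9c
initrd /initramfs-2.6.32-220.el6.x86_64.img
"""

if __name__ == "__main__":
    for finding in audit_grub_conf(SAMPLE) or ["OK: password set and every entry locked"]:
        print(finding)
```

To check a real file, pass its contents to the function, for example audit_grub_conf(open("/boot/grub/grub.conf").read()).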
I hope this article helps you protect GRUB entries with a password. If you have any issues or questions, please feel free to mention them in the comment box below.