How Do I Secure Grub Boot Loader?

November 15, 2010 by: upa_kid

You can set a password for the GRUB bootloader. This prevents users from entering single user mode or changing settings at boot time.

When your system is rebooted, grub presents the boot option menu. From this menu one can easily login into a single user mode without the password which might result into compromise system security.

For example, anyone can access the data or change the settings. However you can setup a password for grub with password option. This option forces grub to ask for a password before making any changes or entering into single user mode. You need to type p followed by password.
#1: Create A Password For Grub

Type grub-md5-crypt command to create password in MD5 format:
# grub-md5-cryptOutput:

Retype password:

Please note that you need to copy and paste the MD5 password ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) to your configuration file. Use mouse to copy the same.
#2 Add MD5 Password To Grub Configuration File

Under Debian GNU/Linux the Grub configuration file is located at /boot/grub/menu.lst. (Red Hat / Fedora user use /boot/grub/grub.conf file)
# vi /boot/grub/menu.lst
Edit file and add a password line as follows:
password –md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
Here is my sample config file:

default 0
timeout 5
password –md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title Debian GNU/Linux, kernel
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3 ro

Save and close the file.
Optional Settings for Dual Booting Computer

If you dual boot with Windows XP/2000/7, consider adding lock command to Windows XP right after title command:

title Windows NT/2000/XP
root (hd0,1)
chainloader +1

Note the lock option can be also added to the failsafe entry too. For more information please read

* grub and grub-md5-crypt man pages
* Read Grub seurity manual page online.

Share and Enjoy:
  • Print
  • Digg
  • Sphinn
  • Facebook
  • Mixx
  • Google Bookmarks
  • Blogplay
Have you found this script useful? Please support author by PayPal donation.
Filed under: Linux/Unix
Tags: , , ,

Leave a Reply