Linux Security 101: 4. Physical Security: Single User Mode
For the next couple of parts, we will start examining in practice a couple of ways we can increase our machine's Physical Security. In this article we will secure the system's Single User Mode.
Previous parts:
1. Introduction
2. General Principles and Guidelines
3. Physical Security: Intro
Single user mode
One of the easiest ways, is to boot the system in "single user mode". Most Linux distros by default do not require the root user's password to start in single user mode. You can use the power button to shutdown and then restart the machine. This can also be done by temporarily cutting the power supply, or by simply having access to the host node if your server is a virtual machine (VPS)
It is very easy to do this and you'll have root access, which will allow you to do ANYTHING on the target system. Just press the "Shift" key on your keyboard at the POST screen, to interupt the GRUB boot process. (By the way, GRUB bootloader is the most commonly used bootloader.)
Press the key e when you have selected the Ubuntu grub entry, and locate the line starting with "linux". Just add a lowercase "s", or an uppercase "S" or the number 1 at the end of the line, just like I did to demonstrate for you in the video below.
This will make linux start on the "single user" runlevel. As an alternative, and if the target system uses "systemd", you can use systemd.unit=rescue.target, or simply rescue. Then press on your keyboard Control+X and you are ready to go. In a few seconds you'll have full access to the system! This is "patched" in some more modern releases.
init-based systems:
If your distro is init-based, edit /etc/sysconfig/init, locate the line starting with SINGLE= and change it to this:
SINGLE=/sbin/sulogin
Save, exit and restart your machine.
systemd-based systems:
If you have a systemd-based system (most recent CentOS, Redhat, Ubuntu etc distros), you'll have to inspect 2 files inside /lib/systemd/system: emergency.service and rescue.service
cd /lib/systemd/system
nano emergency.service
Locate the line ExecStart=... and take a note. If you see /sbin/sushell mentioned, change it to /sbin/sulogin.
Save the file and exit. Then do the same for rescue.service.
What's the difference between "/sbin/sushell" and "/sbin/sulogin"?
sushell is instructing the system to open a shell with superuser privileges (root user), while "sulogin" does the same but after the user supplies the correct password.
The ubuntu paradox
Ubuntu won't ask you to set a root account password. Even if you have done the above modifications, you will just get a free pass to the system. The fix is very quick and simple. In your terminal as root type passwd, and set the password. Boot the system in single user mode as I wrote above, and you will get asked for a password. Newer versions of Ubuntu may have "sulogin" by default, so you can just start with setting your root password!
It was very easy to edit the bootloader and boot into single user mode. We secured our system a little bit. In the next part, we will secure our bootloader! Article available here!
Craving for more? Until the next part is available, have a look at my Server 101 series:
- Intro and getting into your server - Single Article
- Basic Server Security - 3 Parts
- Setting up a Web Server - 4 Parts
- Managing Your Server - 4 Parts
- caddy - Lightweight Web Server - 1 Part
- Emailify your server! - 6 Parts
- Setting up a Password-Protected proxy server with Squid - 1 Part
- OpenVPN in less than 2 minutes
- Piwik - Your personal Google Analytics alternative
- Email notifications for SSH Logins
- Keeping your server up to date
Informative and very comprehensive stuff you share