Promoting Free Software

How to enhance the physical security posture of your Linux/BSD-powered PC

February 4th, 2010 • Category: Tutorials/Tips,privacy and licensing •

Securing a computer goes beyond more than just using strong passwords. You should consider what happens if an unauthorized person gains physical access to your computer. If the only security feature protecting your data from an unauthorized person is a user account password, then you have not taken enough steps to protect your computer and your data. This article presents all the steps you could take to enhance the physical security of your Linux- or BSD-powered computer

1. Set a BIOS Password – PC vendors generally configure their computers to boot from the hard disk, and failing that, to boot from the CD drive or other removable media. You can change this boot order by going into the BIOS setup. To prevent unauthorized persons from accessing the BIOS setup, you should enable the BIOS password. Enabling the BIOS pawword may also be used to prevent the system from booting.
   
   Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer, and that computer was configured to boot from the hard disk and the BIOS password was not enabled. To dispense with the head ache of having to guess your username and/or password, Mr. Bad Guy could access the BIOS and change the boot order so that the computer boots from the CD drive or other removable media like a USB drive. Now he can pop in a live CD distro into the drive, boot the computer, mount the drive and … imagine how the story ends.

   Note that some live CD distros will automatically mount the hard dirve partitions in read-only mode. When it was first released, Knoppix was like that.

2. Password-Protect the Bootloader – The bootloaders you will most likely be using on a Linux or BSD system are LILO (LInux LOader), GRUB (GRand Unified Bootloader) legacy, GRUB 2, GAG (Spanish acronym for Graphical Boot Manager), and BTX loader.

   You can set a bootloader password if your distro is using LILO, GAG, GRUB, but not GRUB 2. You typically set the bootloader password during installation, but you may also do it on a running system. Setting a bootloader password ensures that no one with unauthorized physical access to your computer will be able to gain access to single user mode. It also locks access to GRUB’s console.

3. Encrypt the disk – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer.
4. Use Strong Passwords – When setting a user account password, most distros will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
   • Always choose strong passwords, minimum of eight characters.
   • Do not base the password on the username. If you are using a distro that uses the traditional root account system, do not set the root password to be the same as the regular account password.
   • Never enable the automatic login feature. Many distros have this feature. Do not use it. If you are just introducing your kid or spouse to a Linux or BSD system, do not enable this feature for them. It is a bad security practice.
   Do not write down your password(s) on a sticky note and stick it on your monitor. Also, do not store passwords unencrypted on your computer.
5. Implement Password Aging – The graphical user management program on some distros will allow you to set passwords to age or to expire at a certain date. An expiration time of six months is the norm. You can enable password aging on Mandriva Linux and Fedora, but not on Ubuntu, Mint, Pardus.

If you implement all five steps on all of your computers, give yourself a five star rating of paranoid. You are ultra secure (four star rating) if you implement steps 2 to 5, and secure (three star rating) if you implement only steps 3 to 5. Consider your security posture weak (two star rating) if you only implement steps 4 and 5 (user account password and password aging). You have a one star rating if you do not implement password aging. Smack yourself if you enable the automatic login feature.