Linux Security Tip-of-the-day: Limit physical access

61

This should be standard knowledge for all, but some people are still unaware so I will cover it now. 

If you have ever had to change a password or recover a boot-loader on a Linux based system, then you know how easy it is to reset the root password and change system settings from an external operating system or recovery disk. This functionality an be useful but if you can do it, then so can those who wish to compromise your system, so we must put some steps in place to stop the intruders from getting that far.

Here are some recommendations for physically securing you system, you do not have to follow all steps and you must first asses you needs to determine which will fit your needs.

  1. Limit access to the rooms that house you systems. For home PCs it’s not quite as important but it is always recommended if you wish to truly secure the information. You can do this through locks, cameras, guards, key-cards and biometrics locking devices.
  2. Lock the cases in place. Theft of computer data is not restricted to network based attacks, if an intruder can get to your computer system then they can very easily grab the entire computer and take it with them for later use.
  3. Secure the cases that hold your components. Intruders may not have the time to log into your system and review the data so in a pinch they can take out the hard-drives and walk away with the data for later use, locking the cases adds another level of difficulty to their attempts to get your data.
  4. Modify the BIOS settings. Disable the ability to boot from any medium except for the hard drives then add a password to your BIOS. This will prevent booting from an external medium and stop intruders from easily changing passwords or other system settings. The password is to lock out other users from modifying the boot device settings and introducing a weakness to your systems.
  5. Add a password to your boot-loader. Adding a password to the boot-loader entries will ensure that unauthorized users will be unable to boot into the operating systems that you wish to protect; it is also advisable to change the rights of the boot-loader configuration file to restrict all users from seeing the contents except for the root user.

As I stated before these are best practice steps and you should asses the needs for each system to determine if all steps are truly necessary before doing a full implementation.