Thursday, September 13, 2007

Securing Your Operating System - An Ubuntu How-To

When people say that the Linux environment is 'more' secure than the well-known Microsoft Windows operating system, I have only one thing to say: your operating system is only as secure as you allow it to be. The first thing we are going to cover is one that normally goes unnoticed.

Why Protect the BIOS and GRUB?

As all Linux users should know, these two come right at the start-up of your computer. Let me tell you why you should protect them with a password that ONLY you know. If you leave your BIOS without a password, you're allowing whoever has access to your computer to boot from a CD, a USB memory device, a floppy, etc. This is bad because someone could load a LiveCD and completely override your login credentials and even remove your operating system(s) completely. They could also set their own password, and that would prevent YOU from getting on your own computer. So, it is in your best interest to protect your BIOS with a password.

GRUB is just as important to protect. For example, say someone wants into your Linux account really badly because you have admin privileges. All they would have to do is reboot the computer and select the recovery option from the GRUB boot menu, and they would instantly have access to a root terminal. In turn, if they navigate to the /etc directory and type passwd [your username], they can reset your password without even knowing your current password. So, as you can see, GRUB is just as important to protect as the BIOS.

Adding Password-Protection To Grub

There are two ways to do this: the super easy way, which involves installing an application that has a GUI, or the manual way (still pretty easy). Let's go over the manual way, which involves using the terminal.

So go ahead, open your terminal. Type 'grub-md5-crypt' and press [Enter]. The grub-md5-crypt application will then ask you for a password. This is NOT your sudo password that it is asking for; it is the password you want to use to protect GRUB. So think of something complex but not forgettable, since you may need to reset your login credentials in the future. You will have to type your password in twice for confirmation. Afterwards, the application will output an MD5 hash. Copy this hash to a text file for the time being so you can refer to it later.

Now we need to edit your GRUB menu list. In the terminal, type 'sudo gedit /boot/grub/menu.lst' and press [Enter]. You will need to input your sudo password. Let's go ahead and place the password hash at the top. To do this, type 'password --md5 [the password hash you copied from the last step]' (that is two plain hyphens before md5). Make sure this is on a line by itself. Now scroll down toward the bottom and you should see something like this:


title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=459a88e8-6641-40ae-832e-00d7645414d0 ro single
initrd /boot/initrd.img-2.6.20-16-generic


You may notice that the 'lock' line is not included in yours. That's because you have to add it. Go ahead, add the word 'lock' on its own line under the title line. Sometimes there may be more than one option for recovery mode, so go ahead and put a lock line on those as well. If you want, you can lock everything, but then you will need to input your password every time you boot up. After you add the lock line to your recovery section(s), go ahead and click on Save and close the editor. You are now finished protecting your GRUB. Pretty darn easy, right?
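
To double-check the edits above, here is a small audit script, added as an example and not part of the original post. It reports recovery entries that are missing 'lock' and a missing 'password --md5' line above the first title, since 'lock' relies on that password being set. The function names, the placeholder hash and UUID, and the rule that a kernel line containing 'single' marks a recovery entry are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GRUB legacy menu.lst.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_menu_lst() {
    awk '
        function check_entry() {
            if (in_entry && single && !locked) {
                print "UNLOCKED recovery entry: " title
                bad = 1
            }
        }
        /^[ \t]*#/ { next }   # comments, incl. any commented-out password line
        $1 == "title" {
            check_entry()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            in_entry = 1; locked = 0; single = 0
            next
        }
        # Only a password line above the first title applies to the whole menu.
        !in_entry && $1 == "password" && $2 == "--md5" && $3 != "" { have_pw = 1 }
        in_entry && $1 == "lock" { locked = 1 }
        # Assumption: an entry counts as recovery when its kernel line has "single".
        in_entry && $1 == "kernel" {
            for (i = 2; i <= NF; i++) if ($i == "single") single = 1
        }
        END {
            check_entry()
            if (!have_pw) { print "NO password --md5 line above the first title"; bad = 1 }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: hash and UUID are placeholders; the recovery entry lacks "lock".
sample_menu() {
    cat <<'EOF'
# password --md5 $1$PLACEHOLDER
password --md5 $1$PLACEHOLDERHASH
title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=PLACEHOLDER ro quiet splash
title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=PLACEHOLDER ro single
EOF
}

sample_menu | audit_menu_lst || true   # demo run on the constructed sample
```

On a real system, run it as 'audit_menu_lst /boot/grub/menu.lst'; no output and exit status 0 means both checks passed.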

Final Word

You may notice that I did not provide a tutorial on how to protect your BIOS. I did not include this because BIOS systems differ from motherboard to motherboard and have their own methods of doing so. Usually, as soon as you turn your computer on, you will need to press the F1, F2, F12, or DEL key to access the BIOS menu. If any of those works, try navigating around and finding the area where you assign a password. Again, if I were you, I would make it the same as the GRUB password so you don't forget it. Be careful while you are in the BIOS; if you edit something critical, your computer could fail to load properly or even boot. Another note for computer security: disable the root login so no one can log in as root. It is much safer to use sudo; that way you don't edit or delete anything critical while using the computer.