john80988
asked on
prevent reset password on centos
How do I prevent anyone from resetting my CentOS root password if he is able to reboot and has LAN access to my PC?
I assume that you have GRUB (boot loader) installed.
This boot loader can be password secured in a way that users who do not know this password are prevented from accessing Single User Mode and also from booting into an insecure OS (dual boot).
Chapter 47.1.2.2 of the RedHat Deployment Guide:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#ch-wstation
has detailed info on this. In chapter 47.1.2.1 there are instructions on how to secure the BIOS so that booting from external media is prevented.
wmp
Make sure there is no physical access to the machine: if there is, you'll have to go with some fairly extreme measures to keep someone from tampering with the system. Assuming that you're the only one with physical access to the machine (or at least this other person has no access to it):
Remove all capability of remotely logging into the system by stopping some services. Use
netstat -at
to determine what ports are open (look for things like "*:ssh" for services that are listening for connections). Hopefully you don't have anything like telnet or simple (insecure) FTP running. Be sure to check the SSH configuration (usually in /etc/ssh/sshd_config) to make sure nobody can log in directly as root... if you do this currently, stop; instead look at "sudo".
It's from wiki.centos.org
For directions on protecting grub, see BIOS and Boot Loader Security. To require root's password for single user mode, you can use:
echo "# Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/
You must secure booting from other devices like DVD/USB in the BIOS, and secure BIOS editing with a password. That's all I can think of.
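One way to check the three settings named in the answers above (a GRUB password, sulogin for single user mode, no direct root login over SSH), as an added example that is not part of any post. It assumes GRUB legacy's grub.conf and SysV init as on CentOS 5; the function names, sample files and PLACEHOLDER_HASH are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits copies of the three files the answers above mention.

# GRUB legacy: a global "password" line before the first "title" entry
# stops anyone editing boot entries (e.g. appending "single") at the menu.
grub_has_password() {
    awk '/^[[:space:]]*title[[:space:]]/ { exit }
         /^[[:space:]]*password[[:space:]=]/ { found = 1; exit }
         END { exit !found }' "$1"
}

# SysV init: this inittab entry makes single user mode ask for root's password.
inittab_requires_sulogin() {
    grep -Eq '^[^#:]*:S:wait:/sbin/sulogin' "$1"
}

# sshd uses the first value it finds for a keyword; a missing keyword is
# treated as "not hardened" here (assumption, defaults differ by version).
sshd_denies_root() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Prints one line per missing control; return status = number of failures.
audit_boot_hardening() {
    fails=0
    grub_has_password "$1" || { echo "FAIL: no GRUB password in $1"; fails=$((fails + 1)); }
    inittab_requires_sulogin "$2" || { echo "FAIL: single user mode has no sulogin in $2"; fails=$((fails + 1)); }
    sshd_denies_root "$3" || { echo "FAIL: root SSH login not disabled in $3"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not taken from a real host).
d=$(mktemp -d)
printf 'default=0\ntimeout=5\ntitle CentOS\n\tkernel /vmlinuz ro root=LABEL=/\n' > "$d/grub.weak"
printf 'default=0\npassword --md5 PLACEHOLDER_HASH\ntitle CentOS\n' > "$d/grub.ok"
printf 'id:3:initdefault:\n#~~:S:wait:/sbin/sulogin\n' > "$d/inittab.weak"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$d/inittab.ok"
printf '#PermitRootLogin yes\nPermitRootLogin yes\n' > "$d/sshd.weak"
printf 'Port 22\nPermitRootLogin no\n' > "$d/sshd.ok"

audit_boot_hardening "$d/grub.weak" "$d/inittab.weak" "$d/sshd.weak" || true
audit_boot_hardening "$d/grub.ok" "$d/inittab.ok" "$d/sshd.ok" && echo "hardened copy: all checks pass"
```

On a CentOS 5 host the real files are /boot/grub/grub.conf, /etc/inittab and /etc/ssh/sshd_config; reading grub.conf normally requires root.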