Linux Boot Security Against Password Reset Attacks (Enterprise Level)

Overview
  - Goal
    - Prevent unauthorized users from resetting Linux passwords during boot
    - Protect root access
    - Secure physical and virtual servers

Common Attack Methods
  - Edit the GRUB menu
  - Boot into Single User Mode
  - Boot with init=/bin/bash
  - Boot from Live USB/CD
  - Access Recovery Mode
  - Remove the disk and mount it on another system

GRUB Security
  - Purpose
    - Prevent modification of boot parameters
    - Stop init=/bin/bash attacks
    - Stop Single User Mode attacks
  - Configure GRUB Password
    - Generate Password Hash
      - grub2-mkpasswd-pbkdf2 (the command is named grub-mkpasswd-pbkdf2 on Ubuntu/Debian)
      - Example output: a PBKDF2 hash (begins with grub.pbkdf2.sha512.)
    - Add to GRUB Configuration
      - File: /etc/grub.d/40_custom
      - Example:
          set superusers="admin"
          password_pbkdf2 admin <hash>
      - Note: once superusers is set, every menu entry prompts for the password unless the entry is marked --unrestricted; mark normal boot entries as unrestricted so that only editing the entry or using the GRUB console requires authentication
    - Update GRUB
      - Ubuntu: sudo update-grub
      - RHEL: sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  - Verification
    - Reboot the system
    - Press e on a GRUB entry
    - A password is required
  - Enterprise Benefits
    - Prevent unauthorized kernel modification
    - Prevent recovery mode abuse
    - Meet CIS Benchmark controls

BIOS / UEFI Security
  - Purpose
    - Prevent boot sequence manipulation
  - Configure BIOS Password
    - Administrator password
    - Setup password
  - Disable Unauthorized Boot Devices
    - USB boot disabled
    - CD/DVD boot disabled
    - PXE boot disabled
  - Enable Secure Boot
    - Allow only trusted bootloaders
    - Prevent unsigned bootkits
  - Enterprise Benefits
    - Protect against physical attacks
    - Reduce insider threats

Full Disk Encryption
  - Technology: LUKS
  - Purpose
    - Protect data if the disk is stolen
    - Prevent offline password resets (an attacker who mounts the disk on another system cannot read or edit /etc/shadow without the passphrase)
  - Implementation
    - Encrypt during installation
    - Encrypt an existing disk using LUKS (luksFormat destroys the existing contents of the device; back up the data first)
      - cryptsetup luksFormat /dev/sdb
      - cryptsetup luksOpen /dev/sdb secure_disk
  - Enterprise Benefits
    - Data is unreadable without the passphrase
    - Compliance requirement
  - Interview Point
    - GRUB password protects the bootloader
    - LUKS protects data at rest

TPM Integration
  - Trusted Platform Module: hardware security chip
  - Functions
    - Store encryption keys securely
    - Verify boot integrity
  - Implementation
    - TPM 2.0
    - LUKS + TPM
      - systemd-cryptenroll --tpm2-device=auto /dev/sdb
      - Note: the TPM releases the key only when the measured boot state matches; by default systemd-cryptenroll binds to PCR 7 (Secure Boot state), so Secure Boot must be enabled for the binding to be meaningful
  - Enterprise Benefits
    - Automatic secure unlocking
    - Protection against disk theft

Secure Boot
  - Purpose
    - Verify the trusted boot chain
  - Protection against
    - Bootkits
    - Rootkits
    - Unauthorized kernels
  - Verification
    - mokutil --sb-state (prints "SecureBoot enabled" when active)
  - Enterprise Benefits
    - Trusted operating system startup

Recovery Mode Restrictions
  - Purpose
    - Prevent root shell access
  - Disable unnecessary recovery entries
  - Secure the GRUB menu
    - Require authentication
    - Root password required
  - Verification
    - Attempt a recovery boot
    - An authentication prompt appears

Root Account Security
  - Lock direct root login
    - passwd -l root
  - Verify status
    - passwd -S root (a status of L or LK means the account is locked)
  - Benefits
    - Reduce the attack surface
    - Force accountability (administrators must use sudo)

SSH Hardening
  - Disable root SSH login
    - Edit /etc/ssh/sshd_config
    - Configure: PermitRootLogin no
    - Validate the configuration before restarting: sshd -t
    - Restart SSH: systemctl restart sshd
  - Benefits
    - Prevent direct root access

Multi-Factor Authentication
  - Purpose
    - Add a second authentication factor
  - Methods
    - OTP
    - Hardware token
    - Authenticator application
  - Enterprise Benefits
    - A password alone is insufficient

Physical Security Controls
  - Data center controls
    - Restricted access
    - Security guards
    - CCTV monitoring
    - Rack locking
  - Benefits
    - Prevent direct console attacks

Audit and Monitoring
  - Auditd
    - Monitor critical files
    - Commands
      - auditctl -w /etc/passwd -p wa
      - auditctl -w /etc/shadow -p wa
      - Note: rules loaded with auditctl are lost at reboot; persist them in a file under /etc/audit/rules.d/
    - Review logs
      - ausearch -f /etc/passwd
  - SIEM Integration
    - ELK
    - Wazuh
    - Splunk
  - Benefits
    - Detect unauthorized changes

Enterprise Implementation Flow
  1. Enable BIOS password
  2. Disable USB and external boot
  3. Enable Secure Boot
  4. Configure GRUB password
  5. Encrypt the system with LUKS
  6. Integrate TPM
  7. Lock the root account
  8. Harden SSH
  9. Enable Auditd monitoring
  10. Forward logs to the SIEM

CIS Benchmark Mapping
  - BIOS security
  - Secure Boot
  - GRUB password
  - LUKS encryption
  - Root account protection
  - Audit logging
  - Physical security controls

Interview Questions
  - How can an attacker reset a Linux password?
    - Single User Mode
    - init=/bin/bash
    - Live USB boot
  - How do you prevent password reset through GRUB?
    - Configure a GRUB password
  - How do you prevent offline password reset attacks?
    - LUKS full disk encryption
  - What is the difference between a GRUB password and LUKS?
    - GRUB: protects bootloader settings
    - LUKS: protects disk data
  - Why is Secure Boot important?
    - Prevents unauthorized bootloaders and kernels
  - Why use TPM with LUKS?
    - Hardware-protected key storage

Enterprise Recommended Stack
  - BIOS password
  - Secure Boot
  - GRUB password
  - LUKS full disk encryption
  - TPM 2.0 integration
  - Root login disabled
  - SSH hardening
  - MFA
  - Auditd monitoring
  - SIEM monitoring
  - Physical data center security