Linux操作系统之grub加密实战案例

　　　　　　　　　　　　Linux操作系统之grub加密实战案例

　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　作者：尹正杰

版权声明：原创作品，谢绝转载！否则将追究法律责任。

一.为grub设置明文密码案例

1>.修改"/boot/grub/grub.conf"配置文件

[root@yinzhengjie ~]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=

timeout=

splashimage=(hd0,)/grub/windows.xpm.gz

password yinzhengjie　　　　　　#此处我指定密码为"yinzhengjie"

title CentOS  (2.6.-.el6.x86_64)
    root (hd0,)
    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_node200/
lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet    
　　initrd /initramfs-2.6.-.el6.x86_64.img

title CentOS  (4.6.-.el6.x86_64)
    kernel (hd0,)/vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_n
ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM    
　　initrd (hd0,)/initramfs-2.6.-.el6.x86_64.img
[root@yinzhengjie ~]# 

2>.重启操作系统（我们发现启动操作系统时没有"a","c","e"的相关选项，只有一个"p"选项）

[root@yinzhengjie ~]# reboot 

Broadcast message from root@yinzhengjie
    (/dev/pts/) at : ...

The system is going down for reboot NOW!
[root@yinzhengjie ~]# 

3>.按字母“p”输入grub.conf中设置的密码

4>.密码输入正确会进入grub管理菜单

 5>.温馨提示

　　从上面的操作可以为grub设置密码，但如果别人通过U盘启动或者光盘启动进入救援模式这就尴尬了，直接跳过了咱们设置的grub啦！

　　因此，在生产环境中配置好上述操作后，应该禁用掉指定的USB接口，只留住一个接口给键盘使用即可，可能这个时候有人又会说直接来一个拓展坞工具不就得了，一个USB接口可用扩展成多个可用了，所以有时候你还不得不禁用所有USB接口。

　　但玩过计算机的都知道，尽管你禁用了所有USB接口依旧还不安全，只要找一个IDC工作人员把服务器查查看，适当的换一些硬件，我们就会发现没有绝对的安全，只有攻防的对垒。

二.为grub设置密文密码案例

1>.生成grub口令

[root@yinzhengjie ~]# grub-md5-crypt
Password:
Retype password:
$$ejtsg0$qylYnYONrLdC56LXHIJ4M1
[root@yinzhengjie ~]# 

2>.使用md5加密不推荐(美国国家安全局和美国国家标准技术局一起设计的一个用于电子签名的非常核心的算法，但MD5和SHA-1加密算法被我国密码学家王小云破解)

[root@yinzhengjie ~]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=

timeout=

splashimage=(hd0,)/grub/windows.xpm.gz

password --md5 $$ejtsg0$qylYnYONrLdC56LXHIJ4M1

title CentOS  (2.6.-.el6.x86_64)
    root (hd0,)
    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_node200/
lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet    
　　initrd /initramfs-2.6.-.el6.x86_64.img

title CentOS  (4.6.-.el6.x86_64)
    kernel (hd0,)/vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_n
ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM    
　　initrd (hd0,)/initramfs-2.6.-.el6.x86_64.img
[root@yinzhengjie ~]# 

3>.推荐使用sha512算法进行加密

[root@yinzhengjie ~]# grub-crypt
Password:
Retype password:
$$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1
[root@yinzhengjie ~]# 

4>.将sha512算法写入"/boot/grub/grub.conf"配置文件

[root@yinzhengjie ~]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=

timeout=

splashimage=(hd0,)/grub/windows.xpm.gz

password --encrypted $$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1

title CentOS  (2.6.-.el6.x86_64)
    root (hd0,)
    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_node200/
lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet    
　　initrd /initramfs-2.6.-.el6.x86_64.img

title CentOS  (4.6.-.el6.x86_64)
    kernel (hd0,)/vmlinuz-2.6.-.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF- rd_LVM_LV=vg_n
ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM    
　　initrd (hd0,)/initramfs-2.6.-.el6.x86_64.img
[root@yinzhengjie ~]#