Linux操作系统之grub加密实战案例
Linux操作系统之grub加密实战案例
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.为grub设置明文密码案例
1>.修改"/boot/grub/grub.conf"配置文件
[root@yinzhengjie ~]# cat /boot/grub/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root # initrd /initrd-[generic-]version.img #boot=/dev/sda default=1 timeout=5 splashimage=(hd0,0)/grub/windows.xpm.gz password yinzhengjie #此处我指定密码为"yinzhengjie" title CentOS 6 (2.6.32-754.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/ lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-754.el6.x86_64.img title CentOS 8 (4.6.32-754.el6.x86_64) kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_n ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img [root@yinzhengjie ~]#
2>.重启操作系统(我们发现启动操作系统时没有"a","c","e"的相关选项,只有一个"p"选项)
[root@yinzhengjie ~]# reboot Broadcast message from root@yinzhengjie (/dev/pts/0) at 22:07 ... The system is going down for reboot NOW! [root@yinzhengjie ~]#
3>.按字母“p”输入grub.conf中设置的密码
4>.密码输入正确会进入grub管理菜单
5>.温馨提示
从上面的操作可以为grub设置密码,但如果别人通过U盘启动或者光盘启动进入救援模式这就尴尬了,直接跳过了咱们设置的grub啦!
因此,在生产环境中配置好上述操作后,应该禁用掉指定的USB接口,只留住一个接口给键盘使用即可,可能这个时候有人又会说直接来一个拓展坞工具不就得了,一个USB接口可用扩展成多个可用了,所以有时候你还不得不禁用所有USB接口。
但玩过计算机的都知道,尽管你禁用了所有USB接口依旧还不安全,只要找一个IDC工作人员把服务器查查看,适当的换一些硬件,我们就会发现没有绝对的安全,只有攻防的对垒。
二.为grub设置密文密码案例
1>.生成grub口令
[root@yinzhengjie ~]# grub-md5-crypt Password: Retype password: $1$ejtsg0$qylYnYONrLdC56LXHIJ4M1 [root@yinzhengjie ~]#
2>.使用md5加密不推荐(美国国家安全局和美国国家标准技术局一起设计的一个用于电子签名的非常核心的算法,但MD5和SHA-1加密算法被我国密码学家王小云破解)
[root@yinzhengjie ~]# cat /boot/grub/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root # initrd /initrd-[generic-]version.img #boot=/dev/sda default=1 timeout=5 splashimage=(hd0,0)/grub/windows.xpm.gz password --md5 $1$ejtsg0$qylYnYONrLdC56LXHIJ4M1 title CentOS 6 (2.6.32-754.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/ lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-754.el6.x86_64.img title CentOS 8 (4.6.32-754.el6.x86_64) kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_n ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img [root@yinzhengjie ~]#
3>.推荐使用sha512算法进行加密
[root@yinzhengjie ~]# grub-crypt Password: Retype password: $6$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1 [root@yinzhengjie ~]#
4>.将sha512算法写入"/boot/grub/grub.conf"配置文件
[root@yinzhengjie ~]# cat /boot/grub/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root # initrd /initrd-[generic-]version.img #boot=/dev/sda default=1 timeout=5 splashimage=(hd0,0)/grub/windows.xpm.gz password --encrypted $6$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1 title CentOS 6 (2.6.32-754.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/ lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-754.el6.x86_64.img title CentOS 8 (4.6.32-754.el6.x86_64) kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_n ode200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img [root@yinzhengjie ~]#
本文来自博客园,作者:尹正杰,转载请注明原文链接:https://www.cnblogs.com/yinzhengjie/p/11915217.html,个人微信: "JasonYin2020"(添加时请备注来源及意图备注,有偿付费)
当你的才华还撑不起你的野心的时候,你就应该静下心来学习。当你的能力还驾驭不了你的目标的时候,你就应该沉下心来历练。问问自己,想要怎样的人生。
