HowTo : Hardening GRUB

What is GRUB? Let’s ask Wikipedia:

GNU GRUB (short for GNU GRand Unified Bootloader) is a boot loader package from the GNU Project.

GRUB is the easiest way to hack into Linux systems!

  • The first option to break into a Linux system is to edit the kernel line during system startup (usually by pressing “e” on the boot menu), replacing ro quiet splash with rw init=/bin/bash.
  • The second option is to use the Recovery Mode entry.

So the solution is to disable the Recovery Mode entry and set a password for GRUB.

Disabling Recovery in GRUB

Setting a Password for GRUB

Creating a rescue copy of the file:

Creating a GRUB Password:

Copy the output starting with grub.pbkdf2. and save it in a file:

Add the following to the end of 00_header file:

cat << EOF >> /etc/grub.d/00_header
set superusers="PASSWORD"
password_pbkdf2 PASSWORD grub.pbkdf2.sha512.10000.D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B
EOF

root@debian:~# update-grub
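An added Python example (not from the original post) that reimplements the grub.pbkdf2.sha512 string format with the standard library, so you can check offline that the hash you paste into 00_header really matches the intended password before rebooting; the "admin" user name and the "change-me" sample password are assumptions.

```python
import hashlib
import hmac
import secrets

GRUB_PREFIX = "grub.pbkdf2.sha512"

# Hash from the post above, used here only as parser input (the password
# behind it is not known).
PAGE_HASH = (
    "grub.pbkdf2.sha512.10000."
    "D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8."
    "F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B"
)


def parse_grub_hash(text):
    """Split grub.pbkdf2.sha512.<iterations>.<salt hex>.<key hex> into its parts."""
    parts = text.strip().split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != GRUB_PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 string")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def make_grub_hash(password, iterations=10000, salt=None):
    """Produce what grub-mkpasswd-pbkdf2 prints: PBKDF2-HMAC-SHA512 with a
    64-byte random salt and a 64-byte derived key (GRUB's defaults)."""
    salt = secrets.token_bytes(64) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"{GRUB_PREFIX}.{iterations}.{salt.hex().upper()}.{key.hex().upper()}"


def verify_grub_hash(password, text):
    """True if password matches the string; the derived keys are compared in constant time."""
    iterations, salt, key = parse_grub_hash(text)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(key))
    return hmac.compare_digest(candidate, key)


def header_lines(user, grub_hash):
    """The two lines to append to /etc/grub.d/00_header before running update-grub."""
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {grub_hash}\n'


if __name__ == "__main__":
    h = make_grub_hash("change-me")   # constructed sample password
    assert verify_grub_hash("change-me", h)
    print(header_lines("admin", h))   # "admin" is an assumed superuser name
```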
How-To: Destination NAT in JunOS

You are asked to publish a local website on an external network such as Internet, and you have to do it in a secure manner using the SRX firewall at your office.

The procedure is straightforward.

  1. Find the local host’s zone (Local IP) with show route and show interface
  2. Find out to which External (Global) IP address the D-NAT should be applied
  3. Find the external access zone (Global IP) with show route and show interface
  4. OPTIONAL: Create “security address-book global” entries for the source/destination addresses
  5. If you are port-forwarding: create an “application” for the local host’s protocol/port
  6. Define a “security policy” from the EXTERNAL zone to the LOCAL zone, matching the source (external hosts), destination (local hosts) and application (local hosts’ protocol/port) parameters, and set the action to permit
  7. Create a “NAT Destination Pool” for the Local IP and, if port-forwarding, add the service’s port
  8. Define a “security nat destination rule-set rule” matching the source (external hosts), destination (local hosts) and destination-port (local hosts’ port) parameters, and set the “destination-nat pool” to the pool created in the last step

Below you will find a sample snippet of the configuration:

Simple How-To for BIRD routing – OSPF

This is a draft version. Hopefully I’ll update it with more details on OSPF configuration and a simple OSPF adjacency scenario between different machines.

BIRD, the BIRD Internet Routing Daemon, is one of the simplest Linux routing daemons, with just one configuration file for IPv4 and one for IPv6.

Personally, I prefer Quagga because it uses a CLI very similar to Cisco IOS, but more configuration files have to be managed to get it running.

The first step would be to install the daemon:

apt-get install bird  or  aptitude install bird

Then you have to edit the configuration per your requirements.

  • IPv4: /etc/bird.conf
  • IPv6: /etc/bird6.conf

A simple OSPF configuration follows:

