Prevent linux from being replaced [closed]

Posted on

Prevent linux from being replaced [closed] – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, security, permissions, , .

This is somewhat related to physical security breach.

Consider a Linux server with all firewall and other security stuffs running in it. However, if someone gets physical access to the server, he could simply wipe out the existing Linux in the machine (formatting the system with an OS CD/DVD or install a new OS in that place).

Such a thing could be prevented by securing the server machine well. However, my question is, could Linux, as a software, prevent such things? For example, I would typically like to have some parameter (set by admin) that would prevent OS replacement. In order to actually replace the OS, admin must unset that parameter.


As per @David Schwartz’s comment, a brief description about the environment:

  • It’s not a war-like situation where someone is moving with hammers, saws and other dangerous tools 🙂
  • The machine could not be physically replaced
  • The machine’s chassis could be opened and all such stuff be done — but that’s also less likely

The environment am talking about is when someone accidentally gets into physical proximity of the machine for a short duration, and attempts to wipe out the OS. Yes, a CD/DVD ROM is there.

Further, I’m not concerned with whether there is backup, or if that guy could read my contents. The only thing I’m concerned is that he could potentially interrupt my service.

Final Remarks

Thanks for all the answers (and humours). The objective was to know if such a mechanism exists or could possibly exist. I take the answer as negative. Not sure if this could be a research issue in the future.

Solution :

You can modify the BIOS configuration, set boot order to only HDD, secure BIOS with a password (but an attacker can reset it by replacing the BIOS battery), and in Linux you can secure GRUB with a password. But you’ll have to enter the password every time you reboot your system (if you have KVM over IP this is possible).

But the truth is that if someone has physical access to your machine they can use a hammer, C4, chainsaw, etc… to destroy your data and computer. Even if you secure it with a BIOS password they can replace the HDD.

In conclusion, if someone has physical access to a machine they can do all they want with it.

If someone has physical access to your machine then they can do what they want and nothing you can do at the OS level can stop them. The main reason is that they can simply bypass your OS and boot their own from a bootable device.

First of all, can you ensure that the bad guy doesn’t gain phisical access to the computer? If no, Remove CD ROM, set up so that computer boots from primary hard drive, disable USB ports (at the level of BIOS ofcourse), and set BIOS password. But then, the bad guy could still open the case (if you don’t secure it) and remove BIOS battery to reset any BIOS password, boot from usb flash and…

After all what’s the problem if the bad guy replaces the OS? It doesn’t mean he can gain access to resources stored on computer if the disk is encrypted. And you do have backups, do you?

Anyway, here is your answer:
Big old key
Along with encryption and backups.

A word of note first:
Law #3 of Computer Security: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

To help lessen the chances of a casual would-be OS installer, there are a few things you can do with a Linux server both phyiscal security and software security:

  • Lock the server rack, secure the single key
  • Disable USB, CD, PXE, and ‘Other HDD’ boot options in BIOS
  • Set a secure BIOS access password
  • Set a Grub password to edit, disable recovery and single-user mode
  • Use strong root and user passwords
  • Use AppArmour or SELinux to protect kernel space and filesystem
  • Understand Law #3. Plan for this not being in your control.

Leave a Reply

Your email address will not be published.