1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

Single User Mode Security

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

Let's talk about ways to protect your Linux system from potential attacks that can occur when someone gains unauthorized physical access to your server. One of the easiest ways to gain unauthorized access to a Linux system is to simply boot the system into single user mode. Traditionally, Linux distributions did not require a root password to boot into single user mode. If you have physical access, then you can touch the Power button and power off the machine and press it again to start the boot process. You could also remove the power source and restore it. If your Linux server is a virtual machine, then whoever has access to the virtual console can do this as well. This is a Linux system and it's running in a virtual machine. I'm going to hit the virtual Power Reset button to power cycle it. Go to the machine and click on reset. Now, this is the exact same process I would use if I was standing in front of a physical machine in a data center. I'd simply power off the machine and power it back on. Yep, I'll click reset to do the power reset. At this point, I'm going to interrupt the boot process by pressing a key. What you're looking at here is the GRUB boot loader, which is the most popular boot loader in use today for Linux systems. If you look at the bottom of your screen you'll see some instructions. I'm going to press E to edit the configuration. Next, I'm going to find the line that starts with Linux. Go down here and find it and there it is right there. So, this is the line that tells the boot loader where the kernel is and the remaining items on the line are arguments that are being passed to the Linux kernel. I'm going to supply an argument of S which will cause the system to boot into single user mode. You can also supply an uppercase S or even a one. All of these are for the same run level, which is single user mode. If the system is using systemd you can also supply a target with systemd.unit, equals and the name of the target. To get into a single user mode equivalent, you would use systemd.unit=rescue.target. There's also an emergency.target that you can use. You can also use a shortcut which is to simply supply the name of the target like rescue. But here I'm going to go ahead and use an S for single user mode. Again, notice the instructions at the bottom of the screen. I'm going to boot this modified configuration by pressing Control + X. At this point, the Linux system is booting. You can see that I have a root shell without entering a password. At this point, I can do anything I want. I can change the root password, I can create an account for myself, I can install software, I can disable the system's firewall. I now own this box simply because I have physical access to it. Fortunately, this doesn't always work. Some of the more recent releases and distributions require a root password even when booting into a single user mode. Let's look at how to require the root password for single user mode. This first example I'm going to show you is on a CentOS six system. CentOS is basically Red Hat without Red Hat's branding. So you can use this process for a Red Hat six system or a CentOS six system. By default, CentOS six doesn't require a root password for single user mode and to change this we need to edit a file. I'm going to go ahead and log into this system as root first. And the file we need to change is etc/sysconfig/init. We're looking for the line that contains SUshell. I'm going to scroll down to the bottom here until I find it. As you can see in the comments of the file, it says to set single to /sbin/sulogin to prompt for a password on single user mode. Otherwise, use SUshell to start a shell without prompting for a password. SUshell is simply a program that runs a shell. If SUshell isn't available on your system, then you would substitute a shell here like Bash, for example. I'll go ahead and make the change and reboot the system. We'll change SUshell to SUlogin, save my changes and reboot. Going to interrupt the boot process. Selecting E to edit it. I'm looking for the line that's going to boot the kernel and I'm going to append an S for single user mode. I'll go ahead and hit B to boot that configuration. Now, as you can see that even though we're booting into single user mode, it's asking us for the root password. If I enter in the incorrect root password and hit enter it's going to keep asking me for the password. I can't get into the system until I supply the correct root password. Here I'll go ahead and supply it now and then now we finally have a root shell on this Linux system. For systems that use systemd to control the system initialization process instead of the traditional init program, you need to modify the related targets. This includes the latest releases of CentOS, Red Hat, Ubuntu and many other distributions. The target configurations are stored in lib/systemd/system. The files you want to modify are emergency.service and rescue.service. Go ahead and edit both of these files. Make sure that the exec start line executes SUlogin. Here you can see that it executes SUshell, I'm going to change that to SUlogin and then I'm going to do the exact same thing on the next file. Again, changing SUshell to SUlogin. Now, when we reboot in a single user mode we'll be prompted for a password. Find that Linux line, supply an S for single user mode and boot it and here in just a second we should be prompted for the root's password and there it is.

About the Author