Quoted from /boot/grub/menu.lst
Quote:
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
|
so to set a Grub password, write in the first section of the menu file
Code:
password your_chosen_password
or with md5 as in the above example, and after that Grub asks for a password if you want to do change anything (like try to enter single user mode by adding "single" to the kernel line).
I'd still have a BIOS password like aus9 said, to prevent people from booting off a live-cd, mounting your harddisk partitions and resetting the password that way. And disable root account (add a ! to the shadow file's encrypted password field, which effectively disables the account), so that it's no use of making a brute-force attack to guess the password. After that tcpwrappers, iptables, ...
Well, Grub password is the least you can do if you want to make things more difficult, but without BIOS password set also it's not of much use. Also remember that people could just open your box, detach your harddisk, plug it into their own machine, boot that and access the disk that way, circumventing your BIOS password that prevented them from booting off something else than the harddisk. To prevent that you would have to seal the machine into a bullet-proof locker room inaccessible to anyone but you, which is quite difficult.