Monday, March 16, 2009

How Do I secure Grub boot loader?


"Five minutes to a secure Linux system" is a tip that explains the importance of security for new Linux boxes. I'm going to add one more tip to his work, i.e. securing the grub boot loader.

When the system is rebooted, grub presents the boot option menu. From this menu anyone can easily boot into single user mode without a password, which might compromise system security.

For example, anyone can access the data or change the settings. However, you can set up a password for grub with the password option. This option forces grub to ask for a password before making any changes or entering single user mode: you need to press p and then type the password.
#1: Create a password for grub

Type the grub-md5-crypt command to create the password in MD5 format:

# grub-md5-crypt

Output:

Password:
Retype password:
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Please note that you need to copy and paste the MD5 password hash ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0), not the password itself, into your configuration file. Use the mouse to copy it.
#2: Add MD5 password to grub configuration file

Under Debian GNU/Linux the Grub configuration file is located at /boot/grub/menu.lst. (Red Hat / Fedora users use the /boot/grub/grub.conf file.)

# vi /boot/grub/menu.lst

Next, edit the file and add a password line in the global section (before the first title entry) as follows:

password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

At the end it should look like this:

default 0
timeout 5
password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0
title Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3 ro
savedefault
boot

Save and close the file.

Optional:
If you dual boot (e.g. a home computer/workstation) with Windows XP/NT/2000, consider adding the lock command to the Windows XP entry right after the title command:

title Windows NT/2000/XP
lock
root (hd0,1)
savedefault
makeactive
chainloader +1

Please note that the lock option can also be added to the failsafe entry.
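As an added example (not part of the original post), here is a small POSIX shell audit of a GRUB legacy menu.lst that checks for the settings described in steps #1 and #2 and reports entries that are not locked. The audit_menu_lst and write_sample functions are hypothetical helpers, not GRUB tools, and the hash in the sample file is constructed, not a real grub-md5-crypt output.

```shell
#!/bin/sh
# Audit a GRUB legacy menu.lst for the password and lock settings.
# Hypothetical helper (not part of GRUB); returns 0 when the file passes.
audit_menu_lst() {
    f="$1"; rc=0
    # The global section is everything before the first "title" line; the
    # password directive only protects the menu when it is placed there.
    global=$(sed '/^[[:space:]]*title/,$d' "$f")
    if ! printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$[^$]+\$'; then
        echo "FAIL: no global 'password --md5' line before the first title"; rc=1
    fi
    # A password directive without --md5 stores the secret in clear text.
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^-]' "$f"; then
        echo "FAIL: clear-text password directive; use grub-md5-crypt"; rc=1
    fi
    # "lock" in an entry only works when a global password exists; list the
    # entries that are not locked so the admin can decide (Windows, failsafe).
    awk '
      function report() { if (t != "" && !locked) print "INFO: entry not locked: " t }
      /^[[:space:]]*title/ { report(); t = $0; sub(/^[[:space:]]*title[[:space:]]*/, "", t); locked = 0 }
      /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
      END { report() }' "$f"
    # menu.lst is usually world-readable, which exposes the hash to offline guessing.
    if [ "$(ls -ld "$f" | cut -c8)" != "-" ]; then
        echo "WARN: $f is world-readable; consider chmod 600"
    fi
    return $rc
}

# write_sample FILE secured|unsecured: constructed menu.lst for demonstration.
write_sample() {
    {
        echo "default 0"
        echo "timeout 5"
        if [ "$2" = secured ]; then echo 'password --md5 $1$CONSTRUCTED$xxxxxxxxxxxxxxxxxxxxxx'; fi
        echo "title Debian GNU/Linux, kernel 2.6.13.4-cust-en-smp"
        echo "root (hd0,0)"
        echo "kernel /boot/vmlinuz root=/dev/hda3 ro"
        echo "title Windows NT/2000/XP"
        if [ "$2" = secured ]; then echo "lock"; fi
        echo "root (hd0,1)"
        echo "chainloader +1"
    } > "$1"
}
```

Run it against the real file with `audit_menu_lst /boot/grub/menu.lst` after editing, or against a sample written by write_sample to see the failure messages first.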

For more information please read:

* the grub and grub-md5-crypt man pages
* the Grub security manual page online.
