Greetingz!
It's called "Limit Physical Access". This is why important servers are stored behind locked doors, and console-access requires multi-factor authentication (usually something you know, like a password, and something you have, like a SecurID token).
The old saying; "If I can get to the server, you've already lost" really does mean something. However you can *try* the following;
BIOS Settings
(Implementing any of this is highly dependent on your BIOS that is on your motherboard. Read the manual for specifics)
1) Set a BIOS password
The "when entering Setup" password, not "every-time-the-computer-boots" password"
2) Set the BIOS to boot off of only the hard disk.
That means you tell the BIOS "don't look for a CD-ROM, then a floppy, then a USB stick, then the network" and so forth.
Exactly how you do this is going to depend on your MotherBoard manufacture.
3) Disable any sort of "diagnostic" menus your BIOS prompts you for.
This could be anything from "Hit F12 for boot menu" to "Hit F2 to run diagnostics"
GRUB
1) Password protect any "alternate boot" lines.
Here's a link for securing Grub 1.99. Might help.
Linux itself
1) Set the "noauto" option for /boot in your /etc/fstab.
You *did* create a separate filesystem for your /boot directory, right?
I mean, the
kernel is stored there, that's really important!
2) Limit "sudo" usage.
Only specify exact commands. Don't give someone free reign on the system.
Also, don't allow them to use commands as root that let you escape to a shell
(Example: vi, vim, less...not sure what else you could use)
3) Patch your OS!
Might want to make sure you have backups first. I've seen Apache updates blow away web server configurations before...
4) For the truely paranoid, google-up some security scanners for Linux.
CIS has a few good documents and recommendations.
Might want to try the NIST guys, too.
5) If you're really insane, start reading up on SELinux.
Warning: It will drive you mad the first few weeks (months?) you use it.
If this post (or any others) help you out, make sure you mark that post helpful!
(This way others that have your same question will know!)
P.S: Please note that none of this will protect a server against someone standing in front of it with a screwdriver.
If you want to secure your data, use whole-disk encryption! The kind where you have to have a USB key plugged in when rebooting, and take the USB key out when it's done decrypting the drives.
