You can define for the root password to be asked in order to boot to single user mode, by editing /etc/inittab and putting "~~:S:wait:/sbin/sulogin" (preferably somewhere at the begining). This will by default run the sulogin program which asks for the root password, however one can change that by passing a different init argument through the bootloader (like init=/bin/sh), so it just makes access a little less obvious.
An other thing you can do, is password protect the grub through it's config. Here's how to do that:
1) execute /sbin/grub-md5-crypt as root and provide the password you want to be used. An encrypted hash for your password will be returned.
2) edit /boot/grub/grub.conf and add somewhere near the beggining:[code:1]password --md5 HASH [/code:1]replacing the word HASH with the hash that /sbin/grub-md5-crypt returned to you.
Next time grub will require you to press p and provide your password.
