Minimal RHEL/CentOS 7 Initial Server Setup

1. Overview

After installing a new RHEL/CentOS 7 server, some basic configuration is needed to make sure the server is ready for further service and application installation and configuration.

This tutorial covers the initial tasks that need to be done on a newly installed RHEL/CentOS 7 Linux server.

2. Prerequisites

In this article, it is presumed that:

a. You already have a RHEL/CentOS 7 Linux server installed and running. If you don’t, you may want to read Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM) first.
b. You have an internet connection in place.

3. Configure Static IP Address

To configure a static IP address for a CentOS 7 server, we need to edit the file /etc/sysconfig/network-scripts/ifcfg-eno16777728 as follows.

# vi /etc/sysconfig/network-scripts/ifcfg-eno16777728

BOOTPROTO="static"
ONBOOT="yes"
IPADDR="192.168.1.10"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
DNS1="192.168.1.1"
DNS2="8.8.8.8"
DOMAIN="techspacekh.com"

Then we need to restart the network service as follows.

#systemctl restart network

Check that the server is now configured with the new IP address and gateway with the following command.

#ip route
default via 192.168.1.1 dev eno16777728  proto static  metric 100
192.168.1.0/24 dev eno16777728  proto kernel  scope link  src 192.168.1.10 metric 100

Check that the file /etc/resolv.conf was updated after restarting the network service as follows.

# cat /etc/resolv.conf

# Generated by NetworkManager
search techspacekh.com
nameserver 192.168.1.1
nameserver 8.8.8.8

Normally, when we install a minimal CentOS 7 server, NetworkManager is enabled by default to manage the network interfaces. We can use the nmtui (Network Manager Text User Interface) command to launch NetworkManager in a terminal environment.

# nmtui

However, most of the time we work directly with the file /etc/sysconfig/network-scripts/ifcfg-eno16777728 when configuring an IP address for the server, so we can disable the NetworkManager service as follows and then restart the network service.

#systemctl stop NetworkManager
#systemctl disable NetworkManager
#systemctl restart network

4. Enable EPEL Repository

Extra Packages for Enterprise Linux (EPEL) is an additional repository of high-quality add-on software packages for Linux distributions such as RHEL (Red Hat Enterprise Linux), CentOS, and Scientific Linux. It is a free, open source, community-based repository developed by the Fedora team.

Execute the following command to install the EPEL repository.

#yum -y install epel-release

5. Update OS

After the CentOS 7 server installation is finished, it is extremely important to update the operating system and the installed packages, and to keep them up to date, in order to have a stable and secure operating system.

To update the operating system and all installed packages, execute the following command.

#yum -y update

6. Install Basic Commands

The minimal CentOS 7 installation does not include some basic Linux commands that are necessary to work with the system. So, before going any further with this newly installed server, we need to install the following packages.

  • net-tools for the ifconfig and netstat commands
  • bind-utils for the nslookup and dig commands
  • wget for the wget command
  • telnet for the telnet command
  • mailx for the mail command
  • vim for the vim command
  • nmap for the nmap command, to list open ports
  • traceroute for the traceroute command
  • w3m for the w3m command
  • htop for the htop command
  • iftop for the iftop command
  • policycoreutils-python for the semanage command

#yum -y install net-tools
#yum -y install bind-utils 
#yum -y install wget 
#yum -y install telnet
#yum -y install mailx
#yum -y install vim
#yum -y install nmap
#yum -y install traceroute
#yum -y install w3m 
#yum -y install htop
#yum -y install iftop
#yum -y install policycoreutils-python

7. NTP, Date and Time Setting

7.1 Time Zone Setting

If we don’t know the name of the time zone to set in CentOS 7, we can list all available time zones with the following command.

#timedatectl list-timezones

[...]
Asia/Novokuznetsk
Asia/Novosibirsk
Asia/Omsk
Asia/Oral
Asia/Phnom_Penh
Asia/Pontianak
Asia/Pyongyang
Asia/Qatar
Asia/Qyzylorda
Asia/Riyadh
Asia/Sakhalin
[...]

To change the currently used time zone to our own, use the following command. The following changes the time zone to “Asia/Phnom_Penh”.

#timedatectl set-timezone Asia/Phnom_Penh

7.2 Date and Time Setting

We can use the timedatectl command to display the current date and time along with detailed information about the configuration of the system and hardware clock.

#timedatectl
      Local time: Thu 2017-04-27 19:52:08 +07
  Universal time: Thu 2017-04-27 12:52:08 UTC
        RTC time: Thu 2017-04-27 12:52:08
       Time zone: Asia/Phnom_Penh (+07, +0700)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a

To change the current time, we can execute the command timedatectl set-time HH:MM:SS as follows. HH is the hour, MM is the minute, and SS is the second.

#timedatectl set-time 13:30:00

To change the current date, we can execute the command timedatectl set-time YYYY-MM-DD as follows. YYYY is the year, MM is the month, and DD is the day.

#timedatectl set-time 2017-04-27

We can also use the date command to display the current date and time.

#date
Thu Apr 27 20:02:50 +07 2017

7.3 NTP Client Setting

In CentOS 7, Chrony is the default NTP client/server, so it should already be installed if NTP was turned on during the operating system installation. Otherwise, you can install it with the command below.

#yum -y install chrony

Once installed, execute the following commands to start the chronyd service and enable it at boot so that it can maintain accurate time.

#systemctl start chronyd
#systemctl enable chronyd

To enable automatic synchronization of the system clock with a remote NTP server, execute the following command.

#timedatectl set-ntp yes

To disable automatic synchronization of the system clock with a remote NTP server, execute the following command.

#timedatectl set-ntp no

To synchronize the time with a local NTP server, edit the file /etc/chrony.conf and add the line server 192.168.1.2 prefer as follows. The prefer parameter specifies that this server is preferred over the other servers.

#vim /etc/chrony.conf

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
server 192.168.1.2 prefer

Then, we need to restart the chronyd service as below.

#systemctl restart chronyd
#systemctl restart systemd-timedated

We can use the chronyc command to view detailed NTP-specific information as follows.

#chronyc tracking
Reference ID    : 192.168.1.2 (ntp.techspacekh.com)
Stratum         : 4
Ref time (UTC)  : Thu Apr 27 10:20:09 2017
System time     : 7.206224442 seconds fast of NTP time
Last offset     : +10.208244324 seconds
RMS offset      : 3.228130341 seconds
Frequency       : 13.497 ppm fast
Residual freq   : +52.354 ppm
Skew            : 0.385 ppm
Root delay      : 0.015626 seconds
Root dispersion : 10.924638 seconds
Update interval : 60.4 seconds
Leap status     : Normal

8. Set Host Name

To change the server host name, edit the file /etc/hostname. The following changes the server host name to “vkcent-web01”.

#vim /etc/hostname
vkcent-web01

After that we need to restart the server.

#reboot

9. Enable IPTables Instead of Firewalld

By default, CentOS 7 uses firewalld to manage iptables, and the iptables service is not installed. The firewall-cmd command is used to disable firewalld and enable iptables. If we prefer to use the classic iptables, then we need to disable firewalld as follows.

#systemctl disable firewalld
#systemctl stop firewalld
#systemctl mask firewalld

Then, we need to install the “iptables-services” package as follows.

#yum install iptables-services

Now, we need to enable and start the iptables service so that it starts automatically at system boot time.

#systemctl enable iptables
#systemctl start iptables

We can use the following command to list the current iptables rules.

#iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2592 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   159 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 2072 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now we can either add iptables rules from the CLI with the iptables command or edit the file /etc/sysconfig/iptables, which looks something like the following and opens port 22 on the server for SSH remote management. Rules written in the file /etc/sysconfig/iptables are not lost after a system restart.

#vim /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Now let's try to open port 80 on the server with the iptables command on the terminal. iptables evaluates the rules of a chain in order, so the new rule is inserted at position 5 (-I INPUT 5), ahead of the final REJECT rule; a rule appended with -A would land after the REJECT and never match. A rule created with the iptables command is not saved permanently and is lost after a reboot.

#iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

List the current iptables rules again to see that the new rule is there.

# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  118  8624 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
   20  3250 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 776 bytes)
 pkts bytes target     prot opt in     out     source               destination

To keep the iptables rules after a system reboot, save them with the following command.

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

10. Change NIC Name

In CentOS 7, network interface names are determined automatically from firmware, topology, and location information, which can result in long interface names. Many people find such long interface names inconvenient.

# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777728: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:7f:fd:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.114/24 brd 192.168.1.255 scope global eno16777728
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe7f:fd78/64 scope link
       valid_lft forever preferred_lft forever

10.1 Method 1

To permanently change the network interface name to the traditional Linux names, which are enumerated as eth[0123…], we need to edit the file /etc/udev/rules.d/90-eno-fix.rules and comment out the line starting with SUBSYSTEM as below. After that, copy that line, paste it just below the commented line, and change the network interface value from NAME="eno16777728" to NAME="eth0" as follows.

#vim /etc/udev/rules.d/90-eno-fix.rules

#SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:b2:bc:95", NAME="eno16777728"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:b2:bc:95", NAME="eth0"

Then, rename the interface file ifcfg-eno16777728 in the directory /etc/sysconfig/network-scripts to ifcfg-eth0 as follows.

#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0

Then, edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from “eno16777728” to “eth0” as follows.

# vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"

Finally, reboot the server and verify the new interface name as below.

# reboot
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever

If we want to rename a network interface interactively, without udev and without rebooting the server, we can do the following, but the name will revert to the old setting after a system restart.

#ifdown eno16777728 
#ip link set eno16777728 name eth0

Then again, rename the interface file ifcfg-eno16777728 in the directory /etc/sysconfig/network-scripts to ifcfg-eth0 as follows.

#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0

Then, we need to edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from “eno16777728” to “eth0” as follows.

# vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"

Finally, execute the following command to bring up the interface.

#ifup eth0

Verify the new interface name as below.

# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever

10.2 Method 2

If the above method does not work, try the following method instead. Edit the file /etc/default/grub and append “net.ifnames=0 biosdevname=0” to the end of the line starting with GRUB_CMDLINE_LINUX as follows.

#vim /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg-systems/lv-root rd.lvm.lv=vg-systems/lv-swap rd.lvm.lv=vg-systems/lv-usr rhgb quiet net.ifnames=0 biosdevname=0"

Execute the grub2-mkconfig command as follows to create a new configuration based on the currently running system.

#grub2-mkconfig -o /boot/grub2/grub.cfg

Then again, rename the interface file ifcfg-eno16777728 in the directory /etc/sysconfig/network-scripts to ifcfg-eth0 as follows.

#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0

Then, we need to edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from “eno16777728” to “eth0” as follows.

# vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"

Finally, reboot the server and verify the new interface name as below.

# reboot
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever

11. Disable IPv6

IPv6 is enabled by default if we didn’t disable it during the installation of CentOS 7. IPv6 is really terrible for privacy and we should definitely disable it to protect our privacy. Since the system doesn’t need to have IPv6 active, it’s best to disable IPv6 in all possible ways until we understand how to manage it to protect our privacy.

#ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 10.111.102.56/24 brd 10.111.102.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever

To disable IPv6, append the following lines to the file /etc/sysctl.conf.

#vim /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

After editing, execute the following command to make the settings effective.

#sysctl -p

Verify if IPv6 is really inactive as below.

# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 10.111.102.56/24 brd 10.111.102.255 scope global eth0
       valid_lft forever preferred_lft forever

12. Disable Postfix

Normally, when we install a minimal CentOS 7 server, Postfix is enabled by default. If the system will not be used for SMTP service, we should stop and disable the Postfix master daemon, which runs on localhost, using the following commands.

#systemctl stop postfix
#systemctl disable postfix

13. Enable SELinux

Security-Enhanced Linux (SELinux) is extremely valuable as part of an overall RHEL/CentOS Linux server security baseline. It is strongly recommended to leave it enabled in enforcing mode wherever possible on any production system. If SELinux is disabled because a particular service or application does not work properly, a key security layer of the server is removed too.

After installing RHEL/CentOS, SELinux is enabled and running in enforcing mode by default. We can use the sestatus command to view the current status of SELinux, which looks something like the following.

#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

If SELinux is disabled, we can enable it again by editing the file /etc/selinux/config as follows. A system restart is required for the change to take effect.

#vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

#reboot

14. Login Banner

Following the publication of the “Computer Misuse Act 1990”, it is strongly recommended that computers display a banner message before allowing users to log in. The Act stipulates that an offense of unauthorized access can only be committed if the offender knew at the time that the access he intended to obtain was unauthorized. The “Regulation of Investigatory Powers Act 2000” also requires information to be given to users who access the computer. Login banners are the best way to achieve this.

14.1 Banner Before Users Login

To display a message banner to SSH users before login, we can create a file in the directory /etc/ssh, let's name it loginbanner.txt, and add content like the example below.

#cd /etc/ssh
#vim loginbanner.txt

UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED!
You must have explicit permission to access or configure this system. 
All activities performed on this system may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. 
There is no right to privacy on this system. 
Use of this system shall constitute consent to monitoring.

Edit the file /etc/ssh/sshd_config as follows.

#vim /etc/ssh/sshd_config
Banner /etc/ssh/loginbanner.txt

Then we need to restart the sshd service and test a remote SSH login to the server.

#systemctl restart sshd

14.2 Banner After Users Login

To display a message banner after login, we need to edit the file /etc/motd and add content like the following example.

#vim /etc/motd

Authorized Access Only!
If you are not an authorized user, disconnect IMMEDIATELY!
All connections are monitored and recorded.

Now, try to connect over SSH again; the message banner is shown after a successful login.

The above message banner also appears when we successfully log in via a console session.

15. Delegating Root Privilege with Sudoers

As a security best practice, the root user should not log in to the system directly, whether from the console or remotely. It is recommended to log in as a normal user and use the sudo command to perform tasks that require root privilege. For more detail about sudo, please check Linux Privilege Delegation With Sudoers.

[vannath@vkcent-web01 ~]$ sudo yum update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for vannath:
vannath is not in the sudoers file.  This incident will be reported.

Now let's delegate to an alias group named “SYSADMIN” the ability to run commands as root by editing the file /etc/sudoers with the visudo command as follows. The alias group “SYSADMIN” has two users as members, “vannath” and “solida”.

#visudo
User_Alias  SYSADMIN = vannath, solida
SYSADMIN ALL=(ALL:ALL) NOPASSWD: ALL

Now we should get a successful result when executing the following command again.

[vannath@vkcent-web01 ~]$ sudo yum update

16. Set Console Session Idle Timeout Interval

Not setting an idle timeout for console sessions on a server is a security risk. In many cases, people step away from their computers without locking the screen while a console session is still connected to the server, so the session could be compromised. We need to create a file named /etc/profile.d/autologout.sh as follows. The timeout interval is in seconds, so let's set it to 300 seconds for a 5-minute idle timeout.

$sudo vim /etc/profile.d/autologout.sh
TMOUT=300
readonly TMOUT
export TMOUT

Next, we need to make it an executable file.

$sudo chmod +x /etc/profile.d/autologout.sh
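
The file-based settings from sections 11, 13, 14.1 and 16 can be verified in one pass once the setup is done. The script below is an added example, not part of the original article: it checks a root directory for the values the tutorial sets, and its function names, labels and PASS/FAIL output are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the files edited in sections 11, 13, 14.1 and 16 under
# a root directory ("/" on a live server). Function names and the PASS/FAIL
# output format are assumptions of this example, not taken from the article.

# conf_value FILE KEY: value of the last uncommented "KEY = VALUE" line.
conf_value() {
  [ -r "$1" ] || return 0
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) last = v
    }
    END { print last }' "$1"
}

value_is() { [ "$(conf_value "$1" "$2")" = "$3" ]; }   # FILE KEY EXPECTED

# sshd_config must name a Banner file that exists and is not empty.
banner_ok() {   # ROOT
  b=$(awk 'tolower($1) == "banner" { v = $2 } END { print v }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null)
  [ -n "$b" ] && [ "$b" != none ] && [ -s "$1$b" ]
}

# TMOUT must be a positive number and readonly, so a session cannot change it.
tmout_ok() {    # FILE
  [ -r "$1" ] || return 1
  t=$(sed -nE 's/^[[:space:]]*((readonly|export)[[:space:]]+)?TMOUT=([0-9]+).*/\3/p' "$1" | tail -n 1)
  [ -n "$t" ] && [ "$t" -gt 0 ] && grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$1"
}

check() {       # LABEL COMMAND [ARGS...]
  label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_baseline ROOT: prints one PASS/FAIL line per setting and returns 0 only
# if every check passed. Only the files are read, not the running kernel state.
audit_baseline() {
  root=${1%/}; fails=0
  check selinux-enforcing value_is "$root/etc/selinux/config" SELINUX enforcing
  check ipv6-disabled-all value_is "$root/etc/sysctl.conf" net.ipv6.conf.all.disable_ipv6 1
  check ipv6-disabled-default value_is "$root/etc/sysctl.conf" net.ipv6.conf.default.disable_ipv6 1
  check ssh-banner banner_ok "$root"
  check idle-timeout tmout_ok "$root/etc/profile.d/autologout.sh"
  [ "$fails" -eq 0 ]
}

# Constructed tree holding the article's settings, so the audit runs offline.
make_sample_root() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/etc/selinux" "$d/etc/ssh" "$d/etc/profile.d"
  printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/etc/selinux/config"
  printf 'net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n' > "$d/etc/sysctl.conf"
  printf 'Banner /etc/ssh/loginbanner.txt\n' > "$d/etc/ssh/sshd_config"
  printf 'UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED!\n' > "$d/etc/ssh/loginbanner.txt"
  printf 'TMOUT=300\nreadonly TMOUT\nexport TMOUT\n' > "$d/etc/profile.d/autologout.sh"
  echo "$d"
}

demo=$(make_sample_root) && audit_baseline "$demo"
[ -n "$demo" ] && rm -rf "$demo"
```

On the server itself, run audit_baseline / as root; a FAIL line names the setting to revisit in the matching section.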

17. Conclusion

You have now completed the initial setup of a newly installed RHEL/CentOS 7 server, and it should be ready for the installation and configuration of services or applications such as a web server. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.
