30 Things to Do After Minimal RHEL/CentOS 7 Installation

30. Password Protect GRUB

Password protect your boot loader to get an additional level of security right at boot time. It also gives you a layer of protection at the physical level. Protect your server by locking GRUB at boot to prevent unauthorized access.

First make a backup of two files, so that if anything goes wrong you have the option to revert. Create a backup of ‘/boot/grub2/grub.cfg‘ as ‘/boot/grub2/grub.cfg.old‘.

# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.old

Also create a backup of ‘/etc/grub.d/10_linux‘ as ‘/etc/grub.d/10_linux.old‘.

# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.old

Now open ‘/etc/grub.d/10_linux‘ and add the following lines at the end of the file.

cat <<EOF
set superusers="tecmint"
password tecmint [email protected]
EOF

In the above lines, replace the username “tecmint” and the password “[email protected]” with your own username and password.

Now generate the new grub.cfg file by issuing the following command.

# grub2-mkconfig --output=/boot/grub2/grub.cfg

After creating the new grub.cfg file, reboot the machine and press ‘e‘ to edit. You will find that it requires you to enter valid credentials in order to edit the boot menu.

After entering the login credentials, you will be able to edit the GRUB boot menu.

You can also use an encrypted password in place of the plain password shown in the above step. First generate an encrypted password as shown below.

# grub2-mkpasswd-pbkdf2

[Enter Normal password twice]

Now open the ‘/etc/grub.d/10_linux‘ file and add the following lines at the end of the file.

cat <<EOF
set superusers="tecmint"
password_pbkdf2 tecmint <PBKDF2 hash generated above>
EOF

Replace the password with the one generated on your system. Don’t forget to cross check the password.

Also note that you need to generate grub.cfg in this case as well, as described above. Reboot, and the next time you press ‘e‘ to edit, you will be prompted for a username and password.
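A check to run after regenerating grub.cfg, as an added example that is not part of the original article: it reports whether a superuser is set and whether each one uses a PBKDF2 hash rather than a plain-text password. The function name audit_grub_cfg and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original article). audit_grub_cfg is a
# hypothetical helper name; the sample .cfg files below are constructed.

# Prints one finding per line; returns 0 only if no problem was found.
audit_grub_cfg() {
    local cfg="$1" rc=0 users user mode
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }

    # superusers may be quoted and may list several separated names
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$cfg" \
            | tr -d "\"'" | tr ',;' '  ' | tail -n 1)
    if [ -z "$users" ]; then
        echo "FAIL: no 'set superusers' line, menu entries can be edited freely"
        rc=1
    fi

    for user in $users; do
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$user[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            echo "OK: $user uses a PBKDF2 hash"
        elif grep -Eq "^[[:space:]]*password[[:space:]]+$user[[:space:]]" "$cfg"; then
            echo "FAIL: $user has a plain-text password stored in $cfg"
            rc=1
        else
            echo "FAIL: superuser $user has no password entry"
            rc=1
        fi
    done

    # A file holding boot credentials should not be accessible to other users
    mode=$(stat -c '%a' "$cfg")
    case "$mode" in
        *[1-7]) echo "FAIL: $cfg is accessible to others (mode $mode)"; rc=1 ;;
        *)      echo "OK: file mode $mode" ;;
    esac
    return $rc
}

# Constructed sample input so the function can be tried without touching /boot
demo_dir=$(mktemp -d)
printf 'set superusers="tecmint"\npassword tecmint CONSTRUCTED-PLAINTEXT\n' > "$demo_dir/plain.cfg"
printf 'set superusers="tecmint"\npassword_pbkdf2 tecmint grub.pbkdf2.sha512.10000.CONSTRUCTED.CONSTRUCTED\n' > "$demo_dir/hashed.cfg"
chmod 600 "$demo_dir/plain.cfg" "$demo_dir/hashed.cfg"
audit_grub_cfg "$demo_dir/plain.cfg"  || true
audit_grub_cfg "$demo_dir/hashed.cfg" || true
```

On a real system, run `audit_grub_cfg /boot/grub2/grub.cfg` as root after `grub2-mkconfig`.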

We’ve tried to cover most of the necessary post-installation points for the industry-standard distributions RHEL 7 and CentOS 7. If you find that we’ve missed certain points, or you would like this post extended with additional post-install tasks, share them with us and we will include them in this article.

76 Responses

  1. Paul says:

    I followed this guide. It's really helpful. As you said quite extensively about installing apache, databases and others.

    Can you also provide a guide regarding how to upload a site in CentOS after doing all this?

  2. Ambady Bala says:

    I am wondering why httpd, php is installed after installing virtualbox. Initially it is installed, will it conflict?

  3. Samuel Wamala says:

    Resourceful tutorial for Linux enthusiast.

  4. Gary J. Morin says:

    There is a mistake in the SSH section. The config file is NOT ‘ssh-config’. That is meant for the SSH client not the server. The SSH server settings are in ‘sshd-config’. As a noob, it took me a while to figure out why my changes had no effect on the server.

    Otherwise, this has been a great resource for someone like me learning Linux for the first time. Thanks!

    • Ravi Saive says:

      Thanks for notifying, yes it should be sshd_config for configuring SSH Server. We’ve corrected it in the article.

  5. Graham Leach says:

    One of the commands didn’t work for me, the one related to opening up the httpd port through firewalld. I got a syntax error.

    I got a successful execution with the following command, because I did not choose to assign http a funky port, just the standard one (80).

    # firewall-cmd --permanent --zone=public --add-service=http 

    If you want to use a custom port for httpd, use this command, which specifies the port/protocol:

    # firewall-cmd --permanent --zone=public --add-port=2888/tcp 


  6. Panos says:

    Thank you for getting this information together, it is very helpful for people not familiar with minimal desktop-less installations.
