TMOUT – Auto Logout Linux Shell When There Isn’t Any Activity

Read Time: 1 minCategories Security 11 Comments

How often do you leave a Linux system idle after login; a situation which can be referred to as an ‘idle session’, where you are not attending to the system by running commands or any administration tasks.

However, this normally presents a great security risk, especially when your logged on as the superuser or with an account that can gain root privileges and in the event that someone with malicious intend gains physical access to your system, he or she can executes some destructive commands or do what ever they want to achieve on it, in the shortest time possibles.

Read Also: How to Monitor Linux Commands Executed by System Users in Real-time

Therefore, it is practically a good idea to always configure your system to automatically logout users in case of an idle session.

To enable automatic user logout, we will be using the TMOUT shell variable, which terminates a user’s login shell in case there is no activity for a given number of seconds that you can specify.

To enable this globally (system-wide for all users), set the above variable in the /etc/profile shell initialization file.

# vi /etc/profile

Add the following line.

TMOUT=120

Save and close the file. From now on, a user will be logged out after 120 seconds (2 minutes), if he or she is not attending to the system.

Note that users can configure this in their own shell initialization file ~/.profile. This means that once that particular user has no activity on the system for the specified second, the shell automatically terminates, thus logging out that user.

Following are some useful security articles, go through it.

  1. How to Monitor User Activity with psacct or acct Tools
  2. How to Configure PAM to Audit Logging Shell User Activity
  3. How to Block or Disable Normal User Logins in Linux
  4. The Mega Guide To Harden and Secure CentOS 7 – Part 1
  5. The Mega Guide To Harden and Secure CentOS 7 – Part 2

That’s it! To share any thoughts or ask questions regarding this topic, use the feedback section below.

If this article helped, with someone on your team.

TecMint Weekly Newsletter
Get the Learn Linux 7 Days Crash Course free when you join 34,000+ Linux professionals reading every Thursday.
Check your email for a magic link to get started.
Something went wrong. Please try again.
TecMint has been free for 14 years. Help keep it that way.
Google AI Overviews and tools like ChatGPT have cut into search traffic for independent tech sites like TecMint. Running this site costs over $2,000 every month for hosting, infrastructure, and paying authors to keep the content accurate and tested.

If this article helped you solve a problem, consider buying a coffee. It helps keep TecMint free, supports the authors, and keeps the project going.
☕ Buy Me a Coffee

Previous article:

10 Practical Examples Using Wildcards to Match Filenames in Linux

Next article:

Initial Server Setup and Configurations on CentOS 7
Photo of author
Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Related Posts

11 Comments

Leave a Reply

  2. It’s definitely a bad practice. On most distros, you SHOULDN’T edit /etc/profile.

    Put your custom config files as drop-in scripts here: /etc/profile.d/.

    @Denny Snyder recommended a much better and complete solution which probably came from CIS Benchmark.

    Regards,
    Andris

    Reply

  4. Hi

    Thank you for the great instructions, however we’re running Centos 6.9 and need to get this working on our servers for PCIDSS reasons. Unfortunately, it didn’t work for us. I’ve also tried adding it to the .bashrc file, but no joy. Any ideas?

    Reply

  5. “A user will be logged out after 160 seconds (2 minutes), if he or she is not attending to the system.”

    160 secs is not 2 mins.. it should be 120 secs

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.

Free Course
Get a free Linux course before you go.
Subscribe to TecMint Weekly and get the Learn Linux 7 Days Crash Course free. Read by 34,000+ Linux professionals every Thursday.
Something went wrong. Please try again.
Check your email for a magic link to get started.