Earlier, I wrote about fork bomb, few readers like to know about getting protection against such attacks:
How do I protect my system from a fork bomb under Linux?
Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to /etc/security/limits.conf file and impose process limitations.
Understanding /etc/security/limits.conf file
Each line describes a limit for a user in the form:
<domain> <type> <item> <value>
Where:
- <domain> can be:
- an user name
- a group name, with @group syntax
- the wildcard *, for default entry
- the wildcard %, can be also used with %group syntax, for maxlogin limit
- <type> can have the two values:
- "soft" for enforcing the soft limits
- "hard" for enforcing hard limits
- <item> can be one of the following:
- core - limits the core file size (KB)
- <value> can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- sigpending - max number of pending signals
- msgqueue - max memory used by POSIX message queues (bytes)
- nice - max nice priority allowed to raise to
- rtprio - max realtime priority
- chroot - change root to directory (Debian-specific)
Login as the root and open configuration file:
# vi /etc/security/limits.conf
Following will prevent a "fork bomb":
vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200
Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process.
Save and close the file. Test your new system by dropping a form bomb:
$ :(){ :|:& };:
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 26 comments… read them below or add one }
Could you tell me what it’s the difference between hard and soft limits?
People told me soft is like warning and hard is real max limit, but I’m not sure
@RuBiCK,
Yup, you are correct about soft and hard limit. For example, following will prevent anyone in the student group from having more than 50 processes, and a warning will be given at 30 processes.
@student soft nproc 30@student hard nproc 50
HTH
vivek fail… soft don’t give warning, soft work same as hard, but can do something, you know what?:)
:) thanks for this mini howto
Could you explain how does that form bomb work?
Is there a reason to limit core dump file sizes? I am usually in the process of doing so mainly because I don’t like to set anything to unlimited
@Igor, see
http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/
@JV,
Limit disk space.
is there a way to activate these settings on a running system? Currently i have not found any other solution that to reboot to make the settings active :(
(using debian etch)
man ulimit
google linux sysctl limit proccess
Actually soft limits work like hard limits except, that the user can change them up to the hard limit.
Say:
@student soft nproc 30@student hard nproc 50
@students can run 30 process. After that starting processes will fail. But an
ulimit -Su 50will make it possible for them to run 50 processes, in that shell until the next logout.
To make changes work, the user has to logout and login again. All user already logged in are able to work as before.
sandoz
Tried the Fork BOmb… Worked perfectly :)
I wonder how to limit number of used cpu cores per user or per user process in case when process is multithreaded and server has multiply number of CPU.
hi Sergei,
i think this can be done via:
apt-get install cpulimit
cheers
joshi
I don’t see any info for doing it without PAM, so here’s some info (for us Slackware people, etc, and others not using PAM):
Put this in /etc/profile.conf:
ulimit -u 100
where this is the limit of processes anyone can run. Be warned that it could cause problems if you don’t know how many typical processes you run, so play with ps aux | wc -l and other stuff to check how many you would need. Cheers!
@Robert Delahunt: While I am on Ubuntu 9.04, your suggestion was the only one that worked. For me setting hard and soft limits for users in /etc/security/limits/conf had no effect. I had to place ulimit -u NUM in /etc/profile for it to stick. Thanks!
@Samuel Huckins: Hmmm?
Kubuntu-9.04-alternate-amd64 (encr. ~dir.):
sudo vi /etc/security/limits.conf[i]
...
#@student - maxlogins 4
lider hard nproc 300
# End of file
[ESC] [:][w][q][!]
Reboot!
Konsole (KDE):
lider@xbox:~$ :(){ :|:& };:[1] 3606
lider@xbox:~$ bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
...
bash: fork: Resource temporarily unavailable #after a while - nothing bad happend - there were enough resources for [^][c]
[1]+ Terminated : | :
lider@xbox:~$
After that I became too saucy and tried:
lider hard nproc 50That was a bad idea! Cause in KDE really nothing worked (motto: “Come in and don’t go out any more!”). And I’m not sure if I typed in the Magic SysRq too quickly or if I gave in the wrong types. But: my XServer was *hardly* broken and my *whole* audio-system was totally crashed. I have not had such a heavy break-down in more than 10 years Linux-experience! No chance to fix the problems totally in 2-3 hours! But: I tested it on a pure testing-disc and it didn’t matter for me. If it had been my working-station, my last hair would have faded to grey.
Can i do it for root user
root hard nproc 50
When i use “cpulimit” program, with apropriate options, i get this error:
Segmentation fault (core dumped)An core dump file is created when i run cpulimit for limit apache (httpd).
My server is an Core2Quad 64 Bits…maybe cause i’m using 64 Bits?
Thanks!
if I set:
@student hard nproc 50
does this mean that each member of the “student” group will be able to run up to 50 processes, or the maximum number of processes is 50 for any member of the “student” group, i.e. if I have 2 students logged in (that share the same student group) their combined max proc is still 50.
Thanks, really useful. Good job.
Hey,
for me I never got ulimit to work on any of my Centos installation.
my last test was today on a fresh installation of Centos 5.5 64bit:
# ulimit -u
32768
# ulimit -u 30
# ulimit -u
30
and I could still run a fork bomb as a non-root user.
This doesn’t work for daemon processes (redhat linux). The nproc limits are ignored if the parent of the original forking process is 1. Does anybody have a way around that?
How did you measure those limits ?
Are they memory-based ?
In Debian 6 I needed to add the pam_limits.so Module into my session-file.
e.g. session required pam_limits.so conf=/etc/security/limits.conf
then the bomb depleted its resources..
Have fun!
Thanks for the tip!
One step further, to make the server secure :)
Hello,
the limit.conf settings affected SSH sessions only can it be used to control services processes like apache – mysql …etc to limit apache user or mysql user ‘s processes ?
thank you
What does the forkbom then do if you set this configuration? It still can get executed right? Then it will call it self 300 times and then just stop? Or…?!