How to: Prevent a fork bomb by limiting user process

November 27, 2007 · 28 comments · Last updated November 27, 2007


Earlier I wrote about the fork bomb; a few readers asked how to get protection against such attacks:

How do I protect my system from a fork bomb under Linux?

Limiting user processes is important for running a stable system. To limit processes, add a user name, a group, or all users to the /etc/security/limits.conf file and impose the process limits there.

Understanding /etc/security/limits.conf file

Each line describes a limit for a user in the form:
<domain> <type> <item> <value>
Where:

  • <domain> can be:
    • a user name
    • a group name, with @group syntax
    • the wildcard *, for the default entry
    • the wildcard %, which can also be used with %group syntax, for the maxlogins limit
  • <type> can have two values:
    • "soft" for enforcing soft limits
    • "hard" for enforcing hard limits
  • <item> can be one of the following:
    • core - limits the core file size (KB)
    • data - max data size (KB)
    • fsize - maximum filesize (KB)
    • memlock - max locked-in-memory address space (KB)
    • nofile - max number of open files
    • rss - max resident set size (KB)
    • stack - max stack size (KB)
    • cpu - max CPU time (MIN)
    • nproc - max number of processes
    • as - address space limit
    • maxlogins - max number of logins for this user
    • maxsyslogins - max number of logins on the system
    • priority - the priority to run user process with
    • locks - max number of file locks the user can hold
    • sigpending - max number of pending signals
    • msgqueue - max memory used by POSIX message queues (bytes)
    • nice - max nice priority allowed to raise to
    • rtprio - max realtime priority
    • chroot - change root to directory (Debian-specific)
  • <value> is the limit to apply, in the unit shown for the item

Log in as root and open the configuration file:
# vi /etc/security/limits.conf
The following entries will prevent a "fork bomb":
vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200

The above will prevent anyone in the student group from having more than 50 processes; the faculty and pusers group limits are set to 100 and 200. Vivek can create only 300 processes. Please note that KDE and Gnome desktop systems can launch many processes.

Save and close the file. Test your new system by dropping a fork bomb:
$ :(){ :|:& };:
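Before testing with the bomb itself, a safer check is to resolve what limit the configuration actually gives each user and compare it with how many processes they already run (a desktop session can sit close to a small nproc value). The script below is an added example, not code from the original article or from pam_limits: it reads limits.conf-style lines, resolves the effective nproc value for a user, and flags users in a process snapshot who have reached a given percentage of their hard limit. The precedence it applies (user entry over @group entry over the * default, a "-" type counting as both soft and hard, the last matching line of each class winning) is this script's assumption and should be checked against the pam_limits man page on your distribution. SAMPLE_LIMITS and SAMPLE_COUNTS are constructed inputs; on a live host they would come from /etc/security/limits.conf and from `ps -eo user= | sort | uniq -c`, and user_groups() stands in for `id -Gn USER`.

```shell
#!/bin/sh
# Added example (not from the original article). Resolves the effective nproc
# limit for a user from limits.conf-style lines and reports users whose
# current process count is close to that limit.
#
# Assumptions (this script's own, not pam_limits' documented behaviour):
#   - precedence: user entry > @group entry > * default; "-" type counts as
#     both soft and hard; the last matching line of each class wins
#   - user_groups() stands in for `id -Gn USER`
#   - SAMPLE_COUNTS stands in for `ps -eo user= | sort | uniq -c`

# Constructed configuration mirroring the article's entries.
SAMPLE_LIMITS='# constructed sample of /etc/security/limits.conf
*         hard nproc 1000
@student  soft nproc 30
@student  hard nproc 50
@faculty  soft nproc 100
@pusers   hard nproc 200
vivek     hard nproc 300
'

# Constructed snapshot of "count user" lines, the shape `sort | uniq -c` emits.
SAMPLE_COUNTS='  48 alice
   3 bob
 290 vivek
   7 carol
'

# Constructed group membership (stand-in for `id -Gn "$1"`).
user_groups() {
  case $1 in
    alice) echo "student" ;;
    bob)   echo "faculty" ;;
    vivek) echo "users pusers" ;;
    *)     echo "" ;;
  esac
}

# effective_limit USER "GROUP ..." TYPE ITEM
# Prints the resolved value, or "unlimited" when no line applies.
effective_limit() {
  printf '%s\n' "$SAMPLE_LIMITS" | awk -v user="$1" -v groups="$2" -v type="$3" -v item="$4" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingroup["@" g[i]] = 1 }
    $1 ~ /^#/ || NF < 4 { next }            # skip comments and short lines
    ($2 == type || $2 == "-") && $3 == item {
      if ($1 == user)         { ulim = $4; have_u = 1 }
      else if ($1 in ingroup) { glim = $4; have_g = 1 }
      else if ($1 == "*")     { dlim = $4; have_d = 1 }
    }
    END {
      if (have_u) print ulim
      else if (have_g) print glim
      else if (have_d) print dlim
      else print "unlimited"
    }'
}

# nproc_headroom PCT
# Prints "USER COUNT LIMIT" for every user in the snapshot whose process count
# has reached PCT percent of that user's hard nproc limit.
nproc_headroom() {
  pct=$1
  printf '%s\n' "$SAMPLE_COUNTS" | while read -r count user; do
    [ -n "$user" ] || continue
    limit=$(effective_limit "$user" "$(user_groups "$user")" hard nproc)
    [ "$limit" = unlimited ] && continue
    if [ $((count * 100)) -ge $((limit * pct)) ]; then
      printf '%s %s %s\n' "$user" "$count" "$limit"
    fi
  done
}

# Stand-alone run: report users at or above 90% of their limit.
nproc_headroom 90
```

With the constructed data the run reports alice (48 of 50) and vivek (290 of 300), which is the kind of user for whom a desktop login would start failing with "fork: Resource temporarily unavailable". The script only reads the configuration; it does not confirm that pam_limits.so is actually in the PAM session stack, which is why the limits can appear to have no effect on some installations.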


28 comments

1 RuBiCK November 27, 2007 at 9:55 pm

Could you tell me what the difference is between hard and soft limits?

People told me soft is like warning and hard is real max limit, but I’m not sure

2 nixCraft November 28, 2007 at 4:40 am

@RuBiCK,

Yup, you are correct about soft and hard limits. For example, the following will prevent anyone in the student group from having more than 50 processes, and a warning will be given at 30 processes.
@student soft nproc 30
@student hard nproc 50

HTH

3 Adam Ziaja January 14, 2012 at 1:08 am

vivek fail… soft doesn’t give a warning, soft works the same as hard, but you can do something, you know what?:)

4 yoooo November 28, 2007 at 7:43 am

:) thanks for this mini howto

5 Igor November 28, 2007 at 12:50 pm

Could you explain how that fork bomb works?

6 Replic May 5, 2014 at 3:28 pm

It makes a never-ending row of child processes.
When it starts, it starts two copies of itself. Each of them does the same.

So with n generations it becomes 2^n processes.

7 JV November 28, 2007 at 12:52 pm

Is there a reason to limit core dump file sizes? I am usually in the process of doing so, mainly because I don’t like to set anything to unlimited.

8 nixCraft November 28, 2007 at 12:54 pm

9 mastrboy December 8, 2007 at 11:50 pm

Is there a way to activate these settings on a running system? Currently I have not found any other solution than to reboot to make the settings active :(

(using debian etch)

10 MaoP December 9, 2007 at 8:39 am

man ulimit
google linux sysctl limit proccess

11 sandoz December 17, 2007 at 2:03 pm

Actually, soft limits work like hard limits, except that the user can change them up to the hard limit.

Say:
@student soft nproc 30
@student hard nproc 50

@students can run 30 processes. After that, starting processes will fail. But an
ulimit -Su 50
will make it possible for them to run 50 processes, in that shell until the next logout.

To make changes work, the user has to log out and log in again. All users already logged in are able to work as before.

sandoz

12 ATOzTOA January 30, 2008 at 4:19 am

Tried the fork bomb… Worked perfectly :)

13 Sergei Vasilyev August 14, 2008 at 1:09 pm

I wonder how to limit the number of used CPU cores per user or per user process in the case when the process is multithreaded and the server has multiple CPUs.

14 Joshi December 3, 2008 at 6:41 pm

Hi Sergei,

I think this can be done via:
apt-get install cpulimit

cheers
joshi

15 Robert Delahunt January 4, 2009 at 2:56 pm

I don’t see any info for doing it without PAM, so here’s some info (for us Slackware people, etc, and others not using PAM):

Put this in /etc/profile.conf:

ulimit -u 100

where this is the limit of processes anyone can run. Be warned that it could cause problems if you don’t know how many processes you typically run, so play with ps aux | wc -l and other stuff to check how many you would need. Cheers!

16 Samuel Huckins June 11, 2009 at 2:20 am

@Robert Delahunt: While I am on Ubuntu 9.04, your suggestion was the only one that worked. For me, setting hard and soft limits for users in /etc/security/limits.conf had no effect. I had to place ulimit -u NUM in /etc/profile for it to stick. Thanks!

17 Stefan Apke August 11, 2009 at 5:25 pm

@Samuel Huckins: Hmmm?
Kubuntu-9.04-alternate-amd64 (encr. ~dir.):
sudo vi /etc/security/limits.conf
[i]
...
#@student - maxlogins 4
lider hard nproc 300

# End of file
[ESC] [:][w][q][!]
Reboot!
Konsole (KDE):
lider@xbox:~$ :(){ :|:& };:
[1] 3606
lider@xbox:~$ bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
...
bash: fork: Resource temporarily unavailable #after a while - nothing bad happened - there were enough resources for [^][c]

[1]+ Terminated : | :
lider@xbox:~$

After that I became too saucy and tried:
lider hard nproc 50
That was a bad idea! Because in KDE really nothing worked (motto: “Come in and don’t go out any more!”). And I’m not sure if I typed the Magic SysRq too quickly or if I gave the wrong keys. But: my XServer was *hardly* broken and my *whole* audio system was totally crashed. I have not had such a heavy breakdown in more than 10 years of Linux experience! No chance to fix the problems totally in 2-3 hours! But: I tested it on a pure testing disc and it didn’t matter for me. If it had been my workstation, my last hair would have faded to grey.

18 divine August 14, 2009 at 12:15 pm

Can I do it for the root user?

root hard nproc 50

19 Felipe August 22, 2009 at 4:52 am

When I use the “cpulimit” program, with appropriate options, I get this error:

Segmentation fault (core dumped)

A core dump file is created when I run cpulimit to limit apache (httpd).

My server is a Core2Quad 64-bit… maybe because I’m using 64-bit?

Thanks!

20 Mike Pearce March 2, 2010 at 9:21 pm

if I set:
@student hard nproc 50

does this mean that each member of the “student” group will be able to run up to 50 processes, or the maximum number of processes is 50 for any member of the “student” group, i.e. if I have 2 students logged in (that share the same student group) their combined max proc is still 50.

21 Si March 30, 2010 at 11:28 am

Except that only limiting nprocs won’t prevent a fork bomb.
limits.conf
si hard nproc 2000
si hard nofile 2000
si hard core 0
si hard cpu 1

Dropping the recursive bomb of :(){ :|:& };: (expect the web page to mangle the code) caused a lovely:
pm2l-app058:/etc/security # Feb 28 12:46:51 pm2l-app058 kernel: Unable to handle kernel NULL pointer dereference at 00000000000000f0 RIP:
Feb 28 12:46:51 pm2l-app058 kernel: {disassociate_ctty+437}
Feb 28 12:46:51 pm2l-app058 kernel: PGD 0
Feb 28 12:46:51 pm2l-app058 kernel: Oops: 0002 [1] SMP
Feb 28 12:46:51 pm2l-app058 kernel: last sysfs file: /devices/pci0000:00/0000:00:00.0/irq
Feb 28 12:46:51 pm2l-app058 kernel: CPU 3
Feb 28 12:46:51 pm2l-app058 kernel: Modules linked in: nfs lockd nfs_acl sunrpc ipv6 dock button battery ac apparmor loop usbhid uhci_hcd ehci_hcd bnx2x usbcore ext3 jbd dm_snapshot edd dm_mod fan thermal processor cciss qla2xxx firmware_class scsi_transport_fc sd_mod scsi_mod
Feb 28 12:46:51 pm2l-app058 kernel: Pid: 14376, comm: bash Not tainted 2.6.16.60-0.59.1-smp #1
Feb 28 12:46:51 pm2l-app058 kernel: RIP: 0010:[] {disassociate_ctty+437}
Feb 28 12:46:51 pm2l-app058 kernel: RSP: 0018:ffff81038d0b9ed8 EFLAGS: 00010246
Feb 28 12:46:51 pm2l-app058 kernel: RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
Feb 28 12:46:51 pm2l-app058 kernel: RDX: ffff81035ea0f080 RSI: 000000000000000c RDI: 0000000000000003
Feb 28 12:46:51 pm2l-app058 kernel: RBP: ffffffff8037ff40 R08: 0000000000003828 R09: 0000000000000000
Feb 28 12:46:51 pm2l-app058 kernel: R10: ffff8105fe1fa800 R11: ffff810614e8a440 R12: 0000000000003828
Feb 28 12:46:51 pm2l-app058 kernel: R13: ffff810611884800 R14: 0000000000000000 R15: 0000000000000000
Feb 28 12:46:51 pm2l-app058 kernel: FS: 0000000000000000(0000) GS:ffff810314857a40(0000) knlGS:0000000000000000
Feb 28 12:46:51 pm2l-app058 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Feb 28 12:46:51 pm2l-app058 kernel: CR2: 00000000000000f0 CR3: 0000000000101000 CR4: 00000000000006e0
Feb 28 12:46:51 pm2l-app058 kernel: Process bash (pid: 14376, threadinfo ffff81038d0b8000, task ffff81061410d080)
Feb 28 12:46:51 pm2l-app058 kernel: Stack: ffff81061410d71c ffff81061410d71c ffff81061410d080 ffff8103150069c0
Feb 28 12:46:51 pm2l-app058 kernel: 0000000000000001 ffffffff80137c58 0000000000000007 0000000b0000000e
Feb 28 12:46:51 pm2l-app058 kernel: 0000000000000000 0000000300000000
Feb 28 12:46:51 pm2l-app058 kernel: Call Trace: {do_exit+983} {sys_exit_group+0}
Feb 28 12:46:51 pm2l-app058 kernel: {sys_exit_group+18} {system_call+126}
Feb 28 12:46:51 pm2l-app058 kernel:
Feb 28 12:46:51 pm2l-app058 kernel: Code: 48 c7 80 f0 00 00 00 00 00 00 00 48 8b 92 08 02 00 00 48 81
Feb 28 12:46:51 pm2l-app058 kernel: RIP {disassociate_ctty+437} RSP
Feb 28 12:46:51 pm2l-app058 kernel: CR2: 00000000000000f0
Feb 28 12:46:51 pm2l-app058 kernel: Fixing recursive fault but reboot is needed!

22 David BM August 16, 2010 at 5:14 pm

Thanks, really useful. Good job.

23 MtK November 1, 2010 at 5:55 pm

Hey,
For me, I never got ulimit to work on any of my CentOS installations.
My last test was today on a fresh installation of CentOS 5.5 64-bit:
# ulimit -u
32768
# ulimit -u 30
# ulimit -u
30

and I could still run a fork bomb as a non-root user.

24 TimeWeaver March 2, 2011 at 8:49 pm

This doesn’t work for daemon processes (redhat linux). The nproc limits are ignored if the parent of the original forking process is 1. Does anybody have a way around that?

25 vinterkind May 10, 2011 at 8:26 am

How did you measure those limits?
Are they memory-based?

In Debian 6 I needed to add the pam_limits.so Module into my session-file.
e.g. session required pam_limits.so conf=/etc/security/limits.conf

then the bomb depleted its resources..
Have fun!

26 Nilesh June 27, 2011 at 3:22 pm

Thanks for the tip!
One step further, to make the server secure :)

27 kazem October 17, 2011 at 1:35 pm

Hello,
The limits.conf settings affected SSH sessions only. Can it be used to control service processes like apache, mysql, etc., to limit the apache user’s or mysql user’s processes?
thank you

28 Anna January 13, 2012 at 9:42 pm

What does the fork bomb then do if you set this configuration? It can still get executed, right? Then it will call itself 300 times and then just stop? Or…?!
