How to: Prevent a fork bomb by limiting user processes

Earlier, I wrote about a fork bomb. A few readers would like to know how to protect against one:

How do I protect my system from a fork bomb under a Linux system? How to stop a fork bomb on a RHEL or CentOS Linux?

Limiting user processes is important for running a stable system. To limit user processes, add a user name, a group name, or all users to the /etc/security/limits.conf file and impose process limits.

Understanding /etc/security/limits.conf file

Each line describes a limit for a user in the form:
<domain> <type> <item> <value>

  • <domain> can be:
    • a user name
    • a group name, with @group syntax
    • the wildcard *, for default entry
    • the wildcard %, can be also used with %group syntax, for maxlogin limit
  • <type> can have the two values:
    • “soft” for enforcing the soft limits
    • “hard” for enforcing hard limits
  • <item> can be one of the following:
    • core – limits the core file size (KB)
    • data – max data size (KB)
    • fsize – maximum filesize (KB)
    • memlock – max locked-in-memory address space (KB)
    • nofile – max number of open files
    • rss – max resident set size (KB)
    • stack – max stack size (KB)
    • cpu – max CPU time (MIN)
    • nproc – max number of processes
    • as – address space limit
    • maxlogins – max number of logins for this user
    • maxsyslogins – max number of logins on the system
    • priority – the priority to run user process with
    • locks – max number of file locks the user can hold
    • sigpending – max number of pending signals
    • msgqueue – max memory used by POSIX message queues (bytes)
    • nice – max nice priority allowed to raise to
    • rtprio – max realtime priority
    • chroot – change root to directory (Debian-specific)
  • <value> is the limit to apply to the item

Warning: The root user and any process with the CAP_SYS_ADMIN or CAP_SYS_RESOURCE capabilities are not affected by this kind of limitation on a Linux based system.


Log in as root and open the configuration file:
# vi /etc/security/limits.conf
The following entries will prevent a “fork bomb”:
vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200

The above prevents anyone in the student group from having more than 50 processes; the faculty and pusers group limits are set to 100 and 200. Vivek can create only 300 processes. Please note that the KDE and Gnome desktop systems can launch many processes.
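
An added example (not part of the original article): a small audit that parses limits.conf-style lines and reports the nproc entries per domain, flagging any domain with no hard cap, since a user can raise a soft limit up to the hard limit. The function names and sample input are constructed here; handling of the "-" type (which sets both soft and hard) and of unlimited values goes beyond the two types listed above.

```shell
#!/bin/sh
# Constructed sample input: the nproc entries from the article plus a comment line.
sample_limits() {
cat <<'EOF'
# <domain> <type> <item> <value>
vivek    hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers  hard nproc 200
EOF
}

# Read limits.conf-format text on stdin and print one line per domain:
#   <domain> soft=<n|unset> hard=<n|unset> <OK|NO-HARD-CAP|UNLIMITED>
audit_nproc() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        NF >= 4 && $3 == "nproc" {
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
            # type "-" sets both the soft and the hard limit
            if ($2 == "soft" || $2 == "-") soft[$1] = $4
            if ($2 == "hard" || $2 == "-") hard[$1] = $4
        }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                s = (d in soft) ? soft[d] : "unset"
                h = (d in hard) ? hard[d] : "unset"
                # A soft-only entry is not a firm cap: the user can raise it.
                if (h == "unset") v = "NO-HARD-CAP"
                else if (h == "unlimited" || h == "infinity" || h == "-1") v = "UNLIMITED"
                else v = "OK"
                printf "%s soft=%s hard=%s %s\n", d, s, h, v
            }
        }'
}

# Report on the constructed sample; @faculty is flagged because it is soft-only.
sample_limits | audit_nproc
```

To audit a real system, run `audit_nproc < /etc/security/limits.conf`. New limits apply only to sessions started after the change.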

Test it again

Save and close the file. Test your new system by dropping a fork bomb:
$ :(){ :|:& };:

28 comments
  • Anna Jan 13, 2012 @ 21:42

    What does the fork bomb then do if you set this configuration? It still can get executed, right? Then it will call itself 300 times and then just stop? Or…?!

  • kazem Oct 17, 2011 @ 13:35

    The limit.conf settings affected SSH sessions only. Can it be used to control service processes like apache, mysql, etc., to limit the apache user’s or mysql user’s processes?
    Thank you

  • Nilesh Jun 27, 2011 @ 15:22

    Thanks for the tip!
    One step further, to make the server secure 🙂

  • vinterkind May 10, 2011 @ 8:26

    How did you measure those limits?
    Are they memory-based?

    In Debian 6 I needed to add the Module into my session-file.
    e.g. session required conf=/etc/security/limits.conf

    then the bomb depleted its resources..
    Have fun!

  • TimeWeaver Mar 2, 2011 @ 20:49

    This doesn’t work for daemon processes (redhat linux). The nproc limits are ignored if the parent of the original forking process is 1. Does anybody have a way around that?

  • MtK Nov 1, 2010 @ 17:55

    For me, I never got ulimit to work on any of my Centos installations.
    My last test was today on a fresh installation of Centos 5.5 64bit:
    # ulimit -u
    # ulimit -u 30
    # ulimit -u

    and I could still run a fork bomb as a non-root user.

  • David BM Aug 16, 2010 @ 17:14

    Thanks, really useful. Good job.

  • Si Mar 30, 2010 @ 11:28

    Except that only limiting nprocs won’t prevent a fork bomb.
    si hard nproc 2000
    si hard nofile 2000
    si hard core 0
    si hard cpu 1

    Dropping the recursive bomb of :(){ :|:& };: (Expect the web page to mangle the code), caused a lovely:
    pm2l-app058:/etc/security # Feb 28 12:46:51 pm2l-app058 kernel: Unable to handle kernel NULL pointer dereference at 00000000000000f0 RIP:
    Feb 28 12:46:51 pm2l-app058 kernel: {disassociate_ctty+437}
    Feb 28 12:46:51 pm2l-app058 kernel: PGD 0
    Feb 28 12:46:51 pm2l-app058 kernel: Oops: 0002 [1] SMP
    Feb 28 12:46:51 pm2l-app058 kernel: last sysfs file: /devices/pci0000:00/0000:00:00.0/irq
    Feb 28 12:46:51 pm2l-app058 kernel: CPU 3
    Feb 28 12:46:51 pm2l-app058 kernel: Modules linked in: nfs lockd nfs_acl sunrpc ipv6 dock button battery ac apparmor loop usbhid uhci_hcd ehci_hcd bnx2x usbcore ext3 jbd dm_snapshot edd dm_mod fan thermal processor cciss qla2xxx firmware_class scsi_transport_fc sd_mod scsi_mod
    Feb 28 12:46:51 pm2l-app058 kernel: Pid: 14376, comm: bash Not tainted #1
    Feb 28 12:46:51 pm2l-app058 kernel: RIP: 0010:[] {disassociate_ctty+437}
    Feb 28 12:46:51 pm2l-app058 kernel: RSP: 0018:ffff81038d0b9ed8 EFLAGS: 00010246
    Feb 28 12:46:51 pm2l-app058 kernel: RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
    Feb 28 12:46:51 pm2l-app058 kernel: RDX: ffff81035ea0f080 RSI: 000000000000000c RDI: 0000000000000003
    Feb 28 12:46:51 pm2l-app058 kernel: RBP: ffffffff8037ff40 R08: 0000000000003828 R09: 0000000000000000
    Feb 28 12:46:51 pm2l-app058 kernel: R10: ffff8105fe1fa800 R11: ffff810614e8a440 R12: 0000000000003828
    Feb 28 12:46:51 pm2l-app058 kernel: R13: ffff810611884800 R14: 0000000000000000 R15: 0000000000000000
    Feb 28 12:46:51 pm2l-app058 kernel: FS: 0000000000000000(0000) GS:ffff810314857a40(0000) knlGS:0000000000000000
    Feb 28 12:46:51 pm2l-app058 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    Feb 28 12:46:51 pm2l-app058 kernel: CR2: 00000000000000f0 CR3: 0000000000101000 CR4: 00000000000006e0
    Feb 28 12:46:51 pm2l-app058 kernel: Process bash (pid: 14376, threadinfo ffff81038d0b8000, task ffff81061410d080)
    Feb 28 12:46:51 pm2l-app058 kernel: Stack: ffff81061410d71c ffff81061410d71c ffff81061410d080 ffff8103150069c0
    Feb 28 12:46:51 pm2l-app058 kernel: 0000000000000001 ffffffff80137c58 0000000000000007 0000000b0000000e
    Feb 28 12:46:51 pm2l-app058 kernel: 0000000000000000 0000000300000000
    Feb 28 12:46:51 pm2l-app058 kernel: Call Trace: {do_exit+983} {sys_exit_group+0}
    Feb 28 12:46:51 pm2l-app058 kernel: {sys_exit_group+18} {system_call+126}
    Feb 28 12:46:51 pm2l-app058 kernel:
    Feb 28 12:46:51 pm2l-app058 kernel: Code: 48 c7 80 f0 00 00 00 00 00 00 00 48 8b 92 08 02 00 00 48 81
    Feb 28 12:46:51 pm2l-app058 kernel: RIP {disassociate_ctty+437} RSP
    Feb 28 12:46:51 pm2l-app058 kernel: CR2: 00000000000000f0
    Feb 28 12:46:51 pm2l-app058 kernel: Fixing recursive fault but reboot is needed!

  • Mike Pearce Mar 2, 2010 @ 21:21

    if I set:
    @student hard nproc 50

    does this mean that each member of the “student” group will be able to run up to 50 processes, or the maximum number of processes is 50 for any member of the “student” group, i.e. if I have 2 students logged in (that share the same student group) their combined max proc is still 50.

  • Felipe Aug 22, 2009 @ 4:52

    When I use the “cpulimit” program, with appropriate options, I get this error:

    Segmentation fault (core dumped)

    A core dump file is created when I run cpulimit to limit apache (httpd).

    My server is a Core2Quad 64 Bits… maybe because I’m using 64 Bits?


  • divine Aug 14, 2009 @ 12:15

    Can I do it for root user?

    root hard nproc 50

  • Stefan Apke Aug 11, 2009 @ 17:25

    @Samuel Huckins: Hmmm?
    Kubuntu-9.04-alternate-amd64 (encr. ~dir.):
    sudo vi /etc/security/limits.conf
    #@student - maxlogins 4
    lider hard nproc 300

    # End of file
    [ESC] [:][w][q][!]
    Konsole (KDE):
    lider@xbox:~$ :(){ :|:& };:
    [1] 3606
    lider@xbox:~$ bash: fork: Resource temporarily unavailable
    bash: fork: Resource temporarily unavailable
    bash: fork: Resource temporarily unavailable #after a while - nothing bad happened - there were enough resources for [^][c]

    [1]+ Terminated : | :

    After that I became too saucy and tried:
    lider hard nproc 50
    That was a bad idea! Cause in KDE really nothing worked (motto: “Come in and don’t go out any more!”). And I’m not sure if I typed in the Magic SysRq too quickly or if I gave in the wrong types. But: my XServer was *hardly* broken and my *whole* audio-system was totally crashed. I have not had such a heavy break-down in more than 10 years Linux-experience! No chance to fix the problems totally in 2-3 hours! But: I tested it on a pure testing-disc and it didn’t matter for me. If it had been my working-station, my last hair would have faded to grey.

  • Samuel Huckins Jun 11, 2009 @ 2:20

    @Robert Delahunt: While I am on Ubuntu 9.04, your suggestion was the only one that worked. For me setting hard and soft limits for users in /etc/security/limits/conf had no effect. I had to place ulimit -u NUM in /etc/profile for it to stick. Thanks!

  • Robert Delahunt Jan 4, 2009 @ 14:56

    I don’t see any info for doing it without PAM, so here’s some info (for us Slackware people, etc, and others not using PAM):

    Put this in /etc/profile.conf:

    ulimit -u 100

    where this is the limit of processes anyone can run. Be warned that it could cause problems if you don’t know how many typical processes you run, so play with ps aux | wc -l and other stuff to check how many you would need. Cheers!

  • Joshi Dec 3, 2008 @ 18:41

    Hi Sergei,

    I think this can be done via:
    apt-get install cpulimit


  • Sergei Vasilyev Aug 14, 2008 @ 13:09

    I wonder how to limit the number of used CPU cores per user or per user process in the case when the process is multithreaded and the server has multiple CPUs.

  • ATOzTOA Jan 30, 2008 @ 4:19

    Tried the Fork Bomb… Worked perfectly 🙂

  • sandoz Dec 17, 2007 @ 14:03

    Actually soft limits work like hard limits except, that the user can change them up to the hard limit.

    @student soft nproc 30
    @student hard nproc 50

    @students can run 30 processes. After that, starting processes will fail. But a
    ulimit -Su 50
    will make it possible for them to run 50 processes, in that shell until the next logout.

    To make changes work, the user has to log out and log in again. All users already logged in are able to work as before.


  • MaoP Dec 9, 2007 @ 8:39

    man ulimit
    google linux sysctl limit process

  • mastrboy Dec 8, 2007 @ 23:50

    Is there a way to activate these settings on a running system? Currently I have not found any other solution than to reboot to make the settings active 🙁

    (using debian etch)

  • 🐧 nixCraft Nov 28, 2007 @ 12:54
  • JV Nov 28, 2007 @ 12:52

    Is there a reason to limit core dump file sizes? I am usually in the process of doing so mainly because I don’t like to set anything to unlimited.

  • Igor Nov 28, 2007 @ 12:50

    Could you explain how that fork bomb works?

    • Replic May 5, 2014 @ 15:28

      It makes a never-ending row of child processes.
      When it starts, it starts two copies of itself. They do the same, each of them.

      So with n generations it becomes 2^n processes

  • yoooo Nov 28, 2007 @ 7:43

    🙂 thanks for this mini howto

  • 🐧 nixCraft Nov 28, 2007 @ 4:40


    Yup, you are correct about soft and hard limits. For example, the following will prevent anyone in the student group from having more than 50 processes, and a warning will be given at 30 processes.
    @student soft nproc 30
    @student hard nproc 50


    • Adam Ziaja Jan 14, 2012 @ 1:08

      vivek fail… soft doesn’t give a warning, soft works the same as hard, but can do something, you know what? :)

  • RuBiCK Nov 27, 2007 @ 21:55

    Could you tell me what the difference is between hard and soft limits?

    People told me soft is like a warning and hard is the real max limit, but I’m not sure
