How to: Prevent a fork bomb by limiting user processes

Earlier, I wrote about a fork bomb. A few readers would like to know how to get protection against a fork bomb:

How do I protect my system from a fork bomb under a Linux system? How to stop a fork bomb on a RHEL or CentOS Linux?

Limiting user processes is important for running a stable system. To limit user processes, add a user name, a group name, or all users to the /etc/security/limits.conf file and impose a process limit there.

Understanding the /etc/security/limits.conf file

Each line describes a limit for a user in the form:
<domain> <type> <item> <value>
Where:

  • <domain> can be:
    • a user name
    • a group name, with the @group syntax
    • the wildcard *, for the default entry
    • the wildcard %, which can also be used as %group, for the maxlogins limit
  • <type> can have two values:
    • “soft” for enforcing soft limits
    • “hard” for enforcing hard limits
  • <item> can be one of the following:
    • core – limits the core file size (KB)
    • data – max data size (KB)
    • fsize – maximum file size (KB)
    • memlock – max locked-in-memory address space (KB)
    • nofile – max number of open files
    • rss – max resident set size (KB)
    • stack – max stack size (KB)
    • cpu – max CPU time (minutes)
    • nproc – max number of processes
    • as – address space limit
    • maxlogins – max number of logins for this user
    • maxsyslogins – max number of logins on the system
    • priority – the priority to run user processes with
    • locks – max number of file locks the user can hold
    • sigpending – max number of pending signals
    • msgqueue – max memory used by POSIX message queues (bytes)
    • nice – max nice priority allowed to raise to
    • rtprio – max realtime priority
    • chroot – change root to directory (Debian-specific)
  • <value> is the limit to apply to the chosen item

Warning: This has no effect on the root user. Any process with the CAP_SYS_ADMIN or CAP_SYS_RESOURCE capability is likewise not affected by this kind of limit on a Linux based system.

Configuration

Log in as root and open the configuration file:
# vi /etc/security/limits.conf
The following entries limit the number of processes per user or group and so stop a “fork bomb”:
vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200

The entries above prevent anyone in the student group from having more than 50 processes; the faculty group gets a soft limit of 100 and the pusers group a hard limit of 200, and the user vivek can create only 300 processes. Please note that a KDE or GNOME desktop session launches many processes, so set the limit high enough for desktop users.
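The matching rules behind those entries are easy to get wrong: a line naming the user beats a @group line, a @group line beats the * default, and among lines of the same kind the last one wins. The script below is an added example, not code from the original article; it resolves the effective nproc value for a user from a constructed limits.conf text made of the four entries above plus two assumed * default lines. The precedence it models is an assumption about how pam_limits applies the file, and the user names bob, alice and carol are made up for the checks.

```shell
#!/bin/sh
# Resolve the effective per-user limit from limits.conf-style text.
# Added example, not part of the original article. The precedence modelled
# (user entry > @group entry > "*" default; last line wins within a class)
# is an assumption about pam_limits behaviour.

# Constructed sample: the article's four entries plus two assumed "*" defaults.
SAMPLE_LIMITS='# /etc/security/limits.conf (constructed sample)
*        soft nproc 1024
*        hard nproc 4096
vivek    hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers  hard nproc 200
'

# resolve_limit ITEM TYPE USER [GROUP...]
# Prints the <value> of <item>/<type> that applies to USER, who belongs to
# the listed groups. Returns 1 when no entry matches.
resolve_limit() {
  item=$1; type=$2; user=$3; shift 3
  grps=$*
  best_val=""; best_rank=99
  while read -r domain ltype litem lval; do
    # skip blank lines and comments
    case "$domain" in ''|\#*) continue ;; esac
    [ "$ltype" = "$type" ] && [ "$litem" = "$item" ] || continue
    # rank the domain: 0 exact user, 1 one of the user's groups, 2 wildcard
    rank=99
    if [ "$domain" = "$user" ]; then
      rank=0
    elif [ "$domain" = '*' ]; then
      rank=2
    else
      case "$domain" in
        @*) g=${domain#@}
            for ug in $grps; do
              [ "$ug" = "$g" ] && rank=1
            done ;;
      esac
    fi
    [ "$rank" -eq 99 ] && continue             # entry is for someone else
    [ "$rank" -le "$best_rank" ] || continue   # a stronger match already won
    best_rank=$rank; best_val=$lval            # same-rank later line overrides
  done <<EOF
$SAMPLE_LIMITS
EOF
  [ -n "$best_val" ] || return 1
  printf '%s\n' "$best_val"
}

# Demo: who ends up with which hard nproc limit?
for who in "vivek" "bob student" "alice faculty pusers" "carol"; do
  set -- $who
  printf '%-22s hard nproc = %s\n' "$who" "$(resolve_limit nproc hard "$@")"
done
```

Run it with sh to see vivek at 300, bob (group student) at 50, alice (groups faculty and pusers) at 200 and carol, who matches nothing but the wildcard, at 4096. When a limit seems not to apply on a current distribution, also check /etc/security/limits.d/*.conf, which pam_limits reads after the main file.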

Test it again

Save and close the file, then log out and log in again, because the new limits only apply to sessions started after the change. Test the limit by dropping a fork bomb:
$ :(){ :|:& };:
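Before reaching for the fork bomb, it is cheaper to check whether the session can be limited at all: root is exempt (see the warning above), a shell opened before the edit still carries its old limits, and on some systems pam_limits.so, the module that actually reads limits.conf, is not in the PAM session stack. The pre-flight script below is an added example, not code from the original article; it assumes the PAM configuration lives under /etc/pam.d unless another directory is passed as the first argument.

```shell
#!/bin/sh
# Pre-flight check for a login session before testing a process limit.
# Added example; not part of the original article.

# pam_limits_enabled PAMDIR
# Succeeds if any active (not commented out) "session" line in PAMDIR loads
# pam_limits.so; without it /etc/security/limits.conf is never read.
pam_limits_enabled() {
  dir=$1
  grep -q '^[[:space:]]*-*session[[:space:]].*pam_limits\.so' "$dir"/* 2>/dev/null
}

# nproc_limits: print the soft and hard per-user process limits of this shell.
nproc_limits() {
  printf 'soft=%s hard=%s\n' "$(ulimit -S -u)" "$(ulimit -H -u)"
}

# limit_applies_to_uid UID: uid 0 (root) is not subject to the nproc limit.
limit_applies_to_uid() {
  [ "$1" -ne 0 ]
}

# preflight [PAMDIR]: report what a fork-bomb test in this session would show.
preflight() {
  pamdir=${1:-/etc/pam.d}          # assumed default location of PAM config
  uid=$(id -u)
  if limit_applies_to_uid "$uid"; then
    echo "uid $uid: nproc limit applies to this session; $(nproc_limits)"
  else
    echo "uid 0: root is exempt from the nproc limit; test as an ordinary user"
  fi
  if pam_limits_enabled "$pamdir"; then
    echo "pam_limits.so is loaded by a session line under $pamdir"
  else
    echo "no active session line loads pam_limits.so under $pamdir; limits.conf will be ignored"
  fi
}

preflight "$@"
```

If the script reports a hard limit of "unlimited" or that pam_limits.so is missing, fix that first; a fork bomb run in such a session only proves that nothing is limiting it.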

28 comments
  • Anna Jan 13, 2012 @ 21:42

    What does the fork bomb then do if you set this configuration? It still can get executed, right? Then it will call itself 300 times and then just stop? Or…?!

  • kazem Oct 17, 2011 @ 13:35

    Hello,
    The limits.conf settings affected SSH sessions only. Can it be used to control service processes like apache, mysql, etc., to limit the apache user's or mysql user's processes?
    thank you

  • Nilesh Jun 27, 2011 @ 15:22

    Thanks for the tip!
    One step further, to make the server secure 🙂

  • vinterkind May 10, 2011 @ 8:26

    How did you measure those limits ?
    Are they memory-based ?

    In Debian 6 I needed to add the pam_limits.so Module into my session-file.
    e.g. session required pam_limits.so conf=/etc/security/limits.conf

    then the bomb depleted its resources..
    Have fun!

  • TimeWeaver Mar 2, 2011 @ 20:49

    This doesn’t work for daemon processes (redhat linux). The nproc limits are ignored if the parent of the original forking process is 1. Does anybody have a way around that?

  • MtK Nov 1, 2010 @ 17:55

    Hey,
    For me, I never got ulimit to work on any of my CentOS installations.
    My last test was today on a fresh installation of CentOS 5.5 64-bit:
    # ulimit -u
    32768
    # ulimit -u 30
    # ulimit -u
    30

    and I could still run a fork bomb as a non-root user.
