How to prevent fork bombing

Posted on 2005-03-18
Last Modified: 2008-03-10
Hi all

I just read this article [1] about Linux boxes that (with the exception of a few) are vulnerable by default to fork bombing.

Can anybody help me configure my machines to prevent faulty programs and malicious users from bringing down the box with something as simple as fork bombs?


With kind regards


Ramses (x_terminat_or_3)
Question by:x_terminat_or_3

Author Comment

by:x_terminat_or_3
ID: 13580930

Accepted Solution

by: wesly_chen earned 2000 total points
ID: 13581013
Hi,

    It's good to know about the security issue about Linux.

    It seems that you need to check "ulimit" and make sure there is no "unlimit" for process. And then put it in /etc/profile or /etc/cshrc (or /etc/.login) to prevent this problem.

    However, it depends on the application or how powerful your Linux server is. Some Web server or database software needs a higher process limit to run without problems. Just be careful when you set ulimit.

Regards,

Wesly

Author Comment

by:x_terminat_or_3
ID: 13581040
I see here that an unprivileged account has the ulimit's max processes set to 8192

What kind of user needs 8192 concurrent processes running?

It isn't mentioned in the man pages, but does the restriction set by ulimit apply to ALL users, or does it have to be set on a per-user basis?


Kind regards


Ramses


--
Registered Linux User Number 379093
Now listening to Milk Inc. - Cream
--
Feel free to check out these few
php utilities that I released under the GPL2 and
that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--

Expert Comment

by:wesly_chen
ID: 13581050
Hi,

   Set in /etc/profile, /etc/cshrc and (/etc/.login ? not with Linux at this moment) so every user login will be set. Option (-h) will be "hard" limit so user can not use "ulimit" to reset it.

Wesly

Author Comment

by:x_terminat_or_3
ID: 13581527
This is the current setting I found in /etc/profile

ulimit -S -c 0 > /dev/null 2>&1


This produces the following max:


core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
pending signals                 (-i) 1024
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8180
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

I want to set some reasonable defaults.  Has anybody run into users that require more than a few hundred concurrent processes running? (as opposed to 8192)


Author Comment

by:x_terminat_or_3
ID: 13582267
Ok that last question was more rhetorical...



Works for me  Thanks!
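
An added example, not part of the thread: a POSIX shell check that reads `ulimit -a` output like the listing posted above, flags a "max user processes" value above a chosen ceiling, and prints the /etc/profile lines for a soft and a hard cap. The ceiling of 300, the soft value of 200 and the function names are assumptions; bash spells the hard-limit flag `-H`.

```shell
#!/bin/sh
# Added example, not code from the thread. CEILING, the soft value and all
# function names are assumptions chosen for illustration.

# Print the "max user processes" value found in `ulimit -a` output on stdin.
nproc_from_ulimit_a() {
    while IFS= read -r line; do
        case $line in
            "max user processes"*) printf '%s\n' "${line##* }"; return 0 ;;
        esac
    done
    return 1   # no such line in the input
}

# Classify a limit ($1) against a ceiling ($2): OK, WARN (too high), FAIL (unlimited).
check_nproc() {
    case $1 in
        unlimited)   printf 'FAIL: max user processes is unlimited\n' ;;
        ''|*[!0-9]*) printf 'ERROR: cannot parse value "%s"\n' "$1"; return 2 ;;
        *)  if [ "$1" -gt "$2" ]; then
                printf 'WARN: max user processes %s exceeds ceiling %s\n' "$1" "$2"
            else
                printf 'OK: max user processes %s within ceiling %s\n' "$1" "$2"
            fi ;;
    esac
}

# Emit the lines to append to /etc/profile ($1 = soft, $2 = hard). The soft
# limit is lowered first, because setrlimit rejects a hard limit that is
# below the current soft limit.
profile_lines() {
    [ "$1" -le "$2" ] || { echo 'soft limit must not exceed hard limit' >&2; return 1; }
    printf 'ulimit -S -u %s\nulimit -H -u %s\n' "$1" "$2"
}

# Two lines of the `ulimit -a` output posted in the thread.
SAMPLE='open files                      (-n) 1024
max user processes              (-u) 8180'

CEILING=300   # assumed site policy ("a few hundred" processes per user)
value=$(printf '%s\n' "$SAMPLE" | nproc_from_ulimit_a)
check_nproc "$value" "$CEILING"
profile_lines 200 "$CEILING"
# Live use in bash: ulimit -a | nproc_from_ulimit_a
```

Limits set in /etc/profile reach only sh-family login shells, so processes started any other way keep whatever limit they inherited.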