Howto prevent fork bombing

Posted on 2005-03-18
Medium Priority
Last Modified: 2008-03-10
Hi all

I just read this article [1] about Linux boxes that (with the exception of a few) are vulnerable by default to fork bombing.

Can anybody help me configure my machines to prevent faulty programs and malicious users from bringing down the box with something as simple as fork bombs?

With kind regards

Ramses (x_terminat_or_3)
Question by:x_terminat_or_3

Author Comment

ID: 13580930
LVL 38

Accepted Solution

wesly_chen earned 2000 total points
ID: 13581013

    It's good to know about the security issue about Linux.

    It seems that you need to check "ulimit" and make sure there is no "unlimit" for processes. Then put it in /etc/profile or /etc/cshrc (or /etc/.login) to prevent this problem.

    However, it depends on the application or how powerful your Linux server is. Some web server or database software needs a higher process limit to run without problems. Just be careful when you set ulimit.



Author Comment

ID: 13581040
I see here that an unprivileged account has the ulimit's max processes set to 8192.

What kind of user needs 8192 concurrent processes running?

It isn't mentioned in the man pages, but does the restriction set by ulimit apply to ALL users, or does it have to be set on a per-user basis?

Kind regards


Registered Linux User Number 379093
Now listening to Milk Inc. - Cream
Feel free to check out these few
php utilities that I released under the GPL2 and
that are meant for use with a php cli binary:

LVL 38

Expert Comment

ID: 13581050

   Set it in /etc/profile, /etc/cshrc and (/etc/.login ? not with Linux at this moment) so every user login will be set. Option (-h) will be the "hard" limit, so the user cannot use "ulimit" to reset it.


Author Comment

ID: 13581527
This is the current setting I found in /etc/profile

ulimit -S -c 0 > /dev/null 2>&1

This produces the following max:

core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
pending signals                 (-i) 1024
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8180
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

I want to set some reasonable defaults. Has anybody run into users that require more than a few hundred concurrent processes running (as opposed to 8192)?


Author Comment

ID: 13582267
OK, that last question was more rhetorical...

Works for me. Thanks!

Question has a verified solution.
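
The approach from the accepted answer, as an added example that is not part of the original thread: a snippet for /etc/profile that caps regular users' processes with both a soft and a hard limit while leaving root and service accounts alone, plus a check that flags a loose value in `ulimit -a` output. The cap of 300, the UID boundary of 1000 and the function names are assumptions; the flags are bash's (`-u` for processes, `-S`/`-H` for soft/hard).

```bash
# Added example for /etc/profile (bash flags: -u processes, -S soft, -H hard).
# Assumed values, not from the thread: cap of 300, regular accounts from UID 1000.
USER_NPROC=300
FIRST_USER_UID=1000

# Print the limit to apply for a UID given its current hard limit,
# or "skip" for root and service accounts (web/database daemons may need more).
nproc_limit_for() {
    uid=$1; hard=$2
    if [ "$uid" -lt "$FIRST_USER_UID" ]; then echo skip; return 0; fi
    case $hard in
        ''|*[!0-9]*) echo "$USER_NPROC" ;;        # "unlimited": impose the cap
        *) if [ "$hard" -lt "$USER_NPROC" ]; then
               echo "$hard"                       # already stricter: keep it
           else
               echo "$USER_NPROC"
           fi ;;
    esac
}

# Apply the cap to the current shell; every child process inherits it.
apply_nproc_limit() {
    limit=$(nproc_limit_for "$(id -u)" "$(ulimit -H -u)")
    if [ "$limit" = skip ]; then return 0; fi
    # Lower the soft limit first, then lock it in with the hard limit.
    ulimit -S -u "$limit" && ulimit -H -u "$limit"
}

# Audit: read `ulimit -a` text on stdin and flag a missing or loose process limit.
audit_nproc() {
    value=$(sed -n 's/^max user processes.*) *//p')
    case $value in
        ''|*[!0-9]*) echo "WARN nproc=${value:-missing}" ;;
        *) if [ "$value" -gt "$USER_NPROC" ]; then
               echo "WARN nproc=$value"
           else
               echo "OK nproc=$value"
           fi ;;
    esac
}

# Constructed sample: two lines in the format of the `ulimit -a` output quoted above.
SAMPLE='open files                      (-n) 1024
max user processes              (-u) 8180'
printf '%s\n' "$SAMPLE" | audit_nproc

# In the real profile, the last line would be:  apply_nproc_limit
```

A limit set from a login profile only binds sessions that actually read that file. Once the hard limit is lowered, an unprivileged user cannot raise it again in that session.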
