How to prevent fork bombing

Hi all

I just read this article [1] about Linux boxes that (with the exception of a few) are vulnerable by default to fork bombing.

Can anybody help me configure my machines to prevent faulty programs and malicious users from bringing down the box with something as simple as a fork bomb?


With kind regards


Ramses (x_terminat_or_3)
wesly_chen Commented:
Hi,

    It's good to know about this security issue with Linux.

    It seems that you need to check "ulimit" and make sure there is no "unlimited" for processes. Then put it in /etc/profile
or /etc/cshrc (or /etc/.login) to prevent this problem.

    However, it depends on the application or on how powerful your Linux server is. Some Web server or database
software needs a higher process limit to run without problems. Just be careful when you set ulimit.

Regards,

Wesly
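As an added example (not written by anyone in this thread), here is a small POSIX shell audit that does the check Wesly describes: it pulls the "max user processes" value out of bash-style `ulimit -a` output (the constructed sample mirrors the format pasted later in this thread) and reports whether it is unlimited or above a ceiling, and it can also query the live shell's soft and hard limits with ulimit -S -u / ulimit -H -u. The ceiling of 1024 is an arbitrary assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "max user processes" limit.
# Works on saved bash-style `ulimit -a` output (the format pasted in the
# thread) and on the live shell via `ulimit -S -u` / `ulimit -H -u`.
# Usage for a live check: sh audit-nproc.sh 1024

# Constructed sample in the format bash prints; 8180 mirrors the thread.
SAMPLE_ULIMIT_OUTPUT='core file size          (blocks, -c) 0
open files                      (-n) 1024
max user processes              (-u) 8180
virtual memory          (kbytes, -v) unlimited'

# Print the value from the "max user processes" line of ulimit -a text on
# stdin; exit 1 if no such line is present.
nproc_from_ulimit_output() {
    awk '/^max user processes/ { print $NF; found = 1 }
         END { if (!found) exit 1 }'
}

# nproc_verdict VALUE CEILING -> "unlimited", "high", "ok" or "unknown"
nproc_verdict() {
    value=$1
    ceiling=$2
    case "$value" in
        unlimited)    echo unlimited ;;
        ''|*[!0-9]*)  echo unknown ;;          # missing or not a number
        *) if [ "$value" -gt "$ceiling" ]; then echo high; else echo ok; fi ;;
    esac
}

# audit_ulimit_text CEILING: verdict for saved ulimit -a text on stdin,
# e.g. output collected from many hosts.
audit_ulimit_text() {
    value=$(nproc_from_ulimit_output) || value=''
    nproc_verdict "$value" "$1"
}

# audit_live_nproc CEILING: check this shell's soft and hard limits.
# Returns 0 only when both are within the ceiling.
audit_live_nproc() {
    ceiling=${1:-1024}
    soft=$(ulimit -S -u 2>/dev/null) || soft=''
    hard=$(ulimit -H -u 2>/dev/null) || hard=''
    sv=$(nproc_verdict "$soft" "$ceiling")
    hv=$(nproc_verdict "$hard" "$ceiling")
    echo "max user processes: soft=$soft ($sv) hard=$hard ($hv) ceiling=$ceiling"
    [ "$sv" = ok ] && [ "$hv" = ok ]
}

# Stand-alone run: audit the current shell when a ceiling is given as $1.
if [ "$#" -gt 0 ]; then
    audit_live_nproc "$1"
fi
```

The hard limit is checked as well as the soft one because a soft limit alone is no protection: any process may raise its own soft limit back up to the hard limit, so a fork bomb run from a shell that only had a soft limit simply raises it first.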

x_terminat_or_3 (Author) Commented:
I see here that an unprivileged account has ulimit's max processes set to 8192.

What kind of user needs 8192 concurrent processes running?

It isn't mentioned in the man pages, but does the restriction set by ulimit apply to ALL users, or does it have to be set on a per-user basis?


Kind regards


Ramses


--
Registered Linux User Number 379093
Now listening to Milk Inc. - Cream
--
Feel free to check out these few
php utilities that I released under the GPL2 and
that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--
wesly_chen Commented:
Hi,

   Set it in /etc/profile, /etc/cshrc and (/etc/.login? not with Linux at this moment) so it is applied at every user login.
The option (-h) sets a "hard" limit so the user cannot use "ulimit" to reset it.

Wesly
x_terminat_or_3 (Author) Commented:
This is the current setting I found in /etc/profile:

    ulimit -S -c 0 > /dev/null 2>&1

This produces the following max:

    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 1024
    max locked memory       (kbytes, -l) 32
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    stack size              (kbytes, -s) 8192
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) 8180
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited

I want to set some reasonable defaults. Has anybody run into users that require more than a few hundred concurrent processes running? (as opposed to 8192)
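An added example, not written by anyone in this thread, covering the two points raised above: why the hard limit matters, and how a login-time snippet can apply different limits per account (which is how the per-user question is usually answered in practice). Note that in bash and dash the hard-limit switch is the upper-case -H and the soft-limit switch is -S. The first function lowers both limits in a subshell and verifies that the soft limit can no longer be raised above the hard one; the second is a policy function with a constructed exemption list (www-data and postgres get 4096, everyone else 1024, root is left alone, in the spirit of the web server/database caveat earlier in the thread) that a hypothetical /etc/profile.d/nproc-limit.sh could call. The account names, limit values and that file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Shows (1) that a hard limit is a
# ceiling the user cannot raise again, and (2) a per-account policy a
# login snippet can apply. Names, numbers and paths are assumptions.
# Stand-alone demo: sh nproc-limit.sh demo

# Lower the soft and hard "max user processes" limits inside a subshell and
# try to raise the soft limit back above the hard one. Returns 0 when the
# raise is refused (expected), 1 if it succeeds, 2 if lowering itself failed.
# The subshell keeps the caller's own limits untouched.
show_hard_limit_is_a_ceiling() {
    (
        cur=$(ulimit -S -u)
        case "$cur" in
            unlimited|'') target=4096 ;;
            *) if [ "$cur" -gt 4096 ]; then target=4096; else target=$cur; fi ;;
        esac
        ulimit -S -u "$target" || exit 2    # lowering a soft limit always works
        ulimit -H -u "$target" || exit 2    # lowering a hard limit always works
        if ulimit -S -u "$((target + 1))" 2>/dev/null; then
            exit 1                          # soft above hard: must be refused
        fi
        exit 0
    )
}

DEFAULT_NPROC=1024                            # assumption: ordinary logins
NPROC_EXEMPT="www-data:4096 postgres:4096"    # assumption: service accounts

# nproc_limit_for USER UID -> limit to apply, or "none" for root (uid 0)
nproc_limit_for() {
    user=$1
    uid=$2
    if [ "$uid" -eq 0 ]; then
        echo none
        return 0
    fi
    for entry in $NPROC_EXEMPT; do
        case "$entry" in
            "$user":*) echo "${entry#*:}"; return 0 ;;
        esac
    done
    echo "$DEFAULT_NPROC"
}

# What the hypothetical /etc/profile.d/nproc-limit.sh would run at login:
# apply the policy limit as both soft and hard so the user cannot undo it.
# Fails (returns 1) if an already lower hard limit prevents setting it.
apply_login_nproc_limit() {
    limit=$(nproc_limit_for "$(id -un)" "$(id -u)")
    [ "$limit" = none ] && return 0
    ulimit -S -u "$limit" 2>/dev/null || return 1
    ulimit -H -u "$limit" 2>/dev/null || return 1
}

# Demo: run the ceiling check and print the policy for constructed accounts.
if [ "${1:-}" = demo ]; then
    show_hard_limit_is_a_ceiling && echo "hard limit cannot be raised: ok"
    for acct in root:0 www-data:33 alice:1000; do
        echo "$acct -> $(nproc_limit_for "${acct%:*}" "${acct#*:}")"
    done
fi
```

A limit set from /etc/profile only reaches processes descended from a login shell that read the file; a cron job or an ssh session running a single command never sees it. On systems with pam_limits, the same per-user or per-group policy is therefore normally written in /etc/security/limits.conf, which is applied to every PAM session regardless of shell.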

x_terminat_or_3 (Author) Commented:
Ok, that last question was more rhetorical...

Works for me. Thanks!