Monday, October 6, 2014

Controlling Shell-Fork-Bombing in linux User's

ulimit: Provides control over the resources available to the  shell  and to  processes started by it, on systems that allow such control. The -H and -S options specify that the hard or soft limit is set for  the  given resource.  A hard limit cannot be increased by a non-root user once it is set; a soft limit may be  increased  up to  the value of the hard limit.  If neither -H nor -S is speci- fied, both the soft and hard limits are set.  The value of limit can be a number in the unit specified for the resource or one of the special values hard, soft, or unlimited, which stand for the current  hard  limit,  the  current  soft  limit,  and no limit, respectively.  If limit is omitted, the  current  value  of  the soft  limit  of the resource is printed, unless the -H option is given.  When more than one resource is specified, the limit name and unit are printed before the value. 

 Other options are inter-preted as follows:
-a     All current limits are reported
-b     The maximum socket buffer size
-c     The maximum size of core files created
-d     The maximum size of a process’s data segment
-e     The maximum scheduling priority ("nice")
-f     The maximum size of files written by the  shell  and  its children
-i     The maximum number of pending signals
-l     The maximum size that may be locked into memory
-m     The  maximum resident set size (many systems do not honor this limit)
-n     The maximum number of open file descriptors (most systems do not allow this value to be set)
-p     The pipe size in 512-byte blocks (this may not be set)
-q     The maximum number of bytes in POSIX message queues
-r     The maximum real-time scheduling priority
-s     The maximum stack size
-t     The maximum amount of cpu time in seconds
-u     The maximum number of processes available to a single user
-v     The maximum amount of virtual memory available to the shell
-x     The maximum number of file locks
-T     The maximum number of threads

You can add the following to bashrc file for protecting the local shell users from fork bomb attack.

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

if [ -e "/usr/bin/whoami" ]; then
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

No comments:

Post a Comment