Article Title: Restrict the number of processes of Linux users
We noticed that one customer's VPS had been running at 100% CPU for a long time over the past two days. Then yesterday the customer reported that he could not log in to his VPS. From our side the VPS was running and the network was responding; only the CPU was fully used. VPSee's first reaction on receiving the customer's message was that the VPS was under a CC (Challenge Collapsar) attack, but the customer told us that he did not host a website and had only opened some shell accounts for other people to use over ssh. The likely cause is that one of those accounts (after being hacked) ran a fork bomb, a very simple and commonly used kind of malicious program. The principle is simple: it keeps forking processes until all of the Linux system's resources are consumed, so that the system has no resources left to run any other program. For example, once a fork bomb has gone off you will see:
-bash: fork: retry: Resource temporarily unavailable
The following is the simplest bash fork bomb:
:(){ :|:& };:
The symbols above look complicated, but they are easy to follow once written out as below. ":" is a function name, and ":()" followed by the braces defines that function. Inside the body the function calls itself recursively and pipes the output into another call to itself, and "&" runs that in the background. The final ":" outside the braces calls the function and sets it off:
:(){
: | :&
};:
How can we avoid fork bombs? The method is very simple: limit the number of processes that each user can create. You can set this by editing the /etc/security/limits.conf file:
# vi /etc/security/limits.conf
vpsee hard nproc 32
@student hard nproc 32
@faculty hard nproc 64
The configuration above means that the user vpsee can fork at most 32 processes, each member of the student user group can fork at most 32 processes, and each member of the faculty user group can fork at most 64 processes. Check that the pam_limits.so module is available on the system and that it is loaded:
# ls /lib64/security/pam_limits.so
/lib64/security/pam_limits.so
# vi /etc/pam.d/login
session required pam_limits.so
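An added example (not from the original article): a small audit helper that reads a limits.conf-style file and reports which hard nproc value applies to an account, so that shell accounts with no cap at all can be found. The function names, the sample file and the accounts alice, bob and carol are assumptions made for the illustration.

```sh
# Added example. Sample file and the accounts alice/bob/carol are constructed.

# Write the article's three limits.conf entries to file $1.
write_sample_limits() {
    cat > "$1" <<'EOF'
# <domain>  <type>  <item>  <value>
vpsee       hard    nproc   32
@student    hard    nproc   32
@faculty    hard    nproc   64
EOF
}

# hard_nproc FILE USER "GROUP ..."
# Print the hard nproc value FILE gives USER, or "none" when no line applies.
# Precedence per limits.conf(5): user line > @group line > "*" wildcard; at
# equal precedence the later line wins. limits.d/ and id ranges are not handled.
hard_nproc() {
    awk -v user="$2" -v grps="$3" '
        BEGIN { n = split(grps, g, " ")
                for (i = 1; i <= n; i++) member["@" g[i]] = 1
                best = 0; value = "none" }
        /^[ \t]*#/ || NF < 4 { next }            # comments, blank or short lines
        $3 != "nproc" { next }
        $2 != "hard" && $2 != "-" { next }       # "-" sets both soft and hard
        {
            rank = 0
            if ($1 == user) rank = 3
            else if ($1 in member) rank = 2
            else if ($1 == "*") rank = 1
            if (rank > 0 && rank >= best) { best = rank; value = $4 }
        }
        END { print value }' "$1"
}

# uncapped_accounts FILE: read "user:group group ..." lines on stdin and
# print each account that no hard nproc line covers.
uncapped_accounts() {
    while IFS=: read -r user grps; do
        if [ "$(hard_nproc "$1" "$user" "$grps")" = none ]; then
            echo "$user"
        fi
    done
}

# Demo on the constructed sample.
demo_file=$(mktemp)
write_sample_limits "$demo_file"
printf '%s\n' 'vpsee:vpsee' 'alice:alice student' 'bob:bob faculty student' \
    'carol:carol' | uncapped_accounts "$demo_file"     # prints: carol
rm -f "$demo_file"
```

On a live system the group list for an account can be taken from `id -Gn USER`.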
If you are an ordinary Linux user rather than root, and so cannot modify limits.conf and restart the system, you can use ulimit to temporarily limit the number of processes you are allowed to create. ulimit has two kinds of limit, Hard and Soft. With Hard you can reduce the maximum number of available processes, but you cannot raise the limit again afterwards; with Soft you can freely raise and lower the limit (for more about ulimit, -H and -S, see man ulimit). Different Linux distributions have different default values for ulimit -u: on CentOS the maximum number of running processes is 8256 by default, and on Fedora it is 1024. So it depends on the distribution, but that does not matter, because the value can be changed anyway. Once it has been changed to 32, however, it cannot be changed to anything larger than 32 (for example, 64), only to something smaller. When ulimit is given neither -H nor -S, it sets both Hard and Soft:
$ ulimit -u
8256
$ ulimit -u 32
$ ulimit -u 64
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 8256
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 32
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited