
#1 2014-02-19 08:02:33

Pat
Member
Registered: 2014-02-17
Posts: 10

Fork-bomb detection

I run a server that I use when I give an "intro to bash" workshop at my school.

I allow a guest user to log in; but a "smart" user, or one aware of fork-bombing, could easily detonate one on my server. I have the limits for the guest user pretty tight, so they really can't do any damage.

I was just wondering if there was a way to actually detect a fork-bomb detonation?

Offline

#2 2014-02-19 10:38:49

Rexilion
Member
Registered: 2013-12-23
Posts: 784

Re: Fork-bomb detection

The problem with fork bombs is that they look like a genuine program creating a lot of subprocesses.

Maybe install the auditd daemon?


fs/super.c : "Self-destruct in 5 seconds.  Have a nice day...\n",

Offline

#3 2014-02-19 10:57:28

ivoarch
Member
Registered: 2011-03-31
Posts: 436

Re: Fork-bomb detection

Try to limit the number of processes.

http://linuxmafia.com/faq/VALinux-kb/pr … -user.html
https://wiki.archlinux.org/index.php/Re … management

$> cat /etc/security/limits.conf
*                hard    nproc           1000

Last edited by ivoarch (2014-02-19 10:59:39)


I love GnuEmacs, GnuScreen, ratpoison, and conkeror.
Github )||( Weblog

Offline

#4 2014-02-19 11:07:40

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Fork-bomb detection

Malware wiki links to a (very old) kernel patch.

Add any useful info to Arch wiki ;)

Offline

#5 2014-02-19 16:29:55

Pat
Member
Registered: 2014-02-17
Posts: 10

Re: Fork-bomb detection

ivoarch wrote:

Try to limit the number of processes.

http://linuxmafia.com/faq/VALinux-kb/pr … -user.html
https://wiki.archlinux.org/index.php/Re … management

$> cat /etc/security/limits.conf
*                hard    nproc           1000

Yeah, I know how to protect against it, but it would be nice if I could somehow detect when it's going on.

If there was some kind of tool that could monitor the rate of new procs by a user, and if it's above a certain threshold, then we know it's some kind of bad program or a bomb.

Google is no help though :/

Offline
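
A sketch of the per-user process-rate monitor asked about in post #5, added here as an example and not written by anyone in this thread. It samples /proc once a second and alerts when a UID's process count grows too fast or sits against its nproc limit; the guest UID 1001, the limit of 100 and both thresholds are assumed values.

```python
import os
import time

def count_procs_by_uid(proc_root="/proc"):
    """Count live processes per owning UID by stat()ing /proc/<pid>."""
    counts = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            uid = os.stat(os.path.join(proc_root, name)).st_uid
        except OSError:  # process exited between listdir() and stat()
            continue
        counts[uid] = counts.get(uid, 0) + 1
    return counts

def detect_bursts(samples, uid, nproc_limit, max_rate=20.0, near=0.9):
    """Return (timestamp, reason) alerts for one UID.

    samples: list of (timestamp_seconds, {uid: process_count}), oldest first.
    Flags growth faster than max_rate processes/second, and counts that sit
    at or above near * nproc_limit (a bomb pinned against the hard limit).
    """
    alerts = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        before, now = c0.get(uid, 0), c1.get(uid, 0)
        rate = (now - before) / (t1 - t0) if t1 > t0 else 0.0
        if rate > max_rate:
            alerts.append((t1, "rate"))
        elif now >= near * nproc_limit:
            alerts.append((t1, "at-limit"))
    return alerts

# Constructed samples: UID 1001 idles, spikes, then sits at its limit of 100.
SAMPLES = [
    (0, {1001: 3}), (1, {1001: 4}), (2, {1001: 100}), (3, {1001: 100}),
]

if __name__ == "__main__":
    GUEST_UID, LIMIT = 1001, 100  # assumed values for the guest account
    history = []
    while True:
        history = (history + [(time.time(), count_procs_by_uid())])[-2:]
        for ts, reason in detect_bursts(history, GUEST_UID, LIMIT):
            print(f"{ts:.0f} uid={GUEST_UID} possible fork bomb ({reason})")
        time.sleep(1)
```

Run it as root if /proc is mounted with hidepid, since other users' processes are otherwise not visible to the monitor.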

#6 2014-02-19 20:07:06

t0m5k1
Member
From: overthere
Registered: 2012-02-10
Posts: 324

Re: Fork-bomb detection

From malware wiki:

Another solution, not widely practised, involves the detection of fork bombs by the operating system. The Linux kernel module called rexFBD[5] implements this strategy.

[5] = http://rexgrep.tripod.com/rexfbdmain.htm


ROG Strix (GD30CI) - Intel Core i5-7400 CPU - 32Gb 2400Mhz - GTX1070 8GB - AwesomeWM (occasionally XFCE, i3)

If everything in life was easy, we would learn nothing!
Linux User: 401820  Steam-HearThis.at-Last FM-Reddit

Offline
