
#26 2005-03-21 16:28:34

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Forkbomb?

mico wrote:

Does anybody know what are default/suggested/common limits on *BSD systems? They would probably be a good reference.

good idea


#27 2005-03-21 17:36:39

mico
Member
From: Slovenia
Registered: 2004-02-08
Posts: 247

Re: Forkbomb?

I did some checking on my other boxes:

On debian sarge there are no limits set, /etc/security/* are all commented out. I wonder why that article said debian was fork-bomb proof. Maybe they tested woody.

On FreeBSD 5.3 there is no /etc/security/ at all. There must be limits set even without pam, because I can fork "only" about 3628 processes and then I get "resource temporarily unavailable". Funny, even with more than 3700 processes (of all users) running, the system is still very stable and responsive.


#28 2005-03-21 18:01:51

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Forkbomb?

Ok, zero of my questions answered. Also I already said that the max depends on your hardware. I give up...


#29 2005-03-23 16:51:43

thegnu
Member
From: Brooklyn, NY
Registered: 2004-05-04
Posts: 280

Re: Forkbomb?

i3839 wrote:

Ok, zero of my questions answered. Also I already said that the max depends on your hardware. I give up...

As for "sane limits" being default for Arch, I think the first step is to choose a "standard" system.  Like say, 1Ghz w. 256MB ram.  People who have a slower computer can always set it lower, and people with a faster computer will be well protected by the default.

What would you guys consider a reasonable default system?  Again, my bid is 1Ghz 256MB


fffft!


#30 2005-03-23 17:16:00

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Forkbomb?

To summarize:

My p3 600 Mhz + 256 Mb ram can recover when the limit is 2048 processes per user. To be on the safe side, taking half of that, 1024, seems reasonable.

mico mysteriously has problems with the 1024 limit, while his "default" limit is somehow lower. Those are two riddles in one.

Now the remaining question is if 1024 isn't already insanely high, and if using a higher default limit actually adds anything. I think not, but if anyone disagrees then say so.


#31 2005-04-11 15:41:32

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Forkbomb?

My laptop crashes even with these rules when I use the bash variant:

@users          hard    nproc           256
@users          soft    nproc           128

What does this mean? Should I lower them?

edit: It looks like /etc/security/limits.conf is completely being ignored here.
ulimit -u returns 3831, while I have set it to 256.

edit2: I think it has to do with kdm. limits.conf is only being processed on an ordinary console login.


#32 2005-04-11 17:46:23

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Forkbomb?

is 'users' the only group the user you are testing with is a member of?
ie. is the user being tested a member of other groups, like wheel?


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#33 2005-04-11 20:11:20

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Forkbomb?

I replaced @users (which I was part of) with *. Still the same: max 3818 procs in X and 128 in console, according to ulimit -u.

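Added example (editor's code, not from any post in this thread): LB06's observation that ulimit -u reports a few thousand under X but 128 on the console is a matter of where in the process tree the limit was last set, because rlimits are inherited across fork and exec and ulimit -u only shows the shell you type it in. The POSIX shell below walks a process's ancestors (kdm, sshd, login, ...) and prints each one's RLIMIT_NPROC as the kernel sees it. It assumes a Linux /proc; the sample limits file is constructed from the numbers posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. "ulimit -u" only reports the limit of
# the shell it runs in; the limit a Konsole or ssh shell ends up with is whatever
# its parent chain had when pam_limits did or did not run. This walks that chain
# on Linux via /proc/PID/limits and /proc/PID/status (assumed to exist).

# nproc_limits FILE  -> prints "SOFT HARD" from a /proc/PID/limits-format file
nproc_limits() {
    awk '$1 == "Max" && $2 == "processes" { print $3, $4 }' "$1"
}

# trace_nproc PID  -> one line per ancestor: pid, command name, nproc soft/hard
trace_nproc() {
    pid=$1
    printf '%-7s %-16s %s\n' PID COMM "NPROC soft/hard"
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        comm=$(awk '$1 == "Name:" { print $2 }' "/proc/$pid/status")
        printf '%-7s %-16s %s\n' "$pid" "$comm" "$(nproc_limits "/proc/$pid/limits")"
        pid=$(awk '$1 == "PPid:" { print $2 }' "/proc/$pid/status")   # 0 once we reach init
    done
}

# Constructed sample in /proc/PID/limits format, using the soft/hard values
# LB06 set in limits.conf (128 soft, 256 hard) rather than anything captured.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 1024                 files
Max processes             128                  256                  processes
EOF
echo "sample file: $(nproc_limits "$SAMPLE")"

# Real run: compare the limit of this shell with that of each ancestor. A jump
# between two rows is where a limit was (or was not) applied.
[ -r /proc/self/status ] && trace_nproc $$
```

Run it from a Konsole and from a virtual console; the row where the soft value changes is the process whose PAM stack (or lack of one) decided the limit.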

#34 2005-04-11 21:30:32

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Forkbomb?

interesting. Now that I run ulimit -a, I realize that ulimit is not reporting correct values for me either...
*scratches chin*

man limits says the file should be /etc/limits. It makes a reference to LIMITS_FILE variable, being defined somewhere else. Also, limits is, I believe, part of the pam stack. Maybe it is not being called..




#35 2005-04-12 14:21:37

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Forkbomb?

/etc/limits is only used when PAM is disabled afaik.

I think I've found the cause. When I don't start kdm at boot (or stop it) and run startx, the values are correct. So it has something to do with my login manager.


#36 2005-04-12 14:50:35

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Forkbomb?

Apparently kdm and/or gdm don't have pam support, or it's broken ("ldd `which kdm` | grep pam" should give answer).


#37 2005-04-12 15:24:14

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Forkbomb?

kdm has pam support. I did some research and found out that the 'session required pam_limits.so' line is missing in /etc/pam.d/kde-np. It works just fine with that.

*/me toddles to Mr. Bugtracker*


#38 2005-04-12 20:55:41

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Forkbomb?

Hym, I wonder. openssh (sshd) doesn't use pam by default, therefore it doesn't respect limits.conf settings. As, I presume, the biggest danger of a forkbomb attack comes from remote users, don't you think the sshd config should default to the use of pam (at least account and session, not necessarily auth) and its limit settings? Even if someone sets reasonable limits, overlooking this sshd setting may cause him some trouble. What's your opinion, guys?


#39 2005-04-12 21:09:56

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Forkbomb?

lucke, I think that is indeed why my limits appear to not be observed. If limits don't work via ssh, then what good are they..
Probably just a flag missing in the sshd conf file..
*rustles around in man pages*




#40 2005-04-12 21:19:33

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Forkbomb?

There's a UsePam sshd config option...

An alternative may be to set the limits before starting sshd, but that's not a nice solution.


#41 2005-04-12 21:26:19

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Forkbomb?

Yep, there's UsePam, but by default it's set to No. And, what I was talking about in my previous post, imho it should be set to Yes by default ('sed' it during the build process, that is).


#42 2005-04-12 21:47:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Forkbomb?

thanks guys.
I set

ChallengeResponseAuthentication=no
UsePAM yes

and it is working fine now. :P



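Added example (editor's code, not from the thread, Arch, Linux-PAM or OpenSSH): a POSIX shell audit of the two conditions the preceding posts established. limits.conf only takes effect on a login path whose PAM service file reaches a "session ... pam_limits.so" line, directly or through a stack it pulls in, and sshd never runs its PAM stack at all unless UsePAM is yes. The pam.d files and sshd_config fragments below are constructed to mirror the thread's cases (kde-np without pam_limits, sshd_config with UsePAM left at its then-default of no, then cactus's fix). The include/substack handling follows Linux-PAM; "pam_stack.so service=" is the older chaining style and is followed too.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a login path will
# actually run pam_limits. Sample files are constructed, not copied from a box.

# stack_has_limits PAMDIR SERVICE  -> exit 0 if a "session ... pam_limits.so" is
# reached. Follows "include"/"substack" (Linux-PAM) and the older
# "pam_stack.so service=NAME" chaining. Depth-limited to survive include loops.
stack_has_limits() {
    local dir="$1" svc="$2" depth="${3:-0}" type control module args sub
    [ "$depth" -lt 8 ] && [ -r "$dir/$svc" ] || return 1
    while read -r type control module args; do
        [ "$type" = session ] || continue        # comments and other types
        case $control in
            include|substack) stack_has_limits "$dir" "$module" $((depth + 1)) && return 0 ;;
        esac
        case $module in
            pam_limits.so) return 0 ;;
            pam_stack.so)
                sub=${args#*service=}; sub=${sub%%[[:space:]]*}
                [ -n "$sub" ] && stack_has_limits "$dir" "$sub" $((depth + 1)) && return 0 ;;
        esac
    done < "$dir/$svc"
    return 1
}

# sshd_uses_pam SSHD_CONFIG -> prints yes or no. The first UsePAM directive wins,
# as sshd_config(5) specifies; a commented-out or absent one means the compiled-in
# default, which was "no" at the time of this thread.
sshd_uses_pam() {
    [ -r "$1" ] || { echo no; return; }
    awk 'tolower($1) == "usepam" { seen = 1; print tolower($2); exit }
         END { if (!seen) print "no" }' "$1"
}

# limits_enforced PAMDIR SERVICE [SSHD_CONFIG] -> prints a yes/no verdict
limits_enforced() {
    local dir="$1" svc="$2" cfg="$3"
    if [ "$svc" = sshd ] && [ "$(sshd_uses_pam "$cfg")" != yes ]; then
        echo "no  ($svc: UsePAM is off, so the PAM stack never runs)"
    elif stack_has_limits "$dir" "$svc"; then
        echo "yes ($svc)"
    else
        echo "no  ($svc: no session pam_limits.so line reached)"
    fi
}

# Constructed sample tree mirroring the thread's findings.
PAMD=$(mktemp -d); trap 'rm -rf "$PAMD"' EXIT
cat > "$PAMD/system-auth" <<'EOF'
auth      required  pam_unix.so
account   required  pam_unix.so
session   required  pam_unix.so
session   required  pam_limits.so
EOF
printf 'auth     include system-auth\nsession  include system-auth\n' > "$PAMD/login"
cat > "$PAMD/kde-np" <<'EOF'
auth      required  pam_nologin.so
auth      required  pam_permit.so
account   required  pam_unix.so
session   required  pam_unix.so
session   optional  pam_console.so
EOF
cp "$PAMD/kde-np" "$PAMD/kde-np.fixed"                      # lucke's fix: add the line
echo 'session   required  pam_limits.so' >> "$PAMD/kde-np.fixed"
printf 'session  required pam_stack.so service=system-auth\n' > "$PAMD/sshd"
printf '#UsePAM no\nPort 22\n' > "$PAMD/sshd_config.default"
printf 'ChallengeResponseAuthentication no\nUsePAM yes\n' > "$PAMD/sshd_config.fixed"

limits_enforced "$PAMD" login
limits_enforced "$PAMD" kde-np
limits_enforced "$PAMD" kde-np.fixed
limits_enforced "$PAMD" sshd "$PAMD/sshd_config.default"
limits_enforced "$PAMD" sshd "$PAMD/sshd_config.fixed"
```

Point it at a real /etc/pam.d and /etc/ssh/sshd_config to get the same verdict per service; a stack that reaches pam_limits.so but is never invoked (the sshd case) is the one that looks fine on paper and still lets a remote user fork without limits.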

#43 2005-04-12 21:51:15

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Forkbomb?

lucke wrote:

Yep, there's UsePam, but by default it's set to No. And, what I was talking about in my previous post, imho it should be set to Yes by default ('sed' it during the build process, that is).

I'll second that - post a feature request to the bug tracker 8)


#44 2005-04-21 19:07:50

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Forkbomb?

It's still not working with kdm here.

my /etc/pam.d/kde-ng:

#%PAM-1.0
auth            required        pam_nologin.so
auth            required        pam_permit.so
account         required        pam_unix.so     service=system-auth
password        required        pam_unix.so     service=system-auth
session         required        pam_unix.so     service=system-auth
session         optional        pam_console.so
session         required        pam_limits.so


#45 2005-04-21 19:16:17

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Forkbomb?

It works properly here O_o

Are you sure you have proper limits set in limits.conf and does it actually show different values in virtual console and in Konsole?

Btw, filename is kde-np, not ng ;-)


#46 2005-04-21 19:41:07

shadowhand
Member
From: MN, USA
Registered: 2004-02-19
Posts: 1,142

Re: Forkbomb?

Wow. I thought my system would be immune to a forkbomb for some reason. Using the -cko kernel, I killed my system in about 1 second using the bash forkbomb.

Needless to say, /etc/security/limits.conf is now set up properly.


·¬»· i am shadowhand, powered by webfaction


#47 2005-04-21 20:36:37

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Forkbomb?

lucke wrote:

It works properly here O_o

Are you sure you have proper limits set in limits.conf and does it actually show different values in virtual console and in Konsole?

Btw, filename is kde-np, not ng ;-)

*               hard    nproc           200
*               soft    nproc           200
@users          hard    nproc           80
@users          soft    nproc           50
@users          -       maxlogins       4

about kde-np: typo :)

I am sure that in a virtual console the values differ from within kde.

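Added example (editor's code, not from the thread or from pam_limits itself): a POSIX shell function that works out which line of a limits.conf like LB06's above pam_limits would apply to a given user, which also answers cactus's earlier question about a test user who is in more than one group. The precedence it models (a user's own line beats @group lines, which beat the * wildcard; among lines of equal rank the last one wins; group and wildcard lines are skipped for root) is my reading of pam_limits and should be checked against pam_limits(8) for your PAM version. The sample file and the users alice, bob and carol are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. The precedence modelled here
# (user line > @group line > "*" wildcard; last line wins within a rank;
# root ignores group and wildcard lines) is my reading of pam_limits and is an
# assumption to verify against your PAM version.

# effective_limit FILE USER "GROUP GROUP ..." ITEM TYPE
#   GROUPS: the user's primary plus supplementary groups, space separated
#   ITEM:   e.g. nproc or maxlogins; TYPE: soft or hard ("-" lines set both)
#   Prints the value, or "unset" if no line applies.
effective_limit() {
    file=$1 user=$2 groups=$3 item=$4 type=$5
    value= rank=99
    while read -r domain t i v _; do
        case $domain in ''|\#*) continue ;; esac          # blank or comment line
        [ "$i" = "$item" ] || continue
        [ "$t" = "$type" ] || [ "$t" = "-" ] || continue
        r=99                                              # 99 = line does not apply
        case $domain in
            "$user") r=0 ;;
            @*) if [ "$user" != root ]; then
                    for g in $groups; do [ "@$g" = "$domain" ] && r=1; done
                fi ;;
            '*') [ "$user" != root ] && r=2 ;;
        esac
        [ "$r" -lt 99 ] || continue
        if [ "$r" -le "$rank" ]; then rank=$r; value=$v; fi   # better or equal rank wins
    done < "$file"
    printf '%s\n' "${value:-unset}"
}

# Constructed sample: LB06's lines plus a @wheel line and one per-user line so
# that all three precedence levels show up.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# domain        type    item            value
*               hard    nproc           200
*               soft    nproc           200
@users          hard    nproc           80
@users          soft    nproc           50
@users          -       maxlogins       4
@wheel          hard    nproc           500
carol           soft    nproc           30
EOF

# Hypothetical users: alice only in users; bob in users and wheel (the case
# cactus asked about); carol only in wheel; root to show the exemption.
show() {  # show USER "GROUPS"
    printf '%-6s nproc soft=%-5s hard=%-5s maxlogins=%s\n' "$1" \
        "$(effective_limit "$SAMPLE" "$1" "$2" nproc soft)" \
        "$(effective_limit "$SAMPLE" "$1" "$2" nproc hard)" \
        "$(effective_limit "$SAMPLE" "$1" "$2" maxlogins hard)"
}
show alice "users"
show bob   "users wheel"
show carol "wheel"
show root  "root wheel"
```

For bob the later @wheel line lifts the hard nproc limit from 80 to 500 even though he is in users, which is exactly why a limit that "does not work" should first be checked against every group the test user belongs to.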

#48 2006-08-26 17:46:20

detto
Member
Registered: 2006-01-23
Posts: 510

Re: Forkbomb?

Sorry for reactivating this topic, but after reading the whole thread I'm still not sure if Arch is by default protected against such fork bombs?! :?
I checked /etc/security/limits.conf but only these were present:

*               -       rtprio          0
*               -       nice            0
@audio          -       rtprio          65
@audio          -       nice           -10
@audio          -       memlock         40000

cheers,
detto


#49 2006-08-26 18:22:36

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: Forkbomb?

It's not. It's easy enough to put in the relevant setting though.


#50 2006-08-26 19:22:57

detto
Member
Registered: 2006-01-23
Posts: 510

Re: Forkbomb?

Gullible Jones wrote:

It's not. It's easy enough to put in the relevant setting though.

Mh ok. Easy enough, that's true. But why isn't this the default yet? I mean it wouldn't be that much work, I guess, but it would protect those from fork bombs who don't know beforehand how to protect themselves.

cheers,
detto

