Bugtraq
mailing list archives
Re: limit maximum nr. of processes.
From: costan () COMM2000 IT (Andrea Costantino)
Date: Tue, 7 Sep 1999 13:49:38 +0200
On Fri, 3 Sep 1999, Alfonso Lazaro wrote:
Date: Fri, 3 Sep 1999 13:18:02 +0200
From: Alfonso Lazaro <altellez () IP6SEGURIDAD COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: limit maximum nr. of processes.
On Wed, Sep 01, 1999 at 10:53:48AM +0200, Petter Wahlman <petter () proact no> wrote:
To limit the maximum number of processes you can use Linux-PAM.
Edit /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
you have to add the last two lines
then edit
/etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit
# - maxlogins - max number of logins for this user
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
As you can see, you can limit the number of processes and much more,
like cpu, stack ...
It works fine, but if you use a non-standard login such as ssh it's overridden,
as sshd does not look at the PAM plugin to start authentication.
The best solution would be to incorporate PAM use in sshd, and in any of the
login methods allowed on a (Linux) system, but often it's not possible.
So a workaround that is easy to incorporate could be adding some lines to
/etc/profile or any script executed automatically at shell login.
By adding
ulimit -H <some-kind-of-limit>
a hard limit is set to the specified value for the given resource (see
man bash).
Any shell has a builtin feature to set this hard limit. Please note that
this hard limit is kernel imposed, so, when it is set, no user except root
can raise the given value.
We kiss your hands
k0
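
The /etc/profile workaround described in the reply above, written out as an added example (not code from the post or from any project). The names cap_hard_nproc, above and NPROC_FLAG and the value 64 are hypothetical; the flag probe assumes bash (-u) or dash (-p) on Linux.

```shell
#!/bin/sh
# Added example for /etc/profile; cap_hard_nproc, above, NPROC_FLAG and the
# value 64 are hypothetical names and numbers, not taken from the post.

# "max user processes" is -u in bash but -p in dash, so probe in a subshell.
if (ulimit -u) >/dev/null 2>&1; then NPROC_FLAG=-u; else NPROC_FLAG=-p; fi

# above LIMIT CAP: true when LIMIT is "unlimited" or numerically above CAP.
above() {
    if [ "$1" = unlimited ]; then return 0; fi
    [ "$1" -gt "$2" ]
}

# cap_hard_nproc CAP: lower the soft and hard process limits to CAP.
# Never raises a limit that is already lower. Returns 2 on a non-numeric CAP.
cap_hard_nproc() {
    case $1 in
        ''|*[!0-9]*) echo "cap_hard_nproc: bad cap '$1'" >&2; return 2 ;;
    esac
    # Read both limits first: once they are lowered, new forks may be refused.
    _soft=$(ulimit -S "$NPROC_FLAG")
    _hard=$(ulimit -H "$NPROC_FLAG")
    # The soft limit must drop first, the kernel rejects soft > hard.
    if above "$_soft" "$1"; then ulimit -S "$NPROC_FLAG" "$1" || return 1; fi
    if above "$_hard" "$1"; then ulimit -H "$NPROC_FLAG" "$1" || return 1; fi
    return 0
}

# In /etc/profile, after the definitions above:
#   cap_hard_nproc 64
```

/etc/profile is read only by Bourne-style login shells, so a session that starts a different shell, or a remote command run without a login shell, never executes this.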