Mailing List Archive

protecting against forkbombs (and similar problems)
Hi!

Inspired by this article (http://www.securityfocus.com/bid/12298) at
security focus, I was wondering what can be done to protect our gentoo
machine against forkbombs or similar problems.

What is the best way to protect our system against this?

Do you think this kind of problem is important when we're talking about
our desktop box or only in big systems with many users?


BTW, I tried a fork bomb on my gentoo desktop box. Couldn't even log in
as root to stop it. :\


--
Rui Covelo
http://ruicovelo.2ya.com

--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)
On Sat, 19 Mar 2005 11:15:06 +0000, Rui Covelo <rpfc@mega.ist.utl.pt> wrote:
> Hi!
>
> Inspired by this article (http://www.securityfocus.com/bid/12298) at
> security focus, I was wondering what can be done to protect our gentoo
> machine against forkbombs or similar problems.
>
> What is the best way to protect our system against this?
>
> Do you think this kind of problem is important when we're talking about
> our desktop box or only in big systems with many users?
>
> BTW, I tried a fork bomb on my gentoo desktop box. Couldn't even log in
> as root to stop it. :\
>
> --

Hi Rui,

To protect against this kind of attack you should put the appropriate limits
into /etc/security/limits.conf. E.g.

* soft nproc 100
* hard nproc 150

will prevent the spawning of more than 150 processes per user and thereby
limit the impact of forkbomb attacks. Personally, I think it would be a good
idea to have some sane default values in this file. If somebody really needs
more processes, open files, etc. they can always up them.

cheers,
Markus
--
gentoo-security@gentoo.org mailing list
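
An added example, not part of the original thread: a small audit that parses limits.conf-style text and reports the effective `nproc` limits for a given user, so you can see which accounts the two lines above actually cap. It assumes the precedence documented for pam_limits (a user entry beats an `@group` entry, which beats `*`, and `*` and group entries are not applied to root); the sample entries, user names and group name are constructed.

```python
# Added example: effective nproc limits from limits.conf-style text.
# Assumed precedence (pam_limits docs): user > @group > "*"; wildcard and
# group entries are not applied to root. uid/gid range syntax is not handled.
SAMPLE = """\
# constructed sample extending the two lines quoted in the thread
*        soft  nproc  100
*        hard  nproc  150
@build   -     nproc  400
alice    hard  nproc  300
*        hard  nofile 4096
"""
RANK = {"wildcard": 0, "group": 1, "user": 2}

def _match(domain, user, groups):
    """Return 'user', 'group' or 'wildcard' for a matching domain, else None."""
    if domain == user:
        return "user"
    if user == "root":  # root is only matched by its literal name
        return None
    if domain.startswith("@") and domain[1:] in groups:
        return "group"
    return "wildcard" if domain == "*" else None

def effective_nproc(text, user, groups=()):
    """Return {'soft': n, 'hard': n}; None means nothing caps that side."""
    best = {"soft": (-1, None), "hard": (-1, None)}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nproc":
            continue
        domain, ltype, _, value = fields
        kind = _match(domain, user, groups)
        if kind is None or ltype not in ("soft", "hard", "-"):
            continue
        limit = None if value in ("unlimited", "infinity", "-1") else int(value)
        for side in (("soft", "hard") if ltype == "-" else (ltype,)):
            if RANK[kind] >= best[side][0]:  # later line wins within a rank
                best[side] = (RANK[kind], limit)
    return {side: rank_limit[1] for side, rank_limit in best.items()}

def uncapped(text, user, groups=()):
    """True when no finite hard nproc limit applies to this user."""
    return effective_nproc(text, user, groups)["hard"] is None

if __name__ == "__main__":
    for who, grps in (("bob", ()), ("carol", ("build",)), ("alice", ()), ("root", ())):
        print(who, effective_nproc(SAMPLE, who, grps), uncapped(SAMPLE, who, grps))
```

With the sample, root comes out uncapped because only a literal `root` entry would apply to it.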
Re: protecting against forkbombs (and similar problems)
On Sat, Mar 19, 2005 at 05:37:18AM -0600, Markus Dittrich wrote:
> To protect against this kind of attack you should put the appropriate limits
> into /etc/security/limits.conf. E.g.
>
> * soft nproc 100
> * hard nproc 150
>
> will prevent the spawning of more than 150 processes per user and thereby
> limit the impact of forkbomb attacks. Personally, I think it would be a good
> idea to have some sane default values in this file. If somebody really needs
> more processes, open files, etc. they can always up them.

See http://bugs.gentoo.org/show_bug.cgi?id=85656 for discussion and
progress on integrating sane defaults into Gentoo's limits.conf.

--
Sven Wegener
Gentoo Linux Developer
http://www.gentoo.org/
Re: protecting against forkbombs (and similar problems)
> Hi Rui,
>
> To protect against this kind of attack you should put the appropriate
> limits into /etc/security/limits.conf. E.g.
>
(...)
> cheers,
> Markus

Nice! Didn't know about that file. That's a start. Thanks! ;)



--
Rui Covelo
http://ruicovelo.2ya.com
Re: protecting against forkbombs (and similar problems)
On Sun, Mar 20, 2005 at 09:26:29PM +0000, Rui Covelo wrote:
> > Hi Rui,
> >
> > To protect against this kind of attack you should put the appropriate
> > limits into /etc/security/limits.conf. E.g.
> >
> (...)
> > cheers,
> > Markus
>
> Nice! Didn't know about that file. That's a start. Thanks! ;)
>

Anyone else getting two copies of each message?

Calum
--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)
On Sun, 2005-03-20 at 23:10 +0000, Calum wrote:
> On Sun, Mar 20, 2005 at 09:26:29PM +0000, Rui Covelo wrote:
> > > Hi Rui,
> > >
> > > To protect against this kind of attack you should put the appropriate
> > > limits into /etc/security/limits.conf. E.g.
> > >
> > (...)
> > > cheers,
> > > Markus
> >
> > Nice! Didn't know about that file. That's a start. Thanks! ;)
> >
>
> Anyone else getting two copies of each message?

Yes.

Cheers

--
Andrew Ross
IT Officer
Whitley College

--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)
On Sunday 20 March 2005 05:10 pm, Calum wrote:
> Anyone else getting two copies of each message?

The mailing list address is in both the To: and the CC: for this thread.
Quite annoying.

Regards,

- Brian
--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)
On Mon, 2005-03-21 at 10:26 +1100, Andrew Ross wrote:
> On Sun, 2005-03-20 at 23:10 +0000, Calum wrote:
> > On Sun, Mar 20, 2005 at 09:26:29PM +0000, Rui Covelo wrote:
> > > > Hi Rui,
> > > >
> > > > To protect against this kind of attack you should put the appropriate
> > > > limits into /etc/security/limits.conf. E.g.
> > > >
> > > (...)
> > > > cheers,
> > > > Markus
> > >
> > > Nice! Didn't know about that file. That's a start. Thanks! ;)
> > >
> >
> > Anyone else getting two copies of each message?
>
> Yes.

but only when the sender includes gentoo-security in both the To and CC
fields.

Cheers

--
Andrew Ross
IT Officer
Whitley College

--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)

Markus Dittrich wrote:
| On Sat, 19 Mar 2005 11:15:06 +0000, Rui Covelo <rpfc@mega.ist.utl.pt> wrote:
|
|>Hi!
|>
|>Inspired by this article (http://www.securityfocus.com/bid/12298) at
|>security focus, I was wondering what can be done to protect our gentoo
|>machine against forkbombs or similar problems.
|>
|>What is the best way to protect our system against this?
|>
|>Do you think this kind of problem is important when we're talking about
|>our desktop box or only in big systems with many users?
|>
|>BTW, I tried a fork bomb on my gentoo desktop box. Couldn't even log in
|>as root to stop it. :\
|>
|>--
|
|
| Hi Rui,
|
| To protect against this kind of attack you should put the appropriate limits
| into /etc/security/limits.conf. E.g.
|
| * soft nproc 100
| * hard nproc 150
|
| will prevent the spawning of more than 150 processes per user and thereby
| limit the impact of forkbomb attacks. Personally, I think it would be a good
| idea to have some sane default values in this file. If somebody really needs
| more processes, open files, etc. they can always up them.

but who (what process(es)) looks into those files? init? login? pam plugins?
the kernel (hardly, I guess)?

where are the hooks to implement such limits?

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjlv < at > mega.ist.utl.pt
http://arrakis.dhis.org

--
gentoo-security@gentoo.org mailing list
Re: protecting against forkbombs (and similar problems)

Calum wrote:
| On Sun, Mar 20, 2005 at 09:26:29PM +0000, Rui Covelo wrote:
|
|>>Hi Rui,
|>>
|>>To protect against this kind of attack you should put the appropriate
|>>limits into /etc/security/limits.conf. E.g.
|>>
|>
|>(...)
|>
|>>cheers,
|>>Markus
|>
|>Nice! Didn't know about that file. That's a start. Thanks! ;)
|>
|
|
| Anyone else getting two copies of each message?

yes.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjlv < at > mega.ist.utl.pt
http://arrakis.dhis.org

--
gentoo-security@gentoo.org mailing list