How to stop Fork Bomb in Debian


Post by bkpsusmitaa » 2009-08-24 10:46

There is a tutorial at the following link:

http://jbakshi.50webs.com/Linux_tutoria ... kbomb.html

What is a Fork Bomb:
Code:
chainreaction() { chainreaction|chainreaction& }; chainreaction

or
[Image: The Fork Bomb Code]


which guides the user to protect the system from a Fork Bomb:

Temporary Solution

A Fork Bomb is a chain-reaction tool, and it gradually creates new processes. It can only be controlled by restricting the maximum number of allowed processes. "ulimit" plays a nice role here. "ulimit -a" displays all system resources allowed to your shell.

Code:
root@debian:~$ ulimit -a

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 16382
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited



Fine-tune the output to know the maximum number of processes allowed

Code:
root@debian:~$ ulimit -u

Output: unlimited


Restrict the maximum allowed processes to, say, 200
Code:
root@debian:~$ ulimit -u 200


Then
Code:
root@debian:~$ ulimit -u


Output: 200


Now execute the one liner

Code:
user@debian:~$ :(){ :|:& };:


Output:
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable




Permanent Solution:

Modifying /etc/security/limits.conf is the permanent (unlike ulimit) approach to fight against Fork Bombing.

Here is an example

admin hard 300
@student soft nproc 100
@student hard nproc 150


But the above-mentioned solution does not seem to work on Debian. Could someone provide us with a solution?

Re: How to stop Fork Bomb in Debian

Post by Telemachus » 2009-08-24 11:36

Since I don't feel like tossing a fork bomb into my system to test, can you please explain a little more how it doesn't work? What goes wrong? Give details, please?
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System

Re: How to stop Fork Bomb in Debian

Post by jw013 » 2009-08-24 12:34

Since you say /etc/security/limits.conf doesn't do anything, my next guess is you probably have to edit your pam configuration in /etc/pam.d/ for this to work. Specifically you probably want a line like "session required pam_limits.so". The pam_limits module gets its settings from your limits.conf. You could add that line to individual services like login, or perhaps just add it to /etc/pam.d/common-session so it automatically goes in any file that includes common-session.

Hope that helps

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-24 16:38

Dear Telemachus,
You say:
Since I don't feel like tossing a fork bomb into my system to test, can you please explain a little more how it doesn't work? What goes wrong? Give details, please?

After all the settings when I post the fork bomb at the terminal, the system goes dead.
and
Dear jw013,
You say:
edit your pam configuration in /etc/pam.d/ for this to work. Specifically you probably want a line like "session required pam_limits.so"

There is no pam configuration file.

Re: How to stop Fork Bomb in Debian

Post by jw013 » 2009-08-24 19:49

I am pretty sure you should have PAM installed unless someone has gone to great pains and removed it (important things like login and passwd depend on it). Check to see if you have packages installed that have names like libpam. PAM configuration files are located at /etc/pam.conf or in the /etc/pam.d/ directory (usually the latter case for Debian). Try reading the manpages for pam and pam.conf. On my system all the relevant pam.d/* files already include pam_limits.so, although I don't have a limits.conf.

If you don't have PAM installed, I can think of two things to try: either (1) install pam or (2) add the ulimit command to /etc/bash.bashrc, which will cause it to be run for all users (assuming that /etc/profile sources /etc/bash.bashrc, which is the case on my system). AFAIK, bash doesn't let anyone except root raise "hard" ulimits, so setting that in the system bash startup file which gets read before the users' own startup files should work.

Just another thought: I assume you are not just copying verbatim the example limits.conf in the URL you cited? You need to use the users and groups on your own system (I know it seems obvious, but just trying to cover all the bases here). Also, the example given appears to have incorrect syntax, as the "admin" line is missing the word "nproc" (see the lines below it).

Re: How to stop Fork Bomb in Debian

Post by craigevil » 2009-08-25 00:01

Simple, easy way to limit processes: run Bastille and set the processes per user to a sane number like 150-200. No need to edit various config files.
Debian Sid KDE Kernel 3.17 Thinkpad R40 Intel M 1.3 CPU 2GB RAM Radeon Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Debian upgrade script smxi | sysinfo script inxi

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-25 00:34

Dear jw013,
You say:
add the ulimit command to /etc/bash.bashrc
Where in the file should I enter this command?

You also say:
I assume you are not just copying verbatim the example limits.conf in the URL you cited
No, no. I am giving a few screenshots to help you help me find a solution. Here goes:
[Image pam1.png: File /etc/pam.conf does not have any active codes]

[Image pam2.png: /etc/pam.d does not have a configuration file, or I don't know which one is the config file]

[Image pam3.png: The file /etc/security/limits.conf for my system]


Dear craigevil,
I will try that and get back.

Re: How to stop Fork Bomb in Debian

Post by jw013 » 2009-08-25 12:31

Hi bkpsusmitaa,

In my pam configuration I have something like this:
Code:
jw013:/etc/pam.d$ grep pam_limits *
atd:session    required   pam_limits.so
cron:session    required   pam_limits.so
gdm:session required        pam_limits.so
gdm-autologin:session required        pam_limits.so
login:session    required   pam_limits.so
su:# session    required   pam_limits.so
sudo:session required pam_limits.so


I imagine this is the default since I haven't made any changes to it. It looks like limits are already set up, since the presence of the line "session required pam_limits.so" in the files above means all of those programs (i.e. login, gdm, su, sudo, ...) will look at limits.conf and enforce those restrictions. As a test I tried this on my system by adding "jw013 soft nproc 512" and "jw013 hard nproc 1024" to limits.conf, logged out and logged back in, and "ulimit -u" showed that the limits were indeed in place. So check for those pam_limits.so lines in your /etc/pam.d/.

I think the problem is with your limits.conf. You set hard limits for the user group twice. Also, do you have a "user" group on your system? And are you a member of it? (you can check with the "groups" command). The same problem I mentioned in my last post with the admin line exists in your limits.conf - you are missing a field in the line that begins with "admin". The admin line sets a hard limit of 300 but doesn't say what it is you are limiting. Try reading the manpage for limits.conf or man bash-builtins and search for the ulimit command.

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-25 15:11

First of all, thanks for trying so much and using your time to resolve my problems.

You have talked about PAM. How does one install PAM in the system? I have searched for libpam in the system using Synaptic package manager, as told. The search shows many packages, and I only have the following installed:
libpam0g
libpam-gnome-keyring
libpam-modules
libpam-runtime
Out of so many packages.
Moreover, why did I not have pam installations if it is so required by the system?

Secondly, I ran the command groups at the root terminal. The result is root

The result of the code groups, when run on the user terminal, is: user dialout cdrom floppy audio video plugdev netdev powerdev

So you can see that user is indeed a group. And see the screenshot of the file /etc/security/limits.conf for my system. It has an example to set up the limits, like what I did, so don't you think the absence of a field from admin is normal?

Re: How to stop Fork Bomb in Debian

Post by jw013 » 2009-08-25 16:50

Ok, let's do this systematically.

  • Step 1. Let's confirm that you have PAM installed. Frankly, I'd be very surprised if you didn't, but for the sake of being thorough, run this:
    Code:
    dpkg -l | grep libpam
    You should see packages like libpam-modules and libpam-runtime with the letters "ii" at the beginning of the line (for installed). Post the output if you are not sure. If pam is not installed, we'll work on installing it.
  • Step 2. Verify that your PAM configuration is set to read limits.conf: Run
    Code:
    grep pam_limits /etc/pam.d/*
    You should get lots of lines that say
    Code:
    ***:session required    pam_limits.so
    where the "***" is the name of a program/service like login, su, gdm. Obviously, the login file is for the login command, and the gdm file is for the gdm login manager (assuming you use it on your computer). Post what you see and if you are missing stuff we'll work on configuring pam.
  • Step 3. Fix your limits.conf. The syntax for the file, from the manpage, is
    Code:
    <domain> <type> <item> <value>
    Domain is the user or group you are setting restrictions for. The @ symbol means groupname, without the @ means username. Type is the type of limit, hard or soft. Item is what you are limiting, in this case nproc. Value is the number. All of these fields are required.
    If you want to set process limits for all users in the user group, with hard limit of 50 and soft limit of 20, that would look like
    Code:
    @user   hard  nproc  50
    @user   soft  nproc  20

    You have a duplicate @user hard line - while that doesn't prevent pam_limits from working properly it makes no sense. You should decide what you want the hard limit to be and delete/comment out the other one.
    If you want to set a hard process limit of 300 for the "admin" user, it would look like
    Code:
    admin   hard  nproc  300

    The admin line in your limits.conf is an error. I tried putting something like that on my system and after logging in, I found a message in my logs marking the line as incorrect syntax and stating that it was skipped. Of course, if that line is skipped that shouldn't prevent the rest of the file from working. Also, are you sure you are trying to set limits for the "admin" user or for "root" user? Those are not the same things.
  • Step 4. Check to see if limits are set: Log out and log back in. Run
    Code:
    ulimit -u
    and
    Code:
    ulimit -Hu
    and verify that the numbers you see are the same ones you set in limits.conf.

Obviously if any of the first 3 steps fails the last step won't work either. Try that and let me know how it goes.
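
The four-field rule from Step 3, as an added example that is not part of any post in this thread: a small POSIX shell and awk linter that flags the mistakes discussed above (a line with a missing field, a repeated domain/type/item line) and, going one step beyond the thread, a soft nproc value above the hard one. The function names and the sample input are constructed for illustration; this is a standalone check, not how pam_limits itself parses the file.

```shell
#!/bin/sh
# lint_limits [FILE] -> one finding per line as "LINE: message" (reads stdin if no FILE)
lint_limits() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
    NF < 4 {                                      # e.g. "admin hard 300"
        printf "%d: need <domain> <type> <item> <value>, got %d fields\n", NR, NF
        next
    }
    $2 != "soft" && $2 != "hard" && $2 != "-" {
        printf "%d: type must be soft, hard or -, got %s\n", NR, $2
        next
    }
    {                                             # same domain/type/item set twice
        key = $1 SUBSEP $2 SUBSEP $3
        if (key in seen)
            printf "%d: repeats line %d (%s %s %s)\n", NR, seen[key], $1, $2, $3
        seen[key] = NR
    }
    $3 == "nproc" {
        if ($4 !~ /^[0-9]+$/) {                   # limits.conf(5) also allows these three
            if ($4 != "-1" && $4 != "unlimited" && $4 != "infinity")
                printf "%d: nproc value is not a number: %s\n", NR, $4
            next
        }
        val[$1, $2] = $4 + 0
        if (($1, "soft") in val && ($1, "hard") in val &&
            val[$1, "soft"] > val[$1, "hard"])
            printf "%d: soft nproc %d exceeds hard nproc %d for %s\n", NR, val[$1, "soft"], val[$1, "hard"], $1
    }
    ' "$@"
}

# Constructed sample: the tutorial lines quoted in the first post, plus a
# repeated hard line and an inverted soft/hard pair with invented values.
sample_limits() {
    cat <<'EOF'
admin hard 300
@student soft nproc 100
@student hard nproc 150
@user hard nproc 150
@user hard nproc 200
guest hard nproc 100
guest soft nproc 500
ftp - chroot /ftp
EOF
}

sample_limits | lint_limits
```

On a real system the same function can be pointed at the file directly: `lint_limits /etc/security/limits.conf`.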

Re: How to stop Fork Bomb in Debian

Post by tukuyomi » 2009-08-25 20:05

bkpsusmitaa wrote: But the above-mentioned solution does not seem to work on Debian. Could someone provide us with a solution?
http://forums.debian.net/viewtopic.php?p=74413#p74413
This, maybe? :)

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-26 00:22

Dear Tukuyomi,
You have given the link which has a discussion on the Linux Fork Bomb. But look at the title of the topic:
Apt-get demands crystal clear order

With string search difficult in the Debian Forum, is it really possible for someone to find out the topic out of some few hundred thousand ones? Also, the article is not about details, and there is a lot of chit-chat between real codes. So, I am sure you shall agree with me that the present discussion with jw013 should continue :) :?: .

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-26 00:31

Dear Jw013,
Thanks, once again. The inputs and the results:
Code:
dpkg -l | grep libpam

Result:
debian:/home/user# dpkg -l | grep libpam

ii libpam-gnome-keyring 2.22.3-2 PAM module to unlock the GNOME keyring upon login
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules for PAM
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM library
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules library
debian:/home/user#



Code:
grep pam_limits /etc/pam.d/*


debian:/home/user# grep pam_limits /etc/pam.d/*

/etc/pam.d/atd:session required pam_limits.so
/etc/pam.d/cron:session required pam_limits.so
/etc/pam.d/gdm:session required pam_limits.so
/etc/pam.d/gdm-autologin:session required pam_limits.so
/etc/pam.d/login:session required pam_limits.so
/etc/pam.d/su:# session required pam_limits.so
/etc/pam.d/sudo:session required pam_limits.so
debian:/home/user#



I have changed the codes according to your explanation. Does nproc mean number of processes?
Code:
admin        hard    nproc           300
admin        soft    nproc           300
@root        hard    nproc           250
@root        soft    nproc           250
@user        hard    nproc           200
@user        soft    nproc           200
ftp          hard    nproc           10
ftp          -       chroot          /ftp
@user        -       maxlogins       4


Code:
ulimit -u

Output at root terminal:
250

Output at user terminal:
200


Code:
ulimit -Hu

Output at root terminal:
250

Output at user terminal:
200
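
The grep from Step 2 also matches the commented-out line in /etc/pam.d/su, and it cannot see a service that only gets pam_limits through an @include of common-session, the arrangement mentioned earlier in the thread. The following added example (not from any poster; the function names, the temporary sample directory and the `myservice` and `passwd` file contents are constructed) classifies each file as active, included, commented or absent.

```shell
#!/bin/sh
# True if FILE has an uncommented session line that loads pam_limits.so.
has_active() {
    grep -Eq '^[[:space:]]*-?session[[:space:]][^#]*pam_limits\.so' "$1"
}

# via_include DIR FILE: true if FILE @includes (one level deep) a file in DIR
# that has pam_limits.so active.
via_include() {
    for inc in $(awk '$1 == "@include" { print $2 }' "$2"); do
        [ -f "$1/$inc" ] && has_active "$1/$inc" && return 0
    done
    return 1
}

# pam_limits_status DIR -> one "service state" line per file in DIR
pam_limits_status() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if has_active "$f"; then state=active
        elif via_include "$1" "$f"; then state=included
        elif grep -q 'pam_limits\.so' "$f"; then state=commented   # mentioned, never loaded
        else state=absent
        fi
        printf '%s %s\n' "${f##*/}" "$state"
    done
}

# Constructed sample directory: login and su mirror the grep output above,
# the other three files are invented for the demonstration.
make_sample_pamd() {
    d=$(mktemp -d) || return 1
    printf 'session    required   pam_limits.so\n'   > "$d/login"
    printf '# session    required   pam_limits.so\n' > "$d/su"
    printf 'session required pam_limits.so\n'        > "$d/common-session"
    printf '@include common-session\n'               > "$d/myservice"
    printf 'password required pam_unix.so\n'         > "$d/passwd"
    printf '%s\n' "$d"
}

sample=$(make_sample_pamd) && pam_limits_status "$sample"
rm -rf "$sample"
```

On a real system, run `pam_limits_status /etc/pam.d`; a service reported as commented or absent starts sessions without the limits.conf values.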

Re: How to stop Fork Bomb in Debian

Post by jw013 » 2009-08-26 12:06

From the output it looks like you now have limits set up correctly. Try running the fork bomb from the tutorial if you'd like and you should see the Resource unavailable messages mentioned in the tutorial. If you do, then limits are working. Congrats

Re: How to stop Fork Bomb in Debian

Post by bkpsusmitaa » 2009-08-27 01:13

Dear jw013
Thanks for your help. But what about PAM? I am still to learn about it. You were to post suggestions on PAM based on my system's output.