How to stop Fork Bomb in Debian

#1 Post by bkpsusmitaa »

There is a tutorial at the following link:

http://jbakshi.50webs.com/Linux_tutoria ... kbomb.html

What is a Fork Bomb:

Code:

chainreaction() { chainreaction|chainreaction& }; chainreaction
or

[Image: The Fork Bomb Code (Untitled.jpg)]

which guides the user to protect the system from Fork Bomb:

Temporary Solution

Fork Bomb is a chain reaction tool and it gradually creates new processes. It can only be controlled with a restriction on the maximum number of allowed processes. "ulimit" plays a nice role here. "ulimit -a" displays all system resources allowed to your shell.

Code:

root@debian:~$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 16382
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Fine tune the output to know the maximum number of processes allowed

Code:

root@debian:~$ ulimit -u
Output: unlimited

Restrict the maximum allowed processes to, say, 200

Code:

root@debian:~$ ulimit -u 200

Then

Code:

root@debian:~$ ulimit -u
Output: 200

Now execute the one-liner

Code:

user@debian:~$ :(){ :|:& };:
Output:
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable

Permanent Solution:

Modifying /etc/security/limits.conf is the permanent (unlike ulimit) approach to fight against Fork Bombing.

Here is an example

admin hard 300
@student soft nproc 100
@student hard nproc 150

But the above-mentioned solution does not seem to work on Debian. Could someone provide us with a solution?
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home

#2 Post by Telemachus »

Since I don't feel like tossing a fork bomb into my system to test, can you please explain a little more how it doesn't work? What goes wrong? Give details, please?
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System

#3 Post by jw013 »

Since you say /etc/security/limits.conf doesn't do anything, my next guess is you probably have to edit your pam configuration in /etc/pam.d/ for this to work. Specifically you probably want a line like "session required pam_limits.so". The pam_limits module gets its settings from your limits.conf. You could add that line to individual services like login, or perhaps just add it to /etc/pam.d/common-session so it automatically goes in any file that includes common-session.

Hope that helps

#4 Post by bkpsusmitaa »

Dear Telemachus,
You say:
Since I don't feel like tossing a fork bomb into my system to test, can you please explain a little more how it doesn't work? What goes wrong? Give details, please?
After all the settings when I post the fork bomb at the terminal, the system goes dead.
and
Dear jw013,
You say:
edit your pam configuration in /etc/pam.d/ for this to work. Specifically you probably want a line like "session required pam_limits.so"
There is no pam configuration file.

#5 Post by jw013 »

I am pretty sure you should have PAM installed unless someone has gone to great pains and removed it (important things like login and passwd depend on it). Check to see if you have packages installed that have names like libpam. PAM configuration files are located at /etc/pam.conf or in the /etc/pam.d/ directory (usually the latter case for Debian). Try reading the manpages for pam and pam.conf. On my system all the relevant pam.d/* files already include pam_limits.so, although I don't have a limits.conf.

If you don't have PAM installed, I can think of two things to try: either (1) install pam or (2) add the ulimit command to /etc/bash.bashrc, which will cause it to be run for all users (assuming that /etc/profile sources /etc/bash.bashrc, which is the case on my system). AFAIK, bash doesn't let anyone except root raise "hard" ulimits, so setting that in the system bash startup file which gets read before the users' own startup files should work.

Just another thought: I assume you are not just copying verbatim the example limits.conf in the URL you cited? You need to use the users and groups on your own system (I know it seems obvious, but just trying to cover all the bases here). Also, the example given appears to have incorrect syntax, as the "admin" line is missing the word "nproc" (see the lines below it).

#6 Post by craigevil »

Simple easy way to limit processes: run Bastille and set the processes per user to a sane number like 150-200. No need to edit various config files.
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

#7 Post by bkpsusmitaa »

Dear jw013,
You say:
add the ulimit command to /etc/bash.bashrc
Where in the file should I enter this command?

You also say:
I assume you are not just copying verbatim the example limits.conf in the URL you cited
No, no. I am giving a few screenshots to help you help me find a solution. Here goes:
[Screenshot pam1.png: File /etc/pam.conf does not have any active codes]
[Screenshot pam2.png: /etc/pam.d does not have a configuration file, or I don't know which one is the config file]
[Screenshot pam3.png: The file /etc/security/limits.conf for my system]

Dear craigevil,
I will try that and get back.
Last edited by bkpsusmitaa on 2009-08-27 14:10, edited 1 time in total.

#8 Post by jw013 »

Hi bkpsusmitaa,

In my pam configuration I have something like this:

Code:

jw013:/etc/pam.d$ grep pam_limits *
atd:session    required   pam_limits.so
cron:session    required   pam_limits.so
gdm:session required        pam_limits.so
gdm-autologin:session required        pam_limits.so
login:session    required   pam_limits.so
su:# session    required   pam_limits.so
sudo:session required pam_limits.so

I imagine this is the default since I haven't made any changes to it. It looks like limits are already set up, since the presence of the line "session required pam_limits.so" in the files above means all of those programs (i.e. login, gdm, su, sudo, ...) will look at limits.conf and enforce those restrictions. As a test I tried this on my system by adding "jw013 soft nproc 512" and "jw013 hard nproc 1024" to limits.conf, logged out and logged back in, and "ulimit -u" showed that the limits were indeed in place. So check for those pam_limits.so lines in your /etc/pam.d/.

I think the problem is with your limits.conf. You set hard limits for the user group twice. Also, do you have a "user" group on your system? And are you a member of it? (you can check with the "groups" command). The same problem I mentioned in my last post with the admin line exists in your limits.conf - you are missing a field in the line that begins with "admin". The admin line sets a hard limit of 300 but doesn't say what it is you are limiting. Try reading the manpage for limits.conf or man bash-builtins and search for the ulimit command.

#9 Post by bkpsusmitaa »

First of all, thanks for trying so much and using your time to resolve my problems.

You have talked about PAM. How does one install PAM in the system? I have searched for libpam in the system using synaptic package manager, as told. The search shows many packages, and I only have the following installed:
libpam0g
libpam-gnome-keyring
libpam-modules
libpam-runtime
out of so many packages.
Moreover, why did I not have pam installations if it is so required by the system?

Secondly, I ran the command groups at the root terminal. The result is: root

The result of the code groups, when run on user terminal, is: user dialout cdrom floppy audio video plugdev netdev powerdev

So you can see that user is indeed a group. And see the screenshot of the file /etc/security/limits.conf for my system. It has an example to set up the limits, like what I did, so don't you think the absence of a field from admin is normal?
Last edited by bkpsusmitaa on 2009-08-25 23:53, edited 1 time in total.

#10 Post by jw013 »

Ok, let's do this systematically.
  • Step 1. Let's confirm that you have PAM installed. Frankly, I'd be very surprised if you didn't, but for the sake of being thorough, run this:

    Code:

    dpkg -l | grep libpam
    You should see packages like libpam-modules and libpam-runtime with the letters "ii" at the beginning of the line (for installed). Post the output if you are not sure. If pam is not installed, we'll work on installing it.
  • Step 2. Verify that your PAM configuration is set to read limits.conf: Run

    Code:

    grep pam_limits /etc/pam.d/*
    You should get lots of lines that say

    Code:

    ***:session required    pam_limits.so
    where the "***" is the name of a program/service like login, su, gdm. Obviously, the login file is for the login command, and the gdm file is for the gdm login manager (assuming you use it on your computer). Post what you see and if you are missing stuff we'll work on configuring pam.
  • Step 3. Fix your limits.conf. The syntax for the file, from the manpage, is

    Code:

    <domain> <type> <item> <value>
    Domain is the user or group you are setting restrictions for. The @ symbol means groupname, without the @ means username. Type is the type of limit, hard or soft. Item is what you are limiting, in this case nproc. Value is the number. All of these fields are required.
    If you want to set process limits for all users in the user group, with hard limit of 50 and soft limit of 20, that would look like

    Code:

    @user   hard  nproc  50
    @user   soft  nproc  20
    
    You have a duplicate @user hard line - while that doesn't prevent pam_limits from working properly it makes no sense. You should decide what you want the hard limit to be and delete/comment out the other one.
    If you want to set a hard process limit of 300 for the "admin" user, it would look like

    Code:

    admin   hard  nproc  300
    The admin line in your limits.conf is an error. I tried putting something like that on my system and after logging in, I found a message in my logs marking the line as incorrect syntax and stating that it was skipped. Of course, if that line is skipped that shouldn't prevent the rest of the file from working. Also, are you sure you are trying to set limits for the "admin" user or for "root" user? Those are not the same things.
  • Step 4. Check to see if limits are set: Log out and log back in. Run

    Code:

    ulimit -u
    and

    Code:

    ulimit -Hu
    and verify that the numbers you see are the same ones you set in limits.conf.
Obviously if any of the first 3 steps fails the last step won't work either. Try that and let me know how it goes.

#11 Post by tukuyomi »

bkpsusmitaa wrote: But the above-mentioned solution does not seem to work on Debian. Could someone provide us with a solution?
http://forums.debian.net/viewtopic.php?p=74413#p74413
This, maybe? :)

#12 Post by bkpsusmitaa »

Dear Tukuyomi,
You have given the link which has a discussion on the Linux Fork Bomb. But look at the title of the topic:
Apt-get demands crystal clear order
With string search difficult in the Debian Forum, is it really possible for someone to find out the topic out of some few hundred thousand ones? Also, the article is not about details, and there is a lot of chit-chat between real codes. So, I am sure you shall agree with me that the present discussion with jw013 should continue :)
Last edited by bkpsusmitaa on 2009-08-27 23:29, edited 1 time in total.

#13 Post by bkpsusmitaa »

Dear Jw013,
Thanks, once again. The inputs and the results:

Code:

             dpkg -l | grep libpam
Result:
debian:/home/user# dpkg -l | grep libpam
ii libpam-gnome-keyring 2.22.3-2 PAM module to unlock the GNOME keyring upon login
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules for PAM
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM library
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules library
debian:/home/user#

Code:

          grep pam_limits /etc/pam.d/*
debian:/home/user# grep pam_limits /etc/pam.d/*
/etc/pam.d/atd:session required pam_limits.so
/etc/pam.d/cron:session required pam_limits.so
/etc/pam.d/gdm:session required pam_limits.so
/etc/pam.d/gdm-autologin:session required pam_limits.so
/etc/pam.d/login:session required pam_limits.so
/etc/pam.d/su:# session required pam_limits.so
/etc/pam.d/sudo:session required pam_limits.so
debian:/home/user#

I have changed the codes according to your explanation. Does nproc mean number of processes?

Code:

admin        hard    nproc           300
admin        soft    nproc           300
@root        hard    nproc           250
@root        soft    nproc           250
@user        hard    nproc           200
@user        soft    nproc           200
ftp          hard    nproc           10
ftp          -       chroot          /ftp
@user        -       maxlogins       4

Code:

          ulimit -u
Output at root terminal:
250
Output at user terminal:
200

Code:

          ulimit -Hu
Output at root terminal:
250
Output at user terminal:
200
Last edited by bkpsusmitaa on 2009-08-27 14:11, edited 1 time in total.

#14 Post by jw013 »

From the output it looks like you now have limits set up correctly. Try running the fork bomb from the tutorial if you'd like and you should see the Resource unavailable messages mentioned in the tutorial. If you do, then limits are working. Congrats

#15 Post by bkpsusmitaa »

Dear jw013
Thanks for your help. But what about PAM? I am still to learn about it. You were to post suggestions on PAM based on my system's output.

#16 Post by jw013 »

The reason I mentioned PAM is because it is a low level service that handles much of the authentication and other security measures on most Linux systems, and it has replaced / extended a lot of functionality formerly provided by other configuration files. Sometimes when settings don't seem to get applied, it is because PAM is not configured to use them. For example, I'm pretty sure (although I could be wrong) editing /etc/securetty by itself on my system doesn't do anything - I need to add the pam_securetty module in my pam settings for securetty settings to be applied b/c PAM has replaced that functionality. In your case, PAM was set up correctly - it was your limits.conf that was incorrect.

If you want to learn more about PAM, you could start with the wikipedia page, or try this guide. The manual pages are also very useful. Start with man pam, then maybe pam.conf, and if you're interested, anything else that starts with pam_ for the various pam modules you can use.

#17 Post by bkpsusmitaa »

Thanks, will get back to you after I have read the mentioned documents.

By the way, the system is giving the anticipated response when we use the user terminal to put the Fork Bomb code, but still hangs when the root terminal is used.