Monday, April 26, 2010

Limit resource usage with pam_limits

To enable PAM limits, make sure this line is present in /etc/pam.d/login and /etc/pam.d/ssh (the file is called /etc/pam.d/sshd on current Debian and most other distributions):
session  required pam_limits.so
Naming the module without a path lets PAM load it from its default module directory; the full path /lib/security/pam_limits.so also works on older systems but that directory no longer exists on multiarch installs. The limits themselves are configured in /etc/security/limits.conf (and in any *.conf file under /etc/security/limits.d/). pam_limits only sets them when a session is opened through a PAM stack that includes it, so check the other files in /etc/pam.d/ (su, sudo, cron, the display manager) for the services you want covered. Once set, a hard limit can only be raised by root; a soft limit is the value in effect and an unprivileged user may raise it up to the hard limit.

Disable core dumps

Core files are written when a program crashes. They have been abused in exploits (a crash in a setuid program could once overwrite a system file with the dump) and they can contain sensitive data such as passwords that the program held in memory. A hard limit of 0 disables them:
*               hard    core            0
Note that `*` and `@group` entries are not applied to root; add a separate line with the literal user name `root` if root should be limited too. For the same reason keep the fs.suid_dumpable sysctl at its default of 0, which stops setuid programs from dumping core regardless of the ulimit.

Maximum data size

The `data` item caps the size of a process's data segment (its heap), in KB, so 10240 is 10 MB. This limits memory, not disk space: to bound how large a file a user can write (for example to stop someone filling the partition your log files are stored on), use `fsize` instead, also in KB. `@notroot` is an ordinary group that has to exist; every account that should be limited is made a member of it.
@notroot        hard    data            10240

Maximum number of simultaneous logins

Members of group users may have at most two sessions open at the same time:
@users          hard    maxlogins       2

Maximum CPU time

This is very useful for preventing runaway processes from eating up all the CPU time. The value is in minutes of CPU time consumed by the process, not wall-clock time, so a process owned by a member of group users is killed once it has used 15 CPU minutes:
@users          hard    cpu             15

Maximum number of processes

To prevent fork bombs, cap the number of processes a user may have at once. Choose the value with care: 75 is enough for a shell server but far too low for a desktop session or a build host, and a user who hits the limit cannot even start `ps` to see why.
*               hard    nproc           75

Maximum memory per process

Here we limit it to 10 MB (the value is in KB):
*               hard    rss             10240
Be aware that Linux has not enforced the rss limit since kernel 2.4.30; the line is accepted but has no effect. To actually cap memory, use `as` (the maximum address space, also in KB), which covers heap, stack and mapped files together. 10 MB of address space is too little for most programs, so measure what your users' processes need before choosing a value.
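As an added example (not from the original post), here is a small POSIX shell linter that checks a limits.conf-style file for the mistakes discussed in the sections above: malformed lines, unknown items, the unenforced `rss` item, and wildcard or group entries that silently leave root unlimited. The script name, the function names and the sample file it writes are my own assumptions; the sample reproduces the entries above plus two deliberate errors so the checker can be tried offline.

```shell
#!/bin/sh
# lint_limits.sh: sanity-check a limits.conf-style file before relying on it.
# Added example, not part of the original post. Function and file names are
# illustrative. Assumes the limits.conf(5) line format:
#   <domain> <type> <item> <value>      with '#' starting a comment

# Items pam_limits understands (from limits.conf(5)).
KNOWN_ITEMS="core data fsize memlock nofile rss stack cpu nproc as maxlogins maxsyslogins priority locks sigpending msgqueue nice rtprio"

# Write a constructed sample file (the post's entries plus two deliberate
# mistakes: an unknown item and a line with only three fields) to the path
# given as $1, so the linter can be tried without touching /etc/security.
write_sample_limits() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/security/limits.conf
*               hard    core            0
@notroot        hard    data            10240
@users          hard    maxlogins       2
@users          hard    cpu             15
*               hard    nproc           75
*               hard    rss             10240
*               hard    mem             10240
*               hard    nofile
EOF
}

# lint_limits_conf FILE: print one message per problem, return 1 if any
# line is malformed, 0 otherwise. Warnings and notes do not change the status.
lint_limits_conf() {
    file=$1
    rc=0
    saw_root=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        stripped=${line%%#*}          # drop comments
        set -f                        # '*' is a domain here, not a glob
        set -- $stripped              # split the remaining fields on whitespace
        set +f
        [ $# -eq 0 ] && continue      # blank or comment-only line
        if [ $# -ne 4 ]; then
            echo "$file:$lineno: expected 4 fields, got $#: '$line'"
            rc=1
            continue
        fi
        domain=$1 ltype=$2 item=$3 value=$4
        case $ltype in
            hard|soft|-) ;;
            *) echo "$file:$lineno: bad type '$ltype' (use hard, soft or -)"; rc=1 ;;
        esac
        case " $KNOWN_ITEMS " in
            *" $item "*) ;;
            *) echo "$file:$lineno: unknown item '$item'"; rc=1 ;;
        esac
        num=${value#-}                # nice/priority may be negative
        case $value in
            unlimited|infinity) ;;
            *) case $num in
                   ''|*[!0-9]*) echo "$file:$lineno: value '$value' is not a number or unlimited"; rc=1 ;;
               esac ;;
        esac
        # Accepted by pam_limits but ignored by the Linux kernel since 2.4.30.
        if [ "$item" = rss ]; then
            echo "$file:$lineno: warning: 'rss' is not enforced on Linux; use 'as' (address space, KB)"
        fi
        [ "$domain" = root ] && saw_root=1
    done < "$file"
    if [ "$saw_root" -eq 0 ]; then
        echo "$file: note: '*' and @group entries never apply to root; add explicit 'root' lines to limit it"
    fi
    return "$rc"
}

# Usage: sh lint_limits.sh /etc/security/limits.conf
if [ $# -gt 0 ]; then
    lint_limits_conf "$1"
fi
```

Run it against the real file after every edit; a non-zero exit means pam_limits would ignore or misread at least one line, and the root note is a reminder that a `*` entry alone does not protect against a runaway process started from a root shell.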

Check users in group

The output below shows who is in group users (the fourth field lists the members; here it is empty):
deby:~# grep ^users: /etc/group
users:x:100:
You can add a user to this group (`-a` appends to the user's supplementary groups instead of replacing them):
usermod -a -G users user1
The new membership, and therefore the group's limits, only applies to sessions opened after the change, so the user has to log out and back in. The best way to go with limits is to set them as low as possible, monitor the result and raise them as needed.
