To enable PAM limits, make sure this line is present in /etc/pam.d/login and /etc/pam.d/ssh:
session required /lib/security/pam_limits.so
The limits themselves are configured in /etc/security/limits.conf.
Disable core dumps
Core files can be created when a program crashes. They have been used in security exploits, either to overwrite system files or because they contain sensitive information (such as passwords).
* hard core 0
Maximum data size
Prevent an attacker from trying to fill up the partitions your log files are stored on (10Mb):
@notroot hard data 10240
Number of times a user can log in
@users hard maxlogins 2
Maximum CPU time
This is very useful for preventing runaway processes from eating up all the CPU time (in minutes).
@users hard cpu 15
Maximum number of processes
To prevent fork bombs:
* hard nproc 75
Maximum memory per process
Here we are limiting it to 10Mb:
* hard rss 10240
Check users in group
The output below shows who is in group users:
deby:~# grep ^users: /etc/group
users:x:100:
You can add a user to this group:
usermod -a -G users user1
The best way to work with limits is to set them as low as possible, monitor the system, and raise them only where needed.
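The entries above mix three kinds of domain (*, @group and, potentially, a single user name), so it helps to check which hard limit a given account actually ends up with. The following is an added example, not part of the original post: it models the precedence documented in limits.conf(5) (a user entry beats a group entry, which beats the * default, and group and * entries are not applied to root) and assumes a later line replaces an earlier one of the same kind. The function names and the "builder" account are hypothetical, and only user, @group and * domains are handled.

```sh
#!/bin/sh
# Added example, not from the original page.
# Prints the hard limit pam_limits would pick for USER and ITEM, or "unset".
# Usage: effective_hard_limit FILE USER ITEM [GROUP...]
effective_hard_limit() {
    file=$1; user=$2; item=$3
    shift 3
    awk -v user="$user" -v item="$item" -v grps="$*" '
        BEGIN {
            n = split(grps, g, " ")
            for (i = 1; i <= n; i++) member["@" g[i]] = 1
            best = 0; value = "unset"
        }
        { sub(/#.*/, "") }                      # strip comments
        NF < 4 { next }                         # blank or incomplete line
        $2 != "hard" && $2 != "-" { next }      # "-" sets soft and hard
        $3 != item { next }
        {
            if ($1 == user) rank = 3            # exact user entry wins
            else if (user == "root") next       # root: no group or * limits
            else if ($1 in member) rank = 2     # @group entry
            else if ($1 == "*") rank = 1        # wildcard default
            else next
            if (rank >= best) { best = rank; value = $4 }  # later line wins ties
        }
        END { print value }
    ' "$file"
}

# Constructed sample: the entries from this page plus one hypothetical
# per-user override ("builder" is an assumed account name).
sample_limits() {
    cat <<'EOF'
* hard core 0
@notroot hard data 10240
@users hard maxlogins 2
@users hard cpu 15
* hard nproc 75
* hard rss 10240
builder hard nproc 200
EOF
}
```

Run it against the real file with the account's groups, for example: effective_hard_limit /etc/security/limits.conf user1 nproc $(id -Gn user1). An "unset" result for root on core or nproc shows that the * lines above leave root uncovered unless a literal root entry is added.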