Solved How to prevent a fork bomb

[nbari]

I have just installed FreeBSD 7.1 amd64, created a jail and inside the jail executed the following code:

#include <stdio.h> int main() { while(1) fork(); }

gcc -o fork forc.c

$./fork

After few seconds the server stops responding and the load average increased a lot:

977.85 527.55 311.05

On the console I got a lot of this:

maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).

Any good hints/tips on how to avoid this on a production server? I pretend to give SSH to many users and would like to avoid this kind of problems.

Thanks in advance.

 

[SirDice]

AFAIK you can never prevent someone from running a fork bomb. You can however limit the effects by setting the user's limits in such a way a normal user can never take up all the resources.

 

[lme@]

See maxproc in /etc/login.conf and don't forget to run cap_mkdb /etc/login.conf after changing the file.

 

[nbari]

Well in all this time things have been improving.

FreeBSD 9 has now rctl: https://wiki.freebsd.org/Hierarchical_Resource_Limits

I can now prevent fork bombs inside jails using something like this:

[cmd=]rctl -a jail:myJail:maxproc:deny=100[/cmd]

 

[ta0kira]

See maxproc in /etc/login.conf and don't forget to run cap_mkdb /etc/login.conf after changing the file.

This is probably the best solution. Also, giving the user a lower priority (higher value) should cause those processes to run more slowly. I set

maxproc=64

and

priority=10

for "questionable" accounts, and the system CPU usage jumps by about 3% for a few seconds with the bash fork bomb, then goes back to normal. It takes about 5 seconds to completely die off.
Kevin Barry

PS In fact, it's a good policy to go through everything in /etc/login.conf and make restrictions where you can. I limit everything for normal user accounts, even my own. Eventually I plan to limit all processes that run in multiuser mode, but I haven't gotten around to figuring out the appropriate settings.

 

[nbari]

Remember this is for limiting resources to the full jail, not per user.

/etc/login.conf works perfectly when you want to limit resources only to local users, but the root user in the jail can still make a fork bomb and crash the host server, that is why using (on the host server) # rctl -a jail:myJail:maxproc:deny=100.

It applies the limits to the full jail, so that you can give root access to "untrusted" clients and be "safe" that the server will still be alive.

For this you have to recompile the kernel with the following options:

options RACCT
options RCTL

More info on rctl can be found here: http://www.manualpages.de/FreeBSD/FreeBSD-9.0-RELEASE/man8/rctl.8.html

 

[fluca1978]

maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).


Any good hints/tips on how to avoid this on a production server ?

Reading tuning(7) and login.conf(5) as suggested?

 

[Markand]

Reading tuning(7) and login.conf(5) as suggested?

I think since 2009 he finally found a solution.

 

[ta0kira]

I think since 2009 he finally found a solution

The original poster is the one who revived the thread.

 

[nbari]

I think since 2009 he finally found a solution

Right, freebsd FreeBSD 9 and rctl helped me tackle this issue.

 

[nbari]

To test with FreeBSD >9 and clang, on a file called code.c put this:

#include <stdio.h>
int main() { while(1) fork(); }

And compile using # clang code.c or in Python create a file fork_bomb.py with:

import os
while True:
    os.fork()

Run using # python fork_bomb.py.