israel.garcia at cimex.com.cu wrote:
> Hi again, I was reading from the net
> http://www.kriptopolis.org/node/4067 about a forkbomb and ran it from a
> root console in a non-critical machine running CentOS4.4 and the server
> goes down... the command I ran was :(){ :|:& };:
>
> Please, does anyone know how to avoid this on CentOS?
>

Don't allow malicious users to have root access. In fact, don't allow malicious users to have ANY shell access to your servers.
On 4/24/07, israel.garcia at cimex.com.cu <israel.garcia at cimex.com.cu> wrote:
> Hi again, I was reading from the net
> http://www.kriptopolis.org/node/4067 about a forkbomb and ran it from a
> root console in a non-critical machine running CentOS4.4 and the server
> goes down... the command I ran was :(){ :|:& };:
>
> Please, does anyone know how to avoid this on CentOS?

Sure. Set process limits on your users. Check out /etc/security/limits.conf and salt the values to taste.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
mike.redan at bell.ca
2007-Apr-24 18:55 UTC
[CentOS] Regarding fork bomb in a CentOS 4.4 Server!
A quicker way to take down a machine is this:

# dd if=/dev/random of=/dev/port bs=1M count=2

Should take a little less than a second to kernel panic your machine.

As Jim mentioned, have a look at limits.conf to help fix your fork bomb problem...just don't set it too low!!

(if someone has root access, they have *several* ways to take down your machine, including 'reboot', and 'shutdown'...)

Cheers,
Mike

> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of
> israel.garcia at cimex.com.cu
> Sent: April 24, 2007 3:26 PM
> To: centos at centos.org
> Subject: [CentOS] Regarding fork bomb in a CentOS 4.4 Server!
>
>
> Hi again, I was reading from the net
> http://www.kriptopolis.org/node/4067 about a forkbomb and ran
> it from a root console in a non-critical machine running
> CentOS4.4 and the server goes down... the command I ran was
> :(){ :|:& };:
>
> Please, does anyone know how to avoid this on CentOS?
>
> regards,
> Israel
israel.garcia at cimex.com.cu wrote:
> Hi again, I was reading from the net
> http://www.kriptopolis.org/node/4067 about a forkbomb and ran it from a
> root console in a non-critical machine running CentOS4.4 and the server
> goes down... the command I ran was :(){ :|:& };:
>
> Please, does anyone know how to avoid this on CentOS?
>

If you don't want to be able to use all your resources, use 'ulimit' commands in /etc/profile to control the limits.

--
Les Mikesell
lesmikesell at gmail.com
On Apr 24, 2007, at 12:25 PM, <israel.garcia at cimex.com.cu> wrote:
> Hi again, I was reading from the net
> http://www.kriptopolis.org/node/4067 about a forkbomb and ran it from a
> root console in a non-critical machine running CentOS4.4 and the server
> goes down... the command I ran was :(){ :|:& };:
>
> Please, does anyone know how to avoid this on CentOS?

Easy: don't forkbomb your own system as root.

First, understand that it didn't "go down". The system was working as designed. There's a limit to the number of processes that can be running, and you exhausted it. No new processes could start, so you couldn't log in again, or even use any functionality not built into the shell (ps, etc). Besides that, the load was quite high from many processes trying to fork as fast as they possibly could (even though all those fork() calls were failing with EAGAIN), so the system was slow.

Since you were sitting at the shell that caused the problem, you could have hit ctrl-Z to suspend the first forkbomb subshell, then "kill -9 0" (a bash builtin) to kill the entire process group, and it would recover. Likewise if you happened to know the pid of the process group leader, "kill -9 -PID" would work. Or if you have a root shell running with a lot of builtin utilities (like BusyBox), you could use those to find the offending process group. Otherwise, you're screwed.

It's possible to prevent unprivileged users from hogging all of the system resources (processes running, RAM, whatever) through the ulimit facility. But Linux (unlike other Unix systems) does not honor root's process limit. [1] Even if it did apply, hitting that artificially lower limit would still mean you couldn't fork() as root, so killing root processes would still be tricky - probably impossible without setup work.

So basically, you can prevent unprivileged users from doing this but not root. That matches the Unix philosophy - root's supposed to know what he's doing:

"UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things." - Doug Gwyn

Cheers,
Scott

[1] - <http://groups.google.com/group/mlist.linux.kernel/browse_thread/thread/f771d3d01478babb>. More precisely, it's controlled by capability bits. In general, root has those bits set and other users don't.

--
Scott Lamb <http://www.slamb.org/>
israel.garcia at cimex.com.cu
2007-Apr-24 19:25 UTC
[CentOS] Regarding fork bomb in a CentOS 4.4 Server!
Hi again, I was reading from the net http://www.kriptopolis.org/node/4067 about a forkbomb and ran it from a root console in a non-critical machine running CentOS4.4 and the server goes down... the command I ran was :(){ :|:& };:

Please, does anyone know how to avoid this on CentOS?

regards,
Israel
israel.garcia at cimex.com.cu
2007-Apr-24 20:15 UTC
[CentOS] Regarding fork bomb in a CentOS 4.4 Server!
Mike, I know if someone has root access to my server I'm dead! But in this case a non-root user can take down your server if he just runs :(){ :|:& };:

ulimit -u gives this:

[israel at node1 ~]$ ulimit -u
3072

So, I changed /etc/security/limits.conf and added these lines to limit users to 100 processes:

* soft nproc 100
* hard nproc 100

Now:

[israel at node1 ~]$ ulimit -u
100

And a non-root user CAN NOT take down your server..

My last question is: why is CentOS not configured by default to avoid these known things?

Regards;
Israel

>A quicker way to take down a machine is this:
>
># dd if=/dev/random of=/dev/port bs=1M count=2
>
>Should take a little less than a second to kernel panic your machine.
>
>As Jim mentioned, have a look at limits.conf to help fix your fork bomb
>problem...just don't set it too low!!
>
>(if someone has root access, they have *several* ways to take down your
>machine, including 'reboot', and 'shutdown'...)
>
>Cheers,
>Mike
>
>> -----Original Message-----
>> From: centos-bounces at centos.org
>> [mailto:centos-bounces at centos.org] On Behalf Of
>> israel.garcia at cimex.com.cu
>> Sent: April 24, 2007 3:26 PM
>> To: centos at centos.org
>> Subject: [CentOS] Regarding fork bomb in a CentOS 4.4 Server!
>>
>>
>> Hi again, I was reading from the net
>> http://www.kriptopolis.org/node/4067 about a forkbomb and ran
>> it from a root console in a non-critical machine running
>> CentOS4.4 and the server goes down... the command I ran was
>> :(){ :|:& };:
>>
>> Please, does anyone know how to avoid this on CentOS?
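
Added example, not part of the thread: a small audit that reads a limits.conf-style file and reports which accounts actually end up with a hard nproc cap, which is the setting the replies above recommend. The function names and the `backup` and `dev` accounts are hypothetical; it assumes an explicit user line overrides the `*` wildcard and it ignores `@group` lines.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a limits.conf-style file and
# reports the nproc cap a login would get. @group entries are ignored.

# nproc_limit FILE USER TYPE: print the value for TYPE (soft|hard) or "unset"
nproc_limit() {
    awk -v user="$2" -v want="$3" '
        { sub(/#.*/, "") }                 # strip comments
        NF != 4 || $3 != "nproc" { next }  # keep complete nproc entries only
        $2 != want && $2 != "-"  { next }  # type "-" sets both soft and hard
        $1 == user { exact = $4 }          # explicit user entry wins
        $1 == "*"  { wild = $4 }           # wildcard default
        END {
            if (exact != "")     print exact
            else if (wild != "") print wild
            else                 print "unset"
        }' "$1"
}

# nproc_audit FILE USER: one-line verdict; status 0 only when a hard cap applies
nproc_audit() {
    if [ "$2" = root ]; then
        # Per the thread: Linux does not honor root's process limit.
        echo "root: exempt, a cap would not be enforced"; return 1
    fi
    hard=$(nproc_limit "$1" "$2" hard)
    case $hard in
        unset|unlimited|infinity|-1) echo "$2: no hard cap"; return 1 ;;
        *) echo "$2: hard cap $hard"; return 0 ;;
    esac
}

# Constructed sample; the two "*" lines are the ones posted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
# <domain> <type> <item> <value>
*       soft  nproc  100
*       hard  nproc  100
backup  -     nproc  400   # hypothetical service account
dev     soft  nproc  50    # hypothetical user with a soft-only override
EOF
}

sample=$(mktemp)
write_sample "$sample"
for u in israel backup dev root; do nproc_audit "$sample" "$u" || :; done
rm -f "$sample"
```

A soft-only override such as the `dev` line lowers the default but still leaves the wildcard hard cap in force, since a user can raise a soft limit up to the hard one with `ulimit -u`.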