ServerTune


Limit the resources for a specific user

Pluggable Authentication Modules (PAM) is included with the vast majority of Linux distributions, including CentOS, Fedora Core and Red Hat.

On Red Hat and Mandrake systems two directories matter here: /etc/pam.d/ and /etc/security/. /etc/pam.d/ holds the per-service PAM configuration (one file per service such as login or sshd, listing which modules run for that service); the modules themselves live under /lib/security/ (or /lib64/security/). /etc/security/ holds the configuration files read by some of those modules. This article only covers /etc/security/limits.conf, which is read by the pam_limits module; to learn more about PAM in general, read the Linux-PAM documentation.

In certain kinds of attacks the attacker doesn't try to gain access, but instead to break a certain part of your OS. Often this is done so that the attacker's machine can impersonate yours, either to hide his identity or to break into machines that trust your computer. An attack whose primary aim is to disrupt operation of the target host is known as a Denial of Service (DoS) attack.

You can protect against certain types of denial of service attack by editing /etc/security/limits.conf. This file sets per-user (or per-group) limits on system resources, which pam_limits applies when a session is opened. Since several major daemons, including the web, name and FTP servers, run as a dedicated user, limiting that user keeps a resource-exhaustion attack against the daemon (a fork bomb, a runaway file) from crippling the entire machine, and many local DoS attacks are defeated the same way. Keep in mind that the limits are applied only to sessions that pass through a PAM service stack containing pam_limits (login, sshd, su, cron and so on). A daemon started directly by init at boot does not open a PAM session, so its limits must be set by whatever starts it, for example with ulimit in its init script.

Now let's view /etc/security/limits.conf. The comment block at the top documents the format:

#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
#
#<domain> <type> <item> <value>
#
#

#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4

For example, suppose you want to limit the number of processes a user may run, as well as the maximum size of any file a user may create.

First, add these lines to restrict each user to the number of processes given here (the soft limit is what a new session starts with and the user may raise it, but never above the hard limit):

	# Limit user processes
	*   soft    nproc   100
	*   hard    nproc   150

Look at the comment block at the beginning of /etc/security/limits.conf for what each field means. Now add a last line to stop users from creating any file over 40 megabytes (fsize is given in kilobytes, so 40000 KB is roughly 39 MB). Note that the file also accepts a type of -, which applies the value as both the soft and the hard limit, as in the #@student - maxlogins 4 example above.

	# limits size of any one of a user's files (KB)
	*     hard    fsize   40000
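The following shell helper is an added example, not part of the original article, for checking a limits.conf before relying on it. It lints each entry for the four-field format pam_limits expects (a line with a missing item, such as one that leaves out fsize, is silently ignored by pam_limits, so the limit never takes effect), and it computes the effective limit for a given user and group list using the precedence pam_limits applies: a user-specific entry beats a matching @group entry, which beats the * default; among entries of equal precedence the last one in the file wins; a type of - sets both soft and hard. The sample file contents and the user and group names (alice, bob, student, users) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed sample of
# /etc/security/limits.conf entries, embedded so the script runs offline.
sample_limits() {
  cat <<'EOF'
# Limit user processes
*         soft    nproc      100
*         hard    nproc      150
@student  hard    nproc      20
@student  -       maxlogins  4
ftp       hard    nproc      0
# limits size of any one of a user's files (KB)
*         hard    fsize      40000
EOF
}

# Report malformed entries read from stdin. pam_limits expects exactly four
# fields (domain type item value) and a type of soft, hard or -.
# Returns 1 if any line is malformed, 0 otherwise.
lint_limits() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    NF != 4 {
      printf "line %d: expected 4 fields, got %d: %s\n", NR, NF, $0
      bad = 1; next
    }
    $2 !~ /^(soft|hard|-)$/ {
      printf "line %d: unknown type \"%s\"\n", NR, $2
      bad = 1
    }
    END { exit bad }
  '
}

# Print the effective limit for USER (a member of the space-separated GROUPS)
# for the given TYPE (soft|hard) and ITEM, reading limits.conf from stdin.
# Precedence follows pam_limits: user entry > @group entry > * default; among
# entries of equal precedence the last one in the file wins. Prints nothing
# if no entry applies (the inherited/kernel default then stays in force).
# usage: effective_limit USER "GROUP1 GROUP2" soft|hard ITEM < limits.conf
effective_limit() {
  awk -v user="$1" -v groups="$2" -v want="$3" -v item="$4" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingroup[g[i]] = 1 }
    /^[ \t]*(#|$)/ || NF < 4 { next }       # comments, blanks, malformed lines
    $3 != item { next }
    $2 != want && $2 != "-" { next }        # "-" sets both soft and hard
    {
      rank = 0
      if ($1 == "*") rank = 1
      else if (substr($1, 1, 1) == "@" && ingroup[substr($1, 2)]) rank = 2
      else if ($1 == user) rank = 3
      # equal or higher precedence overrides what was seen so far
      if (rank > 0 && rank >= best) { best = rank; val = $4 }
    }
    END { if (best > 0) print val }
  '
}

# Stand-alone demo: lint the sample, then show what a member of @student gets.
sample_limits | lint_limits
for item in nproc fsize maxlogins; do
  printf '%-10s soft=%-6s hard=%s\n' "$item" \
    "$(sample_limits | effective_limit bob student soft "$item")" \
    "$(sample_limits | effective_limit bob student hard "$item")"
done
```

After editing the real file, confirm the result from a fresh login rather than from the shell you edited in, since pam_limits applies the values when the session opens: ulimit -Hu and ulimit -Hf in the new session should report the new hard limits, and ulimit -Su the soft one.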