This is a discussion on "where to set global ulimit ?" within the Slackware Linux Support forums, part of the Unix Operating Systems category.

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 7168
virtual memory (kbytes, -v) unlimited

Is what I currently have. But where can I configure it systemwide so users can't DoS my server with lots of memusage/processes? And do you have recommended settings? And will this also influence running services? It's a system with 1G of RAM and about 20 users and a webserver and a gameserver.

Thanks in advance,
spacey

On Tue, 20 Apr 2004 10:06:48 +0200, spacey wrote:

[ Snip, standard (mostly) unlimited settings. ]

> Is what I currently have. But where can I configure it systemwide

First, have a read through "man limits", "man getrlimit" and "man proc".
After that edit:

/etc/limits

> so users can't DoS my server with lots of memusage/processes.

Well, they can probably still flood your logs.
Fill up /tmp and/or /var/tmp with junk, etc.

file:///etc/rc.d/rc.M
file:///usr/doc/Linux-HOWTOs/Quota

SYN flood your webserver (over loopback), stuff like that ...

sysctl -w fs.file-max=1000000
sysctl -w net.ipv4.tcp_syncookies=1

> And do you have recommended settings?

Not really.

I'd probably set up Linux-VServer (vserver):
http://www.13thfloor.at/vserver/s_release/overview/

Or at least, "chroot" users to a jail; here are two kits:
http://sourceforge.net/projects/jail/
http://olivier.sessink.nl/jailkit/

> And will this also influence running services?

I don't think so. You _can_ have it influence services (network daemons)
on startup. You'd have to edit /etc/rc.d/rc.<service_name> for it:

http://groups.google.nl/groups?threa...94.126.101.124

> It's a system with 1G of RAM and about 20 users and a webserver and a
> gameserver.

I'd strongly consider the "vserver" option mentioned above ...

You might also want to have a look at UML (user mode linux):
http://www.google.nl/groups?selm=pan...0deskt op.lan

And you can of course still "chroot" (and limit) services' resources within
a UML virtual machine; here is a daemon chroot-kit:
http://www.prongs.org/virtfs/

> Thanks in advance,

Hope this helps.

BTW, be sure to test out (ie: 'attack') your own settings!

Have fun.

--
-Menno.

Thanks for your help. I've set /etc/limits but somehow the settings only seem to affect tty logged-in users. Users that log in with ssh do not seem to be affected.

Any idea how this can happen?

Thanks,
spacey

Menno Duursma wrote:
> [ Snip, Menno's previous reply quoted in full. ]

On Tue, 20 Apr 2004 21:54:56 +0200, spacey wrote:

> Menno Duursma wrote:
>> On Tue, 20 Apr 2004 10:06:48 +0200, spacey wrote:

[ Please don't top-post. ]

> Thanks for your help. I've set /etc/limits but somehow the settings only
> seem to affect tty logged-in users.

Yes. It is only parsed by a few programs (notably login). You can edit
/etc/login.defs to set the file size limit for login also. But to do that
for other programs as well, you need in /etc/passwd :

luser:x:1000:100:ulimit=10000:/home/luser:/bin/bash

> Users that log in with ssh do not seem to be affected.

On other distros it uses the PAM limits module ... And well, apparently
that doesn't look in /etc/limits; instead it sets them itself.

> Any idea how this can happen?

Read above. Basically, you need a wrapper to set it, such as PAM ...

But *do* have a look at "lshell" (and read the README carefully):
http://rm-f.net/lshell/

Otherwise, write something yourself for setting it: "man setrlimit".

I'd personally rather run a ulimit on UML under a user account. But that
takes a speed impact, of course.

Thus, IMO the best you can do seems to be: Linux-VServer.

--
-Menno.

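As an added example (not code from the thread), here is the kind of setrlimit(2) wrapper Menno's "write something yourself" suggestion points at: it lowers a few limits for its own process and then execs the command named on its command line, so the limits are inherited by that program and its children. The specific limit values and the function names are constructed for the example.

```c
/* Added example, not code from the thread: a small setrlimit(2) wrapper.
 * It lowers a few per-process limits, then execs the command named on its
 * command line; rlimits survive exec and are inherited by children, so
 * everything started through the wrapper runs under them. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>

/* Lower one limit. An unprivileged process may lower limits but never raise
 * the hard one, so the request is clamped to the current hard limit. */
static int lower_limit(int resource, rlim_t soft, rlim_t hard)
{
    struct rlimit cur, want;
    if (getrlimit(resource, &cur) != 0)
        return -1;
    if (cur.rlim_max != RLIM_INFINITY && hard > cur.rlim_max)
        hard = cur.rlim_max;
    want.rlim_cur = soft > hard ? hard : soft;
    want.rlim_max = hard;
    return setrlimit(resource, &want);
}

/* Constructed policy: no core dumps, at most max_procs processes for this
 * user, at most max_as bytes of address space per process.
 * Returns the number of limits that could not be applied (0 = all set). */
int apply_user_limits(rlim_t max_procs, rlim_t max_as)
{
    int failed = 0;
    if (lower_limit(RLIMIT_CORE, 0, 0) != 0) failed++;
    if (lower_limit(RLIMIT_NPROC, max_procs, max_procs) != 0) failed++;
    if (lower_limit(RLIMIT_AS, max_as, max_as) != 0) failed++;
    return failed;
}

/* Current soft limit of a resource, for checking the result. */
rlim_t soft_limit(int resource)
{
    struct rlimit rl;
    return getrlimit(resource, &rl) == 0 ? rl.rlim_cur : RLIM_INFINITY;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    /* 200 processes and 1 GiB of address space: constructed values. */
    if (apply_user_limits(200, (rlim_t)1 << 30) != 0) { perror("setrlimit"); return 1; }
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```

Run as "./wrapper /bin/sh" and "ulimit -a" in the resulting shell to confirm the lowered limits are inherited.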
spacey <spacey@blaat.com> wrote:

> core file size (blocks, -c) 0
> data seg size (kbytes, -d) unlimited
> file size (blocks, -f) unlimited
> max locked memory (kbytes, -l) unlimited
> max memory size (kbytes, -m) unlimited
> open files (-n) 1024
> pipe size (512 bytes, -p) 8
> stack size (kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> max user processes (-u) 7168
> virtual memory (kbytes, -v) unlimited
>
> Is what I currently have. But where can I configure it systemwide so
> users can't DoS my server with lots of memusage/processes.

Copy /sbin/initscript.sample to /sbin/initscript and put your ulimit
commands there.

Petri Kaukasoina wrote:
> spacey <spacey@blaat.com> wrote:
>
>> [ Snip, ulimit output quoted above. ]
>>
>> Is what I currently have. But where can I configure it systemwide so
>> users can't DoS my server with lots of memusage/processes.
>
> Copy /sbin/initscript.sample to /sbin/initscript and put your ulimit
> commands there.

It does not seem to take effect. Unless you start a program with it.