Linux /etc/security/limits.conf CPU limit issue

Linux Security: Securing PAM
PAM: Not cooking spray

PAM stands for Pluggable Authentication Modules. Most distros ship with PAM, and many of the base programs (su, login, etc.) come with PAM support already enabled. On Red Hat and Mandrake systems you have two directories, "/etc/pam.d/" and "/etc/security/": /etc/pam.d/ is where the modules are located, and /etc/security/ is where the configuration files for some of these modules live. I'm only going to touch on /etc/security/limits.conf here; to learn more about PAM, I suggest you read up on it at http://www.us.kernel.org/pub/linux/libs/pam/ .

In certain kinds of attacks, the attacker doesn't attempt to gain access, but instead tries to break a certain part of your computer's operation. Often this is done so that the attacker's machine can impersonate yours, either to hide his identity or to break into machines that trust your computer. When an attack is primarily intended to disrupt the operation of the target host, it is known as a Denial of Service, or DoS, attack.

You can protect against certain types of denial of service attacks by modifying /etc/security/limits.conf. This file sets limits on system resources for each user. Since several major daemons, including the web, name and ftp servers, may run as a particular user, this has the effect of stopping many attacks against those applications from crippling the entire machine. Further, many local DoS attacks should be defeated by this measure.

Now let's open /etc/security/limits.conf...

You'll see something like this:


# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file

Now what we're going to do is limit how many processes a user may run, and also limit the maximum size of any file a user may create.

First, add these lines to restrict each user to the number of processes given here:


# Limit user processes
* soft nproc 100
* hard nproc 150



Refer to the comment header at the beginning of /etc/security/limits.conf (shown above) for what each field means.

Now add the last line, which prevents users from creating any file larger than about 40 MB (the fsize item is measured in KB):


# limit the size of any one of a user's files (KB)
*     hard    fsize    40000



And that's about it. I didn't go into great detail on how everything works, because I didn't want to confuse or mislead you. See the link to the official PAM homepage at the top of the page.
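As an added example (not part of the original article), here is a small Python checker for the limits.conf format described above: it validates each line against the <domain> <type> <item> <value> layout and reports entries such as a line that is missing its item, then resolves the limits that would apply to a given user. The precedence it assumes (a user line beats an @group line, which beats the * default, and within one level the later line wins) is a simplification of pam_limits, and the sample file is constructed.

```python
import re
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}
TYPES = {"soft", "hard", "-"}  # "-" sets both soft and hard

# Constructed sample: the text's additions, group/user overrides, and a line missing <item>.
SAMPLE = """\
# Limit user processes
* soft nproc 100
* hard nproc 150
@student hard nproc 20
alice hard nproc 300
* hard fsize 40000
* hard 40000
"""

def parse_limits(text):
    """Return (entries, errors); an entry is (lineno, domain, type, item, value)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            errors.append((lineno, "expected <domain> <type> <item> <value>"))
        elif fields[1] not in TYPES:
            errors.append((lineno, f"unknown type {fields[1]!r}"))
        elif fields[2] not in ITEMS:
            errors.append((lineno, f"unknown item {fields[2]!r}"))
        elif fields[3] != "unlimited" and not re.fullmatch(r"-?\d+", fields[3]):
            errors.append((lineno, f"bad value {fields[3]!r}"))
        else:
            entries.append((lineno, *fields))
    return entries, errors

def effective_limits(entries, user, groups):
    """Resolve limits for `user` (member of `groups`). Assumed precedence:
    user line > @group line > '*'; within a level the later line wins."""
    rank, result = {}, {}
    for _, domain, ltype, item, value in entries:
        r = (0 if domain == user else
             1 if domain.startswith("@") and domain[1:] in groups else
             2 if domain == "*" else None)
        if r is None:
            continue
        for t in ("soft", "hard") if ltype == "-" else (ltype,):
            if r <= rank.get((item, t), 3):
                rank[(item, t)], result[(item, t)] = r, value
    return result
```

Run `parse_limits` over your own file before reloading PAM: a line with a missing item silently does nothing, as the last sample line shows.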
