Wednesday, August 26, 2009

Why edit limits.conf ?

Edit /etc/security/limits.conf and add the following lines:
--------------------------------------------------------------------------------------
* soft nofile 4096
* hard nofile 65536
* soft nproc 2047
* hard nproc 16384

/etc/security/limits.conf:

Controlling resource usage can be very effective when trying to prevent a local Denial of
Service or restricting the maximum allowed logins for a group or user. However, too strict
settings will impede on your system's behavior and will result in program failures so make
sure that you check each setting first.

/etc/limits is very similar to the limit file /etc/security/limits.conf. The only difference is the
format and that it only works on users or wild cards (not groups). Let's have a look at a
sample configuration:

Here we set the default settings and a specific setting for the user kn. Limits are part of the
sys-apps/shadow package. It is not necessary to set any limits in this file if you have enabled
pam in /etc/make.conf.

You can protect against certain types of denial of service attacks by modifying
/etc/security/limits.conf. This file sets limits on system resources for each user. Since several
major daemons, including the web, name and ftp servers, may run as a particular user, this
has the effect of stopping many attacks against these applications from crippling the entire
machine. Further, many local DoS attacks should be defeated by this action.
Now lets open /etc/security/limits.conf...


Now what we're gonna do is limit how many processes a user may have/run, as well as limit
the maxium size of a file a user may have.

First we add these lines to restrict user processes to a specified amount given here.
# Limit user processes
* soft nproc 2047
* hard nproc 16384

Look above for at the beginning of /etc/security/limits.conf as to what this means.
Now we add the last line to restrict users from having a file over 40 megs in size.
# limits size of any one of users' files" /etc/security/limits.conf
* soft nofile 4096
* hard nofile 65536

Contributed by: Varun,Kalyan and Vinay

No comments:

Post a Comment