How to protect Ubuntu from fork bomb
Solution 1:
You can easily limit the amount of processes that can be spawned in Ubuntu and most other Linux distributions by modifying /etc/security/limits.conf
sudoedit /etc/security/limits.conf
Then add this line to the bottom of that file:
* hard nproc nnn
where:
- hard sets the limit at the kernel level so that it cannot be changed without rebooting.
- nproc is the maximum number of processes per user.
- nnn is a number that you should calculate for your system by:
ps aux -L | cut --delimiter=" " --fields=1 | sort | uniq --count | sort --numeric-sort | tail --lines=1
The above command will list all processes for all users including threads, sum them up and list the user name with the largest amount of processes. To be on the safe side, open as many applications as you normally need before running the above command and then double that number for safety.
After this limit is put into place, you'll need to reboot, but it will affect each non-root user on the system. So if a fork bomb is executed by any non-root user it'll have that hard limit.
Group and wildcard limits do not apply to the root user by default. Use the literal username root in the rules if you want to apply a rule to the superuser.
Also, if you're not looking to restart any time soon, you can use sudo ulimit -u 800 which will place the restriction only on the running session but can be easily circumvented by a fork bomb with sudo privileges!
After restart, whatever is in /etc/security/limits.conf will then be used.
Some additional information about fork bombs: They aren't malware or anything dreadful. They typically consist of something as basic as a script that calls itself twice - thereby growing its presence on the machine exponentially. Even though they have a small memory footprint, given the rapid pace at which they multiply, they quickly fill all available RAM and the machine freezes or reboots. The only danger is losing unsaved information. I would classify a fork bomb much more as a prank than malicious software.
An important reminder:
You should rarely ever execute anything in the command line when you aren't 98% certain of its action. If you can't read the commands you're executing - don't do it. This applies double to unreadable chunks of hex/base64 characters, which can be used to obscure all sorts of nastiness. If you're uncertain of a command you can always search for its actions in the Ubuntu Manpages and be extra cautious when using sudo since that will execute as the root user.
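The sizing step and the root caveat from the answer above, as an added example that is not part of the original answer: it derives the "* hard nproc nnn" line from a per-thread user list and reports which hard nproc rule actually covers a given user. The function names and the sample data are constructed for illustration; on a live system the thread list would come from `ps -eLo user=`, and @group rules are not evaluated here.

```bash
#!/bin/sh
# Added example: size and audit the nproc limit described in the answer.

# Read one user name per line (one line per thread) and print
# "<user> <count>" for the user with the most threads.
busiest_user() {
    sort | uniq -c | sort -n | tail -n 1 | awk '{print $2, $1}'
}

# Print the limits.conf line the answer recommends: double the busiest
# user's current count.
suggest_rule() {
    busiest_user | awk '{printf "* hard nproc %d\n", $2 * 2}'
}

# effective_hard_nproc USER  (limits.conf-style text on stdin)
# Prints the hard nproc value that covers USER, or "none".
# Wildcard rules are skipped for root, as the answer notes; a rule that
# names the user takes priority over "*". Type "-" sets soft and hard.
effective_hard_nproc() {
    awk -v user="$1" '
        $1 ~ /^#/ || NF < 4          { next }   # comments, blank lines
        $3 != "nproc"                { next }
        $2 != "hard" && $2 != "-"    { next }
        $1 == user                   { exact = $4 }
        $1 == "*" && user != "root"  { wild = $4 }
        END {
            if (exact != "")     print exact
            else if (wild != "") print wild
            else                 print "none"
        }'
}

# Constructed sample input so the example runs offline.
SAMPLE_THREADS=$(printf '%s\n' alice alice alice alice alice bob bob bob root root)
SAMPLE_LIMITS='# constructed limits.conf excerpt
* hard nproc 800
@dev soft nproc 400'

printf '%s\n' "$SAMPLE_THREADS" | suggest_rule
for u in alice root; do
    printf '%s: %s\n' "$u" "$(printf '%s\n' "$SAMPLE_LIMITS" | effective_hard_nproc "$u")"
done
```

With the sample rules, alice is covered by the wildcard while root reports "none" until a line naming root is added.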