RELENG_4 on flash disk and swap

Dmitry Pryanishnikov dmitry at
Sat Mar 11 02:05:57 UTC 2006


On Fri, 10 Mar 2006, Michael Proto wrote:
> My suggestion would then be to utilize resource limits in
> /etc/login.conf for the sshd user (in your example) or other user
> accounts for applications that you don't want running out of control.
> See login.conf(5) and login_cap(3) for more details on this. In
> particular, the datasize, stacksize, memoryuse, and vmemoryuse options
> may be of benefit.

  OK, I'm aware about this measure. But have your tried it yourself against,
e.g., OpenSSH? I doubt it. Look at the following:

dmitry at test$ ps axu |grep ssh
root   20213  0.0  1.3 54724  3356  ??  Is    4:00PM   0:00.10 sshd: dmitry
dmitry 20216  0.0  1.3 54724  3356  ??  I     4:00PM   0:00.03 sshd:
 								dmitry at tty
root   20229  0.0  1.3 54724  3356  ??  Ss    4:00PM   0:00.10 sshd: dmitry
dmitry 20232  0.0  1.3 54724  3356  ??  S     4:00PM   0:00.03 sshd:
 								dmitry at tty

It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
one of them root's and another user's. SSH.COM's sshd always works as a root.
Also, during the DoS attack (simultaneous setup of many incoming TCP 
connections to 22th port) there will be many root's processes like this:

root   20278  0.0  1.1 52016  2884  ??  Is    4:07PM   0:00.04 sshd:

Do you really advise to lower root's limits? I'm sure you don't ;)

Sincerely, Dmitry
Atlantis ISP, System Administrator
e-mail:  dmitry at
nic-hdl: LYNX-RIPE

More information about the freebsd-stable mailing list