RELENG_4 on flash disk and swap
Dmitry Pryanishnikov
dmitry at atlantis.dp.ua
Sat Mar 11 02:05:57 UTC 2006
Hello!
On Fri, 10 Mar 2006, Michael Proto wrote:
> My suggestion would then be to utilize resource limits in
> /etc/login.conf for the sshd user (in your example) or other user
> accounts for applications that you don't want running out of control.
> See login.conf(5) and login_cap(3) for more details on this. In
> particular, the datasize, stacksize, memoryuse, and vmemoryuse options
> may be of benefit.
OK, I'm aware of this measure. But have you tried it yourself against,
e.g., OpenSSH? I doubt it. Look at the following:
dmitry at test$ ps axu |grep ssh
root 20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20216 0.0 1.3 54724 3356 ?? I 4:00PM 0:00.03 sshd: dmitry at tty
root 20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20232 0.0 1.3 54724 3356 ?? S 4:00PM 0:00.03 sshd: dmitry at tty
It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
one of them root's and the other the user's. SSH.COM's sshd always works as root.
Also, during a DoS attack (simultaneous setup of many incoming TCP
connections to port 22) there will be many root processes like this:
root 20278 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
Do you really advise lowering root's limits? I'm sure you don't ;)
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
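
Added example, not part of the original message: a shell/awk tally of sshd processes by owner and privilege-separation role, showing how few of them a non-root login class in login.conf would actually cover. The sample listing is constructed from the output quoted above (tty names and the second [accepted] line are made up); the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in `ps axu` column order:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND...
sample_ps() {
cat <<'EOF'
root   20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20216 0.0 1.3 54724 3356 ?? I  4:00PM 0:00.03 sshd: dmitry@ttyp0
root   20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20232 0.0 1.3 54724 3356 ?? S  4:00PM 0:00.03 sshd: dmitry@ttyp1
root   20278 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
root   20279 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
EOF
}

# Read ps lines on stdin; print "owner role count total_rss_kb" per group.
#   preauth = connection accepted, not yet authenticated (runs as root)
#   monitor = privileged half of an authenticated session (runs as root)
#   session = unprivileged half, owned by the logged-in user
classify_sshd() {
    awk '
    $11 == "sshd:" {
        role = "session"
        if ($NF == "[accepted]") role = "preauth"
        else if ($NF == "[priv]") role = "monitor"
        key = $1 " " role
        n[key]++
        rss[key] += $6          # RSS column, in KB
    }
    END { for (k in n) printf "%s %d %d\n", k, n[k], rss[k] }' | sort
}

# Count sshd processes owned by root ("root") or by anyone else ("nonroot").
# Only the nonroot ones fall under a per-user login class.
count_by_owner() {
    classify_sshd | awk -v want="$1" '
        { if (($1 == "root") == (want == "root")) c += $3 }
        END { print c + 0 }'
}

sample_ps | classify_sshd
echo "root-owned: $(sample_ps | count_by_owner root)," \
     "user-owned: $(sample_ps | count_by_owner nonroot)"
```

On a live system, feed it `ps axu` instead of `sample_ps`; every preauth and monitor row is owned by root and so is outside any limit set on the user's class.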