lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 2 Sep 2007 04:52:21 -0400 From: Kyle Moffett <mrmacman_g4@....com> To: Chris Snook <csnook@...hat.com> Cc: Anand Jahagirdar <anandjigar@...il.com>, Simon Arlott <simon@...e.lp0.eu>, Krzysztof Halasa <khc@...waw.pl>, linux-kernel@...r.kernel.org Subject: Re: Fork Bombing Patch On Aug 29, 2007, at 09:49:01, Chris Snook wrote: >> Like this there are many cases..(actually these cases has already >> been discussed On LKML 2 months before in my thread named "fork >> bombing >> attack"). in all these cases this printk helps adminstrator a lot. > > What exactly does this patch help the administrator do? If a box > is thrashing, you still have sysrq. You can also use cpusets and > taskset to put your root login session on a dedicated processor, > which is getting to be pretty cheap on modern many-core, many- > thread systems. Group scheduling is in the oven, which will allow > you to prioritize classes of users in a more general manner, even > on UP systems. I've also set up systems where there is a carefully rate-limited SCHED_RR 98 ssh process (NIC interrupt thread is SCHED_RR 99) behind an additional set of rate-limiting rules in IPtables. Basically, no matter what somebody is doing to the workstation, even if I let them create as many processes as they want or get the box completely into a swap storm, I can "ssh -p 222 root@...e.box". Once it connects I type in two passwords through a custom PAM plugin and then have my login script touch /etc/nologin and send SIGSTOP to every The resource consumption issue is immediately over and I can go about kicking the user and filling out all the icky paperwork. Cheers, Kyle Moffett - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists