Date: Fri, 10 Mar 2006 16:08:57 +0200 (EET)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Michael Proto <mike@jellydonut.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: RELENG_4 on flash disk and swap
Message-ID: <20060310155404.A40396@atlantis.atlantis.dp.ua>
In-Reply-To: <441178F8.1070503@jellydonut.org>
References: <441178F8.1070503@jellydonut.org>

Hello!

On Fri, 10 Mar 2006, Michael Proto wrote:

> My suggestion would then be to utilize resource limits in
> /etc/login.conf for the sshd user (in your example) or other user
> accounts for applications that you don't want running out of control.
> See login.conf(5) and login_cap(3) for more details on this. In
> particular, the datasize, stacksize, memoryuse, and vmemoryuse options
> may be of benefit.

OK, I'm aware of this measure. But have you tried it yourself against,
e.g., OpenSSH? I doubt it. Look at the following:

dmitry@test$ ps axu |grep ssh
root    20213  0.0  1.3 54724 3356  ??  Is    4:00PM   0:00.10 sshd: dmitry [priv]
dmitry  20216  0.0  1.3 54724 3356  ??  I     4:00PM   0:00.03 sshd: dmitry@tty
root    20229  0.0  1.3 54724 3356  ??  Ss    4:00PM   0:00.10 sshd: dmitry [priv]
dmitry  20232  0.0  1.3 54724 3356  ??  S     4:00PM   0:00.03 sshd: dmitry@tty

It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
one of them root's and another user's. SSH.COM's sshd always works as
root. Also, during the DoS attack (simultaneous setup of many incoming
TCP connections to 22nd port) there will be many root's processes like this:

root    20278  0.0  1.1 52016 2884  ??  Is    4:07PM   0:00.04 sshd: [accepted]

Do you really advise to lower root's limits? I'm sure you don't ;)

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
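
Added example, not part of the original message: a small Python script that groups the ps lines quoted above by owner and role and totals their resident memory, showing how much of sshd's footprint sits in root-owned processes, the ones the message says could only be limited by lowering root's limits. The role names and function names are this example's own.

```python
import re
from collections import defaultdict

# ps lines copied from the message above (column spacing normalised).
SAMPLE_PS = """\
root   20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20216 0.0 1.3 54724 3356 ?? I  4:00PM 0:00.03 sshd: dmitry@tty
root   20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
dmitry 20232 0.0 1.3 54724 3356 ?? S  4:00PM 0:00.03 sshd: dmitry@tty
root   20278 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
"""

def classify(title):
    """Map an sshd process title to a role (role names are this example's own)."""
    if title == "sshd: [accepted]":
        return "preauth"   # connection accepted, no user authenticated yet
    if title.endswith("[priv]"):
        return "monitor"   # root-owned half of an authenticated session
    if re.fullmatch(r"sshd: \S+@\S+", title):
        return "session"   # user-owned half of the session
    return "other"

def summarize(ps_text):
    """Return {(owner, role): {"count": n, "rss_kb": total}} for sshd processes."""
    summary = defaultdict(lambda: {"count": 0, "rss_kb": 0})
    for line in ps_text.splitlines():
        # Columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[10].startswith("sshd:"):
            continue       # header line, the grep itself, unrelated processes
        entry = summary[(fields[0], classify(fields[10].strip()))]
        entry["count"] += 1
        entry["rss_kb"] += int(fields[5])
    return dict(summary)

def root_owned_rss_kb(summary):
    """Total RSS of sshd processes that run as root."""
    return sum(v["rss_kb"] for (owner, _), v in summary.items() if owner == "root")

if __name__ == "__main__":
    result = summarize(SAMPLE_PS)
    for (owner, role), v in sorted(result.items()):
        print(f"{owner:8} {role:8} count={v['count']} rss={v['rss_kb']} KB")
    print("root-owned sshd RSS:", root_owned_rss_kb(result), "KB")
```

On a live system the same functions can be fed the output of `ps axu` instead of the embedded sample.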