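CPU limit question about /etc/security/limits.conf
What does the format look like?
What number would 50% of my P1.8G be?
I searched Google for a whole day and still could not find it.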
Comments (7)
http://www.userlocal.com/security/secpam.php
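It seems there is no way to limit CPU usage. However, you can limit the priority of the user's processes to achieve a similar effect.
I just found out a little: the number seems to be around 4000,
that is, ulimit -t 4000
limits the CPU fairly well. However, every time I log out and log back in,
ulimit -a shows that the CPU is unlimited again.
I used /etc/security/limits.conf
and it does not seem to have any effect at all. I have already written into /etc/pam.d/login
seesion required pam_limits.so
and I have also rebooted.
You can put ulimit -t in the user's profile.
I have never written a limits.conf either.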
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.12
You can refer to this.
OK, thanks for now, sakulagi.
How do you limit it?
You two experts, this is a good topic.
Linux Security: Securing PAM
PAM: Not the cooking spray
PAM stands for Pluggable Authentication Modules. Most distros come with PAM and a lot of the base programs (su, login, etc.) come already enabled with PAM support. On Redhat and Mandrake systems you have two directories on your system, "/etc/pam.d/" and "/etc/security/". /etc/pam.d/ is where the modules are located; /etc/security/ is where some of the configuration files for some of these modules are. I'm only gonna touch on /etc/security/limits.conf in this; to learn further about PAM I suggest you read up on it at http://www.us.kernel.org/pub/linux/libs/pam/ .
In certain kinds of attacks, the attacker doesn't attempt to gain access, but instead to break a certain part of your computer's operation. Often, this will be used so that the attacker can make his computer impersonate yours, for the purpose of hiding his identity or breaking into machines that trust your computer. When an attack is primarily intended to disrupt operation of the target host, it is known as a Denial of Service, or DoS, attack.
You can protect against certain types of denial of service attacks by modifying /etc/security/limits.conf. This file sets limits on system resources for each user. Since several major daemons, including the web, name and ftp servers, may run as a particular user, this has the effect of stopping many attacks against these applications from crippling the entire machine. Further, many local DoS attacks should be defeated by this action.
Now let's open /etc/security/limits.conf...
You'll see something like this:
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit
# - maxlogins - max number of logins for this user
# - priority - the priority to run user process with
#
#
#
#<domain> <type> <item> <value>
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
Now what we're gonna do is limit how many processes a user may have/run, as well as limit the maximum size of a file a user may have.
First we add these lines to restrict user processes to a specified amount given here.
# Limit user processes
* soft nproc 100
* hard nproc 150
Look above at the beginning of /etc/security/limits.conf as to what this means.
Now we add the last line to restrict users from having a file over 40 megs in size.
# limits size of any one of users' files
* hard fsize 40000
And that's about it, I didn't touch a great deal on how everything works, because I didn't want to confuse or mislead you. See the link to the official PAM homepage at the top of the page.
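The entry format from the pasted file header above, as an added example that is not part of the thread or of the quoted article: a small Python check that validates `<domain> <type> <item> <value>` lines against the types and items listed there, and converts a `cpu` value (minutes in limits.conf) to the seconds that `ulimit -t` works in. The function names and the sample lines are constructed for illustration, and only numeric values are accepted, as in the page's own entries.

```python
import re

# Types and items as listed in the limits.conf header quoted on this page
# ("-" is the type used by the page's "@student - maxlogins 4" line).
TYPES = {"soft", "hard", "-"}
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}

# Constructed sample: entries in the page's style, a cpu entry, and one
# malformed line whose <item> field is missing.
SAMPLE = """\
# Limit user processes
* soft nproc 100
* hard nproc 150
@student - maxlogins 4
* hard cpu 60
* hard 40000
"""

def parse_limits(text):
    """Return (entries, errors); errors are (line_no, reason) tuples."""
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            errors.append((no, "expected 4 fields, got %d" % len(fields)))
            continue
        domain, ltype, item, value = fields
        if ltype not in TYPES:
            errors.append((no, "unknown type %r" % ltype))
        elif item not in ITEMS:
            errors.append((no, "unknown item %r" % item))
        elif not re.fullmatch(r"-?\d+", value):
            errors.append((no, "non-numeric value %r" % value))
        else:
            entries.append((domain, ltype, item, int(value)))
    return entries, errors

def cpu_seconds(entries, domain="*"):
    """limits.conf cpu is in minutes; `ulimit -t` shows the limit in seconds."""
    return {t: v * 60 for d, t, i, v in entries if d == domain and i == "cpu"}

if __name__ == "__main__":
    entries, errors = parse_limits(SAMPLE)
    print(entries, errors, cpu_seconds(entries))
```

The `cpu` item caps the total CPU time a process may consume, so it is a time budget and not a percentage of the processor.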
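I tried several times putting ulimit -t into the profile, but it had no effect.
Thinking about it, that makes sense, because it is a bash builtin command. Without bash, it will not be executed.
There is another strange thing: a /command has suddenly appeared on my system.
I don't know where it came from. It shouldn't have come from installing webmin or usermin, should it?
But which program would create /command?
Could it be that I've got a trojan?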