5.15. Put limits on resource

The limits.conf file located under the /etc/security directory can be used to control and limit resources for the users on your system. It is important to set resource limits on all your users so they can't perform denial of service attacks number of processes, amount of memory, etc). These limits will have to be set up for the user when he or she logs in. For example, limits for all users on your system might look like this.

  1. Edit the limits.conf file vi /etc/security/limits.conf and add or change the lines to read:
               *	hard	core		0
                   *	hard	rss		5000
                   *	hard	nproc	20
    This says to prohibit the creation of core files - core 0, restrict the number of processes to 20 - nproc 20, and restrict memory usage to 5M - rss 5000 for everyone except the super user root. All of the above only concern users who have entered through the login prompt on your system. With this kind of quota, you have more control on the processes, core files, and memory usage that users may have on your system. The asterisk * mean: all users that logs in on the server.

  2. You must also edit the /etc/pam.d/login file and add the following line to the bottom of the file:
               session  required  /lib/security/pam_limits.so
    After adding the line above, the /etc/pam.d/login file should look like this:
                   auth	required     	/lib/security/pam_securetty.so
                   auth	required     	/lib/security/pam_pwdb.so shadow nullok
                   auth	required     	/lib/security/pam_nologin.so
                   account	required     	/lib/security/pam_pwdb.so
                   password	required     	/lib/security/pam_cracklib.so
                   password	required     	/lib/security/pam_pwdb.so nullok use_authtok md5 shadow
                   session	required     	/lib/security/pam_pwdb.so
                   session	required     	/lib/security/pam_limits.so
                   #session	optional    	/lib/security/pam_console.so

  3. Finally edit the /etc/profile file and change the following line:
               ulimit -c 1000000
    to read:
               ulimit -S -c 1000000 > /dev/null 2<&1
    This modification is required so as to avoid getting error messages like this Unable to reach limit during login:.