How to protect Ubuntu from fork bomb

You can easily limit the number of processes that can be spawned in Ubuntu and most other Linux distributions by modifying /etc/security/limits.conf:

sudoedit /etc/security/limits.conf

Then add this line to the bottom of that file:

*    hard     nproc     nnn

where:

  • hard sets the limit at the kernel level so that it cannot be changed without rebooting.
  • nproc is the maximum number of processes per user.
  • nnn is a number that you should calculate for your system by:

    ps aux -L | cut --delimiter=" " --fields=1 | sort | uniq --count | sort --numeric-sort | tail --lines=1
    

The above command will list all processes for all users, including threads, sum them up and list the user name with the largest number of processes. To be on the safe side, open as many applications as you normally need before running the above command and then double that number for safety.

After this limit is put into place, you'll need to reboot, but it will affect each non-root user on the system. So if a fork bomb is executed by any non-root user it'll have that hard limit.

Group and wildcard limits do not apply to the root user by default. Use the literal username root in the rules if you want to apply a rule to the superuser.

Also, if you're not looking to restart any time soon, you can use ulimit -u 800, which will place the restriction only on the running session but can be easily circumvented by a fork bomb with sudo privileges!

After restart, whatever is in /etc/security/limits.conf will then be used.

Some additional information about fork bombs: They aren't malware or anything dreadful. They typically consist of something as basic as a script that calls itself twice, thereby growing its presence on the machine exponentially. Even though they have a small memory footprint, given the rapid pace at which they multiply, they quickly fill all available RAM and the machine freezes or reboots. The only danger is losing unsaved information. I would classify a fork bomb much more as a prank than malicious software.

An important reminder:

You should rarely ever execute anything on the command line when you aren't 98% certain of its action. If you can't read the commands you're executing, don't do it. This applies double to unreadable chunks of hex/base64 characters, which can be used to obscure all sorts of nastiness. If you're uncertain of a command, you can always search for its actions in the Ubuntu Manpages, and be extra cautious when using sudo since that will execute as the root user.
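
The nnn calculation described above, as an added example that is not part of the original text: a POSIX shell sketch that counts threads per non-root user, doubles the highest count, prints the matching limits.conf line, and reads back an existing rule. The function names, the factor argument and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names and sample data are constructed, not from the page.

# suggest_nproc [FACTOR]: read one user name per line on stdin (one line per
# thread) and print "<user> <threads> <limit>" for the busiest non-root user.
# root is skipped because the "*" wildcard rule does not apply to it.
suggest_nproc() {
    awk -v factor="${1:-2}" '
        $1 != "" && $1 != "root" { count[$1]++ }
        END {
            for (u in count) if (count[u] > max) { max = count[u]; who = u }
            if (who == "") exit 1          # no non-root threads seen
            printf "%s %d %d\n", who, max, max * factor
        }'
}

# limits_line N: print the rule in the same layout as the line shown above.
limits_line() { printf '*    hard     nproc     %d\n' "$1"; }

# current_hard_nproc [FILE...]: print the value of the last "*" hard nproc
# rule in limits.conf-style input (stdin if no file), or fail if none is set.
# Type "-" is accepted too because it sets both the soft and the hard limit.
current_hard_nproc() {
    awk '$1 == "*" && ($2 == "hard" || $2 == "-") && $3 == "nproc" { v = $4 }
         END { if (v == "") exit 1; print v }' "$@"
}

# Constructed sample: one line per thread, as "ps -eLo user=" would print.
sample_threads() {
    cat <<'EOF'
root
root
root
alice
alice
www-data
alice
alice
www-data
EOF
}

set -- $(sample_threads | suggest_nproc)   # user, thread count, suggested limit
echo "busiest non-root user: $1 ($2 threads)"
limits_line "$3"
# On a live system:  ps -eLo user= | suggest_nproc
#                    current_hard_nproc /etc/security/limits.conf
```

Unlike the `ps aux -L | cut` pipeline, `ps -eLo user=` prints no header line, so the literal string USER is never counted as a user.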