PSQL / Apache process memory cpu limits (prevent DOS)
Howdy,

As part of securing my Linux machine, I would like to impose limits on
the PSQL database and Apache web server daemons (and others) to keep them
from consuming excessive memory, CPU, disk I/O and child processes.

Basically I would like to prevent a DOS attack by limiting the amount of
memory, CPU, disk and processes available to daemons such as Apache and
PostgreSQL.

Preferably I would like to set the limits *external* to the daemon.
For example: the OS itself prevents the daemons from consuming
excessive resources (e.g. not limiting the number of child processes
from within Apache).

The security ideology that I am following is: if someone attempts a
buffer overflow that goes wrong, and the PSQL daemon begins to
increase its memory consumption, I would not like it to consume all the
memory available to my machine (as an example).

AFAIK xinetd is a TCP wrapper daemon that can prevent excessive TCP
connections (processes etc. etc.) - but I would like to include memory
consumption and disk I/O as well.

Any thoughts on whether this is the correct path to take, and how I could
accomplish this ideology, would be greatly appreciated.

Thanks in advance
dirk
Re: PSQL / Apache process memory cpu limits (prevent DOS)
geemail99@gmail.com wrote:
> Howdy,
>
> As part of securing my Linux machine, I would like to impose limits on
> the PSQL database and Apache web server daemons (and others) to keep them
> from consuming excessive memory, CPU, disk I/O and child processes.

man ulimit

>
> Basically I would like to prevent a DOS attack by limiting the amount of
> memory, CPU, disk and processes available to daemons such as Apache and
> PostgreSQL.
>
> Preferably I would like to set the limits *external* to the daemon.
> For example: the OS itself prevents the daemons from consuming
> excessive resources (e.g. not limiting the number of child processes
> from within Apache).
>
> The security ideology that I am following is: if someone attempts a
> buffer overflow that goes wrong, and the PSQL daemon begins to
> increase its memory consumption, I would not like it to consume all the
> memory available to my machine (as an example).
>
> AFAIK xinetd is a TCP wrapper daemon that can prevent excessive TCP
> connections (processes etc. etc.) - but I would like to include memory
> consumption and disk I/O as well.
>
>
> Any thoughts on whether this is the correct path to take, and how I could
> accomplish this ideology, would be greatly appreciated.
>
>
> Thanks in advance
> dirk
>