Results 1 to 20 of 20

Thread: [HOWTO] Limit directadmin users max processes on linux

  1. #1
    Join Date
    Aug 2008
    Posts
    4,697

    [HOWTO] Limit directadmin users max processes on linux

    This guide is to create a limit on the amount of processes directadmin users can run at a single time. It uses /etc/security/limits.conf

    This example would limit all directadmin users to 20 processes max.

    If you want to limit to a different number of processes change the 20 in user_create_post.sh to a different number.

    Hopefully its useful to someone. I had to create this because of some abusive users.

    1. Create the following file if it doesnt already exist: /usr/local/directadmin/scripts/custom/user_create_post.sh

    Insert the following code:

    Code:
    #!/bin/sh
    
    #Add user to /etc/security/limits.conf
    echo "$username hard nproc 20" >> /etc/security/limits.conf
    Save the file and run the following commands:

    Code:
    chown diradmin:diradmin /usr/local/directadmin/scripts/custom/user_create_post.sh
    chmod 750 /usr/local/directadmin/scripts/custom/user_create_post.sh
    2. Create the following file if it doesnt exist: /usr/local/directadmin/scripts/custom/user_destroy_post.sh

    Insert the following code:

    Code:
    #!/bin/sh
    
    # Remove user from limits.conf
    sed -i '' -e "s/"$username.*"//g" /etc/security/limits.conf
    Save the file and run the following commands:

    Code:
    chown diradmin:diradmin /usr/local/directadmin/scripts/custom/user_destroy_post.sh
    chmod 750 /usr/local/directadmin/scripts/custom/user_destroy_post.sh
    Thats it. Enjoy.
    Last edited by scsi; 03-02-2012 at 06:22 PM.

  2. #2
    Join Date
    Feb 2012
    Posts
    24
    What happens when a user needs more on a certain moment?
    Will the website stop working or are there other risks?

  3. #3
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Let me answer the question.

    It mostly affects CRON and SHELL tasks, and you'll see in logs something like this:

    Code:
     Mar  2 12:00:03 server crond[5268]: CRON (username) ERROR: failed to open PAM security session:  есƒ€с в€еменно недос‚ƒпен
    Will it affect browsing your web-site or not, it depends on your configuration. If you use mod_ruid2/suPHP and do a file hosting, where you give files with a PHP script, then you surely would get into a limit of 20 concurrent downloads from a single user account. In other cases (in normal situations) Apache processes lives too little time, so it's rather hard to get close to the limit.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  4. #4
    Join Date
    Jun 2007
    Location
    California
    Posts
    498
    Alex,

    I think you're posting that it's not a good idea to use 20 as a limit with mod_ruid2. Am I right? If so, what might be a good limit? We've got a client who could use limits, so I'd like some suggestions.

    Jeff
    Serving the DirectAdmin community since 2003
    See Additional posts under user nobaloney

    directadmin@nobaloney.net +1 951 643-5345
    Contract DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    http://www.nobaloney.net
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Jeff,

    No, I'm not. I was pointing on how it would or would not affect Apache, and browsing a single site. As a hosting company we've got nevertheless the same limit of 20 processes per user, and that is stated in our TOS as well as some other limits. More to say according to our experience the limit stays invisible almost for all of our customers, and I hardly could remember any complain about that.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  6. #6
    Join Date
    Jun 2007
    Location
    California
    Posts
    498
    Thanks, zEitEr, for the clarification. Do you use some method for early warning or notification? I suppose this must be the method (or similar to the method) companies use who offer unlimited bandwidth or disk space, but need some way to limit their clients from taking over the whole server.

    Jeff
    Serving the DirectAdmin community since 2003
    See Additional posts under user nobaloney

    directadmin@nobaloney.net +1 951 643-5345
    Contract DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    http://www.nobaloney.net
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  7. #7
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Do you use some method for early warning or notification?
    Nothing of that kind, if I understand you correct. But we do send warnings about disk space usage.

    I suppose this must be the method (or similar to the method) companies use who offer unlimited bandwidth or disk space, but need some way to limit their clients from taking over the whole server.
    I don't believe in "unlimited" resources, everything is limited in this or that meaning. For example if we do not count traffic of our customers, and do not limit bandwidth directly, we do limit number of concurrent connections to a VirtualHost from a single IP with different methods, and concurrent connections to a VirtualHost from different IPs directly or with other limits. If you try to buy "unlimited" disk space from some company (not us, we do limit disk space), you might run into a limited number of disk inodes, or a limited size of a single file, and who knows what else you might meet there: limited number of MySQL queries, limited CPU, RAM, etc.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  8. #8
    Join Date
    Aug 2007
    Posts
    412
    Quote Originally Posted by NoBaloney2 View Post
    Thanks, zEitEr, for the clarification. Do you use some method for early warning or notification? I suppose this must be the method (or similar to the method) companies use who offer unlimited bandwidth or disk space, but need some way to limit their clients from taking over the whole server.

    Jeff
    The only way I can think of warning/notifying the user, would be to track the log file and start counting the amount of time the limit was exceeded.
    I don't think there's a linux way of knowing someone has reached 80% of the limit (20 processes in this thread's example), since it's not even logged.

    am I right?

  9. #9
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Though I've never thought of this, but you seem to be right. I've never worried about this much, as users usually can't overuse it.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  10. #10
    Join Date
    Oct 2005
    Location
    Montreal - Canada
    Posts
    296
    how add this limit for all users already on the server ?? ( not just for new.. ) ?

  11. #11
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Run the script from the first step for all existing users.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  12. #12
    Join Date
    Oct 2005
    Location
    Montreal - Canada
    Posts
    296
    its just add this : hard nproc 30

  13. #13
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    And with this you've limited all users on your server including system users (apache,root,mail, etc).
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  14. #14
    Join Date
    Oct 2005
    Location
    Montreal - Canada
    Posts
    296
    yes and its what you said to do ! and i remove what you said to me to do...

    i want add all users clients, NOT user services

    so anyway i found how for just put all list of users who are in /home

  15. #15
    Join Date
    Feb 2012
    Posts
    9
    Quote Originally Posted by duke28 View Post
    yes and its what you said to do ! and i remove what you said to me to do...

    i want add all users clients, NOT user services

    so anyway i found how for just put all list of users who are in /home
    Do you mind sharing how you achieved this?

  16. #16
    Join Date
    Nov 2009
    Posts
    52
    I think this method is for php CGI or mod_ruid2 not for CLI (run by apache user). Am I right ?

  17. #17
    Join Date
    Aug 2008
    Posts
    4,697
    Yes since all cli is executed by apache user.

  18. #18
    Join Date
    Apr 2010
    Posts
    13
    Hi,

    Thanks for this.

    I was using this and found the destroy script left a blank line which in time would make a messy file with lots of users being added/removed (just in the interests of keeping a tidy file).

    Also I was advised the current remove script would remove "joesmith2" when removing "joesmith".

    So we updated /usr/local/directadmin/scripts/custom/user_destroy_post.sh to:
    sed -i "/^${username} /d" /etc/security/limits.conf

    I've tested it and it seems to work well.

    Thanks again.

  19. #19
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    @scsi,

    I just revisited this today because of a link to it in: this recent thread. Did you set the limit of 20 processes arbitrarily? Does that limit continue to work for you or have you adjusted it?

    Thanks.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  20. #20
    Join Date
    Feb 2014
    Posts
    1

    thank you

    Thanh you!

Similar Threads

  1. Limit ot the Processes Running
    By WHI in forum Feedback & Feature Requests
    Replies: 5
    Last Post: 06-18-2010, 05:30 AM
  2. Lockdown DA or Linux? FTP Users Can See Root
    By open4biz in forum General Technical Discussion & Troubleshooting
    Replies: 6
    Last Post: 10-13-2009, 06:15 AM
  3. Prevent users from running processes
    By gazkin in forum General Technical Discussion & Troubleshooting
    Replies: 2
    Last Post: 08-26-2009, 10:25 AM
  4. can i limit mysql processes per user?
    By sde in forum MySQL / PHP
    Replies: 1
    Last Post: 05-25-2006, 08:07 AM
  5. Howto screen when I set up my linux?
    By amnesys in forum Off-Topic Discussion
    Replies: 2
    Last Post: 06-14-2005, 02:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •