As we’ve grown, I’ve started seeing occasional strange errors when trying to SSH or push to Git repositories on certain user accounts on our cPanel server.
Then today, when switching an account to PHP8, the error locked up SSH entirely, and would only go away when I rolled back to PHP7.4.
Turns out, the site in question was going over the cPanel fork bomb protection limit of 35 user processes.
What Is Fork Bomb Protection?
Fork bomb protection is a cPanel option that protects your server from a user spawning so many processes that it kills the server.
A traditional fork bomb (also called rabbit virus or wabbit) is a self-replicating process (recursive function) that spawns multiple copies of itself to create a denial of service.
A classic example is the bash fork bomb:
:(){ :|:& };:
Each time the function (called “:”) runs, it calls itself TWICE, creating a rapidly escalating number of processes.
So fork bomb protection is a GOOD THING… but in this case, is set too low.
When fork bomb protection is enabled, a user account cannot have more than 35 processes.
If that limit (or others) is breached, the system will prevent the process from spawning and the dreaded “resource temporarily unavailable” message appears.
What I had not appreciated before was that this limit covers all of a user’s processes… including IMAP, PHP-FPM and other account-specific services!
This explains the rather intermittent nature of the error – depending on how busy the site was, the process count could quickly climb as it spun up PHP processes etc!
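To see which accounts are close to the limit before SSH starts failing, you can count tasks per user. This is an added example, not part of cPanel or the original post; the function names `near_limit` and `sample_ps` are made up for illustration and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag accounts whose task count is close to the nproc limit.
# Input on stdin: one real-user name per line, as printed by `ps -eLo ruser=`.
# -L lists threads too, because Linux counts threads against the
# max-user-processes limit (RLIMIT_NPROC), not just processes.

# near_limit LIMIT PERCENT
# Prints "user count limit" for every user whose task count is at least
# PERCENT% of LIMIT, busiest first. root is skipped: the cPanel profile
# gives root a separate, much higher limit.
near_limit() {
    limit=$1
    pct=$2
    awk -v limit="$limit" -v pct="$pct" '
        NF && $1 != "root" { n[$1]++ }
        END {
            for (u in n)
                if (n[u] * 100 >= limit * pct)
                    printf "%s %d %d\n", u, n[u], limit
        }' | sort -k2,2nr -k1,1
}

# Constructed sample: "shopuser" has 30 tasks, "bloguser" has 4, root has 3.
sample_ps() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo shopuser
        i=$((i + 1))
    done
    printf 'bloguser\nbloguser\nbloguser\nbloguser\nroot\nroot\nroot\n'
}

# Against the default limit of 35, warn at 80% (28 tasks or more).
sample_ps | near_limit 35 80

# On a live server:
#   ps -eLo ruser= | near_limit 35 80
```

Run from cron, this gives early warning for busy accounts that are about to hit “resource temporarily unavailable”.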
Overriding The Fork Bomb Settings (Safely)
Turning off fork bomb protection in cPanel isn’t a great idea. It leaves the server vulnerable to misconfigurations, miscreants or malware that can quickly take the server down.
But cPanel doesn’t make it simple to configure in WHM… so you have to use the terminal.
Here’s how…
When you enable fork bomb protection in WHM, cPanel grabs the following files:
/usr/local/cpanel/etc/login_profile/limits.csh
/usr/local/cpanel/etc/login_profile/limits.sh
And copies them to:
/etc/profile.d/limits.csh
/etc/profile.d/limits.sh
It then ALSO injects the contents of limits.sh into the following files:
/etc/bashrc
/etc/profile
Sooooo, rather than edit 4 files and risk getting it messed up… the safer option is to edit both the original files, then turn fork bomb protection off and on again!
Simples!
Editing /usr/local/cpanel/etc/login_profile/limits.sh
This is what the shipped default file looks like in WHM v102:
#cPanel Added Limit Protections -- BEGIN
#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
    LIMITUSER=$(/usr/bin/whoami)
fi
# Limit the user only if we are not root and are a regular user (UID greater
# than or equal to UID_MIN).
if [ "$LIMITUSER" != "root" ] &&
    ! id -Gn | grep -qsP '(^| )(wheel|sudo)( |$)' &&
    [ "$(id -u)" -ge "$( (grep -s '^UID_MIN' /etc/login.defs || echo 'x 500') | awk '{print $2}')" ]
then
    ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END
The part to change is this line:
ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
You can set whatever limits suit you, but I set mine so the number of open files (-n) is 2048 and the number of processes (-u) is 350.
ulimit -n 2048 -u 350 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
Editing /usr/local/cpanel/etc/login_profile/limits.csh
This is what the shipped default file looks like in WHM v102:
#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
    setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" != "root" ) then
    limit descriptors 100
    limit maxproc 35
    limit memoryuse 200000
    limit datasize 200000
    limit stacksize 8192
    limit coredumpsize 200000
else
    limit descriptors 4096
    limit maxproc 14335
    limit memoryuse unlimited
    limit datasize unlimited
    limit stacksize 8192
    limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END
As with the other file, the part to change is:
limit descriptors 100
limit maxproc 35
You should make sure the numbers you set here reflect what you chose for the other file:
limit descriptors 2048
limit maxproc 350
Finally, go to WHM and switch Fork Bomb Protection OFF, then switch it back ON.
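After toggling, it is worth confirming that every copy really carries the new numbers. The check below is an added example, not cPanel tooling or code from the original post; `nonroot_limits`, `check_limits` and `write_block` are hypothetical names, the demo files are constructed, and it assumes the injected copies in /etc/bashrc and /etc/profile keep the BEGIN/END marker comments.

```shell
#!/bin/sh
# Added example: confirm every copy of the cPanel limits block agrees.

# nonroot_limits FILE -> prints "<nofile> <nproc>" from the first `ulimit`
# line after `then` inside the cPanel marker block (the non-root branch).
nonroot_limits() {
    awk '
        /^#cPanel Added Limit Protections -- BEGIN/ { inblk = 1; branch = 0; next }
        /^#cPanel Added Limit Protections -- END/   { inblk = 0 }
        inblk && $1 == "then" { branch = 1; next }
        inblk && branch && $1 == "ulimit" {
            for (i = 2; i < NF; i++) {
                if ($i == "-n") nofile = $(i + 1)
                if ($i == "-u") nproc = $(i + 1)
            }
            print nofile, nproc
            exit
        }' "$1"
}

# check_limits FILE... -> 0 if every file matches the first one, else 1.
check_limits() {
    want=$(nonroot_limits "$1" 2>/dev/null) || want=
    rc=0
    for f in "$@"; do
        got=$(nonroot_limits "$f" 2>/dev/null) || got=
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "ok    $f ($got)"
        else
            echo "DIFF  $f (${got:-no cPanel block}, expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: an edited template and a stale copy that was never refreshed.
demo=$(mktemp -d)
write_block() {  # write_block FILE NOFILE NPROC
    printf '%s\n' '#cPanel Added Limit Protections -- BEGIN' \
        'if [ "$LIMITUSER" != "root" ]' 'then' \
        "ulimit -n $2 -u $3 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null" \
        'else' 'ulimit -n 4096 -u 14335 -s 8192 2>/dev/null' 'fi' \
        '#cPanel Added Limit Protections -- END' > "$1"
}
write_block "$demo/template.sh" 2048 350
write_block "$demo/profile" 100 35
check_limits "$demo/template.sh" "$demo/profile" || echo "copies out of sync"
# Live: check_limits /usr/local/cpanel/etc/login_profile/limits.sh \
#           /etc/profile.d/limits.sh /etc/bashrc /etc/profile
```

A `DIFF` line after the OFF/ON toggle means that file still has the old values (or no cPanel block at all) and new logins sourcing it will get different limits.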
Final Thoughts
It’s possible that the default configuration files will be overwritten when you upgrade your cPanel software, and this update may be flushed through to all the other files.
So if the issue comes back, you may need to do the edits once again and turn fork bomb protection off and on again to reset things.
An alternative approach, if this happens too frequently, is to leave fork bomb protection OFF and push your own version manually, as detailed in this cPanel tutorial.
Of course, if you do it manually, you are always at risk of some helpful server admin coming along and turning the default protection back on!
So that’s why we’ve gone with the above approach… Fork Bomb protection shows as being ON in WHM, and the limits are more workable for our sites.