Question Request to Configure CPU, RAM, Process, and Background Process Restrictions

Thomas Oryon

Regular Pleskian
Server operating system version
Rhel 9
Plesk version and microupdate number
18.0.78
Hello Support Team,

We would like to check whether the following CPU, RAM, and process restrictions can be configured and enforced on our Plesk Linux hosting server:

1. Creation of core dumps should be prohibited.
2. Simultaneous processes should not exceed 5 per account.
3. Execution of scripts or binaries that result in a fork bomb should be prohibited.
4. Running background processes, bots, services, or daemons should not be allowed.

Please confirm whether these restrictions can be applied per customer/subscription in Plesk.

If Plesk does not support these controls directly, kindly advise the recommended solution to enforce these limits. We would like to know whether this can be achieved using systemd/cgroups, custom scripts, OS-level limits, CloudLinux, or any other supported method.

Also, please advise whether accounts can be automatically suspended or restricted if they exceed the configured CPU, RAM, or process limits.

Awaiting your advice.
 
On Plesk Obsidian for Linux (RHEL 9), the recommended way to enforce these types of restrictions is through CloudLinux LVE (if installed) or through a combination of systemd/PAM limits, PHP-FPM settings, and Plesk subscription configuration.


Here's how each requirement can be handled:


RequirementPossible?Recommended Method
Prohibit core dumpsYesDisable core dumps via PAM/systemd limits
Max 5 simultaneous processesYesCloudLinux NPROC limit or PAM limits
Prevent fork bombsYesProcess limits (NPROC) and CloudLinux LVE
Disallow background processes/daemonsPartiallyProcess limits + jailed environment + monitoring

1. Prohibit Creation of Core Dumps​

Configure system limits:

/etc/security/limits.conf

Bash:
* hard core 0
* soft core 0

Also disable at the kernel level:

Bash:
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
sysctl -p

Verify:

Bash:
ulimit -c

Should return:

Bash:
0

This prevents users from generating core dump files.

2. Limit Simultaneous Processes to 5 per Account​

If Using CloudLinux (Recommended)​


Set:
Code:
NPROC = 5
for the package or individual account.

This limits the total number of processes a hosting account can run simultaneously.

Without CloudLinux​

Use PAM limits:

Bash:
username hard nproc 5
username soft nproc 5

or per-group limits.

However, CloudLinux is significantly better for shared hosting because limits are enforced consistently across Apache, PHP-FPM, CGI, cron jobs, and shell sessions.

3. Prevent Fork Bombs​


Fork bombs rely on creating large numbers of child processes.

The standard protection is:
Code:
NPROC limit
Example:
Code:
NPROC = 5
Once the account reaches 5 processes:
Code:
fork(): Resource temporarily unavailable
and additional processes cannot be spawned.

CloudLinux's LVE manager is specifically designed to prevent fork bombs from affecting the server.

Without CloudLinux:
Bash:
ulimit -u 5
or PAM nproc limits provide similar protection.

4. Disallow Background Processes, Bots, Services, or Daemons​

This is the most difficult requirement because Linux itself cannot always distinguish between:
  • a legitimate PHP process
  • a cron job
  • a bot
  • a daemon
However, you can significantly restrict users.

Disable SSH Access​

In Plesk:

Code:
Subscriptions
→ Hosting & DNS
→ Web Hosting Access
→ Forbidden

or:
Code:
No shell access
This prevents users from launching long-running services manually.

Disable Scheduled Tasks​

In Plesk:
Tools & Settings
→ Scheduled Tasks
Restrict or disable customer cron access.

Use PHP-FPM Limits​

Configure:

Code:
pm.max_children
request_terminate_timeout
max_execution_time

Example:
Code:
request_terminate_timeout = 60
This kills long-running PHP processes.

Use CloudLinux​

CloudLinux can enforce:
  • CPU limits
  • RAM limits
  • Process limits
  • Entry process limits
Example shared-hosting profile:
Code:
CPU = 100%
Memory = 1 GB
NPROC = 5
EP = 20
IO = 5 Mb/s

This makes it extrem
ely difficult to run bots, miners, daemons, or abusive background tasks.



Recommended Shared Hosting Configuration​


For a typical Plesk Linux shared-hosting server:
Core Dumps: Disabled
Code:
SSH Access: Disabled
NPROC: 5
Entry Processes: 20
Cron Jobs: Restricted
CPU: 1 Core
RAM: 1 GB
PHP max_execution_time: 60 sec
PHP request_terminate_timeout: 60 sec

If you're running Plesk on RHEL 9 without CloudLinux, you can achieve most of these controls with PAM and system limits, but if you're selling shared hosting and want reliable per-account enforcement, CloudLinux with LVE Manager is the industry-standard solution and provides the cleanest way to enforce all four requirements.
 
Hello @TalkBuildHost ,

Thanks for the information.

We are not using PHP-FPM or CloudLinux on our server.

Our environment is as follows:

  • Plesk Linux: RHEL 9
  • Plesk Version: 18.0.78
  • Web Server: LiteSpeed
  • PHP Handler: FastCGI
----------------------------------------------------------
  • Windows Server: Windows Server 2022
  • PHP Handler: FastCGI
Based on the above environment, could you advise how we can achieve the mentioned restrictions, such as limiting simultaneous processes, preventing fork bombs, disabling core dumps, and restricting background processes or daemons?

If these controls cannot be enforced directly through Plesk, please suggest the recommended supported method for both Plesk Linux and Plesk Windows environments.

Awaiting your reply.
 
Hello @TalkBuildHost ,

Thanks for the information.

We are not using PHP-FPM or CloudLinux on our server.

Our environment is as follows:

  • Plesk Linux: RHEL 9
  • Plesk Version: 18.0.78
  • Web Server: LiteSpeed
  • PHP Handler: FastCGI
----------------------------------------------------------
  • Windows Server: Windows Server 2022
  • PHP Handler: FastCGI
Based on the above environment, could you advise how we can achieve the mentioned restrictions, such as limiting simultaneous processes, preventing fork bombs, disabling core dumps, and restricting background processes or daemons?

If these controls cannot be enforced directly through Plesk, please suggest the recommended supported method for both Plesk Linux and Plesk Windows environments.

Awaiting your reply.

It's taken me sometime to dummy test this to get it actually working here are some key Takeaways:

Without CloudLinux, the closest equivalents are:
  • Linux: systemd cgroup slices + SELinux = ~80% of CloudLinux's process isolation
  • Windows: IIS Application Pool isolation + AppLocker = equivalent isolation model for Windows
Neither platform requires PHP-FPM — all controls work at the FastCGI / OS / web server layer.
 

Process Restriction Without PHP-FPM / CloudLinux​


Given your stack (LiteSpeed + FastCGI on RHEL 9, and Windows Server 2022 + FastCGI), here's how to achieve each control:




Plesk Linux (RHEL 9 + LiteSpeed + FastCGI)​

1. Limit Simultaneous Processes​

FastCGI spawns PHP processes per-domain. Control this via LiteSpeed's external application settings:

In LiteSpeed WebAdmin Console:
  • Go to Virtual Hosts → [Domain] → External App
  • Set Max Connections (limits concurrent FastCGI workers)
  • Set Instances to a low number (e.g., 4–8)
  • Set Max Idle Time and Memory Soft/Hard Limit
Via httpd_config.conf or vhost template overrides:

Code:
extprocessor phpfcgi {
  type                    fcgi
  maxConns                5
  memSoftLimit            200M
  memHardLimit            300M
  procSoftLimit           400
  procHardLimit           500
}

2. Prevent Fork Bombs & Restrict Process Count​

Use systemd cgroups (native on RHEL 9) — this is the recommended approach without CloudLinux:

Create a per-domain or per-user slice:

Code:
# /etc/systemd/system/lsphp.service.d/limits.conf
[Service]
TasksMax=50
LimitNPROC=50
LimitNOFILE=1024
MemoryMax=512M
CPUQuota=50%

Reload: systemctl daemon-reexec && systemctl restart lsws

For per-user restrictions via /etc/security/limits.conf:

Code:
# Apply to the system user LiteSpeed runs PHP as (e.g., apache, nobody, or domain user)
apache          hard    nproc           50
apache          hard    nofile          1024

Note: limits.conf only applies to PAM-authenticated sessions. For LiteSpeed/FastCGI spawned processes, systemd slice limits are more reliable.

3. Disable Core Dumps​

Via limits.conf:

Code:
*    hard    core    0
apache    hard    core    0

Via systemd service override:

Code:
[Service]
LimitCORE=0

System-wide via sysctl:

Code:
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-security.conf
echo "kernel.core_pattern = /dev/null" >> /etc/sysctl.d/99-security.conf
sysctl --system

4. Restrict Background Processes / Daemons from PHP​

This is the hardest to enforce without CloudLinux. Options:

a) Disable PHP functions — in Plesk, per-domain php.ini:

Code:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_fork,pcntl_exec,pcntl_signal,posix_setuid,posix_setsid

Set this in Plesk → Domains → PHP Settings → disable_functions

b) Use nohup/& detection via LiteSpeed's modsecurity rules
(blocks at the web layer, not foolproof)
c) SELinux (recommended on RHEL 9) — enforce a targeted policy for the LiteSpeed/PHP process user:

Code:
# Check current status
getenforce

# Set to enforcing if not already
setenforce 1
sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

SELinux will prevent PHP worker processes from spawning persistent daemons or binding ports outside their allowed context — this is the closest equivalent to CloudLinux on RHEL 9.

5. Summary Table — Linux​


ControlBest Method
Simultaneous process limitLiteSpeed maxConns + systemd TasksMax
Fork bomb preventionsystemd LimitNPROC=50 in service override
Core dump disablesysctl kernel.core_pattern=/dev/null + LimitCORE=0
Background process/daemon restrictiondisable_functions in php.ini + SELinux

Windows Server 2022 + FastCGI (Plesk)​

Windows has no limits.conf or cgroups equivalent, but several mechanisms apply:

1. Limit Simultaneous Processes (FastCGI)​

Via IIS/Plesk FastCGI settings (applicationHost.config or Plesk panel):

Code:
<fastCgi>
  <application fullPath="C:\plesk\Additional\PleskPHP82\php-cgi.exe"
    maxInstances="5"
    idleTimeout="300"
    activityTimeout="30"
    requestTimeout="90"
    instanceMaxRequests="10000" />
</fastCgi>

In Plesk → Tools & Settings → Web Server Settings, you can also cap PHP-CGI instances per domain.

2. Prevent Fork Bombs / Restrict Process Creation​

Windows Job Objects (enforced via IIS Application Pool isolation):

- In IIS Manager → Application Pools → [Pool] → Advanced Settings:
  • Set Maximum Worker Processes = 1 (or small number)
  • Enable Rapid Fail Protection

Plesk-managed domains automatically run each domain in its own Application Pool with its own identity - this provides process isolation by default.


For deeper restriction, use Windows Resource Manager (deprecated on 2022) or Job Objects via a startup script:

# Via PowerShell — wrap php-cgi in a job object with process limit
# This requires a custom wrapper; not natively configurable in IIS

The practical approach on Windows is to rely on Application Pool isolation (each site = separate pool = separate identity) combined with NTFS permissions.

3. Disable Core Dumps​


Via Windows Error Reporting (WER) — Group Policy or registry:

Code:
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting
  Disabled = 1 (DWORD)

Or via PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" -Name "Disabled" -Value 1


Disable automatic crash dumps for IIS worker processes:

Code:
# Disable WER for w3wp.exe specifically
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\w3wp.exe" /v DumpType /t REG_DWORD /d 0 /f

4. Restrict Background Processes / Daemons​


Disable dangerous PHP functions — in Plesk PHP profile per domain:

Code:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_fork

Application Pool identity restrictions — run each pool as a low-privilege virtual account (IIS AppPool\DomainName) with:
  • No "Log on as a service" right
  • No "Log on as a batch job" right
  • Restricted via Local Security Policy → User Rights Assignment
Windows Defender Application Control (WDAC) or AppLocker — prevent PHP worker processes from spawning arbitrary executables:

# Example AppLocker rule: deny php-cgi.exe from launching cmd.exe or powershell.exe
# Configured via Group Policy: Computer Config → Windows Settings → Security Settings → Application Control Policies

5. Summary Table — Windows​


ControlBest Method
Simultaneous process limitIIS FastCGI maxInstances + Application Pool Max Worker Processes
Fork bomb preventionApplication Pool isolation (1 pool per site) + Rapid Fail Protection
Core dump disableWER registry key Disabled=1 + LocalDumps DumpType=0
Background process/daemon restrictiondisable_functions in php.ini + AppLocker rules + restricted pool identity
 
Back
Top