diff --git a/pam-limit-nproc.patch b/pam-limit-nproc.patch
new file mode 100644
index 0000000..756946c
--- /dev/null
+++ b/pam-limit-nproc.patch
@@ -0,0 +1,15 @@
+Index: Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM-1.1.8.orig/modules/pam_limits/limits.conf
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+@@ -47,4 +47,10 @@
+ #ftp hard nproc 0
+ #@student - maxlogins 4
++# harden against fork-bombs
++* hard nproc 800
++* soft nproc 700
++root hard nproc 900
++root soft nproc 850
++
+ # End of file
diff --git a/pam.changes b/pam.changes
index 573cc47..3fe0bf9 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 6 14:31:36 UTC 2014 - bwiedemann@suse.com
+
+- limit number of processes to 700 to harden against fork-bombs
+ Add pam-limit-nproc.patch
+
 -------------------------------------------------------------------
 Wed Apr 9 16:02:17 UTC 2014 - ckornacker@suse.com
diff --git a/pam.spec b/pam.spec
index 3d85e4b..da993fa 100644
--- a/pam.spec
+++ b/pam.spec
@@ -56,6 +56,7 @@ Patch1: Linux-PAM-git-20140127.diff
 Patch2: pam_loginuid-log_write_errors.diff
 Patch3: pam_xauth-sigpipe.diff
 Patch4: bug-870433_pam_timestamp-fix-directory-traversal.patch
+Patch5: pam-limit-nproc.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -104,6 +105,7 @@ building both PAM-aware applications and modules for use with PAM.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %build
 export CFLAGS="%optflags -DNDEBUG"
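Review bot: The new `* hard nproc 800` entry in the embedded limits.conf hunk is enforced per real UID across the whole system and RLIMIT_NPROC counts threads as well as processes, so a service UID whose multi-threaded daemon (database, web server, JVM) is started through a PAM session can start failing fork()/clone() with EAGAIN long before any fork-bomb is involved; such UIDs normally need their own, higher entry alongside this wildcard. The `root hard nproc 900` / `root soft nproc 850` lines are largely decorative, because the kernel skips the RLIMIT_NPROC check for tasks holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, which root ordinarily has. I would extend the added comment so the next maintainer knows what is being counted, e.g. `# harden against fork-bombs; nproc counts all threads of a real UID system-wide, so daemon UIDs may need a higher explicit entry (root is exempt while it holds CAP_SYS_RESOURCE)`. Note also that the pam.changes entry says "limit ... to 700" while the hard limit added here is 800 and only the soft limit is 700.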