Ruiyuan Jiang wrote:
> Hi, all
>
> I have two Apache reverse proxy servers that have the same hardware:
>
> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>
> One of them has Apache 2.2.14 (pre-compiled by an internet user) and mod_security 2.5.11 (disabled) installed. The other has Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>
> The server with Apache 2.2.14 runs fine no problem.
> The server with Apache 2.2.15 with mod security 2.5.12 runs out of swap space frequently. The Apache error log shows it can't fork a new process.
>
> Since one has no problem and one has a problem, I would think mod security caused the problem. Does mod security use a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooting the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to the console. The box is kind of hung.
>
> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>
> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>
> I changed the notification score from 10 to 5, otherwise access to the site was blocked. This happens to every web site that is proxied through and every page of a web site. Is this normal, or how should I configure mod security better? Thanks in advance.
>
Sounds like you have quite a bit of traffic and not enough RAM. I'd
first try turning off response inspection and do not enable any of the
optional CRS rules.
You did not mention...
* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
* What rules you have enabled in the CRS (and what CRS version).
* Speed of your CPUs.
* Memory usage without ModSecurity and with normal traffic. If you are
tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
-B
--
Brian Rectanus
Breach Security
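As an added example (not code from the thread or from the CRS project), a small Python script that parses the ModSecurity warning format quoted above and tallies which rule messages fire, and on which hostname and URL, so you can see whether one rule (such as the restricted-header message) is firing on every page and tune that rule rather than lowering the anomaly threshold for everything. The log lines below are constructed for illustration; the first mirrors the line quoted in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread. The first is the
# line from the post; the other two are made up here for illustration.
SAMPLE_LOG = """\
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/index.html"] [unique_id "xxxy"]
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): SQL Injection Attack"] [hostname "www.example.test"] [url "/search"] [unique_id "xxxz"]
"""

# Matches the bracketed [key "value"] fields ModSecurity 2.x appends to a message.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Pulls the numeric total out of the CRS correlation rule's msg text.
SCORE_RE = re.compile(r"Total Inbound Score: (\d+)")

def parse_line(line):
    """Return a dict of the bracketed fields plus the inbound score found in the
    msg text, or None if the line is not a ModSecurity message."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(TAG_RE.findall(line))
    m = SCORE_RE.search(fields.get("msg", ""))
    fields["score"] = int(m.group(1)) if m else 0
    return fields

def summarize(log_text):
    """Count events per rule message and per (hostname, url), and keep the
    highest inbound anomaly score seen for each message. A low-score message
    that appears on every URL is a tuning candidate; a high-score one is worth
    a closer look."""
    by_msg, by_url, max_score = Counter(), Counter(), {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        # Keep only the text after the "(Total Inbound Score: N, ...)" summary.
        msg = ev.get("msg", "").split("): ", 1)[-1]
        by_msg[msg] += 1
        by_url[(ev.get("hostname"), ev.get("url"))] += 1
        max_score[msg] = max(max_score.get(msg, 0), ev["score"])
    return by_msg, by_url, max_score

if __name__ == "__main__":
    by_msg, by_url, max_score = summarize(SAMPLE_LOG)
    for msg, n in by_msg.most_common():
        print(f"{n:4d}  max score {max_score[msg]:3d}  {msg}")
    for (host, url), n in by_url.most_common():
        print(f"{n:4d}  {host}{url}")
```

Run it against the real error_log instead of SAMPLE_LOG by passing the file contents to summarize(); the output lists the messages that repeat across every page first.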