See some suggestions/comments below...
Buy a ModSecurity book ;) Ivan's has a better performance tuning
section and is much more detailed and Magnus' is a bit more introductory
if all the technical aspects scare you ;)
Ruiyuan Jiang wrote:
> Hi, Brian
>
> Unfortunately I did not collect the web server stats. There are multiple virtual servers defined on the Apache. I can give you general information:
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
>
> DS3 internet link
And it is all being utilized for web traffic? ;) How much traffic is
going to the web server?
>
> * What rules you have enabled in the CRS (and what CRS version).
>
> I used all the rules in CRS 2.0.6.
>
> Include modsecurity/*.conf
> Include modsecurity/base_rules/*.conf
> Include modsecurity/optional_rules/*.conf
Don't do that ;) Start slower. Especially on a production site.
Make sure response body inspection is off in the config for now.
Include the basics first. Something like this (though I would *ALWAYS*
list them all out explicitly instead of using the globbing, then comment
out the ones I did not want):
# Config
modsecurity/modsecurity_crs_10_config.conf
# Basics
modsecurity/base_rules/modsecurity_crs_2*.conf
modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
# Exceptions
modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
# Blocking/Correlation
modsecurity/base_rules/modsecurity_crs_49*.conf
modsecurity/base_rules/modsecurity_crs_6*.conf
Do not include the phpids rules (you don't have the resources).
Do not include the et (Emerging Threat) rules (again, you do not have
the resources).
***IGNORE THE OPTIONAL RULES FOR NOW***
Can I make that any clearer? How about again:
***IGNORE THE OPTIONAL RULES FOR NOW***
;)
Do not enable things you do not need. If you do not run a backend
database, then no need to run the SQL injection rules.
>
> * Speed of your CPUs.
>
> 2 x 1 GHz UltraSPARC III.
Well, if you really have that much traffic and really want to enable all
CRS rules, then you need a bigger machine. Or, better, you need to do
some serious tuning.
>
> How do I turn off response inspection? When I did a functionality test with little traffic, it worked fine. For the traffic, I only have production web servers, and it causes me problems.
SecResponseBodyAccess Off
>
> On the box without Mod Security, the available virtual space is about 1.8 GB. On the box with Mod Security, the available virtual space is about 2 GB when it worked fine.
What do you mean by "virtual space"? Real RAM or swap or combined?
Hope that helps. If you have more on CRS specifically, then use the
other CRS list.
-B
>
> Ryan
>
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Thursday, March 25, 2010 4:54 PM
> To: Ruiyuan Jiang
> Cc: mod...@li...
> Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang
>
> Ruiyuan Jiang wrote:
>> Hi, all
>>
>> I have two Apache reverse proxy servers that have the same hardware:
>>
>> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>>
>> One of them has Apache 2.2.14 (pre-compiled by an internet user) and mod_security 2.5.11 (disabled) installed. The other has Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>>
>> The server with Apache 2.2.14 runs fine, no problem.
>> The server with Apache 2.2.15 and mod security 2.5.12 runs out of swap space frequently. The Apache error log shows it can't fork a new process.
>>
>> Since one has no problem and one has a problem, I would think mod security caused the problem. Does mod security use a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooting the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to the console. The box is kind of hung.
>>
>> Also I have another question: the backend server of the reverse proxy servers is another server that has Apache with Tomcat installed. The reverse proxy servers and that server communicate through HTTP. From the Apache log on the reverse proxy server that has mod security, I see a lot of messages:
>>
>> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>>
>> I changed the notification score from 10 to 5, otherwise access to the site was blocked. This happens to every web site that is proxied through and every page of a web site. Is this normal, or how should I configure mod security better? Thanks in advance.
>
>
> Sounds like you have quite a bit of traffic and not enough RAM. I'd
> first try turning off response inspection and do not enable any of the
> optional CRS rules.
>
> You did not mention...
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
>
> * What rules you have enabled in the CRS (and what CRS version).
>
> * Speed of your CPUs.
>
> * Memory usage without ModSecurity and with normal traffic. If you are
> tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
>
>
> -B
>
--
Brian Rectanus
Breach Security
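For triaging the flood of correlation warnings Ryan describes (the same message on every host and every page), a small parser for that message shape that aggregates alerts per hostname and per rule reason. This is an added illustration, not code from the thread or from ModSecurity; the sample lines, hostnames, URLs and unique ids are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the warning quoted in the thread
# (hostnames, URLs and ids are made up; this is not real log data).
SAMPLE_LOG = """\
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.example.com"] [url "/img/logo.png"] [unique_id "id-0001"]
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.example.com"] [url "/index.html"] [unique_id "id-0002"]
ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=, XSS=): Request Missing an Accept Header"] [hostname "shop.example.com"] [url "/cart"] [unique_id "id-0003"]
"""

# Each [key "value"] pair in the message; values in this format carry no quotes.
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
SCORE_RE = re.compile(r'Total Inbound Score: (\d+)')


def parse_line(line):
    """Return the bracketed fields plus the inbound score and the rule reason
    (the text the correlation rule appends after '): '), or None for a
    line that is not a ModSecurity message."""
    if "ModSecurity:" not in line:
        return None
    rec = dict(TAG_RE.findall(line))
    msg = rec.get("msg", "")
    m = SCORE_RE.search(msg)
    rec["score"] = int(m.group(1)) if m else None
    rec["reason"] = msg.split("): ", 1)[1] if "): " in msg else msg
    return rec


def summarize(log_text):
    """Count alerts per (hostname, reason). A reason that fires for every
    page of every host is the first candidate for a tuning exception."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec.get("hostname"), rec["reason"])] += 1
    return counts


def noisiest_reason(log_text):
    """(reason, count) for the reason with the most alerts across all hosts."""
    by_reason = Counter()
    for (_, reason), n in summarize(log_text).items():
        by_reason[reason] += n
    return by_reason.most_common(1)[0] if by_reason else None
```

Feed it the reverse proxy's error log to see which rule is responsible for the constant score rather than lowering the threshold for all sites.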