Problem with ASL lite

Posted: Thu Mar 10, 2011 7:46 am
by mairj
Hello,
I'm new to this forum. I'm writing here (I don't know if this is the right section) because I have problems with the ASL lite installed on all our Linux servers. Since yesterday all servers have started to become slow with Apache processes; after many checks we disabled mod_security in Apache and all servers went back to working normally.
The strange thing is that we didn't find anything strange in the logs, and the hosted sites went slow even though the machine load was very low.
Has someone had the same issue? Any suggestions on how to troubleshoot it?
Thanks a lot.

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 11:04 am
by scott
I've got a pretty good idea, yes: the way cPanel builds mod_security is very poor. They made several performance mistakes in their design that could be the culprit here.

You might want to give the ASL cPanel beta a try and see how that affects your performance. You can install it with a regular ASL or ASL Trial account. More about it in the thread here:
https://atomicorp.com/forum/viewtopic.php?f=21&t=4828

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 1:27 pm
by mairj
Hello,
thanks a lot for your prompt reply. Anyway, the servers that are giving problems are all Plesk 9.5.3.
The ASL lite was installed on these servers a few months ago, and not only has it worked well, but we really have to say that ASL really fixed several security issues, so it's really important for us to continue using it.
We have found that disabling the RBL rules increases the speed a lot. Is there any cache for the RBL rules, or is it possible to enable one?
Thanks

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 2:07 pm
by scott
Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 8:00 pm
by premierhosting
scott wrote:
Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.

How would you do that?

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 8:46 pm
by scott
Make it the first entry in resolv.conf.

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 8:53 pm
by premierhosting
OK, so the recommended practice when using ASL is to run a DNS server on the same server and set the first search in resolv.conf to 127.0.0.1? Does ASL recommend bind, djbdns or tinydns?

Re: Problem with ASL lite

Posted: Thu Mar 10, 2011 11:15 pm
by mikeshinn
Thank you for the question. If you use any kind of Real Time Blacklisting (RBL) technology (such as in SpamAssassin, or RBL rules, etc.) you should always run a local DNS. In fact, you should always run a local DNS no matter what you are doing; there's just no reason not to. A local DNS will be so much faster than a remote DNS server that it's like night and day. If you are using Plesk you should already have a local DNS server, so just make sure you add 127.0.0.1 to the first line in /etc/resolv.conf like this:

nameserver 127.0.0.1

As for ASL, this does not have anything special to do with running ASL (or not running it). So, for ASL, no, you don't need a local DNS.

With that said, you will need a local DNS if you use any kind of RBL technology, including SpamAssassin, other email antispam tools, web log analyzers, and so on. If you use the WAF RBL rules, for example (which are disabled by default), you will want to have a local DNS. RBLs (again, like the ones in SpamAssassin) perform DNS lookups, and a local DNS will be several orders of magnitude faster than a remote DNS, so much so that you really need to have a local DNS. You will also experience full timeouts with a remote DNS given the volume of traffic a local system generates these days (again, this is not specific to ASL; this includes ALL computers). And these delays can be quite large with a remote DNS server, to the point that lookups will fail. No matter what you are doing, a remote DNS server will always be slower than a local one, even for just plain old lookups. You will always see a huge performance gain if you have a local DNS server when doing DNS lookups, and as other things rely on DNS you'll see performance gains all over the system with a local DNS.

So, moral of the story: You should always have a local DNS server, no matter what you are doing. You need a local DNS server if you do DNS lookups to make decisions in realtime and block an action until the lookup completes. Again, this has nothing to do with ASL. Remote DNS servers, in any form, will always always always be slower than a local DNS. Did I mention that they are much slower than a local DNS? :-)
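An added example, not code from the thread or from Atomicorp: a POSIX shell check for the resolv.conf advice above. It reports whether the first nameserver in a resolv.conf-style file is a loopback address, and it also flags a file carrying the dhclient-script header, because a DHCP client rewrites such a file on lease renewal and will undo a manual edit. The two sample files and the 192.0.2.53 address are constructed; the functions read the file on stdin so the same code runs against /etc/resolv.conf on a live box.

```shell
#!/bin/sh
# Added example (not from the thread): is the local resolver first in
# resolv.conf? Every function reads a resolv.conf-style file on stdin.

# Print the first "nameserver" entry. Comment lines start with ';' or '#',
# so their first field is never "nameserver" and they are skipped.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 when the first nameserver is a loopback address (IPv4 or IPv6).
resolver_is_local() {
    case "$(first_nameserver)" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when the file carries the dhclient-script header, meaning a DHCP
# client owns the file and will overwrite manual edits on the next lease.
written_by_dhclient() {
    grep -q 'generated by /sbin/dhclient-script'
}

# One-line verdict combining both checks.
resolv_verdict() {
    content=$(cat)
    ns=$(printf '%s\n' "$content" | first_nameserver)
    if printf '%s\n' "$content" | resolver_is_local; then
        verdict="OK: first nameserver is $ns (local resolver)"
    else
        verdict="WARN: first nameserver is ${ns:-none}; RBL lookups will go to a remote resolver"
    fi
    if printf '%s\n' "$content" | written_by_dhclient; then
        verdict="$verdict; file is managed by dhclient and may be overwritten"
    fi
    printf '%s\n' "$verdict"
}

# Constructed samples (192.0.2.53 is an RFC 5737 documentation address).
good='nameserver 127.0.0.1
nameserver 192.0.2.53'
bad='; generated by /sbin/dhclient-script
search example.com
nameserver 192.0.2.53'

printf '%s\n' "$good" | resolv_verdict
printf '%s\n' "$bad"  | resolv_verdict

# On a live system, check the real file.
if [ -r /etc/resolv.conf ]; then
    resolv_verdict < /etc/resolv.conf
fi
```

The dhclient check matters because a file that passes the nameserver test today can silently revert after a lease renewal; a monitoring job that runs `resolv_verdict` catches the regression before RBL lookups start timing out again.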

Re: Problem with ASL lite

Posted: Fri Mar 11, 2011 9:17 am
by scott
I wouldn't say this is just for ASL; any server is going to gain considerable performance benefits from using a local DNS server.

Re: Problem with ASL lite

Posted: Fri Mar 11, 2011 5:01 pm
by premierhosting
OK. What would you look for in a Plesk default installed local DNS server? The ones I'm familiar with do not appear to be installed, or they're somewhere I am having a hard time seeing.

Re: Problem with ASL lite

Posted: Fri Apr 29, 2011 5:28 am
by mairj
Hello,
I have to confirm that setting up a local DNS fixed the issue.
Thanks

Re: Problem with ASL lite

Posted: Thu Jan 12, 2012 5:13 pm
by premierhosting
I'm still trying to figure out this local DNS server thing.

[root@server1 ~]# rpm -qa | grep bind
bind-utils-9.3.6-16.P1.el5_7.1
bind-libs-9.3.6-16.P1.el5_7.1
bind-9.3.6-16.P1.el5_7.1
How can I tell if it's installed correctly or running? My /etc/resolv.conf is pointing to remote DNS servers, so it's not being used. Bind doesn't come up as a running process, it doesn't come up in the startup scripts or xinetd, and I can't seem to find simple instructions for installing or verifying it. I'm on Plesk 10.3 and I'm not seeing it as part of that.

Re: Problem with ASL lite

Posted: Fri Jan 13, 2012 7:08 am
by faris
Typically, Plesk will insist on bind being installed during installation, as it makes changes to its configuration.

dig @localhost some-remote-domain.tld

should give you an indication if it is running or not, as will

service named status
(and remember that when using ps you are looking for "named", not "bind")

Re: Problem with ASL lite

Posted: Fri Jan 13, 2012 5:16 pm
by premierhosting
Thanks faris, you're a big help! Now to point resolv.conf at the local DNS....

[root@server1 psa]# dig @localhost google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @localhost google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55487
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.225.50
google.com.             300     IN      A       74.125.225.51
google.com.             300     IN      A       74.125.225.52
google.com.             300     IN      A       74.125.225.48
google.com.             300     IN      A       74.125.225.49

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns4.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns3.google.com.

;; Query time: 659 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:15:02 2012
;; MSG SIZE  rcvd: 180

[root@server1 psa]# service named status
number of zones: 82
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid  28862) is running...
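An added example, not from the thread: a small shell parser for dig's output that scripts the verification faris describes, pulling the status, the answering server and the query time out of a `dig @localhost` run so the check can live in a cron job or a monitoring probe instead of being eyeballed. The embedded dig output is a constructed sample (example.com resolving to the documentation address 192.0.2.10); the functions read dig's output on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "dig @localhost <name>"
# output to confirm the local resolver answered and how long it took.

# Print "status=<RCODE> server=<addr> answers=<n> ms=<query time>".
dig_summary() {
    awk '
        /^;; ->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i+1); sub(/,$/, "", s) } }
        /^;; flags:/       { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { a = $(i+1); sub(/,$/, "", a) } }
        /^;; Query time:/  { ms = $4 }
        /^;; SERVER:/      { srv = $3; sub(/#.*/, "", srv) }   # drop "#53(addr)"
        END { printf "status=%s server=%s answers=%s ms=%s\n", s, srv, a, ms }
    '
}

# Print only the query time in milliseconds.
query_ms() {
    dig_summary | sed 's/.*ms=//'
}

# Return 0 when the answer is NOERROR and came from a loopback resolver.
answered_locally() {
    summary=$(dig_summary)
    case "$summary" in
        *"status=NOERROR"*"server=127."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed dig output, shaped like a real run but shortened.
sample='; <<>> DiG 9.3.6 <<>> @localhost example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            300     IN      A       192.0.2.10

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 1 00:00:00 2024
;; MSG SIZE  rcvd: 45'

printf '%s\n' "$sample" | dig_summary
if printf '%s\n' "$sample" | answered_locally; then
    echo "local resolver answered in $(printf '%s\n' "$sample" | query_ms) ms"
fi

# Live use on a server:  dig @localhost example.com | dig_summary
```

Run the live command twice against the same name. The first query to an idle cache can be slow, as the 659 ms in the output above shows, because named has to recurse out to the authoritative servers; the second should come back in a millisecond or two, and that difference is the gain the thread is after. A SERVER line showing anything other than 127.0.0.1 means the query never reached the local resolver.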

Re: Problem with ASL lite

Posted: Mon Jan 23, 2012 7:54 pm
by premierhosting
Something seems to have other ideas about resolv.conf:

; generated by /sbin/dhclient-script

It removed my setting.

Changed it again and ran chattr +i on the file; hopefully that will keep it from being edited.