Problem with ASL lite

mairj
New Forum User
Posts: 4
Joined: Thu Mar 10, 2011 7:38 am
Location: Rome

Problem with ASL lite

Unread post by mairj »

Hello,
I'm new to this forum. I'm writing here (I don't know if this is the right section) because I have problems with ASL lite installed on all our Linux servers: since yesterday all servers started to become slow with Apache processes; after many checks we disabled mod_security in Apache and all servers went back to working normally.
The strange thing is that we didn't find anything strange in the logs, and the hosted sites went slow even though the machine load was very low.
Has someone had the same issue? Any suggestions on how to troubleshoot it?
Thanks a lot.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Problem with ASL lite

Unread post by scott »

I've got a pretty good idea, yes: the way cPanel builds mod_security is very poor. They made several performance mistakes in their design that could be the culprit here.

You might want to give the ASL cPanel beta a try and see how that affects your performance. You can install it with a regular ASL or ASL Trial account. More about it in the thread here:
https://atomicorp.com/forum/viewtopic.php?f=21&t=4828
mairj
New Forum User
Posts: 4
Joined: Thu Mar 10, 2011 7:38 am
Location: Rome

Re: Problem with ASL lite

Unread post by mairj »

Hello,
thanks a lot for your prompt reply; anyway, the servers that are giving problems are all Plesk 9.5.3.
ASL lite was installed on these servers a few months ago, and not only did it work well, but we really have to say that ASL really fixed several security issues, so it's really important for us to continue using it.
We have found that disabling the RBL rules increases the speed a lot. Is there any cache for the RBL rules, or is it possible to enable one?
Thanks
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Problem with ASL lite

Unread post by scott »

Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

scott wrote: Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.

How would you do that?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Problem with ASL lite

Unread post by scott »

Make it the first entry in resolv.conf.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

OK, so the recommended practice when using ASL is to run a DNS server on the same server and set the first nameserver in resolv.conf to 127.0.0.1? Does ASL recommend bind, djbdns or tinydns?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Problem with ASL lite

Unread post by mikeshinn »

Thank you for the question. If you use any kind of Real Time Blacklisting (RBL) technology (such as in SpamAssassin, or the RBL rules, etc.), you should always run a local DNS. In fact, you should always run a local DNS no matter what you are doing; there's just no reason not to. A local DNS will be so much faster than a remote DNS server that it's like night and day. If you are using Plesk you should already have a local DNS server, so just make sure you add 127.0.0.1 to the first line in /etc/resolv.conf like this:

nameserver 127.0.0.1

As for ASL, this does not have anything special to do with running ASL (or not running it). So, for ASL, no, you don't need a local DNS.

With that said, you will need a local DNS if you use any kind of RBL technology, including SpamAssassin, other email antispam tools, web log analyzers, and so on. If you use the WAF RBL rules, for example (which are disabled by default), you will want to have a local DNS. RBLs (again, like the ones in SpamAssassin) perform DNS lookups, and a local DNS will be several orders of magnitude faster than a remote DNS, so much so that you really need to have a local DNS. You will also experience full timeouts with a remote DNS given the volume of traffic a local system generates these days (again, this is not specific to ASL; this includes ALL computers). And these delays can be quite large with a remote DNS server, to the point that lookups will fail. No matter what you are doing, a remote DNS server will always be slower than a local one, even for just plain old lookups. You will always see a huge performance gain if you have a local DNS server when doing DNS lookups, and as other things rely on DNS you'll see performance gains all over the system with a local DNS.

So, moral of the story: you should always have a local DNS server, no matter what you are doing. You need a local DNS server if you do DNS lookups to make decisions in real time and block an action until the lookup completes. Again, this has nothing to do with ASL. Remote DNS servers, in any form, will always always always be slower than a local DNS. Did I mention that they are much slower than a local DNS? :-)
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Problem with ASL lite

Unread post by scott »

I wouldn't say this is just for ASL; any server is going to gain considerable performance benefits from using a local DNS server.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

OK. What would you look for in a Plesk default installed local DNS server? The ones I'm familiar with do not appear to be installed, or they're somewhere I am having a hard time seeing.
mairj
New Forum User
Posts: 4
Joined: Thu Mar 10, 2011 7:38 am
Location: Rome

Re: Problem with ASL lite

Unread post by mairj »

Hello,
I have to confirm that setting up a local DNS fixed the issue.
Thanks
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

I'm still trying to figure out this local DNS server thing.


[root@server1 ~]# rpm -qa | grep bind
bind-utils-9.3.6-16.P1.el5_7.1
bind-libs-9.3.6-16.P1.el5_7.1
bind-9.3.6-16.P1.el5_7.1
How can I tell if it's installed correctly or running? My /etc/resolv.conf is pointing to remote DNS servers, so it's not being used. Bind doesn't come up as a running process, it doesn't come up in the startup scripts or xinetd, and I can't seem to find simple instructions for installing or verifying it. I'm on Plesk 10.3 and not seeing it as part of that.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Problem with ASL lite

Unread post by faris »

Typically, Plesk will insist on bind being installed during installation, as it makes changes to its configuration.


dig @localhost some-remote-domain.tld


should give you an indication if it is running or not, as will


service named status
(and remember, when using ps, that you are looking for "named", not "bind")
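The checks the replies above describe (the first nameserver in /etc/resolv.conf should be 127.0.0.1, as mikeshinn's post says, and a local named should actually answer a query, as faris's dig @localhost test shows) can be put into one small script. The script below is an added example, not code from this thread, from Atomicorp or from Plesk; it assumes dig from bind-utils is installed for the answer and timing checks (they are skipped otherwise), takes the resolv.conf path as a parameter so it can be run against a copy, and uses example.com as a placeholder probe name.

```shell
#!/bin/sh
# Added example: verify that lookups go to a local resolver first and that
# the local resolver answers. Not part of ASL, Plesk or bind.

# Print the first "nameserver" entry of a resolv.conf-style file.
# Comment lines (starting with ';' or '#') and other directives are skipped,
# so the "; generated by /sbin/dhclient-script" header does not confuse it.
first_nameserver() {
    awk '/^[[:space:]]*[;#]/ { next }
         $1 == "nameserver" { print $2; exit }' "$1"
}

# Return 0 if the first nameserver is a loopback address, 1 otherwise.
resolver_is_local() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the resolver at $1 answers an A query for $2 within 2 seconds.
# Returns 2 when dig (bind-utils) is not installed.
resolver_answers() {
    server=$1
    name=$2
    command -v dig >/dev/null 2>&1 || return 2
    dig +short +time=2 +tries=1 "@$server" "$name" A 2>/dev/null | grep -q .
}

# Print the "Query time" reported by dig for resolver $1 and name $2, in ms.
query_time_ms() {
    dig +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | awk '/Query time/ { print $4 }'
}

main() {
    file=${1:-/etc/resolv.conf}
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 0
    fi
    ns=$(first_nameserver "$file" 2>/dev/null)
    echo "first nameserver in $file: ${ns:-none}"
    if resolver_is_local "$file"; then
        echo "OK: lookups go to the local resolver first"
    else
        echo "WARN: first nameserver is remote; put 'nameserver 127.0.0.1' first"
    fi
    if [ -n "$ns" ]; then
        # example.com is only a placeholder probe name
        if resolver_answers "$ns" example.com; then
            echo "$ns answered in $(query_time_ms "$ns" example.com) ms"
        else
            echo "$ns did not answer (dig missing, named not running, or no recursion)"
        fi
    fi
    return 0
}

main "$@"
```

Run it as `sh resolvcheck.sh` for the live /etc/resolv.conf, or `sh resolvcheck.sh /tmp/resolv.conf.copy` against a copy. A remote first nameserver with a long "Query time" is exactly the situation the thread describes; RBL rules issue one lookup per request, so those milliseconds add up in every Apache worker that is waiting on them.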
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

Thanks faris, you're a big help! Now to point resolv.conf at the local DNS....


[root@server1 psa]# dig @localhost google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @localhost google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55487
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.225.50
google.com.             300     IN      A       74.125.225.51
google.com.             300     IN      A       74.125.225.52
google.com.             300     IN      A       74.125.225.48
google.com.             300     IN      A       74.125.225.49

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns4.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns3.google.com.

;; Query time: 659 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:15:02 2012
;; MSG SIZE  rcvd: 180

[root@server1 psa]# service named status
number of zones: 82
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid  28862) is running...
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Problem with ASL lite

Unread post by premierhosting »

Something seems to have other ideas about resolv.conf:

; generated by /sbin/dhclient-script

It removed my setting.

Changed it again and ran chattr +i on the file; hopefully that will keep it from being edited.
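The "; generated by /sbin/dhclient-script" header means the interface gets its address by DHCP and dhclient rewrites /etc/resolv.conf on every lease renewal. Making the file immutable works, but dhclient has a supported way to keep a local nameserver in front. The fragment below is an added example, not configuration from this thread or from Plesk; it goes in /etc/dhclient.conf on el5-era systems (or /etc/dhcp/dhclient.conf on later releases), and the `prepend` and `supersede` statements are the ones documented in dhclient.conf(5).

```conf
# Added example for /etc/dhclient.conf (not from the thread).
# Keep the local resolver first in /etc/resolv.conf even when dhclient
# rewrites the file on lease renewal; DHCP-supplied servers follow it.
prepend domain-name-servers 127.0.0.1;

# Alternative: ignore the DHCP-supplied servers entirely and use only the
# local one. Use one of the two statements, not both.
# supersede domain-name-servers 127.0.0.1;
```

On Red Hat style systems the same result can be had per interface by setting `PEERDNS=no` in /etc/sysconfig/network-scripts/ifcfg-eth0, after which dhclient-script leaves resolv.conf alone and the file can be managed by hand without chattr +i. Whichever route is taken, re-run `dig @127.0.0.1` against a name after the next lease renewal to confirm the local named is still the first server consulted.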