Problem with ASL lite
Hello,
I'm new on this forum, I'm writing here (I don't know if this is the right section), because I have problems with the ASL lite installed on all our Linux servers. From yesterday all servers started to become slow with the Apache process; after many checks we disabled mod_security from Apache and all servers came back to working normally.
The strange thing is that we didn't find anything strange in the logs, and the hosted sites went slow even if the machine load was very low.
Has someone got the same issue? Any suggestions on how to troubleshoot it?
Thanks a lot.
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Problem with ASL lite
I've got a pretty good idea, yes: the way cPanel builds mod_security is very poor. They made several performance mistakes in their design that could be the culprit here.
You might want to give the ASL cPanel beta a try, and see how that affects your performance. You can install it with a regular ASL or ASL Trial account. More about it in the thread here:
https://atomicorp.com/forum/viewtopic.php?f=21&t=4828
Re: Problem with ASL lite
Hello,
Thanks a lot for your prompt reply. Anyway, the servers that are giving problems are all Plesk 9.5.3.
The ASL lite was installed on these servers a few months ago, and not only did it work well, but we really have to say that ASL really fixes several security issues, so it's really important for us to continue using it.
We have found that disabling the RBL rules increases the speed a lot. Is there any cache for the RBL rules, or is it possible to enable one?
Thanks
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Problem with ASL lite
Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
scott wrote: Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.
How would you do that?
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Problem with ASL lite
Make it the first entry in resolv.conf
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
OK, so the recommended practice when using ASL is to run a DNS server on the same server and set the first entry in resolv.conf to 127.0.0.1? Does ASL recommend bind, djbdns or tinydns?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Problem with ASL lite
Thank you for the question. If you use any kind of Real Time Blacklisting (RBL) technology (such as in SpamAssassin, or RBL rules, etc.) you should always run a local DNS. In fact, you should always run a local DNS no matter what you are doing, there's just no reason not to: a local DNS will be so much faster than a remote DNS server it's like night and day. If you are using Plesk you should already have a local DNS server, so just make sure you add 127.0.0.1 to the first line in /etc/resolv.conf like this:
nameserver 127.0.0.1
As for ASL, this does not have anything special to do with running ASL (or not running it). So, for ASL, no, you don't need a local DNS.
With that said, you will need a local DNS if you use any kind of RBL technology, including SpamAssassin, other email antispam tools, web log analyzers, and so on. If you use the WAF RBL rules, for example (which are disabled by default), you will want to have a local DNS. RBLs (again, like the ones in SpamAssassin) perform DNS lookups, and a local DNS will be several orders of magnitude faster than a remote DNS, so much so that you really need to have a local DNS. You will also experience full timeouts with a remote DNS given the volume of traffic a local system generates these days (again, this is not specific to ASL, this includes ALL computers). And these delays can be quite large with a remote DNS server, to the point that lookups will fail. No matter what you are doing, a remote DNS server will always be slower than a local one, even for just plain old lookups. You will always see a huge performance gain if you have a local DNS server when doing DNS lookups, and as other things rely on DNS you'll see performance gains all over the system with a local DNS.
So, moral of the story: You should always have a local DNS server, no matter what you are doing. You need a local DNS server if you do DNS lookups to make decisions in real time and block an action until the lookup completes. Again, this has nothing to do with ASL. Remote DNS servers, in any form, will always always always be slower than a local DNS. Did I mention that they are much slower than a local DNS?
Michael Shinn
Atomicorp - Security For Everyone
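An added example, not code from the thread or from Atomicorp, that shows why the RBL rules discussed above are DNS-bound and gives a scriptable version of the resolv.conf check Mike describes. It builds the reversed-octet query name an RBL lookup sends for each client address (the usual DNSBL convention) and reports whether the first nameserver in a resolv.conf-style file is the loopback address. The DNSBL zone and the two sample resolv.conf files are constructed placeholders, not real lists or real hosts.

```shell
#!/bin/sh
# Added example, not from the thread or from Atomicorp: shows the DNS
# lookup an RBL rule has to make for every client address, and checks
# whether the system's first resolver is the local one recommended above.
# The DNSBL zone and resolv.conf contents below are constructed
# placeholders, not real lists or real hosts.

# Build the query name an RBL check sends: the IPv4 octets are reversed
# and the list's zone is appended (the usual DNSBL convention).
# rbl_query_name 192.0.2.44 dnsbl.example -> 44.2.0.192.dnsbl.example
rbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Print the first "nameserver" entry of a resolv.conf-style file; this is
# the resolver every lookup is tried against first.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Return 0 when the first nameserver is loopback (the local DNS), else 1.
resolver_is_local() {
    case "$(first_nameserver "$1")" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample resolv.conf files (temporary, removed on exit).
GOOD_RESOLV=$(mktemp)
BAD_RESOLV=$(mktemp)
trap 'rm -f "$GOOD_RESOLV" "$BAD_RESOLV"' EXIT

cat > "$GOOD_RESOLV" <<'EOF'
; local caching resolver first, remote resolver as fallback
nameserver 127.0.0.1
nameserver 192.0.2.53
EOF

cat > "$BAD_RESOLV" <<'EOF'
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
EOF

# Stand-alone report: which resolver each file would use first, and what
# one RBL lookup for a sample client address looks like.
for f in "$GOOD_RESOLV" "$BAD_RESOLV"; do
    if resolver_is_local "$f"; then
        echo "$f: first nameserver $(first_nameserver "$f") is local"
    else
        echo "$f: first nameserver $(first_nameserver "$f") is remote (every RBL lookup pays a network round trip)"
    fi
done
echo "RBL query for client 192.0.2.44 against dnsbl.example: $(rbl_query_name 192.0.2.44 dnsbl.example)"
```

Run it against the real file with `resolver_is_local /etc/resolv.conf` once the functions are sourced; the point of the reversed-octet name is that a WAF or SpamAssassin RBL rule issues one such lookup per client address per list, and each of them blocks the request until the resolver answers.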
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Problem with ASL lite
I wouldn't say this is just for ASL, any server is going to gain considerable performance benefits from using a local DNS server.
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
OK. What would you look for in a Plesk default installed local DNS server? The ones I'm familiar with do not appear to be installed, or they're somewhere I am having a hard time seeing.
Re: Problem with ASL lite
Hello,
I have to confirm that setting a local DNS fixes the issue.
Thanks
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
I'm still trying to figure out this local DNS server thing.
How can I tell if it's installed correctly or running? My /etc/resolv.conf is pointing to remote DNS servers, so it's not being used. Bind doesn't come up as a running process, it doesn't come up in the startup scripts or xinetd, and I can't seem to find simple instructions for installing or verifying it. I'm on Plesk 10.3 and not seeing it as part of that.
[root@server1 ~]# rpm -qa | grep bind
bind-utils-9.3.6-16.P1.el5_7.1
bind-libs-9.3.6-16.P1.el5_7.1
bind-9.3.6-16.P1.el5_7.1
Re: Problem with ASL lite
Typically, Plesk will insist on bind being installed during installation, as it makes changes to its configuration.
dig @localhost some-remote-domain.tld
should give you an indication if it is running or not, as will
service named status
(and remember when using ps that you are looking for "named" not "bind")
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
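An added example, not faris's code or anything from the thread, that turns the two checks above (`dig @localhost some-remote-domain.tld` and `service named status`) into small parsers so the result can be scripted rather than eyeballed, with a live check that runs only when invoked with `--live`. The sample dig and status outputs are constructed, shortened versions of what those commands print; `some-remote-domain.tld` is the placeholder name from the post.

```shell
#!/bin/sh
# Added example, not from the thread: parsers for the two checks suggested
# above (dig against localhost, "service named status"), plus a live check
# that only runs with --live. Sample outputs are constructed and shortened;
# 'some-remote-domain.tld' is the placeholder from the post.

# Print the address that answered a dig query, from its ";; SERVER:" line.
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Print the query time in milliseconds from dig output.
dig_query_msec() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# Return 0 if the dig output on stdin was answered by 127.0.0.1 with NOERROR.
dig_answered_locally() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    [ "$(printf '%s\n' "$out" | dig_server)" = "127.0.0.1" ]
}

# Return 0 if "service named status" output on stdin says the daemon is up.
named_running() {
    grep -q 'is running'
}

# Constructed sample outputs.
SAMPLE_DIG='; <<>> DiG 9.3.6-P1 <<>> @localhost some-remote-domain.tld
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
some-remote-domain.tld. 300 IN A 192.0.2.10
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_STATUS='number of zones: 82
server is up and running
named (pid 28862) is running...'
SAMPLE_STOPPED='named is stopped'

printf '%s\n' "$SAMPLE_DIG" | dig_answered_locally \
    && echo "sample: answered locally in $(printf '%s\n' "$SAMPLE_DIG" | dig_query_msec) msec"
printf '%s\n' "$SAMPLE_STATUS" | named_running && echo "sample: named is running"

# Live check against this host (needs dig and the named init script).
if [ "${1:-}" = "--live" ]; then
    dig @localhost some-remote-domain.tld | dig_answered_locally \
        && echo "live: 127.0.0.1 answers recursive queries" \
        || echo "live: no usable answer from 127.0.0.1"
    service named status 2>/dev/null | named_running \
        && echo "live: named is running" \
        || echo "live: named not reported running"
    # ps shows the process as "named", not "bind"
    ps -e | grep -qw named && echo "live: named process present"
fi
```

A NOERROR answer from `127.0.0.1#53` is the thing to look for; an answer that comes back from a remote address means dig fell through to another resolver, and a large "Query time" on a cached name suggests the local server is forwarding rather than caching.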
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
Thanks faris, you're a big help! Now to route resolv.conf to the local dns....
[root@server1 psa]# dig @localhost google.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @localhost google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55487
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 74.125.225.50
google.com. 300 IN A 74.125.225.51
google.com. 300 IN A 74.125.225.52
google.com. 300 IN A 74.125.225.48
google.com. 300 IN A 74.125.225.49
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns4.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
;; Query time: 659 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:15:02 2012
;; MSG SIZE rcvd: 180
[root@server1 psa]# service named status
number of zones: 82
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid 28862) is running...
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: Problem with ASL lite
Something seems to have other ideas about resolv.conf:
; generated by /sbin/dhclient-script
It removed my setting.
Changed it again, and did chattr +i on the file; hopefully that will keep it from being edited.
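An added example, not from the thread, for the situation in the last post: dhclient-script rewriting /etc/resolv.conf and dropping the local nameserver line. It detects the marker comment quoted above, checks for the immutable flag the poster applied with chattr +i, and checks the interface's ifcfg file for PEERDNS=no, which on Red Hat/CentOS network scripts is the supported way to stop the DHCP client from managing resolv.conf (that setting is an assumption about the poster's distribution, not something the thread states). The sample files are constructed in temp files.

```shell
#!/bin/sh
# Added example, not from the thread: detects dhclient-script rewriting
# resolv.conf and checks the two usual guards. Assumptions: the marker
# comment is the one quoted in the post; PEERDNS=no in the interface's
# ifcfg file (Red Hat/CentOS network scripts) stops dhclient from
# rewriting resolv.conf; chattr +i is the immutable flag the post used.

# Return 0 if the file carries the dhclient-script "generated by" marker.
written_by_dhclient() {
    grep -q 'generated by /sbin/dhclient-script' "$1"
}

# Return 0 if an ifcfg file tells the DHCP client not to manage DNS.
peerdns_disabled() {
    grep -qiE '^PEERDNS="?no"?$' "$1"
}

# Return 0 if lsattr shows the immutable (i) attribute on the file.
file_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# Summarise one resolv.conf and the ifcfg file of one interface.
resolv_report() {
    resolv=$1
    ifcfg=$2
    if written_by_dhclient "$resolv"; then
        echo "$resolv: last written by dhclient-script"
    else
        echo "$resolv: no dhclient marker"
    fi
    if file_immutable "$resolv"; then
        echo "$resolv: immutable (chattr +i)"
    else
        echo "$resolv: writable"
    fi
    if peerdns_disabled "$ifcfg"; then
        echo "$ifcfg: PEERDNS=no, DHCP renewals will leave resolv.conf alone"
    else
        echo "$ifcfg: PEERDNS not disabled, DHCP renewals may rewrite resolv.conf"
    fi
}

# Constructed samples (temporary files, removed on exit).
DHCP_RESOLV=$(mktemp); HAND_RESOLV=$(mktemp); IFCFG_NO=$(mktemp); IFCFG_YES=$(mktemp)
trap 'rm -f "$DHCP_RESOLV" "$HAND_RESOLV" "$IFCFG_NO" "$IFCFG_YES"' EXIT
printf '; generated by /sbin/dhclient-script\nnameserver 192.0.2.53\n' > "$DHCP_RESOLV"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$HAND_RESOLV"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nPEERDNS=no\n' > "$IFCFG_NO"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\n' > "$IFCFG_YES"

resolv_report "$DHCP_RESOLV" "$IFCFG_YES"
resolv_report "$HAND_RESOLV" "$IFCFG_NO"
```

On a real host run `resolv_report /etc/resolv.conf /etc/sysconfig/network-scripts/ifcfg-eth0`; the immutable flag works as a backstop, but with it set the DHCP client will log write failures on every renewal, so telling it not to manage DNS in the first place is the cleaner fix.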