Apache child processes not dying/timing out

premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Apache child processes not dying/timing out

Same problem posted here:
http://atomicorp.com/forums/viewtopic.php?f=1&t=4582

Anyone else notice that mod_security as implemented by ASL adds about 100MB of RSS to each httpd process? My load averages have been on the hot side since installing ASL and I think this is the prime culprit. Any thoughts?

Some of the 2006 vintage suggestions don't seem to apply directly to the current modsecurity rulesets.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Apache child processes not dying/timing out

I was able to get between 10 and 40 MB taken off each httpd process by removing various files from /etc/httpd/modsecurity.d

The 10_asl_antimalware.conf was the biggest one.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Apache child processes not dying/timing out

https://atomicorp.com/forums/viewtopic.php?f=3&t=4574

It's not a bug, it's a byproduct of how parallel searches are done. The malware domain list is around 10K entries long; if we did a normal search of that list, the process would slow down the webserver (that's how it used to be done back in the modsec 1.x days) but wouldn't use much memory. Now we do parallel searches, which are lightning fast and require more memory. So it's a trade-off: speed for memory, or memory for speed. So, if you don't have enough memory then you probably shouldn't use the antimalware rules.

Given the night-and-day performance enhancement parallel searches give us, it's the only way to do lookups in milliseconds on large lists. Any other method would kill the server. Most people don't have any issues with this ruleset, memory being pretty cheap these days. So if memory is an issue for you, then you won't be able to use the antimalware blocklist.

A box with 1.5 GB of memory will do just fine.
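
An added illustration (not from the thread or from ASL) of the speed-for-memory trade-off described in the post above, assuming "parallel searches" refers to the Aho-Corasick matching that ModSecurity 2.x uses for its @pm/@pmFromFile operators. The domain list and request line are constructed.

```python
from collections import deque

def build_automaton(patterns):
    """Aho-Corasick: trie (goto), failure links (fail), matches per state (out)."""
    goto, fail, out = [{}], [0], [set()]
    for pat in patterns:
        state = 0
        for ch in pat:
            if ch not in goto[state]:
                goto.append({}); fail.append(0); out.append(set())
                goto[state][ch] = len(goto) - 1
            state = goto[state][ch]
        out[state].add(pat)
    queue = deque(goto[0].values())      # depth-1 states fall back to the root
    while queue:                         # breadth-first, so shallower links exist
        state = queue.popleft()
        for ch, nxt in goto[state].items():
            f = fail[state]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(ch, 0)
            out[nxt] |= out[fail[nxt]]   # inherit matches ending at the suffix
            queue.append(nxt)
    return goto, fail, out

def search(automaton, text):
    """One pass over text, checking every pattern at once."""
    goto, fail, out = automaton
    state, hits = 0, set()
    for ch in text:
        while state and ch not in goto[state]:
            state = fail[state]
        state = goto[state].get(ch, 0)
        hits |= out[state]
    return hits

def naive_search(patterns, text):
    """The low-memory alternative: one substring scan per list entry."""
    return {p for p in patterns if p in text}

# Constructed stand-in for a ~10K-entry malware domain list.
DOMAINS = [f"bad{i:05d}.example" for i in range(10000)]
# Constructed request data containing two listed domains.
REQUEST = "GET /?u=http://bad04242.example/x.js Referer: http://bad00017.example/"

if __name__ == "__main__":
    ac = build_automaton(DOMAINS)
    print("states held in memory:", len(ac[0]))
    print("automaton hits:", sorted(search(ac, REQUEST)))
```

The automaton keeps several states per list entry, each with its own transition table, which is where the memory goes; in exchange, the per-request scan is a single pass whose cost does not grow with the length of the list.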
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Apache child processes not dying/timing out

Running 2 GB of RAM on a VPS on top of the Xen hypervisor.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Apache child processes not dying/timing out

You'll be fine then.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Apache child processes not dying/timing out

My loads have been pretty high. Seems that the 140-150 MB httpd is part of that issue.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Apache child processes not dying/timing out

So with load, it's not the memory usage that will increase load on Linux (unless you are thrashing and don't have enough; that will increase load as you run into I/O bottlenecks). You should see your box doing more work; after all, you just added a WAF to the box itself and it's inspecting all that traffic for malicious activity, and that is somewhat CPU intensive.

When you say your load went up, what was your CPU utilization before and after turning on the WAF?
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: Apache child processes not dying/timing out

Good question, I'll have to check into that.