Linode 360 Committed Memory
Getting to the point, my problem with modsecurity is for once the committed memory reported by munin, and the considerably decreased number of request per second (bench-marked with ab) when it is activated. I understand that it is processing the request bodies and that takes a lot of resources but my question is how important is modsecurity? Is there some kind of alternative to mod_security worth taking into consideration and with a smaller footprint over the system?
Thank you in advance.
This a weekly graph of my 360 linode, with a lot of caching, a little swap and the committed memory.
@nofun:
my question is how important is mod_security?
Impossible to guess.
Are you protecting Fort Knox or your kid's tee-ball league fan site?
Security is always a trade off between resource allocation, convenience, and security.
Personally, I keep detailed (and up to date) documentation on how my sites/systems are setup, current (and frequent) backups, and reasonable security (mostly via patched system/apps, simple light footprint monitoring, and iptables).
If my site goes down (from a hardware/software error or from nefarious activity) I can rebuild my site from scratch in about an hour.
For me, that's good enough.
@vonskippy:
Security is always a trade off between resource allocation, convenience, and security.
Exactly, that's why I am struggling to find the best way of balancing those. I searched a lot about the memory consumption of the mod_security module in apache but either people don't use it so much, either they don't use it in conjunction with munin. For me it's a little like overselling the resources. If God forbid I will have an increase in traffic which for the moment is so low that even the kid's tee-ball league fan site is more profitable than mine, I want to be on the safe side, and all the resources could fit comfortably in my limits.
~600M of commit is actually the exact value I have on my 360, but large part of it isn't really used… or for that matter, taking any amount of "real resources".
Say a bit more about your Apache config - which MPM, what are the MPM's parameters, is your PHP an Apache module or a FastCGI setup… oh, and, what about the CPU graph? If content scanning is really at fault, you should see quite a difference in CPU load with it enabled and not.
Also,
ps axv
mod_security often is used to protected against sql injection and accessing files that really shouldn't be accessible, if you have sensible code and keep your permissions locked down you should be fine.
@obs:
mod_security often is used to protected against sql injection and accessing files that really shouldn't be accessible, if you have sensible code and keep your permissions locked down you should be fine.
This is what I was interested in. The only sites I have are using Drupal and Wordpress, so I suppose that the code is pretty well written. The rest of my administration and monitoring scripts are behind a .httpasswd. As far as the permissions, the user www-data does not have write permission, and my user is the only one who can acces the ssh daemon only with the public key.
I prefer working with Apache and mod_php because with a good configuration is much better than anything else. So probably I should not use it in the first place.
And this is my configuration:
Apache http://p.linode.com/?dl=3772
PHP loaded by the Apache module mod_php with Suhosin Patch and APC with default settings
ps axv: http://p.linode.com/?dl=3773
mysqltuner output which I will update with the new set suggestions at the bottom: http://p.linode.com/?dl=3774
~~http://vladgh.com/images/Srv.VladGh.com-cpu-week.png
~~http://vladgh.com/images/Srv.VladGh.com-load-week.png
APC fragmentation 0% for
Hits: 28665 (61.9%)
Misses: 17664 (38.1%):
@lvthunder:
How did you get that memory graph? I would like something like that on my linode.
check out
@nofun:
Is there a way to find out how much committed memory each process needs, because maybe it's not apache the reason it's so high?
top will show you, and I believe ps will too.