Linode 360 Committed Memory

I tried to optimize my small 360 as much as I could according to all the advice from this and other forums. And I am very pleased with how it's working. It's by far one of the best solutions I came across. But then I started securing it. After a few days of testing with snort I left it alone because it is a huge memory hog. Now I have psad, apache's modsecurity, php's suhosin patch, and a very restrictive iptables rule set, allowing only 2 ports, but logging everything else for the psad. In the modsecurity I activated only the 10aslrules.conf and 99asljitp.conf.

Getting to the point, my problem with modsecurity is, for one, the committed memory reported by munin, and the considerably decreased number of requests per second (benchmarked with ab) when it is activated. I understand that it is processing the request bodies and that takes a lot of resources, but my question is how important is modsecurity? Is there some kind of alternative to mod_security worth taking into consideration and with a smaller footprint over the system?

Thank you in advance.

This is a weekly graph of my 360 linode, with a lot of caching, a little swap and the committed memory.


11 Replies

@nofun:

my question is how important is mod_security?
Impossible to guess.

Are you protecting Fort Knox or your kid's tee-ball league fan site?

Security is always a trade off between resource allocation, convenience, and security.

Personally, I keep detailed (and up to date) documentation on how my sites/systems are set up, current (and frequent) backups, and reasonable security (mostly via patched system/apps, simple light footprint monitoring, and iptables).

If my site goes down (from a hardware/software error or from nefarious activity) I can rebuild my site from scratch in about an hour.

For me, that's good enough.

@vonskippy:

Security is always a trade off between resource allocation, convenience, and security.

Exactly, that's why I am struggling to find the best way of balancing those. I searched a lot about the memory consumption of the mod_security module in apache, but either people don't use it so much, or they don't use it in conjunction with munin. For me it's a little like overselling the resources. If, God forbid, I have an increase in traffic (which for the moment is so low that even the kid's tee-ball league fan site is more profitable than mine), I want to be on the safe side, and all the resources could fit comfortably in my limits.

Remember that VMem committed != VMem allocated.

~600M of commit is actually the exact value I have on my 360, but large part of it isn't really used… or for that matter, taking any amount of "real resources".

Say a bit more about your Apache config - which MPM, what are the MPM's parameters, is your PHP an Apache module or a FastCGI setup… oh, and, what about the CPU graph? If content scanning is really at fault, you should see quite a difference in CPU load with it enabled and not.

Also,

`ps axv`

I agree with vonskippy, how important is security to you? Personally I don't use modsecurity (since I use nginx). I don't use suhosin since the last time I installed it, it screwed up mtrand, making it... well, not random.

mod_security is often used to protect against sql injection and accessing files that really shouldn't be accessible; if you have sensible code and keep your permissions locked down you should be fine.

@obs:

mod_security is often used to protect against sql injection and accessing files that really shouldn't be accessible; if you have sensible code and keep your permissions locked down you should be fine.

This is what I was interested in. The only sites I have are using Drupal and Wordpress, so I suppose that the code is pretty well written. The rest of my administration and monitoring scripts are behind a .htpasswd. As far as the permissions, the user www-data does not have write permission, and my user is the only one who can access the ssh daemon, only with the public key.

I prefer working with Apache and mod_php because with a good configuration it is much better than anything else. So probably I should not use it in the first place.

And this is my configuration:

Apache http://p.linode.com/?dl=3772

PHP loaded by the Apache module mod_php with Suhosin Patch and APC with default settings

ps axv: http://p.linode.com/?dl=3773

mysqltuner output which I will update with the new set suggestions at the bottom: http://p.linode.com/?dl=3774

![](http://vladgh.com/images/Srv.VladGh.com-cpu-week.png)

![](http://vladgh.com/images/Srv.VladGh.com-load-week.png)

APC fragmentation 0% for:

Hits: 28665 (61.9%)

Misses: 17664 (38.1%)

@nofun:

The only sites I have are using Drupal and Wordpress, so I suppose that the code is pretty well written.

Yeah, they tend to be fine; it's the plugins which have problems. You should sign up to their security mailing lists, keep your installations up to date and you'll be fine.

How did you get that memory graph? I would like something like that on my linode.

@lvthunder:

How did you get that memory graph? I would like something like that on my linode.

check out http://library.linode.com/server-monitoring/munin/

Is there a way to find out how much committed memory each process needs, because maybe Apache isn't the reason it's so high?

@nofun:

Is there a way to find out how much committed memory each process needs, because maybe Apache isn't the reason it's so high?

top will show you, and I believe ps will too.

I like htop; it's prettier.
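To put numbers behind the two points raised in this thread (committed memory is not the same as memory actually in use, and `top`/`ps` can tell you which processes account for it), here is an added example script, not code posted by anyone in the thread. It reads the per-process `VmSize` (virtual address space, the closest per-process stand-in for "committed") and `VmRSS` (resident, actually in use) fields from `/proc/<pid>/status` on Linux, sums them per command name, and compares the kernel's own `Committed_AS` figure from `/proc/meminfo` against `CommitLimit`. The process names and kB values in `SAMPLE_STATUS` are constructed so the parsing can be exercised on a machine without `/proc`; the Apache instance discussed in the thread would show several `apache2` rows instead.

```python
"""Per-process virtual (VmSize) vs resident (VmRSS) memory, summed by command.

Added example for the thread above; reads /proc on Linux, otherwise falls
back to the constructed SAMPLE_STATUS data below.
"""
import os
import re
from collections import defaultdict

# Constructed sample /proc/<pid>/status excerpts (names and kB values are made up).
SAMPLE_STATUS = {
    101: "Name:\tapache2\nVmPeak:\t 310000 kB\nVmSize:\t 300000 kB\nVmRSS:\t  40000 kB\n",
    102: "Name:\tapache2\nVmSize:\t 300000 kB\nVmRSS:\t  38000 kB\n",
    103: "Name:\tmysqld\nVmSize:\t 500000 kB\nVmRSS:\t 120000 kB\n",
    104: "Name:\tkthreadd\n",  # kernel threads report no Vm* fields at all
}

# Constructed /proc/meminfo excerpt: commit well above the limit, as on an
# overcommitting box where much of the committed space is never touched.
SAMPLE_MEMINFO = "MemTotal:  360000 kB\nCommitted_AS:  614400 kB\nCommitLimit: 440000 kB\n"

_KB_FIELD = re.compile(r"^(\w+):\s+(\d+) kB$", re.M)


def parse_status(text):
    """Return (name, vmsize_kb, vmrss_kb) from one /proc/<pid>/status body."""
    m = re.search(r"^Name:\s*(.*)$", text, re.M)
    name = m.group(1).strip() if m else "?"
    fields = {k: int(v) for k, v in _KB_FIELD.findall(text)}
    return name, fields.get("VmSize", 0), fields.get("VmRSS", 0)


def aggregate(statuses):
    """Sum VmSize and VmRSS per command name -> {name: (procs, vmsize_kb, rss_kb)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for text in statuses.values():
        name, size, rss = parse_status(text)
        if size == 0:  # kernel thread: no user address space, nothing committed
            continue
        t = totals[name]
        t[0] += 1
        t[1] += size
        t[2] += rss
    return {k: tuple(v) for k, v in totals.items()}


def parse_meminfo(text):
    """Return (Committed_AS kB, CommitLimit kB) from /proc/meminfo text."""
    fields = {k: int(v) for k, v in _KB_FIELD.findall(text)}
    return fields.get("Committed_AS", 0), fields.get("CommitLimit", 0)


def read_proc():
    """Collect /proc/<pid>/status for every process we are allowed to read."""
    out = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/status") as f:
                    out[int(pid)] = f.read()
            except OSError:
                pass  # process exited or belongs to another user
    return out


def report(statuses, meminfo_text, top=10):
    """Print the biggest commands by VmSize, then the system-wide commit figures."""
    rows = sorted(aggregate(statuses).items(), key=lambda kv: kv[1][1], reverse=True)
    print(f"{'command':<16}{'procs':>6}{'VmSize MB':>12}{'RSS MB':>10}")
    for name, (n, size, rss) in rows[:top]:
        print(f"{name:<16}{n:>6}{size / 1024:>12.1f}{rss / 1024:>10.1f}")
    committed, limit = parse_meminfo(meminfo_text)
    print(f"\nCommitted_AS {committed / 1024:.0f} MB vs CommitLimit {limit / 1024:.0f} MB")


if __name__ == "__main__":
    if os.path.isdir("/proc") and os.path.exists("/proc/meminfo"):
        with open("/proc/meminfo") as f:
            report(read_proc(), f.read())
    else:
        report(SAMPLE_STATUS, SAMPLE_MEMINFO)
```

The gap between the `VmSize` and `RSS` columns is the point made about commit versus allocation: a prefork Apache with mod_php maps the same libraries and a large per-child virtual space many times over, so the summed `VmSize` (and munin's committed figure) can exceed physical RAM while the resident total stays modest. Note that `VmSize` counts shared mappings once per process, so the per-command sum overstates what the kernel actually accounts in `Committed_AS`; use it to rank who is responsible, and the `Committed_AS`/`CommitLimit` pair to judge whether the box as a whole is overcommitted.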
