Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
[ 19 posts ]  Page 1 of 2
Post subject: Problem with ASL lite
Posted: Thu Mar 10, 2011 7:46 am
New Forum User (Joined: Thu Mar 10, 2011 7:38 am; Posts: 4; Location: Rome)
Hello,
I'm new on this forum. I'm writing here (I don't know if this is the right section) because I have problems with ASL lite, installed on all our Linux servers. Since yesterday all the servers have started to become slow with the Apache processes; after many checks we disabled mod_security in Apache and all the servers went back to working normally.
The strange thing is that we didn't find anything strange in the logs, and the hosted sites went slow even though the machine load was very low.
Has anyone had the same issue? Any suggestions on how to troubleshoot it?
Thanks a lot.


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 11:04 am
Atomicorp Staff - Site Admin (Joined: Wed Dec 31, 1969 8:00 pm; Posts: 7901; Location: earth)
I've got a pretty good idea, yes: the way cPanel builds mod_security is very poor. They made several performance mistakes in their design that could be the culprit here.

You might want to give the ASL cPanel beta a try and see how that affects your performance. You can install it with a regular ASL or ASL Trial account. More about it in the thread here:
viewtopic.php?f=21&t=4828


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 1:27 pm
New Forum User (Joined: Thu Mar 10, 2011 7:38 am; Posts: 4; Location: Rome)
Hello,
thanks a lot for your prompt reply. Anyway, the servers that are giving problems are all Plesk 9.5.3.
ASL lite was installed on these servers a few months ago, and not only did it work well, but we really have to say that ASL really fixed several security issues, so it's really important for us to continue using it.
We have found that disabling the RBL rules increases the speed a lot. Is there any cache for the RBL rules, or is it possible to enable one?
Thanks


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 2:07 pm
Atomicorp Staff - Site Admin (Joined: Wed Dec 31, 1969 8:00 pm; Posts: 7901; Location: earth)
Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 8:00 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
scott wrote:
Yeah, you should make sure you're using the local DNS on the system. It's going to speed up a lot of things: mail, statistics, SpamAssassin, etc.

How would you do that?


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 8:46 pm
Atomicorp Staff - Site Admin (Joined: Wed Dec 31, 1969 8:00 pm; Posts: 7901; Location: earth)
Make it the first entry in resolv.conf.


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 8:53 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
OK, so the recommended practice when using ASL is to run a DNS server on the same server and set the first search in resolv.conf to 127.0.0.1? Does ASL recommend bind, djbdns or tinydns?


Post subject: Re: Problem with ASL lite
Posted: Thu Mar 10, 2011 11:15 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3631; Location: Chantilly, VA)
Thank you for the question. If you use any kind of Real Time Blacklisting (RBL) technology (such as in SpamAssassin, or the RBL rules, etc.) you should always run a local DNS. In fact, you should always run a local DNS no matter what you are doing; there's just no reason not to. A local DNS will be so much faster than a remote DNS server, it's like night and day. If you are using Plesk you should already have a local DNS server, so just make sure you add 127.0.0.1 as the first line in /etc/resolv.conf like this:

nameserver 127.0.0.1

As for ASL, this does not have anything special to do with running ASL (or not running it). So, for ASL, no, you don't need a local DNS.

With that said, you will need a local DNS if you use any kind of RBL technology, including SpamAssassin, other email anti-spam tools, web log analyzers, and so on. If you use the WAF RBL rules, for example (which are disabled by default), you will want to have a local DNS. RBLs (again, like the ones in SpamAssassin) perform DNS lookups, and a local DNS will be several orders of magnitude faster than a remote DNS, so much so that you really need to have a local DNS. You will also experience full timeouts with a remote DNS given the volume of traffic a local system generates these days (again, this is not specific to ASL; this includes ALL computers). And these delays can be quite large with a remote DNS server, to the point that lookups will fail. No matter what you are doing, a remote DNS server will always be slower than a local one, even for just plain old lookups. You will always see a huge performance gain if you have a local DNS server when doing DNS lookups, and as other things rely on DNS you'll see performance gains all over the system with a local DNS.

So, the moral of the story: you should always have a local DNS server, no matter what you are doing. You need a local DNS server if you do DNS lookups to make decisions in real time and block an action until the lookup completes. Again, this has nothing to do with ASL. Remote DNS servers, in any form, will always, always, always be slower than a local DNS. Did I mention that they are much slower than a local DNS? :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
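The point of the post above is that an RBL rule blocks the request until a DNS lookup completes, so the first resolver in /etc/resolv.conf sets the floor on request latency. The script below is an added example (not from the thread, not ASL or Plesk code) that checks the resolv.conf ordering and, when dig is available, times an RBL-style query against whichever resolver is first. The query name 2.0.0.127.zen.spamhaus.org is the reversed form of 127.0.0.2, the test entry Spamhaus documents as always listed; it is used here only as a realistic sample lookup, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit resolv.conf ordering and time one RBL-style lookup.
# Function and variable names are this example's own, not ASL or Plesk tooling.

# first_nameserver FILE -> prints the first "nameserver" entry in FILE
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# resolver_is_local FILE -> exit 0 if the first nameserver is a loopback address
resolver_is_local() {
    case "$(first_nameserver "$1")" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# time_lookup NAME SERVER -> prints dig's "Query time" in msec, or "n/a" when
# dig is missing or the query gets no answer (2 s timeout, one try)
time_lookup() {
    name=$1; server=$2
    if command -v dig >/dev/null 2>&1; then
        dig +time=2 +tries=1 @"$server" "$name" A 2>/dev/null \
            | awk '/Query time:/ { print $4; found = 1 } END { if (!found) print "n/a" }'
    else
        echo "n/a"
    fi
}

# audit_resolver FILE RBL_NAME -> one summary line per finding;
# exit 1 when the first resolver is remote (RBL lookups will block on it)
audit_resolver() {
    file=${1:-/etc/resolv.conf}
    # Sample RBL query: reversed octets of 127.0.0.2, Spamhaus's documented test entry.
    name=${2:-2.0.0.127.zen.spamhaus.org}
    ns=$(first_nameserver "$file")
    if [ -z "$ns" ]; then
        echo "WARN: no nameserver entry in $file"
        return 1
    fi
    ms=$(time_lookup "$name" "$ns")
    if resolver_is_local "$file"; then
        echo "OK: first nameserver is local ($ns); sample RBL lookup took $ms msec"
        return 0
    fi
    echo "WARN: first nameserver is remote ($ns); sample RBL lookup took $ms msec"
    echo "  fix: put 'nameserver 127.0.0.1' on the first line of $file and keep the remote entries as fallback"
    return 1
}

# Only run the audit when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_resolver "${2:-/etc/resolv.conf}"
fi
```

Run it as `sh resolvcheck.sh --audit /etc/resolv.conf`; the exit status is 1 when the first resolver is remote, so it can sit in a cron job or a deployment check. The timing only shows cache-hit speed on the second run, which is exactly the effect the post describes: a local caching resolver answers repeat RBL queries without leaving the box.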


Post subject: Re: Problem with ASL lite
Posted: Fri Mar 11, 2011 9:17 am
Atomicorp Staff - Site Admin (Joined: Wed Dec 31, 1969 8:00 pm; Posts: 7901; Location: earth)
I wouldn't say this is just for ASL; any server is going to gain considerable performance benefits from using a local DNS server.


Post subject: Re: Problem with ASL lite
Posted: Fri Mar 11, 2011 5:01 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
OK. What would you look for in a Plesk default-installed local DNS server? The ones I'm familiar with do not appear to be installed, or they're somewhere I am having a hard time seeing.


Post subject: Re: Problem with ASL lite
Posted: Fri Apr 29, 2011 5:28 am
New Forum User (Joined: Thu Mar 10, 2011 7:38 am; Posts: 4; Location: Rome)
Hello,
I have to confirm that setting up a local DNS fixed the issue.
Thanks


Post subject: Re: Problem with ASL lite
Posted: Thu Jan 12, 2012 5:13 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
I'm still trying to figure out this local DNS server thing.

Code:
[root@server1 ~]# rpm -qa | grep bind
bind-utils-9.3.6-16.P1.el5_7.1
bind-libs-9.3.6-16.P1.el5_7.1
bind-9.3.6-16.P1.el5_7.1


How can I tell if it's installed correctly or running? My /etc/resolv.conf is pointing to remote DNS servers, so it's not being used. BIND doesn't come up as a running process, it doesn't come up in the startup scripts or xinetd, and I can't seem to find simple instructions for installing or verifying it. I'm on Plesk 10.3 and not seeing it as part of that.


Post subject: Re: Problem with ASL lite
Posted: Fri Jan 13, 2012 7:08 am
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am; Posts: 2049)
Typically, Plesk will insist on bind being installed during installation, as it makes changes to its configuration.

Code:
dig @localhost some-remote-domain.tld


should give you an indication if it is running or not, as will

Code:
service named status


(and remember when using ps that you are looking for "named" not "bind")

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Problem with ASL lite
Posted: Fri Jan 13, 2012 5:16 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
Thanks faris, you're a big help! Now to route resolv.conf to the local dns....

Code:
[root@server1 psa]# dig @localhost google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @localhost google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55487
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.225.50
google.com.             300     IN      A       74.125.225.51
google.com.             300     IN      A       74.125.225.52
google.com.             300     IN      A       74.125.225.48
google.com.             300     IN      A       74.125.225.49

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns4.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns3.google.com.

;; Query time: 659 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:15:02 2012
;; MSG SIZE  rcvd: 180

[root@server1 psa]# service named status
number of zones: 82
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid  28862) is running...


Post subject: Re: Problem with ASL lite
Posted: Mon Jan 23, 2012 7:54 pm
Forum Regular (Joined: Wed Aug 04, 2010 2:52 pm; Posts: 257)
Something seems to have other ideas about resolv.conf:

; generated by /sbin/dhclient-script

It removed my setting.

Changed it again, and did chattr +i on the file; hopefully that will keep it from being edited.
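The "generated by /sbin/dhclient-script" header in the post above means a DHCP lease renewal rewrote the file. On RHEL/CentOS-style systems (the el5 BIND packages earlier in the thread point to one), dhclient-script skips that rewrite for any interface whose ifcfg file sets PEERDNS=no, which is the configuration-level fix; chattr +i works too, but it also blocks every legitimate edit (including your own, until chattr -i). The script below is an added example, not from the thread and not ASL or Plesk code: it lists the DHCP interfaces that will still overwrite resolv.conf, reports whether the current file came from dhclient-script, and checks for the immutable attribute. Function names and the sample ifcfg contents are this example's own.

```shell
#!/bin/sh
# Added example: find out what can still overwrite /etc/resolv.conf.
# Assumes RHEL/CentOS network-scripts layout (ifcfg-* files, PEERDNS=no honoured
# by dhclient-script). Function names are this example's own.

# dhcp_rewriters DIR -> prints ifcfg files in DIR with BOOTPROTO=dhcp and no
# PEERDNS=no, i.e. interfaces whose lease renewal rewrites resolv.conf
dhcp_rewriters() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # ".?" tolerates an optional quote character around the value
        if grep -Eiq '^[[:space:]]*BOOTPROTO=.?dhcp' "$f" \
           && ! grep -Eiq '^[[:space:]]*PEERDNS=.?no' "$f"; then
            echo "$f"
        fi
    done
}

# dhclient_generated FILE -> exit 0 if FILE carries dhclient-script's header comment
dhclient_generated() {
    grep -q 'generated by /sbin/dhclient-script' "$1"
}

# is_immutable FILE -> exit 0 if the immutable attribute (chattr +i) is set;
# lsattr prints the flag field first, and lowercase "i" is the immutable flag
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# audit_resolv_conf FILE DIR -> report lines; exit 1 if a DHCP interface can still rewrite FILE
audit_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    dir=${2:-/etc/sysconfig/network-scripts}
    rc=0
    if dhclient_generated "$file"; then
        echo "NOTE: $file was last written by dhclient-script"
    fi
    for f in $(dhcp_rewriters "$dir"); do
        echo "WARN: $f uses DHCP without PEERDNS=no; set PEERDNS=no there and maintain $file by hand"
        rc=1
    done
    if is_immutable "$file"; then
        echo "OK: $file is immutable (chattr +i); run chattr -i before editing it"
    elif [ "$rc" -eq 1 ]; then
        echo "WARN: $file is not immutable; the next lease renewal will overwrite it"
    fi
    return $rc
}

# Only run the audit when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_resolv_conf "${2:-/etc/resolv.conf}" "${3:-/etc/sysconfig/network-scripts}"
fi
```

Run `sh resolvaudit.sh --audit` as root after the PEERDNS=no change and again after a lease renewal (`service network restart` or waiting for the lease to expire): a clean run prints nothing and exits 0, and the header comment should no longer reappear in /etc/resolv.conf.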

