Server slow because of mod_security, mod_evasive?

Sancty

Hi there.

I just set up mod_security and mod_evasive on my root server (openSuSE 10.1) and reloaded Apache2.
Since then all websites hosted on it load very, very slowly.

Code:
<IfModule mod_security.c>

# Enable ModSecurity
SecFilterEngine On

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Designate a directory for temporary files
# storage. It is a good idea to change the
# value below to a private directory, just as
# an additional measure against race conditions
SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
#SecAuditEngine On

# Uncomment below to record responses with unusual statuses
# SecAuditLogRelevantStatus ^5
SecAuditLog /var/log/apache2/security/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache2/security/modsec_debug_log

# Include the filter rules from mod-security.d
Include /etc/apache2/mod-security.d/[^.#]*

</IfModule>

/etc/apache2/mod-security.d/
That is where all the Core Rules from the mod_security vendor currently live.

Code:
<IfModule mod_evasive20.c>
  # Top-level nodes of each child's client hash table (bigger = faster lookups, more memory)
  DOSHashTableSize 3097
  # Block a client after more than this many requests for the same URI within DOSPageInterval
  DOSPageCount 5
  # Block a client after more than this many requests for any object within DOSSiteInterval
  DOSSiteCount 100
  # Measurement intervals, in seconds
  DOSPageInterval 2
  DOSSiteInterval 2
  # How long (seconds) a blocked client keeps receiving 403
  DOSBlockingPeriod 600
  # Mail sent whenever a client is blocked
  DOSEmailNotify meine@mailadresse.de
</IfModule>

Could it be the two modules?
Or rather the freshly installed ClamAV and SpamAssassin?
Ping is at 15 ms.

No idea what to do next at the moment :-(
 
You would have to run commands such as top, ps aufx etc. to see what is generating the load. Did you adapt the mod_security rulesets?

--marneus
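A small triage helper for the step suggested above: rather than eyeballing a long `ps aux` listing, aggregate it per executable so you can see where the CPU time and memory actually go (here, how much accumulated CPU time the Apache prefork workers have collected since they were started, versus everything else on the box). This is an added example, not code from the thread; the function and variable names are mine, and the sample listing is a subset of the `ps aux` output posted in this thread, copied as constructed input so the script runs offline.

```python
"""Summarize a `ps aux` listing by executable: process count, %CPU,
resident memory and accumulated CPU time.  Added example (Python 3,
standard library only), not code from the forum thread."""
from collections import defaultdict

# Constructed input: a subset of the `ps aux` output posted in the thread.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mysql     2585  0.0  3.1 131792 32400 ?        Sl   Jan30   8:47 /usr/sbin/mysqld-max --basedir=/usr --datadir=/var/lib/mysql
root     14063  0.0  8.6  94004 88424 ?        Ss   Feb14   0:41 snort -D -o -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
vscan    30830  0.1  6.7  80072 68696 ?        Ss   17:02   0:06 /usr/sbin/clamd
root      8316  0.0  2.7  76696 27508 ?        Ss   18:06   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8318  3.0  4.0  94252 40824 ?        S    18:06   1:15 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8326  1.8  3.5  89572 35972 ?        S    18:06   0:44 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8328  1.9  4.8 103312 49704 ?        S    18:06   0:47 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8484  2.0  3.4  88532 35100 ?        S    18:14   0:41 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
root      8910  0.0  0.0   2420   864 pts/1    R+   18:48   0:00 ps aux
"""


def parse_cputime(value):
    """Convert a ps TIME field ('MM:SS', 'H:MM:SS' or 'D-HH:MM:SS') to seconds."""
    days = 0
    if "-" in value:
        day_part, value = value.split("-", 1)
        days = int(day_part)
    seconds = 0
    for part in value.split(":"):
        seconds = seconds * 60 + int(part)
    return days * 86400 + seconds


def parse_ps(text):
    """Parse `ps aux` output into a list of dicts, keeping COMMAND intact."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split(None, len(header) - 1)  # COMMAND may contain spaces
        if len(fields) != len(header):
            continue  # skip truncated or malformed lines
        rec = dict(zip(header, fields))
        rows.append({
            "user": rec["USER"],
            "pid": int(rec["PID"]),
            "cpu": float(rec["%CPU"]),
            "rss_kb": int(rec["RSS"]),
            "cputime_s": parse_cputime(rec["TIME"]),
            "command": rec["COMMAND"],
        })
    return rows


def exe_name(command):
    """Basename of the executable; kernel threads like '[kswapd0]' stay as-is."""
    first = command.split()[0]
    return first if first.startswith("[") else first.rsplit("/", 1)[-1]


def summarize(rows):
    """Aggregate count, %CPU, RSS and CPU time per executable name."""
    agg = defaultdict(lambda: {"count": 0, "cpu": 0.0, "rss_kb": 0, "cputime_s": 0})
    for row in rows:
        entry = agg[exe_name(row["command"])]
        entry["count"] += 1
        entry["cpu"] += row["cpu"]
        entry["rss_kb"] += row["rss_kb"]
        entry["cputime_s"] += row["cputime_s"]
    return dict(agg)


def top_by(summary, key, n=5):
    """The n executables with the highest value for `key` (e.g. 'cputime_s')."""
    return sorted(summary.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


if __name__ == "__main__":
    summary = summarize(parse_ps(SAMPLE_PS))
    print(f"{'exe':<16}{'procs':>6}{'%cpu':>7}{'rss_mb':>8}{'cpu_s':>7}")
    for name, s in top_by(summary, "cputime_s"):
        print(f"{name:<16}{s['count']:>6}{s['cpu']:>7.1f}{s['rss_kb'] / 1024:>8.1f}{s['cputime_s']:>7}")
```

Feed it live data with `ps aux | python3 ps_summary.py` after replacing `SAMPLE_PS` with `sys.stdin.read()`. On the posted listing the prefork workers are the only processes still accumulating CPU time while the load average sits below 0.5, which points at per-request processing inside Apache rather than at a saturated machine.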
 
Code:
top - 18:34:31 up 16 days,  3:15,  1 user,  load average: 0.17, 0.32, 0.46
Tasks: 110 total,   2 running, 108 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0% us,  0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:   1017968k total,   882780k used,   135188k free,    19356k buffers
Swap:  1052248k total,      808k used,  1051440k free,   262744k cached

Code:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    720   252 ?        S    Jan30   0:04 init [3]
root         2  0.0  0.0      0     0 ?        S    Jan30   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   Jan30   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    Jan30   0:13 [migration/1]
root         5  0.0  0.0      0     0 ?        SN   Jan30   0:00 [ksoftirqd/1]
root         6  0.0  0.0      0     0 ?        S<   Jan30   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   Jan30   0:00 [events/1]
root         8  0.0  0.0      0     0 ?        S<   Jan30   0:00 [khelper]
root         9  0.0  0.0      0     0 ?        S<   Jan30   0:00 [kthread]
root        12  0.0  0.0      0     0 ?        S<   Jan30   0:00 [kblockd/0]
root        13  0.0  0.0      0     0 ?        S<   Jan30   0:00 [kblockd/1]
root        70  0.0  0.0      0     0 ?        S    Jan30   0:12 [kswapd0]
root        71  0.0  0.0      0     0 ?        S<   Jan30   0:00 [aio/0]
root        72  0.0  0.0      0     0 ?        S<   Jan30   0:00 [aio/1]
root       280  0.0  0.0      0     0 ?        S<   Jan30   0:00 [cqueue/0]
root       281  0.0  0.0      0     0 ?        S<   Jan30   0:00 [cqueue/1]
root       282  0.0  0.0      0     0 ?        S<   Jan30   0:00 [kseriod]
root       318  0.0  0.0      0     0 ?        S<   Jan30   0:00 [kpsmoused]
root       699  0.0  0.0      0     0 ?        S<   Jan30   0:00 [ata/0]
root       700  0.0  0.0      0     0 ?        S<   Jan30   0:00 [ata/1]
root       708  0.0  0.0      0     0 ?        S<   Jan30   0:00 [scsi_eh_0]
root       709  0.0  0.0      0     0 ?        S<   Jan30   0:00 [scsi_eh_1]
root       792  0.0  0.0      0     0 ?        S    Jan30   0:22 [kjournald]
root       849  0.0  0.0   1760   636 ?        S<s  Jan30   0:00 /sbin/udevd --daemon
root      1373  0.0  0.0      0     0 ?        S<   Jan30   0:00 [khubd]
100       1915  0.0  0.1   3416  1312 ?        Ss   Jan30   0:02 /usr/bin/dbus-daemon --system
root      1996  0.0  0.0   2228   900 ?        Ss   Jan30   0:00 /usr/sbin/xinetd
nobody    2220  0.0  0.0   1560   496 ?        Ss   Jan30   0:00 /sbin/portmap
root      2263  0.0  0.1   2524  1204 ?        S    Jan30   0:00 /bin/sh /usr/bin/mysqld_safe --user=mysql --pid-file=/var/lib/mysql/mysqld.pid --socket=/var
root      2325  0.0  0.0   3140   676 ?        Ss   Jan30   0:00 /usr/sbin/famd -t 4 -T 0 -L
mysql     2585  0.0  3.1 131792 32400 ?        Sl   Jan30   8:47 /usr/sbin/mysqld-max --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/li
postgres  2965  0.0  0.2  19956  3020 ?        Ss   Jan30   0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
postgres  2966  0.0  0.1   9736  1132 ?        S    Jan30   0:00 postgres: logger process
postgres  2968  0.0  0.1  19956  1344 ?        S    Jan30   0:00 postgres: writer process
postgres  2969  0.0  0.0  10736   980 ?        S    Jan30   0:00 postgres: stats buffer process
postgres  2970  0.0  0.1   9880  1180 ?        S    Jan30   0:00 postgres: stats collector process
root      3051  0.0  0.0   1960   664 tty1     Ss+  Jan30   0:00 /sbin/mingetty --noclear tty1
root      3052  0.0  0.0   1956   640 tty2     Ss+  Jan30   0:00 /sbin/mingetty tty2
root      3054  0.0  0.0   1960   636 tty3     Ss+  Jan30   0:00 /sbin/mingetty tty3
root      3055  0.0  0.0   1960   640 tty4     Ss+  Jan30   0:00 /sbin/mingetty tty4
root      3057  0.0  0.0   1956   640 tty5     Ss+  Jan30   0:00 /sbin/mingetty tty5
root      3058  0.0  0.0   1960   636 tty6     Ss+  Jan30   0:00 /sbin/mingetty tty6
tomcat   11733  0.0  4.1 304408 42468 ?        Sl   Jan30   0:11 /usr/lib/jvm/java/bin/java -Djava.endorsed.dirs= -classpath /usr/lib/jvm/java/lib/tools.jar:
root     24581  0.0  0.0      0     0 ?        S    Feb01   0:00 [pdflush]
root     26155  0.0  0.0      0     0 ?        S    Feb01   0:01 [pdflush]
root     16562  0.0  0.0   3044   756 ?        S    Feb02   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root     16564  0.0  0.0   2952   864 ?        S    Feb02   0:00 /usr/sbin/courierlogger imapd
root     16573  0.0  0.0   3040   756 ?        S    Feb02   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root     16575  0.0  0.0   2948   860 ?        S    Feb02   0:00 /usr/sbin/courierlogger imapd-ssl
root     16582  0.0  0.0   3040   756 ?        S    Feb02   0:01 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root     16584  0.0  0.0   2952   864 ?        S    Feb02   0:00 /usr/sbin/courierlogger pop3d
root     16592  0.0  0.0   3044   760 ?        S    Feb02   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrlo
root     16594  0.0  0.0   2952   860 ?        S    Feb02   0:00 /usr/sbin/courierlogger pop3d-ssl
root     19994  0.0  0.9  43020  9376 ?        Ss   Feb02   0:00 /usr/local/psa/admin/bin/httpsd
psaadm   19998  0.0  2.5  42712 26056 ?        S    Feb02   0:21 /usr/local/psa/admin/bin/httpsd
psaadm   25640  0.0  2.9  44208 30360 ?        S    Feb02   0:17 /usr/local/psa/admin/bin/httpsd
tssuser  28356  0.0  0.2  79692  2464 ?        SNl  Feb06   0:11 ./server_linux -PID=tsserver2.pid
mailman   6380  0.0  0.4   9404  4440 ?        Ss   Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl --quiet --stale-lock-cleanup start
mailman   6382  0.0  0.5   8588  5808 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman   6383  0.0  0.5   8596  5816 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman   6384  0.0  0.5   8588  5812 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman   6385  0.0  0.5   8524  5804 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman   6386  0.0  0.5   8564  5844 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman   6387  0.0  0.5   8552  5876 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman   6388  0.0  0.5   8588  5808 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman   6389  0.0  0.5   8588  5808 ?        S    Feb12   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root     30648  0.0  0.0   1824   548 ?        Ss   Feb13   0:00 /usr/sbin/cron
root     30789  0.0  0.0   4452   868 ?        Ss   Feb13   0:00 /usr/sbin/saslauthd -a shadow
root     30791  0.0  0.0   4452   512 ?        S    Feb13   0:00 /usr/sbin/saslauthd -a shadow
root     30792  0.0  0.0   4452   460 ?        S    Feb13   0:00 /usr/sbin/saslauthd -a shadow
root     30793  0.0  0.0   4452   460 ?        S    Feb13   0:00 /usr/sbin/saslauthd -a shadow
root     30794  0.0  0.0   4452   460 ?        S    Feb13   0:00 /usr/sbin/saslauthd -a shadow
root     31375  0.0  0.2   4264  2852 ?        Ss   Feb13   0:00 /usr/sbin/hald --daemon=yes --retain-privileges
root     31725  0.0  0.0   2216   736 ?        Ss   Feb13   0:01 /sbin/syslog-ng
root     31728  0.0  0.0   1660   528 ?        Ss   Feb13   0:00 /sbin/klogd -c 1 -x -x
named    31913  0.0  0.2  31012  2904 ?        Ssl  Feb13   0:00 /usr/sbin/named -t /var/lib/named -u named
root      3590  0.0  0.1   4260  1752 ?        S    Feb13   0:00 /usr/sbin/powersaved -d -v 3
root      3718  0.0  2.7  30116 27572 ?        Ss   Feb13   0:00 /usr/sbin/spamd --username=popuser --daemonize --nouser-config --helper-home-dir=/var/qmail
popuser   3719  0.0  2.5  30116 26268 ?        S    Feb13   0:00 spamd child
popuser   3720  0.0  2.5  30116 26224 ?        S    Feb13   0:00 spamd child
root     11141  0.0  0.0      0     0 ?        S<   Feb14   0:00 [kauditd]
root     11491  0.0  0.1   5024  1136 ?        Ss   Feb14   0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
root     14063  0.0  8.6  94004 88424 ?        Ss   Feb14   0:41 snort -D -o -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
root     25906  0.0  0.1 106484  1048 ?        Ssl  16:09   0:00 /usr/sbin/nscd
root     28186  0.0  0.2   9908  2484 ?        Ss   16:39   0:00 sshd: sshuser [priv]
sshuser  28189  0.0  0.1  10072  1724 ?        S    16:39   0:00 sshd: sshuser@pts/1
sshuser  28190  0.0  0.1   4424  1900 pts/1    Ss   16:39   0:00 -bash
root     28220  0.0  0.1   6828  1876 pts/1    S    16:39   0:00 su -
root     28228  0.0  0.1   4176  1964 pts/1    S    16:40   0:00 -bash
vscan    30830  0.1  6.7  80072 68696 ?        Ss   17:02   0:06 /usr/sbin/clamd
vscan    30841  0.0  0.0   2988   804 ?        Ss   17:02   0:00 /usr/bin/freshclam -d
qmails   32350  0.0  0.0   1564   404 ?        S    17:08   0:00 qmail-send
qmaill   32352  0.0  0.0   1524   460 ?        S    17:08   0:00 splogger qmail
root     32353  0.0  0.0   1548   364 ?        S    17:08   0:00 qmail-lspawn | /usr/bin/deliverquota ./Maildir
qmailr   32354  0.0  0.0   1548   384 ?        S    17:08   0:00 qmail-rspawn
qmailq   32355  0.0  0.0   1516   344 ?        S    17:08   0:00 qmail-clean
root      8316  0.0  2.7  76696 27508 ?        Ss   18:06   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8317  0.0  2.0  76660 21188 ?        S    18:06   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8318  3.0  4.0  94252 40824 ?        S    18:06   1:15 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8326  1.8  3.5  89572 35972 ?        S    18:06   0:44 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8327  1.5  3.4  88576 34972 ?        S    18:06   0:39 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8328  1.9  4.8 103312 49704 ?        S    18:06   0:47 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8467  0.7  3.4  88276 34848 ?        S    18:13   0:15 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8477  0.8  3.4  89104 35512 ?        S    18:14   0:18 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8484  2.0  3.4  88532 35100 ?        S    18:14   0:41 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8486  1.5  3.5  89292 35852 ?        S    18:14   0:31 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8492  1.6  3.3  88028 34348 ?        S    18:14   0:34 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun    8574  1.1  3.9  93412 39812 ?        S    18:17   0:21 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
root      8910  0.0  0.0   2420   864 pts/1    R+   18:48   0:00 ps aux

To be honest, I downloaded the Core Rules modsecurity-core-rules_2.1-1.5.1.tar.gz, unpacked them, dropped them in and reloaded Apache :-)
 
Problem identified.

It is the blacklist etc. with all the IPs and so on in it.
It has apparently grown rather large.

Deleted the blacklist and now everything runs smoothly.
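The resolution above is worth generalizing, because the same mistake recurs with every WAF: ModSecurity 1.x (the SecFilter syntax used in the posted config) evaluates its rule chain sequentially on every request, so a blacklist expressed as one `SecFilterSelective REMOTE_ADDR "^192\.0\.2\.10$"` line per address costs as many regex evaluations per request as the list has entries, before a single byte of the page is served. Two checks before deleting anything: count how many rule directives `/etc/apache2/mod-security.d/` actually loads, and look in Apache's error_log after the reload, since the `2.1` in `modsecurity-core-rules_2.1-1.5.1.tar.gz` refers to ModSecurity 2.1 and its `SecRule` syntax, which a 1.x module does not understand. The following is an added example, not code from the thread or from the ModSecurity project: it mirrors the linear rule-chain cost, contrasts it with a hashed lookup over the same entries, counts rule directives in a config fragment, and renders the list as ipset/iptables commands so the block happens in the packet filter before Apache ever sees the client. Class and function names are mine, the blacklist and rule-file text are constructed samples, and the rendered commands assume a kernel and userland with ipset.

```python
"""A large IP blacklist in the WAF rule chain vs. a hashed lookup and the
packet filter.  Added example (Python 3, standard library only), not code
from the forum thread.  All inputs below are constructed samples."""
import ipaddress
import re

# Constructed sample blacklist file: comments, blank lines, hosts and CIDRs
# (RFC 5737 documentation ranges).
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
192.0.2.10
192.0.2.11

198.51.100.0/24
203.0.113.0/28   # trailing comment
"""

# Constructed sample rule fragment in the ModSecurity 1.x syntax of the thread.
SAMPLE_RULES = """\
SecFilterSelective REMOTE_ADDR "^192\\.0\\.2\\.10$"
SecFilterSelective REMOTE_ADDR "^192\\.0\\.2\\.11$"
# a comment, not a rule
SecFilter "\\.\\./"
"""

RULE_DIRECTIVE = re.compile(r"^(SecFilter|SecFilterSelective|SecRule)\s")


class Blacklist:
    """IP blacklist offering both a linear 'rule chain' scan and a hashed lookup."""

    def __init__(self):
        self.entries = []   # ip_network objects in file order (the rule chain)
        self.hosts = set()  # (version, int(address)) for /32 and /128 entries
        self.nets = {}      # (version, prefixlen) -> set of network prefixes

    def add(self, entry):
        net = ipaddress.ip_network(entry, strict=False)
        self.entries.append(net)
        shift = net.max_prefixlen - net.prefixlen
        if shift == 0:
            self.hosts.add((net.version, int(net.network_address)))
        else:
            key = (net.version, net.prefixlen)
            self.nets.setdefault(key, set()).add(int(net.network_address) >> shift)

    def linear_scan(self, ip):
        """One 'rule' per entry, checked in order: returns (hit, rules_evaluated)."""
        addr = ipaddress.ip_address(ip)
        for evaluated, net in enumerate(self.entries, 1):
            if addr in net:
                return True, evaluated
        return False, len(self.entries)

    def contains(self, ip):
        """Hashed lookup: one set probe plus one per distinct prefix length."""
        addr = ipaddress.ip_address(ip)
        n, bits = int(addr), addr.max_prefixlen
        if (addr.version, n) in self.hosts:
            return True
        for (ver, plen), prefixes in self.nets.items():
            if ver == addr.version and (n >> (bits - plen)) in prefixes:
                return True
        return False

    def lookup_cost(self):
        """Probes per request for contains(), independent of the list length."""
        return 1 + len(self.nets)

    def ipset_commands(self, name="blacklist"):
        """Render the list for the packet filter (assumes ipset is available)."""
        cmds = [f"ipset create {name} hash:net"]
        cmds += [f"ipset add {name} {net.with_prefixlen}" for net in self.entries]
        cmds.append(f"iptables -I INPUT -m set --match-set {name} src -j DROP")
        return cmds


def parse_blacklist(text):
    """Build a Blacklist from a text file, ignoring comments and blank lines."""
    bl = Blacklist()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            bl.add(line)
    return bl


def count_rules(conf_text):
    """Number of per-request rule directives (SecFilter*, SecRule) in a fragment."""
    return sum(1 for raw in conf_text.splitlines() if RULE_DIRECTIVE.match(raw.strip()))


if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_BLACKLIST)
    for client in ("203.0.113.15", "192.0.2.12"):
        hit, evaluated = bl.linear_scan(client)
        print(f"{client}: chain hit={hit} after {evaluated} rules; "
              f"hashed hit={bl.contains(client)} with {bl.lookup_cost()} probes")
    print("rule directives in sample fragment:", count_rules(SAMPLE_RULES))
    print("\n".join(bl.ipset_commands()))
```

To apply `count_rules` to a real installation, read every file under `/etc/apache2/mod-security.d/` and sum the results; a count in the thousands on a shared host explains the symptom without any further profiling. Whether you keep the list at all is a separate question, but if you do, the ipset rendering puts it where a lookup costs the same regardless of list size.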