High memory usage

I am using comodo WAF on apache + nginx_reverse_proxy.

I gave the server 70 GB of RAM, and after 3 days the server crashed from lack of memory.

There was no such problem on the Apache side.

I switched to OWASP rules because of this problem, and it doesn’t crash due to memory.

Does the DirectAdmin Comodo WAF web-based plugin manage OWASP rules?

If OWASP rules cannot be managed, can I troubleshoot memory issues?

Hi

  1. Can you please find out which files in the /tmp folder have the largest size and send me the file details? I have given the details below.
    Locate:
    :~$ cd /tmp/
    :/tmp$ ls -l

What does the file list in the /tmp folder have to do with running out of memory on the server?

There is no sizing limit in the /tmp folder.

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/nobodyippag-growing-big-t124573.0.html;msg889899#msg889899

1. You can disable the following rule IDs if they are not needed for you.
2. Otherwise you have to schedule an ip.pag file reset/truncate.
2.1. GitHub - SpiderLabs/modsec-sdbm-util: Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only.
2.2. Locate the file ip.pag in the /tmp folder and clear the file content (:tmp# > ip.pag), and the default.SESSION file also, and restart the webserver.

225180
225181
225182
240330
240331
240332
240333
240334
240335
240336
241140
241141
241142
241143

Thank you for contacting us. If you have any doubt, please let me know.

The following rules already do not exist. The ip.pag file does not exist.

225180
225181
225182
240330
240331
240332
240333
240334
240335
240336
241140
241141
241142
241143

[root@server tmp]# ls -l
total 4
-rw-r--r-- 1 root root 17 Jul 10 20:53 cwaf_cookies.tmp
drwxr-xr-x 3 root root 17 Jul 10 21:21 pear
drwx------ 3 root root 16 Jul 10 21:17 systemd-private-45a20064c1e94adeb95f4764979dd5dd-exim.service-zwsHBm
drwx------ 3 root root 16 Jul 10 21:17 systemd-private-45a20064c1e94adeb95f4764979dd5dd-freshclam.service-fICUyD
drwx------ 3 root root 16 Jul 10 21:10 systemd-private-45a20064c1e94adeb95f4764979dd5dd-mariadb.service-li9cNj
drwx------ 3 root root 16 Jul 10 22:31 systemd-private-45a20064c1e94adeb95f4764979dd5dd-nginx.service-LDaLjN

Hi
Then how did you confirm the issue in cwaf? Can you provide the following details:

  1. Web server.
  2. Cwaf plugin version.
  3. FYI, the above-mentioned cwaf signatures are enabled by default for Apache server.

1. Directadmin => apache+nginx_reverse_proxy
2. CWAF plugin version 2.24.3 (Latest version)
Web Platform Nginx
Nginx version 1.17.1
Mod_security compatible yes
Mod_security loaded yes
Mod_security conf /etc/nginx/nginx-modsecurity.conf
Found websites 701

3. When I use the owasp rules, memory usage does not increase.

Hi

Reinstall comodo cwaf and follow the instructions below.

We have a solution here: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/nobodyippag-growing-big-t124573.0.html;msg889899#msg889899

1. You can disable the following rule IDs if they are not needed for you.
2. Otherwise you have to schedule an ip.pag file reset/truncate.
2.1. GitHub - SpiderLabs/modsec-sdbm-util: Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only.
2.2. Locate the file ip.pag in the /tmp folder and clear the file content (:tmp# > ip.pag), and the default.SESSION file also, and restart the webserver.

225180
225181
225182
240330
240331
240332
240333
240334
240335
240336
241140
241141
241142
241143

You’re talking about a different situation. I reinstalled it. See the screenshot in the appendix; none of the rules you specify are there.

The ip.pag and default.SESSION files do not exist in the /tmp folder.

Hi
1. I have attached a screenshot, taken after successfully installing the cwaf plugin with cwaf rules. We have 225180.
2. Based on your screenshot, you don't have comodo waf signatures.
Follow these instructions - Comodo Help
3. After a successful installation, you'll get the same output as in the attachment.
4. After a successful installation, once your server becomes overloaded, check the /tmp folder. If the files ip.pag and default.session have high memory, you have to clear the file content manually or by using GitHub - SpiderLabs/modsec-sdbm-util: Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only. Or you can create a cron job to clear the file.
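
The scheduled ip.pag / default.SESSION reset suggested in the reply above, written as a shell function that a cron job could call. This is an added example, not part of any post in this thread; the function name and the byte threshold are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. The function name and the size
# threshold are assumptions; the file names ip.pag and default.SESSION
# and the /tmp location are the ones the support replies mention.

# reset_collections DIR MAX_BYTES [FILE...]
# Empties every named file in DIR that is larger than MAX_BYTES and prints
# "<path> <old size>" for each one. Exit status: 0 = something was reset
# (restart the web server afterwards, as the reply says), 1 = nothing
# needed resetting, 2 = bad arguments.
reset_collections() (
    [ "$#" -ge 2 ] || exit 2
    dir=$1 max=$2
    shift 2
    # Default to the two files named in the thread.
    [ "$#" -gt 0 ] || set -- ip.pag default.SESSION
    # MAX_BYTES must be a plain non-negative integer.
    case $max in ''|*[!0-9]*) exit 2 ;; esac
    status=1
    for name in "$@"; do
        f=$dir/$name
        # /tmp is world-writable: only touch regular files, never a
        # symlink that another local user could have planted there.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        size=$(( $(wc -c < "$f") ))
        [ "$size" -gt "$max" ] || continue
        # Truncate in place so owner and mode stay as the web server set them.
        : > "$f"
        printf '%s %s\n' "$f" "$size"
        status=0
    done
    exit "$status"
)
```

From cron, call it with the directory and a byte limit, and restart the web server only when it returns 0.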

cd /usr/local/directadmin/custombuild
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity

I’m doing the setup as above and the rules set number is as you will see in the attached screenshot.

And it still warns that rule 225180 could not be found.

Hi

  1. Which did you install on your server, modsec2 or modsec3?
  2. Which did you download and install from cwaf, modsec2+nginx or modsec3+nginx?

/usr/local/directadmin/custombuild/modsecurity-v3.0.3/ version…

nginx+modsec3