BeZazz
February 21, 2016, 3:55pm
I just noticed on one server the ip.pag file is 6378.8M.
Checked another server and it is around 600M.
6 GB seems excessive to me, or is that OK?
Hello, I suppose the ip collection store could not be moved for some reason, so ip.pag (the ip database) is huge.
Possibly there are some brute-force attacks on this server.
Please read this topic:
Linked GitHub issue, opened 08:24PM - 17 Oct 13 UTC, closed 09:05PM - 21 May 17 UTC, labels: bug, TBF by libmodsec.
MODSEC-426: It seems that mod_security is not cleaning up the persistence storage… for the IP-storage I am using.
Here is a simple test ruleset I am using (nothing else):
SecRule IP:dos_block "@eq 1" \
"phase:2,block,msg:'IP address blocked due to high connection rate.', \
id:2003,status:403,severity:'CRITICAL',tag:'DoS'"
SecRule SCRIPT_FILENAME "@rx /www/content/prod/dl/dl.php" \
"phase:5,chain,t:none,nolog,pass,id:2001,severity:'INFO',tag:'DoS',setvar:IP.dos_counter=+1,expirevar:IP.dos_counter=60"
SecRule IP:dos_counter "@gt 100" \
"t:none,setvar:IP.dos_block,setvar:!IP.dos_counter,expirevar:IP.dos_block=60"
The ruleset is working fine. But what I am noticing is that the /var/tmp/ip.pag file is constantly growing. It is currently at >1 GiB
in size. When I do a "strings" on that file, I see entries like this:
__expire_KEY
1344192686
794.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0
TIMEOUT
3600
__key
794.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0
__name
CREATE_TIME
1344189037
UPDATE_COUNTER
dos_counter
__expire_dos_counter
1344189097
LAST_UPDATE_TIME
1344189086
94.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0
__expire_KEY
1343169406
868.167.225.250_77150c41806fda817314ba9c40e040c598830d5d
TIMEOUT
3600
__key
868.167.225.250_77150c41806fda817314ba9c40e040c598830d5d
__name
CREATE_TIME
1343165769
UPDATE_COUNTER
dos_counter
__expire_dos_counter
1343165829
LAST_UPDATE_TIME
1343165806
68.167.225.250_77150c41806fda817314ba9c40e040c598830dIR
__expire_KEY
1344005533
786.132.126.93_aa739e3aaaa1fbfc8667bb26120e9930df881a82
TIMEOUT
3600
__key
786.132.126.93_aa739e3aaaa1fbfc8667bb26120e9930df881a82
__name
[...]
Now when I convert the UNIX time strings to UTC, it shows me dates which have already
been expired for weeks. I would assume that if an entry is expired, the garbage collection
of mod_sec would remove the entry from the ip.pag file to keep it small. Or am I wrong?
Any assistance would be highly appreciated.
and check modsec_audit.log and the web server error.log.
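A quick way to confirm the symptom the issue describes (expired records that are never purged) is to count, in a `strings` dump of the collection file, how many `__expire_KEY` timestamps are already in the past. The script below is an added example for this thread, not code from the original posts or from the mod_security project; it assumes only the layout visible in the quoted `strings` output, where a `__expire_<VAR>` line is immediately followed by the UNIX timestamp at which that variable expires. The embedded sample dump, its IP addresses and hash suffixes are constructed.

```python
"""Count expired vs. live records in a `strings` dump of a mod_security
persistent collection file such as /var/tmp/ip.pag.

Added example for this thread; not code from the original posts or from
the mod_security project. It assumes the layout seen in the quoted
`strings` output: a line `__expire_<VAR>` is immediately followed by a
line holding the UNIX timestamp at which <VAR> expires, and every
collection record carries one `__expire_KEY` entry.
"""
import subprocess
import sys
import time

# Constructed sample in the shape of `strings /var/tmp/ip.pag` output:
# one record that expired in 2012 and one (documentation-range address)
# that expires in 2100. IPs and hash suffixes are made up.
SAMPLE_STRINGS = """\
__expire_KEY
1344192686
198.51.100.7_0000000000000000000000000000000000000001
TIMEOUT
3600
__key
198.51.100.7_0000000000000000000000000000000000000001
__name
CREATE_TIME
1344189037
UPDATE_COUNTER
dos_counter
__expire_dos_counter
1344189097
LAST_UPDATE_TIME
1344189086
__expire_KEY
4102444800
192.0.2.1_0000000000000000000000000000000000000002
TIMEOUT
3600
__key
192.0.2.1_0000000000000000000000000000000000000002
__name
CREATE_TIME
4102441200
""".splitlines()


def expiry_stats(lines, now, var="KEY"):
    """Return (expired, live) counts for the `__expire_<var>` markers in `lines`.

    `lines` are text lines as produced by `strings`; `now` is the UNIX time
    each expiry timestamp is compared against.
    """
    marker = f"__expire_{var}"
    expired = live = 0
    it = iter(lines)
    for line in it:
        if line.strip() != marker:
            continue
        ts_line = next(it, None)
        # `strings` may emit a marker whose timestamp was split or dropped;
        # skip anything that is not a plain integer rather than miscount.
        if ts_line is None or not ts_line.strip().isdigit():
            continue
        if int(ts_line) < now:
            expired += 1
        else:
            live += 1
    return expired, live


def expired_fraction(lines, now, var="KEY"):
    """Share of `__expire_<var>` entries already past `now` (0.0 if none)."""
    expired, live = expiry_stats(lines, now, var)
    total = expired + live
    return expired / total if total else 0.0


def strings_from_file(path):
    """Run the `strings` tool on a collection file and return its lines."""
    out = subprocess.run(["strings", path], check=True,
                         capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    # Usage: python3 this_script.py /var/tmp/ip.pag  (defaults to the sample)
    lines = strings_from_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STRINGS
    now = int(time.time())
    exp, live = expiry_stats(lines, now)
    print(f"records: {exp + live}, expired: {exp}, live: {live}, "
          f"expired share: {expired_fraction(lines, now):.0%}")
```

A high expired share on a file that keeps growing points at the collection not being garbage-collected, which is the condition the issue reports; a file dominated by live entries instead points at genuinely high traffic (for example the brute-force attempts mentioned above), where the audit log is the next thing to look at.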
Hedloff
February 22, 2016, 12:22pm
We had the same issue on all servers.
We added this line:
SecCollectionTimeout 600
in the file:
/usr/local/apache/conf/modsec2.conf
ip.pag is no more than 700 MB now.