I tried to optimize my small 360 as much as I could accordingly to all the advices from this and other forums. And I am very pleased with how it's working. It's by far one of the best solutions I came across. But then I started securing it. After a few days of testing with snort I left it alone because is a huge memory hog. Now I have psad, apache's mod_security, php's suhosin patch, and a very restrictive iptables rule set, allowing only 2 ports, but logging everything else for the psad. In the mod_security I activated only the 10_asl_rules.conf and 99_asl_jitp.conf.
Getting to the point, my problem with mod_security is for once the committed memory reported by munin, and the considerably decreased number of request per second (bench-marked with ab) when it is activated. I understand that it is processing the request bodies and that takes a lot of resources but my question is how important is mod_security? Is there some kind of alternative to mod_security worth taking into consideration and with a smaller footprint over the system?

Thank you in advance.

This a weekly graph of my 360 linode, with a lot of caching, a little swap and the committed memory.

Impossible to guess.

Are you protecting Fort Knox or your kid's tee-ball league fan site?

Security is always a trade off between resource allocation, convenience, and security.

Personally, I keep detailed (and up to date) documentation on how my sites/systems are setup, current (and frequent) backups, and reasonable security (mostly via patched system/apps, simple light footprint monitoring, and iptables).

If my site goes down (from a hardware/software error or from nefarious activity) I can rebuild my site from scratch in about an hour.

For me, that's good enough.

Exactly, that's why I am struggling to find the best way of balancing those. I searched a lot about the memory consumption of the mod_security module in apache but either people don't use it so much, either they don't use it in conjunction with munin. For me it's a little like overselling the resources. If God forbid I will have an increase in traffic which for the moment is so low that even the kid's tee-ball league fan site is more profitable than mine, I want to be on the safe side, and all the resources could fit comfortably in my limits.

Remember that VMem commited != VMem allocated.
~600M of commit is actually the exact value I have on my 360, but large part of it isn't really used... or for that matter, taking any amount of "real resources".

Say a bit more about your Apache config - which MPM, what are the MPM's parameters, is your PHP an Apache module or a FastCGI setup... oh, and, what about the CPU graph? If content scanning is really at fault, you should see quite a difference in CPU load with it enabled and not.

Also,

ps axv

I agree with vonskippy, how important is security to you? Personally I don't use mod_security (since I use nginx). I don't use suhosin since the last time I installed it, it screwed up mt_rand making it..well not random.

mod_security often is used to protected against sql injection and accessing files that really shouldn't be accessible, if you have sensible code and keep your permissions locked down you should be fine.

This is what I was interested in. The only sites I have are using Drupal and Wordpress, so I suppose that the code is pretty well written. The rest of my administration and monitoring scripts are behind a .httpasswd. As far as the permissions, the user www-data does not have write permission, and my user is the only one who can acces the ssh daemon only with the public key.
I prefer working with Apache and mod_php because with a good configuration is much better than anything else. So probably I should not use it in the first place.
And this is my configuration:
Apache http://p.linode.com/?dl=3772
PHP loaded by the Apache module mod_php with Suhosin Patch and APC with default settings
ps axv: http://p.linode.com/?dl=3773
mysqltuner output which I will update with the new set suggestions at the bottom: http://p.linode.com/?dl=3774




APC fragmentation 0% for
Hits: 28665 (61.9%)
Misses: 17664 (38.1%):

Yeah they tend to be fine it's the plugins which have problems, you should sign up to their security mailing lists, keep your installations up to date and you'll be fine.

How did you get that memory graph? I would like something like that on my linode.

check out http://library.linode.com/server-monitoring/munin/

Is there a way to find out how much committed memory each process needs, because maybe it's not apache the reason it's so high?

top will show you, and I believe ps will too.

I like htop it's prettier.