Disabling Rules
Important Notes
Note: ASL users should disable rules from the rule manager. There is no need to create custom rules, Apache configuration files or other customizations when using ASL; ASL supports disabling any rule on both a global and a per-domain basis.
For non-ASL users, LocationMatch and Location do not work for phase:1 rules: Apache has not evaluated Location and LocationMatch yet when phase:1 runs, so they only take effect from phase:2 onwards. If you need to disable a phase:1 rule, use ASL, which can disable phase:1 rules on a per-domain and global basis.
If you are not using ASL and need to disable a phase:1 rule, you will need to create a custom rule to do this. The following is an example of a custom rule that does this for rule 123456.
SecRule REQUEST_HEADERS:Host "example.com$" "phase:1,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=123456"
In the example above, "example.com" is the domain for which the rule is excluded. This custom rule must be loaded before the rule you want to disable.
If you do not know how to create this kind of custom rule, please contact support and we will put together a quote to help develop these custom rules for you.
Global
Disabling Mod_Security Globally
If you are using ASL, just change this setting:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_ENABLED
If you are not using ASL, you will need to do this manually:
Step 1) Disable the config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
Step 2) Restart Apache
service httpd restart
Disable Mod_security on a global URL
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00_custom_exclude.conf
Step 2) Add the LocationMatch for the URL to exclude. Example: /server.php
<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>
</LocationMatch>
Step 3) Restart apache
service httpd restart
Set a URL to alert only
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00000_custom_exclude.conf
Step 2) Add a custom rule
In this example the URL is: /foo/bar
Add this line to the file you created in Step 1:
SecRule REQUEST_URI "/foo/bar" "phase:1,id:1000000,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"
Important Note: See the section on customizing rules below to pick a unique id for the rule above. Duplicate rule ids will cause the rule not to load.
Step 3) Restart apache
service httpd restart
Per domain
Disabling Mod_security per domain
For Plesk Based Systems
For Plesk and similar systems you can also disable ModSecurity in the Apache configuration.
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
Then restart Apache. If you are using Plesk, you will also need to follow steps 3 and 4.
Step 3) Add vhost.conf to domain config
Plesk 9:
/usr/local/psa/admin/bin/websrvmng -a
Plesk 10/11:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <domain_name>
Step 4) Restart Apache
service httpd restart
For Cpanel based systems with EasyApache 4
For full information about include file path expectations, see the official cPanel documentation at Modify Apache Virtual Hosts with Include Files
Step 1) Create the following paths, replacing <user> and <domain> with the correct values for your needs:
- mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/<user>/<domain>
- mkdir -p /etc/apache2/conf.d/userdata/std/2_4/<user>/<domain>
Step 2) In each of the above paths, create a file named 'vhost.conf'
Step 3) Add in the lines below to this file:
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
Step 4) After any addition, modification or removal of userdata files, cPanel requires both of the following scripts to be run:
- /usr/local/cpanel/scripts/rebuildhttpdconf
- /usr/local/cpanel/scripts/restartsrv_httpd
For Cpanel based systems with EasyApache 3
Step 1) Create the custom modsecurity configuration directory for the domain
For example, if the domain is example.com, you would need to create this directory:
mkdir /usr/local/apache/conf/userdata/std/2/username/example.com
Step 2) Create the file vhost.conf in this directory
cd /usr/local/apache/conf/userdata/std/2/username/example.com
touch vhost.conf
Step 3) Add in the lines below to this file:
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
Step 4) Run the vhost includes script. For example, if the domain's username is "example":
/scripts/ensure_vhost_includes --user=example
Disabling Mod_security per domain for an IP address
For Plesk based systems
For Plesk and similar systems you can also disable ModSecurity in the Apache configuration.
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
<IfModule mod_security2.c>
  SecRule REMOTE_ADDR "^1\.2\.3\.4$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
</IfModule>
Note: You must change id: to a number that you have not used for any other custom rules. Customer-generated rules should use the range 1-99999. Numbers above 99999 are reserved, will cause conflicts and are not supported.
Then restart Apache. If you are using Plesk, you will also need to follow steps 3 and 4.
Step 3) Add vhost.conf to domain config
Plesk 9:
/usr/local/psa/admin/bin/websrvmng -a
Plesk 10/11:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <domain_name>
Step 4) Restart Apache
service httpd restart
For cpanel based systems
Step 1) Create the custom modsecurity configuration directory for the domain
For example, if the domain is example.com, you would need to create this directory:
mkdir /usr/local/apache/conf/userdata/std/2/username/example.com
Step 2) Create the file vhost.conf in this directory
cd /usr/local/apache/conf/userdata/std/2/username/example.com
touch vhost.conf
Step 3) Add in the lines below to this file:
<IfModule mod_security2.c>
  SecRule REMOTE_ADDR "^1\.2\.3\.4$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
</IfModule>
Note: You must change id: to a number that you have not used for any other custom rules. Customer-generated rules should use the range 1-99999. Numbers above 99999 are reserved, will cause conflicts and are not supported.
Step 4) Run the vhost includes script. For example, if the domain's username is "example":
/scripts/ensure_vhost_includes --user=example
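The duplicate rule id problem noted in the steps above (a rule whose id: collides with another rule's does not load) can be caught before Apache is restarted. The shell snippet below is an added example, not an Atomicorp tool; the two rule files it creates are constructed samples and their names are assumed for illustration.

```sh
#!/bin/sh
# Added example: report rule ids that are defined more than once across a set
# of ModSecurity rule files. Comment lines are ignored, and only "id:NNN"
# actions count (SecRuleRemoveById / ctl:ruleRemoveById do not define an id).
# Usage: find_duplicate_rule_ids /etc/httpd/modsecurity.d/*.conf
find_duplicate_rule_ids() {
    cat -- "$@" \
      | grep -v '^[[:space:]]*#' \
      | grep -oE "(^|[,\"' ])id:'?[0-9]+" \
      | tr -cd '0-9\n' \
      | sort -n | uniq -d
}

# Self-contained demo on two constructed rule files (not real Atomicorp
# rules); prints "91001", the id that is used twice.
demo_duplicate_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/00_custom_exclude.conf" <<'EOF'
SecRule REQUEST_URI "/foo/bar" "phase:1,id:1000000,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"
SecRule REQUEST_HEADERS:Host "example.com$" "phase:1,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemoveById=123456"
EOF
    cat > "$tmp/999_user_exclude.conf" <<'EOF'
# a commented-out copy of id:91001 is ignored by the scan
SecRule REMOTE_ADDR "@ipMatch 1.2.0.0/16" "id:91001,phase:2,t:none,pass,nolog,noauditlog,ctl:ruleRemoveById=330039"
EOF
    find_duplicate_rule_ids "$tmp"/*.conf
    rm -rf "$tmp"
}
```

Run the scanner over every file your ModSecurity configuration includes, not only your own custom files, since the conflict can be with an Atomicorp rule id.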
Disable a rule for a single domain
If you have ASL installed:
Method 1:
Log into the ASL GUI and click on the "ASL" tab. Then click "WAF & HIDS Rules", then click the "Rules" tab, then click the "WAF" tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down arrow, which will pull up the options for this rule.
Type in the hostname into the Text box on the left side of the options you want to exclude the rule for, then click "add".
Keep in mind this is literal, so if you have a vhost named "example.com" that serves content for "ftp.example.com" and "www.example.com", you will need to add those FQDNs as well, or a regular expression such as *.example.com.
Note: You can use regular expressions in this field, but each end of the expression is anchored.
Method 2: Run this command as root:
In ASL v3.x:
asl -dr RULE_ID --vhost www.example.com
Replace RULE_ID with the ID of the rule you want to disable for the vhost. Keep in mind this is literal, so if you have a vhost named "example.com" that serves content for "ftp.example.com" and "www.example.com", you will need to add those as well. For example:
asl -dr RULE_ID --vhost www.example.com
asl -dr RULE_ID --vhost ftp.example.com
asl -dr RULE_ID --vhost example.com
In ASL v4:
asl -drv RULE_ID[,RULE_ID...] VHOST[,VHOST...]
or
asl --disable-rule-vhost RULE_ID[,RULE_ID...] VHOST[,VHOST...]
All supplied rules will be disabled on all supplied vhosts. For example:
asl -drv 111111,222222,333333 www.example.com,ftp.example.com,example.com
If you do not have ASL installed you will have to do this manually:
Step 1) Edit your domain's vhost.conf file (the location of this file varies by control panel; contact your control panel vendor for assistance)
vim vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example: rule id 950005
<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
  </IfModule>
</LocationMatch>
If you want to disable multiple rules:
Step 2) Add the LocationMatch for the rules to exclude. Example: rule ids 950005 and 950006
<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
  </IfModule>
</LocationMatch>
Disable a rule for all domains
Method 1:
Log into the ASL GUI and click on the "Configuration" tab. Then click "Rule Management", then click the "Rules" tab, then click the "WAF" tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down arrow, which will pull up the options for this rule.
Set "disabled" to yes and click update.
Method 2:
Use the ASL utility to disable a rule by ID. Example: 950005
asl --disable-rule 950005
Note: This requires that Atomic Secured Linux be installed. If you do not have Atomic Secured Linux installed, you can disable a rule globally by hand by adding, to your own custom rules file, a block similar to this:
<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 340000
  </IfModule>
</LocationMatch>
Custom rules should be loaded after the Atomicorp rules. A good place to add this (again, only if you do not have ASL installed) is the 999_user_exclude.conf file. If you don't have this file, just create it, then make sure your ModSecurity configuration is set up to load this file.
Per IP or network
Disable Mod_security for an IP address
In ASL, just click the "Whitelist" button.
If you are not using ASL, simply add your IP address to the file:
/etc/asl/whitelist
And restart Apache.
Note: For this rule to work, in ASL you must have the MODSEC_00_WHITELIST ruleset enabled.
If you are not using ASL, then you must have the 00_asl_whitelist.conf ruleset loaded.
Whitelist an IP
See above, "Disable Mod_security for an IP address"
Disable a rule by IP or network
You will need to create a custom rule, loaded after all your other rules. Let's say you wanted to exclude rule id 330039 for the network 1.2.0.0/16. You would construct a custom rule like this (matching on REMOTE_ADDR, the client IP address):
SecRule REMOTE_ADDR "@ipMatch 1.2.0.0/16" \
  "id:12345,phase:2,t:none,pass,nolog,noauditlog,ctl:ruleRemoveById=330039"
Note: ipMatch can also take a list that combines IPs and networks, for example:
@ipMatch 1.2.0.0/16,5.6.7.8,127.0.0.0/8
Warning: If the CIDR is invalid, this may cause a segfault of the mod_security module. Check to make sure your CIDR is valid before use.
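Because of the segfault risk above, the network list is worth validating from the shell before it goes into an @ipMatch rule. The snippet below is an added example, not an Atomicorp tool; it checks IPv4 addresses and CIDR prefixes only (ipMatch also accepts IPv6, which this snippet does not validate).

```sh
#!/bin/sh
# Added example: validate one IPv4 entry (a.b.c.d or a.b.c.d/nn) for use in
# an @ipMatch list. Returns 0 if valid, 1 otherwise.
valid_ipv4_cidr() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;      prefix=32 ;;
    esac
    # the prefix must be a plain decimal number in 0..32
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dot-separated decimal octets, each in 0..255
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate every entry of a comma-separated @ipMatch argument, as in
# "1.2.0.0/16,5.6.7.8,127.0.0.0/8". Reports each bad entry on stderr and
# returns 1 if any entry is invalid.
valid_ipmatch_list() {
    rc=0
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for entry in "$@"; do
        valid_ipv4_cidr "$entry" || { echo "invalid @ipMatch entry: $entry" >&2; rc=1; }
    done
    return $rc
}
```

A typical use is `valid_ipmatch_list "1.2.0.0/16,5.6.7.8,127.0.0.0/8" && echo ok` before writing the rule and restarting Apache.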
Per application
Disable modsecurity for a specific web application
Note: this is not recommended
Add a custom rule (see the section below on creating custom rules) after all your rules have been loaded. For example, if you wanted to disable ModSecurity for the application /foo/bar.cgi, you would add a block like this:
<LocationMatch /foo/bar.cgi>
  SecRuleEngine Off
</LocationMatch>