Knowledge Base

Cannot disable ModSecurity rules via Switch off security rules in Plesk

Symptoms

Unable to disable ModSecurity rules by SecRuleRemoveById: How to disable a single ModSecurity rule for a website?
The configuration files are containing SecRuleRemoveById settings, but the list of settings is being ignored:

<IfModule mod_security2.c>
SecRuleRemoveById 340476
</IfModule>
- If the ModSecurity rules were switched off at Plesk server level, check the following configuration file: /etc/httpd/conf/plesk.conf.d/server.conf
- If the ModSecurity rules were switched off at domain level, check the following configuration file: /var/www/vhosts/system/example.com/conf/httpd.conf
Access to a website page keeps being blocked with the following error:

HTTP 403 Forbidden
Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:

ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php
Analyzing the error message, the ModSecurity configuration file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf, the rule ID 340476 is defined in a LocationMatch statement:

# less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
...
<LocationMatch>
SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index.php?fuse=admin)"
"phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
SecRule
...
</LocationMatch>

Cause

Modsecurity issue MODSEC-274: rules defined within LocationMatchcannot be excluded by SecRuleRemoveById directive.

Resolution

Note: This issue affects only the rules defined using LocationMatch directive. To disable other rules, the following instructions should work: How to disable a single ModSecurity rule for a website?

In order to disable such rules, it is required to use SecRule option in the configuration files of Apache:

Log in to Plesk GUI
Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI location and the matched rule ID. For example:

ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php
Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives > Apply changes:

<IfModule mod_security2.c>
SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog…

How to Host a Go App on Plesk

Your Complete .htaccess Guide: Including .htaccess Basics and More

NGINX vs Apache – Which Is the Best Web Server in 2024?

Knowledge Base

How to configure Apache to process PHP code inside an .html file on a Plesk server

Websites on Plesk server are slow or show error 500 or PHP mail cannot be sent: ap_pass_brigade failed

Website on Plesk server is not accessible: 504 Gateway Time-out: The timeout specified has expired: [client 203.0.113.2:54693] AH01075: Error dispatching request to

Websites hosted on Plesk server are unavailable with 502 Bad Gateway: upstream sent too big header while reading response header

Hosting Wiki