Plesk 360 login
Free Trial

Knowledge Base

Cannot disable ModSecurity rules via Switch off security rules in Plesk

 
apachedomainsfirewallgohttp

Symptoms

  • Unable to disable ModSecurity rules by SecRuleRemoveByIdHow to disable a single ModSecurity rule for a website?

  • The configuration files are containing SecRuleRemoveById settings, but the list of settings is being ignored:

    <IfModule mod_security2.c>
    SecRuleRemoveById 340476
    </IfModule>

    • If the ModSecurity rules were switched off at Plesk server level, check the following configuration file: /etc/httpd/conf/plesk.conf.d/server.conf

    • If the ModSecurity rules were switched off at domain level, check the following configuration file: /var/www/vhosts/system/example.com/conf/httpd.conf

  • Access to a website page keeps being blocked with the following error:

    HTTP 403 Forbidden

  • Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:

    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

  • Analyzing the error message, the ModSecurity configuration file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf, the rule ID 340476 is defined in a LocationMatch statement:

    # less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
    ...
    <LocationMatch>
    SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index.php?fuse=admin)"
    "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
    SecRule
    ...
    </LocationMatch>

Cause

Modsecurity issue MODSEC-274: rules defined within
LocationMatch
cannot be excluded by
SecRuleRemoveById directive.

Resolution

Note: This issue affects only the rules defined using
LocationMatch
 directive. To disable other rules, the following instructions should work: How to disable a single ModSecurity rule for a website?

In order to disable such rules, it is required to use SecRule option in the configuration files of Apache:

  1. Log in to Plesk GUI

  2. Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI location and the matched rule ID. For example:

    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

  3. Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives > Apply changes:

    <IfModule mod_security2.c>
    SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog…

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Install Cannot disable ModSecurity rules via Switch off security rules in Plesk extension

Hostname or IP or URL of your Plesk instance: