Knowledge Base

Cannot disable ModSecurity rules via Switch off security rules in Plesk

Symptoms

Unable to disable ModSecurity rules by SecRuleRemoveById: How to disable a single ModSecurity rule for a website?
The configuration files are containing SecRuleRemoveById settings, but the list of settings is being ignored:
```
<IfModule mod_security2.c>
 SecRuleRemoveById 340476
 </IfModule>
```
- If the ModSecurity rules were switched off at Plesk server level, check the following configuration file: /etc/httpd/conf/plesk.conf.d/server.conf
- If the ModSecurity rules were switched off at domain level, check the following configuration file: /var/www/vhosts/system/example.com/conf/httpd.conf
Access to a website page keeps being blocked with the following error:
```
HTTP 403 Forbidden
```

Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:

ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

Analyzing the error message, the ModSecurity configuration file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf, the rule ID 340476 is defined in a LocationMatch statement:

# less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
 ...
 <LocationMatch>
 SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index.php?fuse=admin)" 
 "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
 SecRule
 ...
 </LocationMatch>

Cause

Modsecurity issue MODSEC-274: rules defined within LocationMatchcannot be excluded by SecRuleRemoveById directive.

Resolution

Note: This issue affects only the rules defined using LocationMatch directive. To disable other rules, the following instructions should work: How to disable a single ModSecurity rule for a website?

In order to disable such rules, it is required to use SecRule option in the configuration files of Apache:

Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI location and the matched rule ID. For example:

ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives > Apply changes:

<IfModule mod_security2.c>
 SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340476"
 </IfModule&gt…