How to disable ModSecurity rules

1. View ModSecurity Audit Log File.

  • We need to first find the rules that are being triggered by ModSecurity on your webserver.
  • Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file.
  • For Apache2 servers it is located in /var/log/apache2/ 
  • Open the Terminal Window and enter :
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
  • The output should look similar to the screenshot below.
  • Look for "Access denied with code 403" and work backwards to find the start of the rule entry based on the log entry ID.
  • In this case the log entry ID is --00aee77f (marked in yellow)
  • Find the GET item – in this example it is /modern-classic (marked in blue)
  • Find the ModSecurity rule that was triggered by the GET – in this example the rule id is 958291 (marked in purple)


[Screenshot: modsec_audit]
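The manual search in step 1 can also be scripted. The following is an added example, not part of the original guide: it reads an audit log and prints the log entry ID, requested path and rule id for each request denied with code 403. It assumes the serial audit log format with parts B and H enabled in SecAuditLogParts; the function names and the sample log are constructed for illustration.

```bash
# Added example (not from the original guide); function names are hypothetical.
# Print "<log entry id> <request path> <rule id>" for every request that
# ModSecurity denied with code 403. Reads the files given, or stdin.
modsec_denied() {
    awk '
    # Section boundary such as "--00aee77f-B--": note the id and section.
    /^--[0-9a-fA-F]+-[A-Z]--$/ {
        split($0, p, "-")              # p[3] = entry id, p[4] = section
        id = p[3]; section = p[4]; first = 1
        if (section == "A") uri = ""   # a new transaction starts here
        next
    }
    # First line of section B is the request line: METHOD PATH PROTOCOL.
    section == "B" && first { uri = $2; first = 0; next }
    # Section H carries the Message line that names the rule that denied.
    section == "H" && /Access denied with code 403/ {
        rule = "unknown"
        if (match($0, /\[id "[0-9]+"\]/))
            rule = substr($0, RSTART + 5, RLENGTH - 7)
        print id, uri, rule
    }' "$@"
}

# Constructed sample log: one denied request and one that passed.
modsec_sample_log() {
    cat <<'EOF'
--00aee77f-A--
[01/Jan/2015:10:00:00 +0000] AAAAexample 203.0.113.7 51234 192.0.2.10 80
--00aee77f-B--
GET /modern-classic HTTP/1.1
Host: www.example.com

--00aee77f-H--
Message: Access denied with code 403 (phase 2). [id "958291"] [msg "sample"]
Action: Intercepted (phase 2)
--00aee77f-Z--
--11bcd234-A--
[01/Jan/2015:10:00:05 +0000] BBBBexample 203.0.113.7 51240 192.0.2.10 80
--11bcd234-B--
GET /index.html HTTP/1.1
--11bcd234-H--
Producer: ModSecurity (constructed sample)
--11bcd234-Z--
EOF
}

# With a log path as argument, scan it; otherwise show the sample result.
if [ "$#" -gt 0 ]; then modsec_denied "$@"; else modsec_sample_log | modsec_denied; fi
```

Run it as root against /var/log/apache2/modsec_audit.log and review each line before deciding whether the rule really needs an exception for that path.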

2. Create a Local Exceptions ModSecurity rule file.

  • To disable / exclude certain ModSecurity rules you need to create a local exceptions file.
  • There are various places you can create this file; you only need to make sure that ModSecurity loads it during startup.
  • We are going to create a whitelist.conf file in the /etc/modsecurity/activated_rules/ directory as all files with .conf extension will be loaded during ModSecurity startup.
  • Open the Terminal Window and enter :
sudo vi /etc/modsecurity/activated_rules/whitelist.conf
  • For our example we add the location of the GET and ModSecurity rule id from step 1.
  • Add the following to your whitelist.conf file and save :
<LocationMatch "/modern-classic">
    SecRuleRemoveById 958291
</LocationMatch>
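  • You need to add the location as a regex of the directory path or file that is causing the ModSecurity rule to be triggered. LocationMatch applies the regex to any part of the URL path, so "/modern-classic" also matches longer paths that merely contain that string; start the pattern with ^ and keep it as specific as possible so the rule is removed only where it has to be.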
  • In the following example we add the location directly to the file that triggers the ModSecurity rule.
<LocationMatch "/wp-admin/update.php">
    SecRuleRemoveById 981173
</LocationMatch>

3. Restart Webserver.

  • For the changes to take effect you need to restart your webserver.
  • For Apache2 servers, open the Terminal Window and enter :
sudo service apache2 restart