How to disable ModSecurity rules

1. View ModSecurity Audit Log File.

  • We need to first find the rules that are being triggered by ModSecurity on your webserver.
  • Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file.
  • For Apache2 servers it is located in /var/log/apache2/¬†
  • Open the Terminal Window and enter :
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
  • The output should look similar to this screenshot below.
  • Look for Access denied with code 403¬†and work backwards to find the start of the rule entry based on the log entry id.
  • In this case the log entry ID is –00aee77f (see marked in yellow)
  • Find the GET item – in this example it is /modern-classic (see marked in blue)
  • Find the ModSecurity rule that was triggered by the GET – in this example the rule id 958291 (see marked in purple)

Read More