Cannot disable ModSecurity rules via Switch off security rules in Plesk

Symptoms

• Unable to disable ModSecurity rules by SecRuleRemoveById: How to disable a single ModSecurity rule for a website?

• The configuration files are containing SecRuleRemoveById settings, but the list of settings is being ignored:

  CONFIG_TEXT: <IfModule mod_security2.c>
  SecRuleRemoveById 340476
  </IfModule>

  • If the ModSecurity rules were switched off at Plesk server level, check the following configuration file: /etc/httpd/conf/plesk.conf.d/server.conf

  • If the ModSecurity rules were switched off at domain level, check the following configuration file: /var/www/vhosts/system/example.com/conf/httpd.conf

• Access to a website page keeps being blocked with the following error:

  CONFIG_TEXT: HTTP 403 Forbidden

• Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:

  CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

• Analyzing the error message, the ModSecurity configuration file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf, the rule ID 340476 is defined in a LocationMatch statement:

  CONFIG_TEXT: # less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
  ...
  <LocationMatch>
  SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index\.php\?fuse=admin)" \
  "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
  SecRule
  ...
  </LocationMatch>

Cause

Modsecurity issue MODSEC-274: rules defined within LocationMatch cannot be excluded by SecRuleRemoveById directive.

Resolution

Note: This issue affects only the rules defined using LocationMatch directive. To disable other rules, the following instructions should work: How to disable a single ModSecurity rule for a website?

In order to disable such rules, it is required to use SecRule option in the configuration files of Apache:

1. Log in to Plesk GUI

2. Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI location and the matched rule ID. For example:

   CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

3. Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives > Apply changes:

   CONFIG_TEXT: <IfModule mod_security2.c>
   SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340476"
   </IfModule>

   *Where:

   • /admin/index.php needs to be replaced by the URI location from the Step 2

   • 1000001 needs to be replaced by ANY other unique ID

   • 340476 needs to be replaced by the ModSecurity rule ID from the Step 2