Cannot disable ModSecurity rules via Switch off security rules in Plesk

Created: 2017-05-26 17:06:53 UTC

Modified: 2017-08-16 14:12:54 UTC

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Symptoms

  • ModSecurity rules cannot be disabled: the rule IDs entered in Tools & Settings > Web Application Firewall > General > Switch off security rules are ignored, although they are correctly written to /etc/httpd/conf/plesk.conf.d/server.conf :

    SecRuleEngine On
    SecRuleRemoveById 340159 340162 340523

  • Access to a website page keeps being blocked with the following error:

    HTTP 403 Forbidden

  • The following entry appears in Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs:

    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

Cause

ModSecurity issue MODSEC-274 : rules defined within a LocationMatch block cannot be excluded with SecRuleRemoveById .

Resolution

1. Go to Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs and retrieve the location and the rule ID matched. For example:

ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

2. Go to Subscriptions > example.com > Websites & Domains > Apache and nginx Settings > Additional Apache directives and add the following (replacing 1000001 with some unique ID):

<IfModule mod_security2.c>
    # Phase 1 rule for this exact path only: remove the listed rule IDs before phase 2 runs,
    # so the rules stay active for every other URI on the site
    SecRule REQUEST_FILENAME "@rx ^/manager/index.php$" "phase:1,id:'1000001',t:none,pass,ctl:ruleRemoveById=340523,ctl:ruleRemoveById=340524"
</IfModule>

3. Press OK to apply the changes.

Note: this issue affects only the rules defined using the LocationMatch directive. For all other rules, disabling them via Tools & Settings > Web Application Firewall > General > Switch off security rules works as expected.
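Steps 1 and 2 above can be mechanised: parse the bracketed fields of the WAF log entry, group the matched rule IDs by URI, and emit one per-path exclusion rule in the format shown in step 2. This is an added example, not Plesk's own code; the sample log entries are constructed (the second one is invented to show two rule IDs hitting the same path), and 1000001 is a placeholder starting ID exactly as in the article.

```python
import re

# Constructed sample entries in the shape of the Plesk WAF log line shown above.
SAMPLE_LOGS = [
    'ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] '
    '[line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: '
    'Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] '
    'Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against '
    '"MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] '
    '[unique_id "WShWeH8AAAEAAGUIpxEAAADA"]',
    # Second entry is constructed: a different rule id hit on the same URI.
    'ModSecurity: [id "340524"] [severity "CRITICAL"] Access denied with code 403 (phase 2). '
    '[hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "constructed-0001"]',
]

# Matches every bracketed [key "value"] field; backslash-escaped quotes inside a value are allowed.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PCRE_META = set('.^$*+?()[]{}|\\')


def parse_modsec_entry(line):
    """Return the bracketed fields of one ModSecurity error-log entry as a dict."""
    return dict(FIELD_RE.findall(line))


def pcre_escape(text):
    """Escape regex metacharacters so a literal URI can be used inside an @rx operator."""
    return "".join("\\" + c if c in PCRE_META else c for c in text)


def build_exclusions(entries, first_id=1000001):
    """Group matched rule ids by request URI and emit one SecRule per URI that removes
    only those ids for that exact path, leaving the rules active everywhere else.
    first_id is the unique id of the first generated rule (1000001 is a placeholder,
    as in the article); each further URI gets the next id."""
    by_uri = {}
    for line in entries:
        fields = parse_modsec_entry(line)
        if "id" in fields and "uri" in fields:
            by_uri.setdefault(fields["uri"], set()).add(fields["id"])
    lines = ["<IfModule mod_security2.c>"]
    for n, uri in enumerate(sorted(by_uri)):
        ctls = ",".join("ctl:ruleRemoveById=%s" % rid for rid in sorted(by_uri[uri]))
        lines.append('    SecRule REQUEST_FILENAME "@rx ^%s$" "phase:1,id:\'%d\',t:none,pass,%s"'
                     % (pcre_escape(uri), first_id + n, ctls))
    lines.append("</IfModule>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_exclusions(SAMPLE_LOGS))
```

The generated block is what goes into Additional Apache directives in step 2; review each removed ID against its log message first, since a per-path exclusion disables that protection for that path.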
