Articles in this section

See more

Cannot disable ModSecurity rules via Switch off security rules in Plesk

Avatar
Alexandr Shadrin
Updated
Follow

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Symptoms

  • Cannot disable ModSecurity rules: Tools & Settings > Web Application Firewall > General > Switch off security rules list settings are ignored, however, the rule IDs are written to /etc/httpd/conf/plesk.conf.d/server.conf :

    CONFIG_TEXT: SecRuleEngine On
    SecRuleRemoveById 340159 340162 340523

  • Access to a website page keeps being blocked with the following error:

    CONFIG_TEXT: HTTP 403 Forbidden

  • The following entry appears in Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs:

    CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

Cause

Modsecurity issue MODSEC-274 : rules defined within LocationMatch cannot be excluded by SecRuleRemoveById directive.

Resolution

In order to disable such rules, it is required to use SecRule option in the configuration files of Apache. It is possible to add it via Plesk Interface. For that:

  1. Log into Plesk.

  2. Go to Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs and retrieve the location and the rule ID matched. For example:

    CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

  3. Go to Subscriptions > example.com > Websites & Domains Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives (replacing 1000001 with ANY other unique ID):

    <IfModule mod_security2.c>
        SecRule REQUEST_FILENAME "@rx ^/manager/index.php$" "phase:1,id:'1000001',t:none,pass,ctl:ruleRemoveById=340523,ctl:ruleRemoveById=340524"
    </IfModule>

  4. Press OK to apply the changes.

Note: this issue affects only the rules defined using LocationMatch directive. For the other rules, removing via Tools & Settings > Web Application Firewall > General > Switch off security rules should work.

Additional information

How to disable a single ModSecurity rule for a website?

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles