
Cannot disable ModSecurity rules via Switch off security rules in Plesk


Applicable to:

  • Plesk Onyx for Linux

Symptoms

  • Unable to disable a ModSecurity rule with SecRuleRemoveById as described in How to disable a single ModSecurity rule for a website?

  • The configuration files contain the SecRuleRemoveById directive, but it is silently ignored and the rule keeps firing:

    CONFIG_TEXT: <IfModule mod_security2.c>
    SecRuleRemoveById 340476
    </IfModule>

    • If the rule was switched off at the Plesk server level, the directive is in the following configuration file: /etc/httpd/conf/plesk.conf.d/server.conf

    • If the rule was switched off at the domain level, the directive is in the following configuration file: /var/www/vhosts/system/example.com/conf/httpd.conf

  • Requests to a page of the website keep being rejected with the following error:

    CONFIG_TEXT: HTTP 403 Forbidden

  • Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:

    CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

  • The error message names the rule file, /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf. In that file, rule ID 340476 is defined inside a LocationMatch container:

    CONFIG_TEXT: # less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
    ...
    <LocationMatch>
    SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index\.php\?fuse=admin)" \
    "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
    SecRule
    ...
    </LocationMatch>

Cause

ModSecurity issue MODSEC-274: rules defined inside a LocationMatch container cannot be excluded with the SecRuleRemoveById directive. The directive is accepted without error, so nothing in the configuration test or the logs points at the problem; the rule simply keeps matching.

Resolution

Note: This issue affects only rules defined inside a LocationMatch container. For any other rule, the instructions in How to disable a single ModSecurity rule for a website? work as usual.

Such rules are disabled with a SecRule of your own that runs for the affected URI and removes the offending rule with the ctl:ruleRemoveById action. Add it to the Apache configuration as follows:

  1. Log in to Plesk GUI

  2. Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI location and the matched rule ID. For example:

    CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php

  3. Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives and add the following lines to both HTTP and HTTPS directives > Apply changes:

    CONFIG_TEXT: <IfModule mod_security2.c>
    SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340476"
    </IfModule>

    Where:

    • /admin/index.php is the URI from the [uri "..."] field of the log entry in Step 2

    • 1000001 is the ID of the new rule; any ID not already used by another rule on the server will do (ModSecurity refuses the configuration if two rules share an ID, so pick a fresh one for every exclusion you add)

    • 340476 is the ModSecurity rule ID from the [id "..."] field of the log entry in Step 2

    The new rule runs in phase 1, before the phase 2 rule it removes, and the removal applies only to the request that matched the URI; other requests are still inspected by the full rule set. After applying the changes, reload the blocked page and confirm that the Web Application Firewall log no longer reports a match for that rule ID.
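The procedure above can be mechanised. The following script is an added example and is not part of the Plesk article or of ModSecurity: it parses a ModSecurity "Access denied" line from the Apache error log, checks whether the matched rule sits inside a LocationMatch container in the rules file, and then emits either a plain SecRuleRemoveById (sufficient for ordinary rules) or the ctl:ruleRemoveById rule that LocationMatch rules need, allocating a rule ID that is not yet in use. The rules excerpt, the second log line and the file path /tmp/constructed.conf are constructed sample data; the first log line is the one quoted in Step 2.

```python
"""Generate ModSecurity exclusions for rules that SecRuleRemoveById cannot disable.

Added example, not part of the Plesk article or of ModSecurity itself.
"""
import re
from dataclasses import dataclass

# Bracketed [key "value"] fields that mod_security2 writes to the Apache error log.
LOG_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class BlockedRequest:
    rule_id: str
    uri: str
    rule_file: str


def parse_modsec_log_line(line: str) -> BlockedRequest:
    """Pull rule id, request URI and rule file out of one 'Access denied' log line."""
    fields = {}
    for key, value in LOG_FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first value if a key repeats
    missing = [k for k in ("id", "uri", "file") if k not in fields]
    if missing:
        raise ValueError(f"log line lacks fields: {missing}")
    return BlockedRequest(fields["id"], fields["uri"], fields["file"])


def rule_is_in_locationmatch(rules_text: str, rule_id: str) -> bool:
    """True if the SecRule carrying id:<rule_id> sits inside a <LocationMatch> container.

    Container depth is tracked line by line; the id: action is usually on a
    backslash-continued line after the SecRule keyword, so every line is checked.
    """
    id_pat = re.compile(r"\bid:'?" + re.escape(rule_id) + r"(?!\d)")
    depth = 0
    for raw in rules_text.splitlines():
        line = raw.strip()
        if re.match(r"<LocationMatch\b", line, re.IGNORECASE):
            depth += 1
        elif re.match(r"</LocationMatch>", line, re.IGNORECASE):
            depth = max(depth - 1, 0)
        elif id_pat.search(line):
            return depth > 0
    raise LookupError(f"rule id {rule_id} not found in rules text")


def next_free_rule_id(existing_config: str, start: int = 1000001) -> int:
    """Smallest id >= start not already used by a rule in existing_config.

    ModSecurity rejects a configuration with duplicate rule ids and reserves
    1-99999 for local use; 1000001 and up is what the article's example uses.
    """
    used = {int(m) for m in re.findall(r"\bid:'?(\d+)", existing_config)}
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


def exclusion_for(req: BlockedRequest, rules_text: str, existing_config: str) -> str:
    """Return the Apache directive that disables req.rule_id for req.uri."""
    if rule_is_in_locationmatch(rules_text, req.rule_id):
        # SecRuleRemoveById is ignored for these rules (MODSEC-274); a phase 1 rule
        # with ctl:ruleRemoveById removes the rule for the matching request only.
        local_id = next_free_rule_id(existing_config)
        uri = req.uri.replace('"', '\\"')
        return (f'SecRule REQUEST_FILENAME "@beginsWith {uri}" '
                f'"id:{local_id},phase:1,t:none,nolog,pass,ctl:ruleRemoveById={req.rule_id}"')
    return f"SecRuleRemoveById {req.rule_id}"


def build_custom_directives(log_lines, rules_text, existing_config=""):
    """One exclusion per log line, wrapped in the <IfModule> block Plesk expects."""
    body = []
    for line in log_lines:
        directive = exclusion_for(parse_modsec_log_line(line), rules_text, existing_config)
        body.append(directive)
        existing_config += "\n" + directive  # keep later allocated ids unique too
    return "<IfModule mod_security2.c>\n" + "\n".join(body) + "\n</IfModule>"


# First line: the log entry from the article. Second line: constructed, for a rule
# (made-up id 9999999) that is not inside LocationMatch.
SAMPLE_LOG = [
    'ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] '
    '[line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File '
    'Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access '
    'denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against '
    '"MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] '
    '[unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"]',
    'ModSecurity: [file "/tmp/constructed.conf"] [line "1"] [id "9999999"] '
    '[msg "constructed"] Access denied with code 403 (phase 2). [hostname "example.com"] '
    '[uri "/blog/index.php"] [unique_id "constructed"]',
]

# Constructed excerpt in the shape of 10_asl_rules.conf: one rule outside and one
# inside a LocationMatch container (the container argument is made up).
SAMPLE_RULES = r'''
SecRule ARGS "@rx evil" "id:9999999,phase:2,deny,status:403"
<LocationMatch "/admin/">
SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index\.php\?fuse=admin)" \
    "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,deny,log,auditlog,status:403"
    SecRule ARGS "@beginsWith http://%{SERVER_NAME}/"
</LocationMatch>
'''

if __name__ == "__main__":
    print(build_custom_directives(SAMPLE_LOG, SAMPLE_RULES))
```

Paste the printed block into Additional Apache directives for one domain, or into Tools & Settings > Web Application Firewall > Settings > Custom directives to apply it server-wide; pass the current custom directives as existing_config so the allocated IDs do not collide with rules already there.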


Comments

1 comment
  • To resolve this for the whole server, you can follow the instructions above, but put the new rules in Tools & Settings > Web Application Firewall > Settings > Custom directives

    SecRule REQUEST_FILENAME "@beginswith /wp-admin/options-general.php" "id:012345678,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=33340594"
    SecRule REQUEST_FILENAME "@beginswith /wp-admin/options-general.php" "id:012345679,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=33340595"

    Note that the id: part must be unique - you can make it up, but it has to be unique per rule you override.

    The ruleRemoveById: part is copied from the error message.

