Why and How to Disable Mod_Security?

July 5, 2016 / General Discussion

Mod_security is an Apache module that helps secure your website against several kinds of attack. It blocks commonly known exploits by using regular expressions and rule sets, and it strengthens the security of your servers by potentially blocking common code injection attacks.

No doubt mod_security can be useful when properly configured, but many hosting providers don’t configure it correctly, which leads to problems. Commonly faced problems include security rules triggering on standard actions that should be allowed, 403 or 404 errors, access denied errors, login issues, being unable to modify categories and boards, and similar problems.

When a dynamic website is coded, there is a possibility that the developers forget to write code that helps prevent hacks, such as input validation. Mod_security can help users who don’t have security checks in their code.

http://www.webapp.com/login.php?username=admin'">DROP%20TABLE%20users--

The above URL is a simple MySQL injection attempt; visiting it would make the database DROP (delete) the users table. But if you have enabled mod_security on your server, it will block this from running, and typically you might see a 404 error. Rules can be set up to check HTTP requests and determine whether a threat is present.

You can recognize mod_security very easily. Any request to a website that contains a string forbidden by a mod_security rule gets a 406 error instead of the page.

If you are a Dedicated or VPS customer, you can also disable mod_security for the complete server. To do this, select “No Configuration” from WHM > Mod_security.

Note: Mod_security is an extra layer of security, and if you disable or remove it your server is exposed to potential risks.

Steps to Manually Disable Mod_Security on a Dedicated or VPS Server –

You might need to disable mod_security for some applications to help them function correctly. This is fine, and because the set_modsec tool is available only on shared servers, on a Dedicated or VPS server you must disable mod_security for a single domain manually.

  1. Log in to the server over SSH and open the httpd.conf file. Find the VirtualHost entry for the specific domain and uncomment the Include line that looks like this:
    Include "/usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM/*.conf"

    NOTE: This line tells Apache to INCLUDE into the VirtualHost config ANY file ending in .conf. This is an advanced step.
  2. Copy the path from the uncommented line and create that directory with mkdir:
    mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM
  3. To turn off mod_security for the domain, write the rule into a .conf file in that directory:
    echo "SecRuleEngine Off" > /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM/modsec.conf
  4. Restart Apache:
    service httpd restart

Below are the Steps to Disable Mod_Security Rules on Dedicated or VPS Servers

To disable individual mod_security rules on Dedicated or VPS servers, use SecRuleRemoveById. Check the Apache error log (/usr/local/apache/logs/error_log) to find the ID to disable. Grep the log for the domain that is having the problem, then for ModSecurity entries:

grep domain.com /usr/local/apache/logs/error_log | grep ModSecurity

The output will contain a section like [id "950004"], which is the ID of the mod_security rule that needs to be disabled.

Now enter the following line in the applicable .htaccess file (replace the example ID 950004 used below with the ID from your matched error):

SecRuleRemoveById 950004

Note: Including the line SecRuleEngine Off will completely disable Mod_Security.
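
The log check described above, as an added example that is not part of the original article: it lists each rule ID that denied requests for one domain, with hit counts and URIs, so individual rules can be reviewed for SecRuleRemoveById instead of switching the engine off. The function names are hypothetical, the log lines are constructed, and the script assumes Apache error_log entries that carry [id], [hostname] and [uri] fields.

```shell
#!/bin/sh
# Added example; the log lines are constructed, not from a real server.
write_sample_log() {
cat > "$1" <<'EOF'
[Tue Jul 05 10:12:01 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [msg "constructed sample"] [hostname "domain.com"] [uri "/login.php"]
[Tue Jul 05 10:12:09 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [msg "constructed sample"] [hostname "domain.com"] [uri "/admin/edit.php"]
[Tue Jul 05 10:13:30 2016] [error] [client 198.51.100.4] ModSecurity: Access denied with code 406 (phase 2). [id "960015"] [msg "constructed sample"] [hostname "domain.com"] [uri "/login.php"]
[Tue Jul 05 10:14:02 2016] [error] [client 198.51.100.9] ModSecurity: Access denied with code 406 (phase 2). [id "981231"] [msg "constructed sample"] [hostname "other.example"] [uri "/go"] [data "ref=domain.com"]
EOF
}

# Print "ID COUNT URI..." for each rule that denied a request to vhost $2.
# Matching the [hostname "..."] field skips entries from other vhosts that
# only mention the domain elsewhere (a plain grep for the domain keeps them).
modsec_rule_summary() {
    awk -v d="$2" '
        !/ModSecurity/ { next }
        index($0, "[hostname \"" d "\"]") == 0 { next }
        {
            id = ""; uri = "-"
            if (match($0, /\[id "[0-9]+"\]/))
                id = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[uri "[^"]*"\]/))
                uri = substr($0, RSTART + 6, RLENGTH - 8)
            if (id == "") next
            count[id]++
            if (!((id, uri) in seen)) { seen[id, uri] = 1; uris[id] = uris[id] " " uri }
        }
        END { for (id in count) printf "%s %d%s\n", id, count[id], uris[id] }
    ' "$1" | sort -n
}

# Turn the summary into one directive per rule ID, for review before use.
modsec_removals() {
    modsec_rule_summary "$1" "$2" | awk '{ print "SecRuleRemoveById " $1 }'
}

tmp=$(mktemp) && write_sample_log "$tmp"
modsec_rule_summary "$tmp" domain.com
modsec_removals "$tmp" domain.com
rm -f "$tmp"
```

A rule that fires on only one URI is a candidate for a narrow exclusion; one that fires across many URIs deserves a closer look at the requests before it is removed.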