Learning About Mod_security and Disabling Mod_security

Mod_security is an Apache module that helps protect your website from various attacks. It blocks commonly known exploits using regular expressions and rule sets, and it is enabled on all InMotion web hosting plans. Mod_Security can potentially block common code injection attacks, which strengthens the security of the server. If you need to disable the mod_security rules, we can show you how and help you do so.

When coding a dynamic website, users sometimes forget to write code that helps prevent hacks, such as input validation. In some cases, Mod_security can help users whose sites don't have security checks in their code.

This is a simple SQL injection; visiting this URL would cause the database to DROP and delete the users table:

https://www.webapp.com/login.php?username=admin'">DROP%20TABLE%20users--

If you are running Mod_security on your server, it will block this request from running. Typically, you would see a 406 error in this case if mod_security is enabled. To read more about 406 errors read our article. You set up rules for Mod_security to check HTTP requests against and determine whether a threat is present.

Recognizing Mod_security is pretty easy. Any request containing a string forbidden by a mod_security rule will return a 406 error instead of displaying the page. On our shared servers, if you would like to disable mod_security for one or all of your domains, this can be done using our Modsec manager plugin for cPanel.

If you’d like to simply disable a certain rule that is being triggered instead of disabling mod_security for the entire domain, please contact our Live Support team.

If you are a VPS or Dedicated hosting customer, you can disable mod_security for the entire server as well. This can be accomplished in WHM by selecting “No Configuration” from WHM > Mod Security. Please note that mod_security is enabled as an extra layer of security, and removing it can expose you to potential risks.

Manually Disabling Mod_Security on a VPS or Dedicated Server

Some applications may require you to disable mod_security for them to function correctly. This is perfectly fine. Since the set_modsec tool is only available on shared servers, you will need to disable mod_security for a single domain manually:

  1. SSH into the server and open the httpd.conf file. Find the VirtualHost entry for that specific domain. Uncomment the Include line that looks like this:
    Include "/usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM/*.conf"

  2. Create the directory named in the line you uncommented:
    mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM
  3. Insert the rule to turn off mod_security:
    echo "SecRuleEngine Off" > /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM/modsec.conf
  4. Restart Apache:
    service httpd restart
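
An added check (not part of the original article or of cPanel) that confirms the override from the steps above will actually be loaded: the Include line must be uncommented, and modsec.conf must sit in the directory that line names. The function names, the optional ROOT prefix and the scratch tree are assumptions made so the example runs offline.

```shell
#!/bin/sh
# Directory the article's Include line points at (placeholders as on the page).
inc=/usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM

# check_modsec_override HTTPD_CONF DOMAIN [ROOT]
# Prints a status and returns non-zero unless the per-domain override will be
# read. ROOT is a hypothetical prefix so the check can run against a scratch
# copy of the filesystem; leave it empty on a real server.
check_modsec_override() {
    conf=$1 root=${3:-}
    d=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    # First Include line for this domain's userdata directory, commented or not.
    line=$(grep -E "^[[:space:]]*#?[[:space:]]*Include .*/userdata/std/2/[^/]+/$d/\*\.conf" "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no-include"; return 1; }
    case $line in
        *'#'*Include*) echo "include-commented"; return 1 ;;
    esac
    # Directory the Include line names: drop the keyword, quotes and glob.
    dir=$(printf '%s\n' "$line" \
        | sed -e 's/^[[:space:]]*Include[[:space:]]*//' -e 's/"//g' -e 's|/\*\.conf.*$||')
    file="$root$dir/modsec.conf"
    [ -f "$file" ] || { echo "missing $dir/modsec.conf"; return 1; }
    # Last SecRuleEngine directive in the file wins.
    mode=$(awk '$1 == "SecRuleEngine" { m = $2 } END { print m }' "$file")
    [ -n "$mode" ] || { echo "no-SecRuleEngine"; return 1; }
    echo "ok SecRuleEngine=$mode"
}

# Constructed demo: write a minimal httpd.conf into scratch dir $1; $2 is
# either '# ' (Include still commented) or '' (Include active).
demo_setup() {
    printf '<VirtualHost *:80>\n  ServerName DOMAIN.COM\n  %sInclude "%s/*.conf"\n</VirtualHost>\n' \
        "$2" "$inc" > "$1/httpd.conf"
}

demo=$(mktemp -d)
demo_setup "$demo" '# '                                   # step 1 not done yet
check_modsec_override "$demo/httpd.conf" DOMAIN.COM "$demo" || true
demo_setup "$demo" ''                                     # Include uncommented
mkdir -p "$demo/usr/local/apache/userdata/std/2/USERNAME/DOMAIN.COM"  # wrong tree: no conf/
check_modsec_override "$demo/httpd.conf" DOMAIN.COM "$demo" || true
mkdir -p "$demo$inc" && echo "SecRuleEngine Off" > "$demo$inc/modsec.conf"
check_modsec_override "$demo/httpd.conf" DOMAIN.COM "$demo"
rm -rf "$demo"
```

A "missing" result means the file was written somewhere the Include line does not read, so the engine is still on for that domain even though the steps appeared to succeed.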

Disabling Specific Mod_Security Rules on VPS and Dedicated

Using SecRuleRemoveById, you can disable individual mod_security rules. To find the ID to disable, you need to look in the Apache error log (/usr/local/apache/logs/error_log). You can grep for both the domain that is having the problem and ModSecurity to find the relevant entries:

grep domain.com /usr/local/apache/logs/error_log | grep ModSecurity

These lines will include a section that looks like this: [id "950004"]. The number is the ID of the ModSecurity rule that you will disable. You can then enter the following line in an applicable .htaccess file (replacing the 950004 example used below with the ID from your matched error):

SecRuleRemoveById 950004
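
An added example (not from the original article) that goes one step past the grep above: it matches the `[hostname "..."]` field instead of the bare domain and tallies each rule ID together with the URI it fired on. The log lines are constructed, rule IDs 999001 and 999002 are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of Apache error_log lines (not real traffic); only the
# [id], [hostname] and [uri] fields matter to the parser below.
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Jan 06 10:15:01 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [hostname "domain.com"] [uri "/login.php"]
[Mon Jan 06 10:15:09 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [hostname "domain.com"] [uri "/login.php"]
[Mon Jan 06 10:16:40 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 406 (phase 2). [id "999001"] [hostname "domain.com"] [uri "/search.php"]
[Mon Jan 06 10:17:02 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 406 (phase 2). [id "999002"] [hostname "other.example"] [uri "/out.php?ref=domain.com"]
[Mon Jan 06 10:18:30 2014] [error] [client 203.0.113.7] File does not exist: /home/USERNAME/public_html/domain.com/favicon.ico
EOF
}

# Print "RULE_ID URI COUNT" for every rule that blocked a request to domain $2
# in log file $1, most frequent first. Matching the [hostname "..."] field
# skips lines that merely mention the domain in a path or query string, which
# a plain "grep domain.com" would also return.
modsec_rule_hits() {
    grep -F 'ModSecurity' "$1" \
        | grep -F "[hostname \"$2\"]" \
        | sed -n 's/.*\[id "\([0-9][0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' \
        | sort | uniq -c | sort -k1,1nr -k2,2 \
        | awk '{ print $2, $3, $1 }'
}

# Demo run against the constructed log.
log=$(mktemp)
write_sample_log "$log"
modsec_rule_hits "$log" domain.com
rm -f "$log"
```

Check the URI next to each ID before adding a SecRuleRemoveById line: a rule that fires only on requests you do not recognize is likely blocking real probes, not breaking your application.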

Carrie Smaha, Senior Manager Marketing Operations


18 thoughts on “Learning About Mod_security and Disabling Mod_security”

  1. Hi, Is it possible to block all IP’s by COUNTRY?

    I use a security plugin from IT SECURITY THEMES, and my /wp-login.php page has been getting attacked repeatedly/hourly by Russia, China, India, Israel, Germany…

    Now I’m not able to login with admin rights (I do not have a username of: ADMIN)

    Thanks inmotion for having the insight to implement this MOD SECURITY thing!

  2. hello…

    I am working online as a writer…I was given access by my boss to the company’s WordPress account and in order to do my job I need to access WordPress…Now, at first everything was fine…then just as I was about to log into the site, I was faced with error 406 Not Acceptable, something about Mod_Security…and I have no idea about this…when I told my boss, he said that he can log into the site even from 2 different computers with no problem…so I tried logging in from another computer and still the same…I cannot access admin…and whenever I try to manually input the username and password, I always get “invalid username” even if it is the username given by my boss…my boss also doesn’t know about this and I really don’t know what to do anymore…I keep googling for answers and I cannot understand as some terms are programming terms…is this really a problem on my end? or does my boss have to do something about the WordPress site he is managing? I hope you can give me answers…thank you

    1. Hello Jenny, to be honest, without looking at the site itself it’s hard to tell. It sounds like maybe there’s some security in place that would block IPs from accessing the WP-Admin page where you log in. This is a common practice. If this is the case, usually, it’s done in a file called the .htaccess. What’s your website and we can see if we can find out what the issue is?

  3. Hey, is it possible to update the OWASP ModSecurity CRS, or once installed that's all?

    How to proceed with the custom rules - do I make a new file (if so, in which directory) and write your custom rules?

    Which is the best UI for ModSecurity?

    1. Hello Rishi,

      I would suggest creating new files and including them within your Apache configuration. I have used the following pdf on writing Modsec rules in the past and found it fairly informational. There is no UI for Modsecurity that I am aware of as it is mostly edited through SSH. When it comes to updating Modsec rules I would suggest letting Apache handle the updates so everything is compatible.

      Best Regards,
      TJ Edens

  4. Hi TJEdens.

    Our application is developed in Struts2, so from a JSP page the user is trying to access a PDF file which opens in the Online Viewer DRM FileOpen plugin. At that time mod security finds a large byte array range and it blocks the document.

    1. Hello Yogesh,

      You may need to either turn off mod_security or modify the rules to allow larger documents, if you are on a VPS/Dedicated server with root access.

      Best Regards,
      TJ Edens

  5. My personal opinion: use Comodo web application. It's the best firewall I ever used.

    you can download from: https://modsecurity.comodo.com/

  6. Our application sends a request to the server for a document and opens the document in the browser. Most probably PDF files.

    1. Hello Yogesh,

      When your application is sending this request does it use anything like curl/wget or just a php call? Are you using a user-agent with the request?

      Best Regards,
      TJ Edens

  7. In our application we are getting “ApacheKiller DoS – Range Header Too many fields” in the modsecurity log. As we are unable to recognize the same, can you please tell us what could be the root cause and what action should be taken to resolve this issue?

    1. Hello Yogesh,

      Thank you for contacting us. This error is caused by the “denial of service” protection built-in to Apache. We are happy to help, but will need some additional information.

      What steps are you taking when this error occurs? For example, are you installing a theme, or plugin?

      Thank you,
      John-Paul
