In this article, I’m going to discuss how to find and disable specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing how to go in and find what rules are getting triggered and how to disable them can be handy.
This article is going to assume that you already know how to enable a ModSecurity configuration file for your domain which is discussed in my previous article about how to disable ModSecurity for a domain. However, when you get to the part talking about using SecRuleEngine Off you won’t want to put that in your ModSecurity configuration file. As that completely turns off ModSecurity, in this article we’ll discuss using the SecRuleRemoveById setting instead to only disable one specific rule.
In order to follow along with this guide, you’ll need root access to either your VPS or dedicated server so that you have full access to modify your Apache configuration, and to create the ModSecurity configuration file.
Find ModSecurity Rules Getting Triggered
Following the steps below I’ll show you how you can use the Apache error log in order to determine what ModSecurity errors are being triggered on your websites.
- Login to your server via SSH as the root user.
- Run the following command to determine what ModSecurity rules are being triggered:
grep ModSecurity /usr/local/apache/logs/error_log | grep "\[id" | sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-z0-9\-\_\.]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -n
This will give you something back like this:
129 990011 example.com /feed/
4668 950004 example.com /wp-content/themes/drone/jquery.cookie.js
29070 950004 www.example.com /wp-content/themes/drone/jquery.cookie.js
So we can see that the ModSecurity rule ID 950004 has been triggered at least 33,738 between example.com and www.example.com when trying to request the /wp-content/themes/drone/jquery.cookie.js file. - In order to disable just the specific ModSecurity rule for the 95004 rule, run the following command:
echo "SecRuleRemoveById 950004" >> /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf
Note that when we use >> this is going to append the rule to our ModSecurity configuration file, so we don’t overwrite any previous rules we’ve allowed as well. If you don’t already have your ModSecurity configuration file included in your Apache configuration, be sure to follow my guide on how to enable ModSecurity include and create a configuration file which covers this.
It’s also important to remember you can’t have the SecRuleEngine Off rule still in your ModSecurity configuration file if you’re just disabling specific rules, as it will completely turn off ModSecurity.
- Restart Apache.
Depending on your needs, it may be helpful to change the audit log level for cleaner logging.
You should now know how to locate what ModSecurity rules are being triggered, and how to individually disable those specific rules to stop triggering 406 ModSecurity errors on your website.
No matter if you're a developer, system administrator, or simply a fan of SSH and command line, InMotion's Cloud Hosting plans provide a fast, scalable environment that is budget-friendly.
i am searching the rule but i am not findindg this path /usr/local/apache/, path till only user/local,kindly help me its very urgent for me
I verified the path is accurate. Ensure you are logging into your server via ssh as the root user.
Thank you,
John-Paul
Might be out of topic here!
But then how do you differ from vendors link comodo mod security. FYI https://modsecurity.comodo.com/
Hello Percy08,
If you’re familiar with Modsecurity in WHM, then it’s possible to make many different rules. Comodo is providing pre-made rule sets that you can use with an Apache server and uses a different firewall. You would need to have root access and be subscribed to a dedicated or VPS server in order to implement something of this nature. We do not use this particular thing, so you may find more information by contacting the vendor in order to determine the differences between the cPanel ModSecurity rules and firewall and the solution that Comodo is selling.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
I want to allow request arguements “request.ui_dispatch_app and request.ui_dispatch_view” from “test.local.com” From other domain this should not allow and arguements other than these 2 like “request.something” from any domain including “test.local.com” should not allow in modsecurity. How to achieve this ?
Hello Yogesh Patel,
If you’re trying to change the mod security rules that apply to your websites, you will need to have root access to the account, and knowledge of how to change the rules. Otherwise, you will need to submit a request to technical support explaining what you are trying to accomplish. Bear in mind that changing the mod security rules may not be possible if you are on a shared server.
I hope this helps to answer your question, please let us know if you require any further assistance.
Regards,
Arnel C.
We have issues when ModSec Rule is enabled and get a 406 error for the User Agent Header. This occures after users pay for items using the SIM payment method and are then re-routed or relayed back to the website. I would like to just disable that rule for the USer Agent Header request. Where can I find that rule number? Also, would enabling Mod_Rewrite in my CMS configuration help at all?
Hello James,
Following Jacob’s instructions above should help you identify and disable the specific rule. Mod_rewrite is enabled by default on the servers, but it is enabled by the htaccess file usually as well by calling ‘RewriteEngine On’.
Kindest Regards,
Scott M
I have problem with this on my site https://villasdiani.com/ can you halp me with that? 🙁 For me it realy sounds like chinese:-(
Hello Martina,
Thank you for contacting us. Since your website seems to be hosted with Network Solutions we do not have access to your server.
We are still happy to help you, but will need more information. What are you trying to accomplish?
Are you having problems, or getting errors? Can you provide the errors?
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul
Hello Martina,
We are happy to help. At what part of the process are you getting stuck? Be sure you have root access in order to begin.
Kindest Regards,
Scott M
Hi I have a setup with modsec but it wot disable rules that I need to disable to allow directory listing (Indexes). Come across this before?
This is in my /etc/modsecurity/modsecurity.conf file
SecRuleRemoveById 970011
SecRuleRemoveById 971200
SecRuleRemoveById 971201
SecRuleRemoveById 971202
Hello Anon,
Since I can’t see your account, I am unable to determine if you have the permission to change the Modsec rule – you would need to have root access. If you’re finding that you are unable to make the changes, make sure that the file permissions allow you to change it, if you’re still having the problem, then contact our technical support team through email/phone/chat.
The technical support team may need to make the change for you, if you have a hosting account with us.
Regards,
Arnel C.