{"id":1542,"date":"2012-10-02T12:31:23","date_gmt":"2012-10-02T04:31:23","guid":{"rendered":"http:\/\/rmohan.com\/?p=1542"},"modified":"2012-10-02T12:34:25","modified_gmt":"2012-10-02T04:34:25","slug":"disabling-mod_security","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1542","title":{"rendered":"Disabling Mod_Security"},"content":{"rendered":"

\u00a0\u00a0\u00a0 1 Disabling Mod_Security Globally
\u00a0\u00a0\u00a0 2 Disabling Mod_security per domain
\u00a0\u00a0\u00a0 3 Disabling Mod_security per domain for an IP address
\u00a0\u00a0\u00a0 4 Disable Mod_security on a global URL
\u00a0\u00a0\u00a0 5 Disable Mod_security for an IP address
\u00a0\u00a0\u00a0 6 Whitelist an IP
\u00a0\u00a0\u00a0 7 Disable a rule for a single domain
\u00a0\u00a0\u00a0 8 Disable Mod_security rule for a specific application in a single domain
\u00a0\u00a0\u00a0 9 Disable Mod_security rule for all domains
\u00a0\u00a0\u00a0 10 Disable Mod_security rules globally for a specific application
\u00a0\u00a0\u00a0 11 Disable Mod_security rules by domain, for a specific application, for a list of IPs
\u00a0\u00a0\u00a0 12 Customizing a rule
\u00a0\u00a0\u00a0 13 Configuring and Setting up mod_security<\/p>\n

[edit] Disabling Mod_Security Globally<\/p>\n

Step 1) Disable config file<\/p>\n

mv \/etc\/httpd\/conf.d\/00_mod_security.conf \/etc\/httpd\/conf.d\/00_mod_security.conf.disabled<\/p>\n

Step 2) Restart Apache<\/p>\n

service httpd restart<\/p>\n

[edit] Disabling Mod_security per domain<\/p>\n

For Plesk and similar systems you can also disable modsecurity in the Apache configuration.<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

\u00a0vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the following<\/p>\n

<IfModule mod_security2.c>
\u00a0 SecRuleEngine Off
<\/IfModule><\/p>\n

Then restart apache, if you are using Plesk then you will also need follow steps 3 and 4.<\/p>\n

Step 3) Add vhost.conf to domain config<\/p>\n

\/usr\/local\/psa\/admin\/bin\/websrvmng -a<\/p>\n

Step 4) Restart Apache<\/p>\n

service httpd restart<\/p>\n

[edit] Disabling Mod_security per domain for an IP address<\/p>\n

For Plesk and similar systems you can also disable modsecurity in the Apache configuration.<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

\u00a0vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the following<\/p>\n

<IfModule mod_security2.c>
\u00a0SecRule REMOTE_ADDR “^1.2.3.4$ “phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off”
<\/IfModule><\/p>\n

Then restart apache, if you are using Plesk then you will also need follow steps 3 and 4.<\/p>\n

Step 3) Add vhost.conf to domain config<\/p>\n

\/usr\/local\/psa\/admin\/bin\/websrvmng -a<\/p>\n

Step 4) Restart Apache<\/p>\n

service httpd restart<\/p>\n

[edit] Disable Mod_security on a global URL<\/p>\n

Step 1) Create a global exclude file<\/p>\n

vim \/etc\/httpd\/modsecurity.d\/00_custom_exclude.conf<\/p>\n

Step 2) Add the LocationMatch for the url to exclude. Example: \/server.php<\/p>\n

<LocationMatch \/server.php>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleEngine Off
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

Step 3) Restart apache<\/p>\n

service httpd restart<\/p>\n

[edit] Disable Mod_security for an IP address<\/p>\n

In ASL, just click the “Whitelist” button.<\/p>\n

If you are not using ASL, simply add your IP address to the file:<\/p>\n

\/etc\/asl\/whitelist<\/p>\n

And restart Apache.<\/p>\n

Note: For this rule to work, in ASL you must have the MODSEC_00_WHITELIST ruleset enabled.<\/p>\n

If you are not using ASL, then you must have the 00_asl_whitelist.conf ruleset loaded.<\/p>\n

[edit] Whitelist an IP<\/p>\n

See above, “Disable Mod_security for an IP address”
[edit] Disable a rule for a single domain<\/p>\n

If you have ASL installed:<\/p>\n

Method 1:<\/p>\n

Log into the ASL GUI, and click on the “Configuration” tab. Then click “Rule Management”, then click the “Rules” tab, then click the “WAF” tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down error which will pull up the options for this rule.<\/p>\n

Type in the vhost name into the Text box on the left side of the options, then click “add”.<\/p>\n

Keep in mind this is literal, so if you have a vhost with the name “example.com” that serves content for “ftp.example.com” and “www.example.com” you will need to add those FQDNs as well.<\/p>\n

Method 2: Run this command as root:<\/p>\n

\u00a0asl -dr RULE_ID –vhost www.example.com<\/p>\n

Replace RULE_ID with the ID of the rule you want to disable for the vhost. Keep in mind this is literal, so if you have a vhost with the name “example.com” that serves content for “ftp.example.com” and “www.example.com” you will need to add those as well. For example:<\/p>\n

\u00a0asl -dr RULE_ID –vhost www.example.com<\/p>\n

\u00a0asl -dr RULE_ID –vhost ftp.example.com<\/p>\n

\u00a0asl -dr RULE_ID –vhost example.com<\/p>\n

If you do not have ASL installed you will have to do this manually:<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005<\/p>\n

<LocationMatch .*>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleRemoveById 950005
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

If you want to disable multiple rules:<\/p>\n

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006<\/p>\n

<LocationMatch .*>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleRemoveById 950005
\u00a0\u00a0\u00a0 SecRuleRemoveById 950006
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

[edit] Disable Mod_security rule for a specific application in a single domain<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005<\/p>\n

<LocationMatch \/URL\/path\/to\/application.php>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleRemoveById 950005
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

[edit] Disable Mod_security rule for all domains<\/p>\n

Method 1:<\/p>\n

Log into the ASL GUI, and click on the “Configuration” tab. Then click “Rule Management”, then click the “Rules” tab, then click the “WAF” tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down error which will pull up the options for this rule.<\/p>\n

Set “disabled” to yes and click update.<\/p>\n

Method 2:<\/p>\n

Use ASL utility to disable rule by ID. Example: 950005<\/p>\n

asl –disable-rule 950005<\/p>\n

Note: This requires that Atomic Secured Linux be installed. If you do not have Atomic Secured Linux installed you can disable a rule globally manually by adding a rule to your own custom rules files that contains a line similar to this:<\/p>\n

<LocationMatch .*>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleRemoveById 340000
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

Custom rules should be loaded after atomicorp rules. A good place to add this, again only if you do not have ASL installed, is in the 999_user_exclude.conf file. If you don’t have this file, just create it. Then make sure your modsecurity configuration is setup to load this file.
[edit] Disable Mod_security rules globally for a specific application<\/p>\n

Add this to either you vhost.conf file, or if your want to make this global make sure this exclusion is loaded after your rules are loaded. A good place to add this in the 999_user_exclude.conf file. If you don’t have this file, just create it. Then make sure your modsecurity configuration is setup to load this file.<\/p>\n

<LocationMatch \/url\/to\/your\/application>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRuleRemoveById 1234567
\u00a0\u00a0\u00a0 SecRuleRemoveById 9999999
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

Whats important to remember is that the LocationMatch variable must match the URL, not the path on the system.
[edit] Disable Mod_security rules by domain, for a specific application, for a list of IPs<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the LocationMatch for the rule to exclude.<\/p>\n

<LocationMatch \/foo\/bar.php>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRule REMOTE_ADDR “@pmFromFile \/etc\/asl\/whitelist” “nolog,phase:1,allow”
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

Step 3) Add IP to \/etc\/asl\/whitelist<\/p>\n

echo “10.11.12.13” >> \/etc\/asl\/whitelist<\/p>\n

Or:<\/p>\n

If you want to create a special whitelist for just that application:<\/p>\n

Step 1) Edit the vhost\/vhost_ssl.conf for the domain<\/p>\n

vim \/var\/www\/vhosts\/<DOMAINNAME>\/conf\/vhost.conf<\/p>\n

Step 2) Add the LocationMatch for the rule to exclude.<\/p>\n

<LocationMatch \/foo\/bar.php>
\u00a0 <IfModule mod_security2.c>
\u00a0\u00a0\u00a0 SecRule REMOTE_ADDR “@pmFromFile \/path\/to\/your\/custom\/whitelist_for_this_application” “nolog,phase:1,allow”
\u00a0 <\/IfModule>
<\/LocationMatch><\/p>\n

Step 3) Create your custom whitelist and add IP to \/etc\/asl\/whitelist<\/p>\n

echo “10.11.12.13” >> \/path\/to\/your\/custom\/whitelist_for_this_application<\/p>\n

Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
[edit] Customizing a rule<\/p>\n

If you need to customize a rule do not change the asl*conf files. These files will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something we recommend you report it to use as a False Postive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security action SecRuleRemoveById. Here is a simple example:<\/p>\n

If you had an original rule like this:<\/p>\n

\u00a0SecRule REQUEST_URI “\/foo” “t:normalisePath,id:9000000,rev:1,severity:2,msg:’Atomicorp.com WAF Rules: Block \/foo'”<\/p>\n

And you want it to block “bar” instead of “foo”, then you would copy the entire rule into your own custom rule file. If you are using our rules we recommend you use the filename 99_asl_zzz_custom.confm and change the id: field to an unused ID.<\/p>\n

\u00a0SecRuleRemoveById 9000000
\u00a0SecRule REQUEST_URI “\/bar” “t:normalisePath,id:9999999,rev:1,severity:2,msg:’Atomicorp.com WAF Rules: Block \/foo'”<\/p>\n

These are the reserved ranges:<\/p>\n

\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 100,000-199,999; reserved for internal use of the engine, to assign to rules that do not have explicit IDs.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 200,000-299,999; reserved for rules published at modsecurity.org.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 300,000-399,999; reserved for rules published at gotroot.com.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 400,000-419,999; unused (available for reservation).
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 420,000-429,999; reserved for ScallyWhack.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 430,000-699,999; unused (available for reservation).
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 700,000-799,999; reserved for Ivan Ristic.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 900,000-999,999; reserved for the Core Rules project.
\u00a0\u00a0 *\u00a0\u00a0\u00a0\u00a0 1,000,000 and above; unused (available for reservation).<\/p>\n

 <\/p>\n

Apache ModSecurity – IP Whitelist
Add this rule to ModSecurity rules:<\/p>\n

SecRule REMOTE_ADDR “^192\\.168\\.2\\.15$” phase:1,nolog,allow,ctl:ruleEngine=off<\/p>\n

It means the IP 192.168.2.15 will be ignored by ModSecurity.<\/p>\n

Don’t forget to restart Apache after adding new rule.<\/p>\n","protected":false},"excerpt":{"rendered":"

1 Disabling Mod_Security Globally 2 Disabling Mod_security per domain 3 Disabling Mod_security per domain for an IP address 4 Disable Mod_security on a global URL 5 Disable Mod_security for an IP address 6 Whitelist an IP 7 Disable a rule for a single domain 8 Disable Mod_security rule for a specific application in a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1542"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1542"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1542\/revisions"}],"predecessor-version":[{"id":1545,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1542\/revisions\/1545"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}