In this article I'm going to discuss how to find and disable specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing how to go in and find what rules are getting triggered and how to disable them can be handy.

This article is going to assume that you already know how to enable a ModSecurity configuration file for your domain which is discussed in my previous article about how to disable ModSecurity for a domain. However when you get to the part talking about using SecRuleEngine Off you won't want to put that in your ModSecurity configuration file. As that completely turns off ModSecurity, in this article we'll discuss using the SecRuleRemoveById setting instead to only disable one specific rule.

In order to follow along with this guide you'll need root access to either your VPS or dedicated server so that you have full access to modify your Apache configuration, and to create the ModSecurity configuration file.

Find ModSecurity rules getting triggered

Following the steps below I'll show you how you can use the Apache error log in order to determine what ModSecurity errors are being triggered on your websites.

  1. Login to your server via SSH as the root user.
  2. Run the following command to determine what ModSecurity rules are being triggered:

    grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9\-\_\.]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

    This will give you something back like this:

    129 990011 example.com /feed/
    4668 950004 example.com /wp-content/themes/drone/jquery.cookie.js
    29070 950004 www.example.com /wp-content/themes/drone/jquery.cookie.js

    So we can see that the ModSecurity rule ID 950004 has been triggered at least 33,738 between example.com and www.example.com when trying to request the /wp-content/themes/drone/jquery.cookie.js file.

  3. In order to disable just the specific ModSecurity rule for the 95004 rule, run the following command:

    echo "SecRuleRemoveById 950004" >> /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf

    Note that when we use >> this is going to append the rule to our ModSecurity configuration file, so we don't overwrite any previous rules we've allowed as well. If you don't already have your ModSecurity configuration file included in your Apache configuration, be sure to follow my guide on how to enable ModSecurity include and create a configuration file which covers this.

    It's also important to remember you can't have the SecRuleEngine Off rule still in your ModSecurity configuration file if you're just disabling specific rules, as it will completely turn off ModSecurity.

You should now know how to locate what ModSecurity rules are being triggered, and how to indivdually disable those specific rules to stop triggering 406 ModSecurity errors on your website.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address
Name

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Like this Article?

Related Questions

Here are a few questions related to this article that our customers have asked:
Are the IMH modsecurity rules compliant with apache 2.4.6?
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2014-02-28 8:58 pm

Hi I have a setup with modsec but it wot disable rules that I need to disable to allow directory listing (Indexes). Come across this before?

This is in my /etc/modsecurity/modsecurity.conf file

SecRuleRemoveById 970011SecRuleRemoveById 971200SecRuleRemoveById 971201SecRuleRemoveById 971202

Staff
15,484 Points
2014-02-28 9:35 pm
Hello Anon,

Since I can't see your account, I am unable to determine if you have the permission to change the Modsec rule - you would need to have root access. If you're finding that you are unable to make the changes, make sure that the file permissions allow you to change it, if you're still having the problem, then contact our technical support team through email/phone/chat.

The technical support team may need to make the change for you, if you have a hosting account with us.

Regards,
Arnel C.
n/a Points
2014-04-07 4:55 am

I have problem with this on my site http://villasdiani.com/ can you halp me with that? :-( For me it realy sounds like chinese:-(

Staff
7,748 Points
2014-04-07 12:47 pm
Hello Martina,

Thank you for contacting us. Since your website seems to be hosted with Network Solutions we do not have access to your server.

We are still happy to help you, but will need more information. What are you trying to accomplish?

Are you having problems, or getting errors? Can you provide the errors?

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
Staff
15,897 Points
2014-04-07 12:47 pm
Hello Martina,

We are happy to help. At what part of the process are you getting stuck? Be sure you have root access in order to begin.

Kindest Regards,
Scott M

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

5 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!