Find and Disable Specific ModSecurity Rules

In this article, I’m going to discuss how to find and disable specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing how to go in and find what rules are getting triggered and how to disable them can be handy.

This article is going to assume that you already know how to enable a ModSecurity configuration file for your domain which is discussed in my previous article about how to disable ModSecurity for a domain. However, when you get to the part talking about using SecRuleEngine Off you won’t want to put that in your ModSecurity configuration file. As that completely turns off ModSecurity, in this article we’ll discuss using the SecRuleRemoveById setting instead to only disable one specific rule.

In order to follow along with this guide, you’ll need root access to either your VPS or dedicated server so that you have full access to modify your Apache configuration, and to create the ModSecurity configuration file.

Find ModSecurity Rules Getting Triggered

Following the steps below I’ll show you how you can use the Apache error log in order to determine what ModSecurity errors are being triggered on your websites.

1. Login to your server via SSH as the root user.
2. Run the following command to determine what ModSecurity rules are being triggered:

   grep ModSecurity /usr/local/apache/logs/error_log | grep "\[id" | sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-z0-9\-\_\.]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -n

   This will give you something back like this:

   129 990011 example.com /feed/
4668 950004 example.com /wp-content/themes/drone/jquery.cookie.js
29070 950004 www.example.com /wp-content/themes/drone/jquery.cookie.js
   
   So we can see that the ModSecurity rule ID 950004 has been triggered at least 33,738 between example.com and www.example.com when trying to request the /wp-content/themes/drone/jquery.cookie.js file.

3. In order to disable just the specific ModSecurity rule for the 95004 rule, run the following command:

   echo "SecRuleRemoveById 950004" >> /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf

   Note that when we use >> this is going to append the rule to our ModSecurity configuration file, so we don’t overwrite any previous rules we’ve allowed as well. If you don’t already have your ModSecurity configuration file included in your Apache configuration, be sure to follow my guide on how to enable ModSecurity include and create a configuration file which covers this.

   It’s also important to remember you can’t have the SecRuleEngine Off rule still in your ModSecurity configuration file if you’re just disabling specific rules, as it will completely turn off ModSecurity.

   
   
4. Restart Apache.

Depending on your needs, it may be helpful to change the audit log level for cleaner logging.

You should now know how to locate what ModSecurity rules are being triggered, and how to individually disable those specific rules to stop triggering 406 ModSecurity errors on your website.