Why and How to Disable Mod_Security?

why-and-how-disable-mod-securityAn apache module that helps to secure your website from several attacks is called Mod_security. Commonly known exploits are blocked with mod_security by using regular expressions and rule sets. It helps in strengthening the security of your servers by potentially blocking common code injection attacks.

No doubt mod-security can be useful when properly configured but many hosting providers don’t do this job correctly leading to problems. The commonly faced problems include triggering of security protocols on standard actions which should be allowed, 403 or 404 errors, access denied error, login issues, unable to modify categories and boards or similar problems.

When a dynamic website is coded there’s a possibility of users to forget to write the code to help prevent hacks by doing things like validating input. Mod_security can help the users those don’t have security checks enabled in their code.

The above code is a simple MySQL injection where visiting this will enable the database to DROP and delete the users table from the database. But if you have enabled mod_security on your server, it will block this from running or typically you might see a 404 error. Rules can be set-up to check http requests again and find whether the threat is present.

You can recognize mod_security very easily. Any website that calls a string forbidden by a mod_security rule that gives 406 error instead of displaying the page.

If you are a Dedicated or VPS customer you can disable mod_security for the complete server too. For this, select “No Configuration” from WHM > Mod_security.

Note: Mod_security is an extra layer of security and if your disable/remove it your server will be exposed to potential risks.

Steps to Manually Disable Mod_Security on a Dedicated or VPS Server –

You might need to disable mod_security for some applications to help them function correctly. This is fine and as the set_modsec tool is available only on shared servers, disabling mode_security for a single domain is a must.

Step 1: SSH login into the server and open the httpd.conf file. Search the VirtualHost entry for that specific domain.  Uncomment out the include line that looks as below –

NOTE: This line informs the Apache to INCLUDE into the VirtualHost config ANY file ending in .config. This is an advanced step.

Step 2:  Copy the uncommented line and mkdir

Step 3: To turn off mod_security insert the rule

Step 4: Restart Apache

Below are the Steps to Disable Mod_Security Rules on Dedicated or VPS Servers

In order to disable individual mod_security rules on Dedicated or VPS servers use SecRuleRemoveById. Check the apache error log (/usr/local/apache/logs/error_log) for finding the ID to disable. The domain that is having the problem can be grep and use Mod_security to find the problem –

This code will provide a section appearing like [id “950004”] which is the ID of mod_security rule that needs to be disabled.

Now enter the following line in an applicable .htaccess file (replace the error of your matched error with  950004 example used below)

Note: Including the SecRuleEngine Off line will completely disable Mod_Security.

This entry was posted in Web Hosting and tagged , , , . Bookmark the permalink.