ModSecurity<\/strong> is a widely used web application firewall (WAF) that helps protect websites from common attacks such as SQL injection, cross-site scripting (XSS), and other vulnerabilities. It is commonly enabled in hosting environments managed through cPanel<\/strong>.<\/p>\n\n\n\n However, in some cases, ModSecurity rules may incorrectly block legitimate requests from a specific application, causing functionality issues. To resolve this, administrators can disable a particular ModSecurity rule for a specific domain without turning off the entire firewall, ensuring both security and application functionality are maintained. Before disabling a ModSecurity rule for a specific application\/domain, ensure the following:<\/p>\n\n\n\n If you face any mod_security issue, don’t white list the whole domain from mod_security rules. But override the mod_security settings for the domain narrowly, so that override is allowed for only particular page and particular rule. Follow the steps below to trouble shoot mod_security issues.<\/p>\n 1) Tail the apache error logs and find the error.<\/p>\n \u00a0<\/p>\n 2) Every rule has an Id and URL causing the mod_security issue. So overriding them alone will solve the issue. Check the sample aoache logs below.<\/p>\n ++++++++++++++++++++++++++++<\/p>\n [19:37] [Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file “\/usr\/local\/apache\/conf\/modsec_rules\/30_asl_antispam.conf”] [line “116”] [id “300023”]<\/strong> [rev “1”] [msg “Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument<\/strong> (Disable if you wish to allow 4 or more URLs in a post)”] [data “[http:\/\/domainname.com] |- | ahx || mitch schwenk || |- | almico || alfredo milani ccrestron || […”] [severity “ERROR”] Access denied with code 403 (phase 2). Pattern match “(\\\\[ ?http:\/\/.*){4,}” at ARGS:wpTextbox1. [hostname “domainname.com”] [uri “\/index.php”] <\/strong>[unique_id “TmZm@lUN67oAACO3LgMAAAAN”]<\/p>\n ++++++++++++++++++++++++++++<\/p>\n \u00a0<\/p>\n Here ID is 300023 and the URL is index.php. The error is Mutiple embedded URL used.<\/p>\n \u00a0<\/p>\n 3) To override this, create a new directory\u00c2\u00a0<\/p>\n \u00a0<\/p>\n mkdir -p \/usr\/local\/apache\/conf\/userdata\/std\/2\/username\/domainname\/<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n 4) Create mod_security2.conf file. vi \/usr\/local\/apache\/conf\/userdata\/std\/2\/username\/domainname\/mod_security.conf<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n 5) Paste the following contents in the file based on the data collected in step 2.<\/p>\n \u00a0<\/p>\n ++++++++++<\/p>\n ++++++++++<\/p>\n \u00a0<\/p>\n We are overriding the settings by URL and ID match.<\/p>\n \u00a0<\/p>\n Eg:<\/p>\n ++++++++++<\/p>\n ++++++++++<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n 6) Run the script\u00c2\u00a0<\/p>\n \u00c2\u00a0 \/scripts\/ensure_vhost_includes –user=username.<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n 7) check whether the file is included in httpd using the command below.<\/p>\n \u00a0<\/p>\n grep “std\/2\/username” conf\/httpd.conf<\/p>\n \u00a0<\/p>\n 8) Restart the apache.<\/p>\n \u00a0<\/p>\n Disabling a ModSecurity rule for a specific domain is an effective way to resolve false positives while keeping overall server security intact. Instead of disabling ModSecurity entirely, selectively turning off problematic rules ensures that your application runs smoothly without compromising protection.<\/p>\n Proper monitoring and testing after making changes are essential to maintain a secure and stable hosting environment.<\/p>\n \u00a0<\/p>","protected":false},"excerpt":{"rendered":"
<\/p>\n\n\n\nPre-requisites<\/h2>\n\n\n\n
\n
\/usr\/local\/apache\/logs\/error_log<\/code> or \/var\/log\/apache2\/error.log<\/code><\/li>\n<\/ul>\n\n\n\nIMPLEMENTATION<\/h2>\n\n\n
SecRuleRemoveById ruleId<\/p>\n
SecRuleRemoveById 300023<\/p>\nConclusion<\/h2>\n