
Disable rule by ID in ModSecurity on Apache

I set up ModSecurity on a web server and it works fine. But in some cases it blocks requests and gives an Access Denied page. Below are the unwanted rule IDs, which I got from reading the log file.

950109 950901 958291 960024 973338 981172 981173 981231 981242 981243 981245 981246 981248 981257 981260 981318 981319 981320

Some articles say those IDs are frequent false positives. So I want to disable those IDs.

That is a valid approach, but a bit coarse. The tutorials at https://netnea.com/apache-tutorials explain the details.

Besides, you are using an outdated version of the Core Rule Set. You should go and check out https://coreruleset.org. Update to CRS3 and 90% of your false positives will be gone.

After searching, I found a solution to disable those rule IDs. This is how I disabled them.

Add this at the end of /etc/apache2/mods-available/security2.conf:

    <IfModule mod_security2.c>
        SecRuleRemoveById 950109
        SecRuleRemoveById 950901
        SecRuleRemoveById 958291
        SecRuleRemoveById 960024
        SecRuleRemoveById 973338
        SecRuleRemoveById 981172
        SecRuleRemoveById 981173
        SecRuleRemoveById 981231
        SecRuleRemoveById 981242
        SecRuleRemoveById 981243
        SecRuleRemoveById 981245
        SecRuleRemoveById 981246
        SecRuleRemoveById 981248
        SecRuleRemoveById 981257
        SecRuleRemoveById 981260
        SecRuleRemoveById 981318
        SecRuleRemoveById 981319
        SecRuleRemoveById 981320
    </IfModule>

Then restart Apache:

    service apache2 restart

Now it's working fine.

This can also be typed on one line:

    <IfModule mod_security2.c>
        SecRuleRemoveById 950109 950901 958291 960024 973338 981172 981173 981231 981242 981243 981245 981246 981248 981257 981260 981318 981319 981320
    </IfModule>
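A narrower alternative to removing every rule globally, as an added example that is not part of the original question or answers: tally which rule IDs fire on which URIs in the log, then draft per-path `SecRuleRemoveById` exclusions for rules that only misfire in a few places. The log lines are constructed samples in the ModSecurity 2.x error-log tag format, and the function names and the `max_uris` threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines shaped like ModSecurity 2.x entries in the Apache error log.
_P = '[Mon Jan 06 10:00:00 2020] [:error] [client 192.0.2.10] ModSecurity: Warning. '
SAMPLE_LOG = "\n".join([
    _P + '[id "981172"] [msg "constructed"] [hostname "example.test"] [uri "/app/login"]',
    _P + '[id "981172"] [msg "constructed"] [hostname "example.test"] [uri "/app/login"]',
    _P + '[id "981173"] [msg "constructed"] [hostname "example.test"] [uri "/app/login"]',
    _P + '[id "960024"] [msg "constructed"] [hostname "example.test"] [uri "/a"]',
    _P + '[id "960024"] [msg "constructed"] [hostname "example.test"] [uri "/b"]',
    _P + '[id "960024"] [msg "constructed"] [hostname "example.test"] [uri "/c"]',
    '[Mon Jan 06 10:00:00 2020] [core:notice] unrelated line',
])

TAG = re.compile(r'\[(id|uri) "([^"]*)"\]')
# Logged URIs are client-controlled: only plain paths may be echoed into config.
SAFE_URI = re.compile(r'/[\w./-]*', re.ASCII)

def tally(log_text):
    """Return {rule_id: Counter({uri: hits})} over all ModSecurity log lines."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        tags = dict(TAG.findall(line))
        if "id" in tags:
            hits[tags["id"]][tags.get("uri", "")] += 1
    return hits

def suggest(hits, max_uris=2):
    """Rules seen on few, plain URIs get per-path exclusions; the rest stay global candidates."""
    scoped, global_ids = defaultdict(list), []
    for rule_id, uris in sorted(hits.items()):
        if len(uris) <= max_uris and all(SAFE_URI.fullmatch(u) for u in uris):
            for uri in sorted(uris):
                scoped[uri].append(rule_id)
        else:
            global_ids.append(rule_id)
    return dict(scoped), global_ids

def render(scoped, global_ids):
    """Draft Apache config for manual review; it is never applied automatically."""
    out = []
    for uri, ids in sorted(scoped.items()):
        out += [f'<Location "{uri}">', f"    SecRuleRemoveById {' '.join(ids)}", "</Location>"]
    if global_ids:
        out.append(f"SecRuleRemoveById {' '.join(global_ids)}")
    return "\n".join(out)
```

Calling `render(*suggest(tally(open(path).read())))` on a real error log gives a draft to review by hand; the exclusions must be loaded after the rules they remove.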
