1. View ModSecurity Audit Log File.
- We need to first find the rules that are being triggered by ModSecurity on your webserver.
- Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file.
- For Apache2 servers it is located in /var/log/apache2/
- Open the Terminal Window and enter :
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
- The output should look similar to this screenshot below.
- Look for Access denied with code 403 and work backwards to find the start of the rule entry based on the log entry id.
- In this case the log entry ID is –00aee77f (see marked in yellow)
- Find the GET item – in this example it is /modern-classic (see marked in blue)
- Find the ModSecurity rule that was triggered by the GET – in this example the rule id 958291 (see marked in purple)
2. Create a Local Exceptions ModSecurity rule file.
- To disable / exclude certain ModSecurity rules you need to create a local exceptions file.
- There are various places you can create this file; you only need to make sure that ModSecurity loads it during startup.
- We are going to create a whitelist.conf file in the /etc/modsecurity/activated_rules/ directory as all files with .conf extension will be loaded during ModSecurity startup.
- Open the Terminal Window and enter :
sudo vi /etc/modsecurity/activated_rules/whitelist.conf
- For our example we add the location of the GET and ModSecurity rule id from step 1.
- Add the following to your whitelist.conf file and save :
<LocationMatch "/modern-classic">
    SecRuleRemoveById 958291
</LocationMatch>
- You need to add the location as a regex of the directory path or file that is causing the ModSecurity rule to be triggered.
- In the following example we add the location directly to the file that triggers the ModSecurity rule.
<LocationMatch "/wp-admin/update.php">
    SecRuleRemoveById 981173
</LocationMatch>
3. Restart Webserver.
- For the changes to take effect you need to restart your webserver.
- For Apache2 servers, open the Terminal Window and enter :
sudo service apache2 restart
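The lookup in step 1 and the exclusion in step 2 can be scripted; the Python below is an added example, not part of the original tutorial, that pulls the entry ID, request path and rule id out of each 403 denial and prints a matching exclusion block. It anchors the pattern with ^ and $ so the rule is removed for that exact path only (an unanchored LocationMatch regex matches any URL containing the string), and it refuses paths with unexpected characters because the request line is client-controlled. Assumptions: the serial audit log layout with parts B and H enabled; the function names and the sample log are constructed for illustration.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --00aee77f-H--
RULE_ID = re.compile(r'\[id "([0-9]+)"\]')
SAFE_PATH = re.compile(r"/[A-Za-z0-9/._-]*")

def denied_requests(log_text):
    """Return (entry_id, path, rule_id) for every 403 denial, in log order."""
    found, entry_id, part, path, want_request = [], None, None, None, False
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if m.group(1) != entry_id:  # a new transaction begins
                entry_id, path = m.group(1), None
            part, want_request = m.group(2), m.group(2) == "B"
        elif want_request:  # first line of part B is the request line
            fields = line.split()
            path = fields[1].split("?", 1)[0] if len(fields) >= 2 else None
            want_request = False
        elif (part == "H" and line.startswith("Message:")
              and "Access denied with code 403" in line):
            found.extend((entry_id, path, rid) for rid in RULE_ID.findall(line))
    return found

def exclusion_block(path, rule_id):
    """Build an exact-path exclusion; refuse paths that need manual review."""
    if not path or not SAFE_PATH.fullmatch(path) or not rule_id.isdigit():
        raise ValueError("review by hand: %r" % (path,))
    pattern = "^" + path.replace(".", r"\.") + "$"
    return ('<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (pattern, rule_id))

# Constructed sample in the serial audit log layout (not taken from the page).
SAMPLE_LOG = """\
--00aee77f-A--
[01/Jan/2024:10:00:00 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 50000 192.0.2.1 80
--00aee77f-B--
GET /modern-classic?page=2 HTTP/1.1
Host: www.example.com

--00aee77f-H--
Message: Access denied with code 403 (phase 2). [file "example.conf"] [id "958291"]
Action: Intercepted (phase 2)

--00aee77f-Z--
"""

if __name__ == "__main__":
    for entry_id, path, rule_id in denied_requests(SAMPLE_LOG):
        print("# entry %s" % entry_id)
        print(exclusion_block(path, rule_id))
```

Review each printed block before copying it into whitelist.conf; a ValueError means the logged path should be inspected by hand rather than pasted into the configuration.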