• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Disable rules by id for Mod security with Atomic rules

O

Oto Tortorella

Basic Pleskian
Hello there,

I've mod_security active with the Atomic Ruleset and I need to disable some rules using their ID.
I go to "Web Application Firewall" into the website overview page and i put the rule ID into the field "Switch off security rules" -> "Security rule IDs" but nothing happens. The rules remain active and continue to be used to block the event.

If i try to search in the field below, "Tags", nothing shows up.

Does this interface work for the Atomic ruleset?
If not, why is it enabled?

Cheers
Oto Tortorella
 
You can do this from the command line (assuming you are using ASL)

you would use the asl command with one of the following flags

-dr --disable-rule Disable modsec rule(s) by signature ID
Usage: -dr 123456[,123457,...]

-drv --disable-rule-vhost Disable modsec rule(s) by vhost(s)
Usage: -drv 123456[,123457] foo.bar.com[,bar.foo.com,...]
Each rule id will be disabled on each vhost



Then restart httpd
 
Yes thanks, but how can the customer disable a problematic rule?
I was confident that the web interface to the rule management was functional.
Atomic rules are very well done and infrequently cause problems, but sometimes they do.
 
Honestly allowing the customer (end user) to disable rules is a bad idea in my mind - they could disable something truly intended to protect the server and provide critical functionality. I would recommend that you manage the rules and if they require something have them contact you.
 
I have experieced resellers and they are perfectly able to manage this kind of things. The server is their so they should be able to manage that.
The other point is that if the web managing interface is present it should work or should be disabled when Atomic is selected.
The way it works now seems buggy to me.

Thank you for your reply.
 
Completely agree with you Oto, this interface should be disabled if it does nothing, right now it causes confusion where you expect a rule to be disabled and nothing happens.
 
I though I was having this same issue. I found that putting the ID in the Security rule IDs box and clicking Apply did not cause the rule to be instantly disabled. Something needed restarting (not sure if it was apache, or nginx, or something else). By switching that domain to Detection Only and then right back to On, the rule was disabled for that domain.
 
I also find that, recently, it started to work. Putting a rule ID in the box disables the rule even if you are using Atomic.
Cheers!
 
You must log in or register to reply here.

Similar threads

brother4
Question Custom rules for Mod Seruity 3.0 Nginx - WordPress protection
Replies
2
Views
268
brother4
brother4
Q
Issue mod security settings for nextcloud works only fo several hours
Replies
0
Views
1K
Quit96
Q
michaeljoseph01
Question How to block non-mail traffic to certain ip?
Replies
1
Views
993
MarkM
MarkM
michaeljoseph01
Question Imunify360 or fail2ban PLEASE give me your input
Replies
6
Views
3K
The 8th
The 8th
F
Resolved Web Application Firewall Security Rules Not Deactivating
Replies
2
Views
2K
FizzyDev
F
Back
Top