
How do I disable mod_security?

nawialkair

Guest
I need to disable mod_security and mod_security2

How do I do that?
 
If you want to disable mod security, you are asking to get hacked, imo.

If server wide removal:
RPM package : rpm -e mod-security
Manually Installed: remove it from httpd.conf - just place a # in front of the LoadModule
Code:
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

If you are implying domain wide, I don't believe you can turn it off for just one domain, but you can disable certain rules per domain in a vhost.conf file.

Something like
Code:
<Directory /var/www/vhosts/domain.com/httpdocs>
SecRuleRemoveByID <ruleID>
</Directory>

If you're adding a new vhost.conf for the domain, you may need to run
Code:
/usr/local/psa/admin/bin/websrvmng -v -a

and then of course, regardless of specific domain or server wide, restart the web server
Code:
/sbin/service httpd restart
 
I used .htaccess file with following content in it:
SecFilterEngine Off
SecFilterScanPOST Off

but got an error
Internal server error


How do I know that mod_security is disabled?
 
I mentioned this before, you can't turn it off on a single domain as far as I know. I have never heard of anyone doing it successfully with .htaccess files. It's either turned on server wide or it's not.
 
Why would you want to turn off mod-security? If you are getting false positives, then do some exclusion for the affected domain like hostingguy said. Turning it off is inviting script kiddies to turn your server into a playing ground.
 
I mentioned this before, you can't turn it off on a single domain as far as I know. I have never heard of anyone doing it successfully with .htaccess files. It's either turned on server wide or it's not.

You can manage most of the main mod_security settings from a .htaccess file, so you can control it down to a per-domain, per-directory and/or per-file basis, switching off individual rules, adding new ones and just turning it off.

We use this level of configuration all the time and it works without a problem.

However, 'SecFilterEngine Off' is correct for version 1.9.x of mod_security, but in the later versions it's now 'SecRuleEngine Off' and can still be managed by the .htaccess file.

However, you need to make sure that Apache is configured to allow these commands with the .htaccess files (on by default, so you'd have to change the configuration to change the level of control offered).
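
An added example, not part of any post in this thread: a shell check that walks a vhosts tree and reports where mod_security has been switched off, where single rules have been excluded, and where the 1.9.x-only `SecFilter*` names mentioned above are still in use. The function names, the tags, the temporary sample tree and the rule ID 900001 are constructed for illustration.

```shell
#!/bin/sh
# audit_modsec DIR: list ModSecurity switches found in .htaccess and vhost.conf
# files under DIR, one "file:line:TAG:directive" record per finding.
audit_modsec() {
    find "$1" -type f \( -name .htaccess -o -name vhost.conf \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }    # commented-out directives are inactive
            {
                line = $0
                sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
                split(line, w, /[ \t]+/)
                # Apache directive names are case-insensitive
                d = tolower(w[1]); v = tolower(w[2]); gsub(/"/, "", v)
                tag = ""
                if (d ~ /^secfilter/) tag = "LEGACY_1X"    # 1.9.x-only names
                else if (d == "secruleengine" && v == "off") tag = "ENGINE_OFF"
                else if (d == "secruleengine" && v == "detectiononly") tag = "DETECT_ONLY"
                else if (d ~ /^secruleremoveby(id|msg|tag)$/) tag = "RULE_EXCLUDED"
                if (tag != "") printf "%s:%d:%s:%s\n", file, NR, tag, line
            }' "$f"
    done
}

# Constructed sample tree: the .htaccess from the thread plus a vhost.conf
# with one rule exclusion (rule ID 900001 is made up) and a commented switch.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/domain.com/httpdocs" "$d/domain.com/conf"
    printf 'SecFilterEngine Off\nSecFilterScanPOST Off\n' \
        > "$d/domain.com/httpdocs/.htaccess"
    printf '<Directory /var/www/vhosts/domain.com/httpdocs>\n  SecRuleRemoveById 900001\n  # SecRuleEngine Off\n</Directory>\n' \
        > "$d/domain.com/conf/vhost.conf"
    echo "$d"
}

# Audit the directory given as an argument, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
    audit_modsec "$1"
else
    s=$(make_sample); audit_modsec "$s"; rm -rf "$s"
fi
```

A `LEGACY_1X` hit on a server that loads mod_security2 marks a directive Apache does not recognise, which in a .htaccess file is answered with an Internal Server Error.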
 