
How do I disable mod_security?

Discussion in 'Plesk for Linux - 8.x and Older' started by nawialkair, Dec 11, 2007.

  1. nawialkair

    I need to disable mod_security and mod_security2

    How do I do that?
     
  2. Amin Taheri

    If you want to disable mod security you are asking to get hacked imo

    If server wide removal:
    RPM package : rpm -e mod-security
    Manually Installed: remove it from httpd.conf - just place a # in front of the LoadModule
    Code:
    LoadModule security2_module modules/mod_security2.so
    LoadModule unique_id_module modules/mod_unique_id.so
    
    If you are implying domain wide, I don't believe you can turn it off for just one domain, but you can disable certain rules per domain in a vhost.conf file.

    Something like
    Code:
    <Directory /var/www/vhosts/domain.com/httpdocs>
    SecRuleRemoveByID <ruleID>
    </Directory>
    
    If you're adding a new vhost.conf for the domain you may need to run
    Code:
    /usr/local/psa/admin/bin/websrvmng -v -a
    
    and then of course regardless of specific domain or server wide, restart the web server
    Code:
    /sbin/service httpd restart
    
     
  3. nawialkair

    I used .htaccess file with following content in it:
    SecFilterEngine Off
    SecFilterScanPOST Off

    but got an error
    Internal server error


    How do I know that mod_security is disabled?
     
  4. Amin Taheri

    I mentioned this before: you can't turn it off on a single domain as far as I know. I have never heard of anyone doing it successfully with .htaccess files. It's either turned on server wide or it's not.
     
  5. shoggy24

    Why would you want to turn off mod-security? If you are getting false positives, then do some exclusion for the affected domain like hostingguy said. Turning it off is inviting script kiddies to turn your server into a playing ground.
     
  6. jonathanjab

    You can manage most of the main mod_security settings from a .htaccess file, so you can control it down to a per-domain, per-directory and/or per-file basis, switching off individual rules, adding new ones and just turning it off.

    We use this level of configuration all the time and it works without a problem.

    However, 'SecFilterEngine Off' is correct for version 1.9.x of mod_security, but in the later versions it's now 'SecRuleEngine Off' and can still be managed by the .htaccess file.

    However, you need to make sure that Apache is configured to allow these commands with the .htaccess files (on by default, so you'd have to change the configuration to change the level of control offered).
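
A read-only audit for the settings this thread discusses, added here as an example (not code from any poster or from Plesk): it reports which ModSecurity module is actually loaded, where the engine is switched off, which rule IDs are excluded per directory, and where an engine directive belongs to a module generation that is not loaded. The sample config, its paths and rule IDs, and the function names are constructed for illustration.

```python
import re
# Constructed sample (not from the thread's server); rule IDs are placeholders.
SAMPLE = """\
LoadModule security2_module modules/mod_security2.so
#LoadModule security_module modules/mod_security.so
SecRuleEngine On
<Directory /var/www/vhosts/example.com/httpdocs>
    SecRuleRemoveById 1001 1002
</Directory>
<IfModule mod_security2.c>
    <Directory /var/www/vhosts/example.org/httpdocs>
        SecFilterEngine Off
    </Directory>
</IfModule>
"""
# Engine directive understood by each module generation (1.x vs 2.x).
ENGINE_FOR = {"security_module": "secfilterengine", "security2_module": "secruleengine"}

def audit(conf_text):
    """Collect loaded ModSecurity modules, engine settings and removed rule IDs per scope."""
    report = {"loaded": [], "engine": {}, "removed": {}, "unsupported": []}
    scope = ["server"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # a commented LoadModule is not loaded
            continue
        opened = re.match(r"<(\w+)\s*(.*?)>$", line)
        if opened:                                   # only path-like sections rename the scope
            named = opened.group(1).lower().startswith(("directory", "location", "files"))
            scope.append(opened.group(2).strip('"') if named else scope[-1])
            continue
        if line.startswith("</"):
            scope = scope[:-1] or ["server"]         # a stray closer never empties the stack
            continue
        name, *args = line.split()
        if name.lower() == "loadmodule" and args and args[0] in ENGINE_FOR:
            report["loaded"].append(args[0])
        elif name.lower() in ENGINE_FOR.values() and args:
            report["engine"][scope[-1]] = (name, args[0].lower())
        elif name.lower() == "secruleremovebyid":
            report["removed"].setdefault(scope[-1], []).extend(args)
    known = {ENGINE_FOR[m] for m in report["loaded"]}  # directives the loaded modules define
    report["unsupported"] = sorted(
        s for s, (n, _) in report["engine"].items() if n.lower() not in known)
    return report

def inspection_off(report):
    """Scopes with inspection disabled; the whole server when no module is loaded."""
    off = [s for s, (_, v) in report["engine"].items()
           if v == "off" and s not in report["unsupported"]]
    return off if report["loaded"] else ["server"]
```

The function reads only the text it is given, so concatenate httpd.conf with the included vhost.conf files before passing it in.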
     