ModSecurity, also known as ModSec, is a web server module that works as a web application firewall (WAF), filtering out malicious requests based on rule sets.
However, it can sometimes block legitimate requests, resulting in a 406 error when trying to complete a specific action or access a web page. While disabling ModSecurity will prevent these errors, it is not recommended, because doing so turns off the filtering for every request.
Instead, the preferred solution is to disable the specific ModSecurity rule that is causing the issue. Here we cover the steps to determine and disable a ModSecurity rule that is inhibiting website functionality on your VPS or Dedicated server.
IMPORTANT: This solution will require root access. If this needs to be obtained, follow the guide on requesting root access.
1. Log into CWP Admin.
2. Expand the Security drop-down and click Mod Security.
3. Select the Logs tab and review the logs for a line similar to the following example:

   [Wed Nov 13 xx:xx:xx.xx xxxx] [:error] [pid 27189] [client xx.xx.xx.xx:xxxxx] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "Xcw0ipq6HORiGQf95hXF2gAAAAs"], referer: https://domain.com/wp-login.php

   TIP: The search can be narrowed by entering an IP address and selecting a domain from the drop-down list.
4. Locate the ID.

   EXAMPLE: In the example log entry from step 3, the information we are looking for is [id "13052"].
5. Select the Domains tab and click on Edit rules.
6. Enter the rule ID and click on Add.
7. Navigate to the Dashboard and look for the Services Status section.
8. Restart Apache Webserver by clicking on Restart.
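When the log holds many denials, the "locate the ID" step can be scripted. The following is an added example, not part of the original article or of CWP: it parses lines in the format shown in the example log entry and groups denials by hostname, rule ID and URI, so only the rule that actually fires for a given domain is disabled. The sample lines are constructed; rule ID 999001, the hostname shop.example, the timestamps, unique_id values and client addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the article's log entry (not real traffic).
SAMPLE_LOG = """\
[Wed Nov 13 10:01:02.12 2019] [:error] [pid 27189] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED-0001"], referer: https://domain.com/wp-login.php
[Wed Nov 13 10:05:40.55 2019] [:error] [pid 27190] [client 198.51.100.20:40022] [client 198.51.100.20] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED-0002"], referer: https://domain.com/wp-login.php
[Wed Nov 13 10:07:11.03 2019] [:error] [pid 27191] [client 203.0.113.7:51300] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match at ARGS:q. [file "/constructed/rules.conf"] [line "5"] [id "999001"] [msg "Constructed example rule"] [severity "WARNING"] [hostname "shop.example"] [uri "/search"] [unique_id "CONSTRUCTED-0003"]
[Wed Nov 13 10:08:00.00 2019] [core:error] [pid 27192] [client 203.0.113.7:51301] AH00126: Invalid URI in request GET / HTTP/1.1
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
CLIENT = re.compile(r'\[client ([^\]]+)\]')
DENIED = re.compile(r'ModSecurity: Access denied with code (\d+)')

def parse_denial(line):
    """Return the fields of one ModSecurity denial, or None for any other line."""
    denied = DENIED.search(line)
    if not denied:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)      # keep the first value; "tag" can repeat
    if "id" not in fields:
        return None
    clients = CLIENT.findall(line)
    fields["code"] = denied.group(1)
    fields["client"] = clients[-1] if clients else "?"   # last entry has no port
    return fields

def summarize(lines):
    """Group denials by (hostname, rule id, uri): hit count and distinct clients."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        g = groups[(d.get("hostname", "?"), d["id"], d.get("uri", "?"))]
        g["hits"] += 1
        g["clients"].add(d["client"])
        g["msg"] = d.get("msg", "")
    return dict(groups)

if __name__ == "__main__":
    for (host, rule_id, uri), g in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f'{host} id={rule_id} uri={uri} hits={g["hits"]} clients={len(g["clients"])} msg="{g["msg"]}"')
```

Feed `summarize()` the lines copied from the Logs tab or read from the Apache error log; each key gives the domain and the rule ID to enter under Edit rules.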