Saturday, 26 November 2011

mod_security disable - how to disable mod_security for a user.



I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall – it blocks a lot of the usual routes that people use to hack websites. In particular, it scans POST requests (sent when you 'save' something on a website) and returns a 406 error for anything it considers suspicious.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:



<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

If this doesn't work, create a conf file and disable mod_security for the domain. Follow the steps below.

You have to create an individual rule for that domain. The Apache configuration shows which directories are included:



-----------

Include "/usr/local/apache/conf/userdata/*.conf"
Include "/usr/local/apache/conf/userdata/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/*.conf"
Include "/usr/local/apache/conf/userdata/std/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/2/*.conf"
Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"

-----------  



Now create a customized file to disable mod_security for that domain alone.



# cd /usr/local/apache/conf/userdata/std/2/
# mkdir USERNAME

(e.g. if the domain name is google.com and the username is goog, then create a directory named goog)

# cd goog/
# mkdir google.com
# cd google.com
# touch mod_security2.conf
# vi mod_security2.conf

Now, add these lines to that file:



<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

Save and exit.

Then restart Apache:
/etc/init.d/httpd restart
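
The per-domain steps above as one script, added here as an example and not part of the original post. The function names and the USERDATA_DIR variable are made up for this example; the script checks the username and domain before using them as directory names, because the directories are created as root.

```shell
#!/bin/sh
# Added example: writes the per-domain mod_security2.conf described above.
# USERDATA_DIR defaults to the path used in the post; the variable and the
# function names below are assumptions of this example.
USERDATA_DIR="${USERDATA_DIR:-/usr/local/apache/conf/userdata/std/2}"

# Accept only plain account names and hostnames: no "/", no "..",
# no leading "." or "-", nothing outside letters, digits, ".", "_", "-".
valid_name() {
    case "$1" in
        ''|.*|-*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Usage: write_modsec_override USERNAME DOMAIN
# Prints the path of the file it wrote.
write_modsec_override() {
    user="$1"; domain="$2"
    valid_name "$user"   || { echo "bad username: $user" >&2; return 1; }
    valid_name "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    dir="$USERDATA_DIR/$user/$domain"
    mkdir -p "$dir" || return 1
    # Write to a temporary name, then rename, so a *.conf include
    # never picks up a half-written file.
    tmp="$dir/.mod_security2.conf.$$"
    cat > "$tmp" <<'EOF' || return 1
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
EOF
    mv "$tmp" "$dir/mod_security2.conf" || return 1
    echo "$dir/mod_security2.conf"
}

# When called with two arguments, e.g. "sh script.sh goog google.com".
if [ "$#" -eq 2 ]; then
    write_modsec_override "$1" "$2"
fi
```

Running `apachectl configtest` before the restart catches a syntax error in the new file while the old configuration is still serving requests.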
