Remove and Uninstall or Disable ModSecurity (mod_security)
ModSecurity is an open source embeddable web application firewall, or intrusion detection and prevention engine for web applications. ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure, by operating as an Apache Web server module mod_security or standalone, and thus increase web application security. However, misconfigured or overly strict rule sets, ModSecurity may cause your website to return various errors such as HTTP 403 Forbidden error or access denied error, login problems, or HTTP 412 Precondition Failed error, or HTTP 406 Not Acceptable error and other false positive symptoms.
To make matter worse, the configuration of ModSecurity rules and filters have to be done manually. Although there are free predefined certified rule set which can be used with ModSecurity out of the box, however the rule sets may be not suitable for each and every environment and may interfere with the operation of websites or blogs, and customizing and modifying the rules may be too sophisticated or complicated for some users. And for some websites that hosted on shared hosting service, the mod_security may be enable by default without options. So in this case, the best solution or workaround for mod security related issues is to disable mod_security filtering and rules.
If you’re using Apache web server (which mostly do), mod_security can be disabled by adding a specific in .htaccess file. Locate the .htaccess file in Apache web root directory (public_html or /var/www/ or others), if it does not exist, create a new file named .htaccess, and add in the following code:
SecFilterEngine Off
SecFilterScanPOST Off
The above entries in the .htaccess will disable the ModSecurity (mod_security) module for the domain.
Uninstallation of ModSecurity (mod_security) from Apache module
The easiest way to remove and uninstall mod_security is to comment out or delete the related mod_security entries from httpd.conf Apache configuration file. The lines that should be removed include:
AddModule mod_security.c
LoadModule security_module modules/mod_security.so
Include “/usr/local/apache/conf/modsec.conf” This line may be different depending on what variant of Linux or Unix you used and the installation location
Save the httpd.conf and restart the Apache. ModSecurity will not be loaded and as if uninstalled.
If you’re using WebHost Manager (WHM), uninstallation is even simpler. Just scroll to cPanel section, and click on Addon Modules. Then scroll to module named modsecurity. It should be checked Install and Keep Updated currently. Just click on Uninstall to remove the mod security feature from Apache web server.
Related Articles
- How to Disable (Remove and Uninstall) Windows Defender in Vista
- How to Disable (Uninstall and Remove) Windows Media Center in Vista
- How to Remove and Disable IE8 (Uninstall Internet Explorer 8) from Windows 7
- Disable, Remove and Uninstall U3 Launchpad
- Workaround to Disable and Remove OGA Office Not Genuine Notifications (Uninstall KB949810)
- Disable, Uninstall and Remove Skype Add-On Call This Phone Number on Web Page and Toolbar Plugin Menu in IE
- Workaround to Manually Uninstall, Remove or Delete Firefox Addon With Add-Ons Uninstall Button Disabled
- Improve Apache Web Server Security: Use ServerTokens and ServerSignature to Disable Header
- Hack to Remove/Uninstall Symantec Norton Antivirus (SAV) Client without Password
- Uninstall and Remove Multiple Database Instances of Microsoft SQL Server 2005
Entries (RSS)
May 6th, 2009 15:30
I had this issue and apparently my host had a specific block in place that prevented the .htaccess modification from taking effect.
The solution to remove the module might not be a good idea since it’s a server wide change, there is apparently a whitelist file that you can modify to allow specific domains from being exempt.
Just SSH into the server as root using PUTTY or something similar.
Type the following
nano usr/local/apache/conf/modsec2/whitelist.conf
This will give you a flat screen editor that you can use to modify the file, just add the following line, once for each domain you wish to exempt.
SecRule SERVER_NAME “example.com” phase:1,nolog,allow,ctl:ruleEngine=Off
no need to replace Server_name with your actual server name, only need to replace example.com with the domain.
Apache will then need to be restarted.
November 30th, 2008 02:32
Mich würde mal eher interessieren, ob man mit mod_security2 auch Mails verschicken lassen kann?
November 21st, 2008 15:25
Awsome, slightly different in the apache i’m using on windows, i just commented out this line:
#Include conf/Suite-extra/mod_security.conf
Thanks now i can work on my intranet again owe you big time
November 12th, 2008 14:11
[...] if i remeber right, this can be disabled from .htaccess Check the following links for further info: Remove and Uninstall or Disable ModSecurity (mod_security) My Digital Life How to disable mod_security in .htaccess file Disabling mod_security mod_security Guide and [...]
October 26th, 2008 06:05
Just like Flanger, it doesn’t work for me. Adding that two lines seem to block more and it doesn’t resolve the error 500 error that was returned by ModSecurity.
October 20th, 2008 18:58
it doesnt work for me unfortunately
if I add these two lines to my .htaccess file to the root,
the whole domain is blocked, else if I make .htaccess file
in custom directory and add these lines only that dir is locked
and server gives me Http error 500 internal server error…
June 29th, 2008 23:47
Cheers, just what I needed, worked first time
April 17th, 2008 17:13
Thanks alot! It works!
February 2nd, 2008 00:51
Exactly what I was looking for, thanks
July 7th, 2007 00:16
A BIG Thanks to You!
It really works! Thanks You!