Find and disable ModSecurity rule with SecRuleRemoveById

In this article we show how to find and disable a ModSecurity rule that might be causing 406 errors on your websites, on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses help block potential attack attempts from malicious users, but sometimes they also block legitimate requests, so knowing how to find which rules are being triggered and how to disable them can be handy.

To follow along with this how-to you will need root access to either your VPS or dedicated server, so that you have full access to modify your Apache configuration and to create the ModSecurity configuration file.

Find ModSecurity rules getting triggered

Check your domain's error_log or the Apache error_log file to see which rule is causing 406 errors on your websites.

[Sun May 28 16:33:49.331359 2017] [:error] [pid 25537] [client] [client] ModSecurity: Access denied with code 406 (phase 2). String match "wp_insert_user" at ARGS:execute. [file "remote server"] [line "-1"] [id "500032"] [msg "Malware Expert - WordPress - Marketplace - Remote Code Execution"] [hostname "Malware.Expert"] [uri "/"] [unique_id "WSrRvVQikx4AAGPBUJEAAABh"]

Here, rule ID 500032 is causing the false 406 error recorded in the Apache error log.
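On a busy server the log holds many denials, so it helps to tally them before deciding what to disable. The following is an added example, not part of the original article: it counts 406 denials per rule ID and matched variable. The function names are hypothetical, and every sample line except the first (taken from the log entry above) is constructed.

```shell
#!/bin/sh
# Added example: tally ModSecurity 406 denials per rule id and matched target.
modsec_denials() {   # reads error_log lines on stdin
  awk '
    # Return the value of a [key "value"] field, or "-" when it is missing.
    function field(line, key,    tag, start, rest, stop) {
      tag = "[" key " \""
      start = index(line, tag)
      if (start == 0) return "-"
      rest = substr(line, start + length(tag))
      stop = index(rest, "\"]")
      return (stop == 0) ? "-" : substr(rest, 1, stop - 1)
    }
    /ModSecurity: Access denied with code 406/ {
      # The matched variable ends the denial text: ... at ARGS:execute. [file ...
      head = substr($0, 1, index($0, " [file ") - 1)
      target = "-"
      if (match(head, / at [A-Z_]+[^ ]*\.$/))
        target = substr(head, RSTART + 4, RLENGTH - 5)
      hits[field($0, "id") "\t" target "\t" field($0, "msg")]++
    }
    END { for (k in hits) printf "%d\t%s\n", hits[k], k }
  ' | sort -rn
}

# Sample input: line 1 is the entry shown in the article; lines 2-4 are constructed.
sample_log() {
  cat <<'EOF'
[Sun May 28 16:33:49.331359 2017] [:error] [pid 25537] [client] [client] ModSecurity: Access denied with code 406 (phase 2). String match "wp_insert_user" at ARGS:execute. [file "remote server"] [line "-1"] [id "500032"] [msg "Malware Expert - WordPress - Marketplace - Remote Code Execution"] [hostname "Malware.Expert"] [uri "/"] [unique_id "WSrRvVQikx4AAGPBUJEAAABh"]
[Sun May 28 16:40:02.000001 2017] [:error] [pid 25540] [client] [client] ModSecurity: Access denied with code 406 (phase 2). String match "wp_insert_user" at ARGS:execute. [file "remote server"] [line "-1"] [id "500032"] [msg "Malware Expert - WordPress - Marketplace - Remote Code Execution"] [hostname "example.test"] [uri "/constructed"] [unique_id "CONSTRUCTED-0001"]
[Sun May 28 16:41:10.000002 2017] [:error] [pid 25541] [client] [client] ModSecurity: Access denied with code 406 (phase 2). String match "sample" at ARGS:q. [file "remote server"] [line "-1"] [id "900001"] [msg "Constructed sample rule"] [hostname "example.test"] [uri "/search"] [unique_id "CONSTRUCTED-0002"]
[Sun May 28 16:42:00.000003 2017] [:error] [pid 25542] [client] [client] constructed non-ModSecurity error line
EOF
}

sample_log | modsec_denials
```

Each output line is count, rule ID, matched variable and rule message, separated by tabs. To run it on a real log, feed the file to the function on stdin, for example `modsec_denials < error_log`.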

Disable ModSecurity Rule (whitelist)

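Now we can disable that rule in ModSecurity. Where you do this depends on your server configuration.

Open your ModSecurity or VirtualHost configuration file and add SecRuleRemoveById at the end of the file. The directive has to come after the rule it removes has been loaded, which is why it goes at the end: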

<IfModule mod_security2.c>
SecRuleRemoveById 500032
</IfModule>

Restart Apache

service httpd graceful

You should now know how to locate which ModSecurity rules are being triggered, and how to individually disable those specific rules so they stop triggering 406 ModSecurity errors on your website.