
Author Topic: Find and disable specific ModSecurity rules  (Read 5930 times)


sajugovind

Find and disable specific ModSecurity rules
« on: October 20, 2014, 11:12:34 pm »
The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes they also block legitimate requests. Knowing how to find which rules are getting triggered and how to disable them can be handy.

In the steps below I'll show you how to use the Apache error log to determine which ModSecurity rules are being triggered on your websites.

1. Log in to your server via SSH as the root user.

2. Run the following command to determine what ModSecurity rules are being triggered:

Code:
grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9\-\_\.]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

This will give you something back like this:

Code:
129 990011 example.com /feed/
4668 950004 example.com /wp-content/themes/drone/jquery.cookie.js
29070 950004 www.example.com /wp-content/themes/drone/jquery.cookie.js

So we can see that ModSecurity rule ID 950004 has been triggered at least 33,738 times across example.com and www.example.com for requests to the /wp-content/themes/drone/jquery.cookie.js file.

3. To disable just ModSecurity rule 950004, run the following command:

Code:
echo "SecRuleRemoveById 950004" >> /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf

Thank you,
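
As an added example (not part of the original post), the shell function below produces the same tally as the step 2 pipeline but extracts id, hostname, uri and msg individually, counts www. and the bare hostname together, and prints each rule's message next to its count. The function names, the sample log lines and their msg text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on a live server:
#   modsec_tally < /usr/local/apache/logs/error_log

# Reads error_log lines on stdin; prints "count id hostname uri | msg".
modsec_tally() {
    awk '
    # Value of [name "value"] in the line, or "-" when the field is absent.
    function field(line, name,    pat, s) {
        pat = "\\[" name " \"[^\"]*\"\\]"
        if (!match(line, pat)) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub("^\\[" name " \"", "", s)
        sub("\"\\]$", "", s)
        return s
    }
    /ModSecurity/ {
        id = field($0, "id")
        if (id == "-") next               # startup or status line, no rule hit
        host = tolower(field($0, "hostname"))
        sub(/^www\./, "", host)           # count www. and the bare host together
        key = id " " host " " field($0, "uri")
        count[key]++
        msg[key] = field($0, "msg")       # text the rule logged for this hit
    }
    END { for (k in count) printf "%d %s | %s\n", count[k], k, msg[k] }
    ' | sort -n
}

# Constructed sample lines in the ModSecurity 2.x error_log layout.
sample_log() {
    cat <<'EOF'
[Mon Oct 20 22:10:01 2014] [notice] ModSecurity for Apache configured.
[Mon Oct 20 22:10:05 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "10"] [id "950004"] [msg "constructed message A"] [hostname "example.com"] [uri "/wp-content/themes/drone/jquery.cookie.js"] [unique_id "A1"]
[Mon Oct 20 22:10:06 2014] [error] [client 203.0.113.8] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "10"] [id "950004"] [msg "constructed message A"] [hostname "www.example.com"] [uri "/wp-content/themes/drone/jquery.cookie.js"] [unique_id "A2"]
[Mon Oct 20 22:10:07 2014] [error] [client 203.0.113.8] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "10"] [id "950004"] [msg "constructed message A"] [hostname "WWW.example.com"] [uri "/wp-content/themes/drone/jquery.cookie.js"] [unique_id "A3"]
[Mon Oct 20 22:10:09 2014] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "20"] [id "990011"] [msg "constructed message B"] [hostname "example.com"] [uri "/feed/"] [unique_id "A4"]
EOF
}
```

Read the msg column before step 3, since it shows which check a SecRuleRemoveById line would switch off for that site. Apache has to reload its configuration before an added directive takes effect.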