When Mod Security Attacks

Posted on September 14, 2012 by Patrick Hawkins | Updated: August 21, 2023

Category: Common Fixes | Tags: Apache, Command-line, Modsec, Security, Server

Reading Time: 2 minutes

One component of Liquid Web’s Server Secure service is an Apache module called Mod Security (often shortened to just “modsec”). Modsec monitors all incoming HTTP requests for malicious behavior and does not complete requests that meet certain criteria. These criteria are spelled out in what are called “rules” or “rulesets”.

In an ideal world, only malicious requests would be caught in modsec’s trap. Unfortunately, there are some instances where legitimate requests are stopped as well. How do we determine that this is what happens, and what can we do about it?

Modsec errors usually appear on a web page as either 400- or 500-level HTTP status codes. If you see a such an error on your site, the next step is to search the server’s error logs for more information on which rule is blocking the request. This command will give you all the modsec errors in Apache’s main error log:

grep -i modsec /usr/local/apache/logs/error_log | sed "s/$/\\n/"

Each line of the error is rather lengthy. The information logged includes the HTTP request that was sent, the line number and ID # of the modsec rule that was triggered, and the IP address of the computer that sent the HTTP request.

When modsec is triggered by a piece of code that performs a legitimate function of your site, it is best to have that code rewritten so as not to trigger modsec. Each of modsec’s rules catches attacks, so if modsec is treating your site code like an attack, the problem is almost always with what the site code is doing.

If you are not developing a site with your own code, and you use a reputable 3rd-party vendor for your code, you may have to resort to turning off the specific modsec rule that the site triggers. If you choose this route, it is best to restrict this whitelisting to only the one domain, rather than the entire server. While whitelisting modsec rules are beyond the scope of this article, Liquid Web’s Heroic Support team is available 24/7 to assist you with any modsec errors you come across.

===

Liquid Web’s Heroic Support is always available to assist customers with this or any other issue. If you need our assistance please contact us:
Toll Free 1.800.580.4985
International 517.322.0434
support@liquidweb.com
https://manage.liquidweb.com/