25th Anniversary Savings | 25% Off Dedicated Servers*Shop Now
25th Anniversary Savings | 25% Off VPS Hosting* †††Shop Now
Limited Inventory: High-Performance AMD-Powered Servers Now Available.* Shop Now >
Dedicated Hosting Deals | From $99/moShop Now

When Mod Security Attacks

Posted on by Patrick Hawkins
Reading Time: 2 minutes

One component of Liquid Web’s Server Secure service is an Apache module called Mod Security (often shortened to just “modsec”). Modsec monitors all incoming HTTP requests for malicious behavior and does not complete requests that meet certain criteria. These criteria are spelled out in what are called “rules” or “rulesets”.

In an ideal world, only malicious requests would be caught in modsec’s trap. Unfortunately, there are some instances where legitimate requests are stopped as well. How do we determine that this is what happens, and what can we do about it?

Modsec errors usually appear on a web page as either 400- or 500-level HTTP status codes. If you see a such an error on your site, the next step is to search the server’s error logs for more information on which rule is blocking the request. This command will give you all the modsec errors in Apache’s main error log:

grep -i modsec /usr/local/apache/logs/error_log | sed "s/$/\\n/"

Each line of the error is rather lengthy. The information logged includes the HTTP request that was sent, the line number and ID # of the modsec rule that was triggered, and the IP address of the computer that sent the HTTP request.

When modsec is triggered by a piece of code that performs a legitimate function of your site, it is best to have that code rewritten so as not to trigger modsec. Each of modsec’s rules catches attacks, so if modsec is treating your site code like an attack, the problem is almost always with what the site code is doing.

If you are not developing a site with your own code, and you use a reputable 3rd-party vendor for your code, you may have to resort to turning off the specific modsec rule that the site triggers. If you choose this route, it is best to restrict this whitelisting to only the one domain, rather than the entire server. While whitelisting modsec rules are beyond the scope of this article, Liquid Web’s Heroic Support team is available 24/7 to assist you with any modsec errors you come across.

===

Liquid Web’s Heroic Support is always available to assist customers with this or any other issue. If you need our assistance please contact us:
Toll Free 1.800.580.4985
International 517.322.0434
support@liquidweb.com
https://manage.liquidweb.com/

About the Author: Patrick Hawkins

Patrick Hawkins is a former Test Engineer and Managed WordPress admin with Liquid Web

Refer a Friend
Get 33% off the first 3 months on a new Dedicated server!
Categories
Have Some Questions?

Our Sales and Support teams are available 24 hours by phone or e-mail to assist.

1.800.580.4985
1.517.322.0434

Latest Articles

Tutorials

How to Edit the PHP Memory for Your WordPress Site via WP Toolkit

Read Article
Hosting Basics

What is CGI-Bin and What Does it Do?

Read Article
Featured Articles

Top 10 Password Security Standards

Read Article
Security

Top 10 Password Security Standards

Read Article
WHM + cPanel

How to Use the WP Toolkit to Secure and Update WordPress

Read Article