Excluding ModSecurity Rules in DirectAdmin (WAF / Web Application Firewall)

Introduction

ModSecurity is a web application firewall integrated into DirectAdmin that helps protect your websites by detecting and blocking malicious requests based on predefined rules. However, sometimes these rules can trigger false positives, blocking legitimate traffic. As a DirectAdmin user, you can exclude (disable) specific rules at the domain or subdomain level to resolve such issues. This guide provides step-by-step instructions on how to identify and exclude problematic rules.

Note: Exclusions at the user level add to any global disables set by the server admin. You cannot re-enable rules that the admin has disabled server-wide.

Prerequisites

  • Access to your DirectAdmin user account.
  • Basic understanding of your website's traffic to identify false positives.
  • The ModSecurity feature must be enabled on your server (contact your hosting provider if it's not available).

Step 1: Log In to DirectAdmin

  1. Open your web browser and navigate to your DirectAdmin login page (typically https://yourdomain.com:2222 or provided by your host).
  2. Enter your username and password to log in.

Step 2: Access the ModSecurity Interface

  1. Once logged in, scroll down to the Advanced Features section on the main dashboard.
  2. Click on Web Application Firewall. This will open the ModSecurity management page, which includes tabs for Status & Disabled Rules, Logs, and possibly others depending on your setup.

Step 3: View Logs to Identify Problematic Rules

Before excluding a rule, you need to identify the Rule ID causing the issue:

  1. In the Web Application Firewall page, switch to the Audit Log tab (or similar, labeled as "Block Log" in some interfaces).
  2. Review the list of blocked requests. Each entry should include details like the timestamp, IP address, requested URL, and the Rule ID (e.g., id "930100" or simply the number like 930100).
  3. Note down the Rule ID for any blocks that seem like false positives (e.g., legitimate form submissions or uploads being blocked).

Tip: If the log is empty or you suspect a block, test your website by performing the action that triggers the issue and refresh the log.
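The triage in Step 3 is easier when the Audit Log entries are sorted by rule ID and URL rather than read one by one. The script below is an added example, not DirectAdmin's or ModSecurity's own tooling; it assumes the entries follow the standard Apache/ModSecurity `[key "value"]` tag format that the Audit Log tab shows, and the log lines, IP addresses and rule hits in it are constructed for demonstration. Paste the entries you copied from the tab into a file and point the script at it: a rule that keeps firing on one ordinary page for several different visitors is the usual false-positive signature, while one IP hitting many pages is probing that should stay blocked.

```python
"""Group ModSecurity audit-log entries by (rule id, URL) to spot false-positive candidates.

Added example, not part of DirectAdmin or ModSecurity. Assumes Apache/ModSecurity
error-log style entries with [id "..."], [uri "..."], [msg "..."] and [client ip:port] tags.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample entries (documentation IP ranges, made-up unique_ids) for demonstration.
SAMPLE_LOG = """\
[Mon Jun 03 10:15:42 2024] [security2:error] [pid 4121] [client 203.0.113.10:51234] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' against variable `ARGS:path'" [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "83"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/upload.php"] [unique_id "constructed-1"]
[Mon Jun 03 10:16:05 2024] [security2:error] [pid 4121] [client 203.0.113.10:51240] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' against variable `ARGS:path'" [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "83"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/upload.php"] [unique_id "constructed-2"]
[Mon Jun 03 10:20:31 2024] [security2:error] [pid 4122] [client 198.51.100.7:44010] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' against variable `ARGS:q'" [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "constructed-3"]
[Mon Jun 03 10:22:09 2024] [security2:error] [pid 4123] [client 192.0.2.55:51301] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' against variable `ARGS:path'" [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "83"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/upload.php"] [unique_id "constructed-4"]
"""

# Only the tags we need; [file ...], [line ...] and [unique_id ...] are deliberately not captured.
TAG_RE = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")


def parse_entries(log_text):
    """Return one dict per line that carries a rule hit: id, msg, hostname, uri, client IP."""
    entries = []
    for line in log_text.splitlines():
        tags = dict(TAG_RE.findall(line))
        if "id" not in tags:
            continue  # informational lines without a [id "..."] tag are not blocks
        m = CLIENT_RE.search(line)
        # Strip the source port; "ip:port" with an IPv4 address is assumed here.
        client = m.group(1).rsplit(":", 1)[0] if m else "unknown"
        entries.append({
            "id": tags["id"],
            "msg": tags.get("msg", ""),
            "hostname": tags.get("hostname", ""),
            "uri": tags.get("uri", ""),
            "client": client,
        })
    return entries


def hits_by_rule_and_uri(entries):
    """Count blocks per (rule id, uri) pair."""
    return Counter((e["id"], e["uri"]) for e in entries)


def false_positive_candidates(entries, min_hits=2):
    """(rule id, uri) pairs blocked at least min_hits times, with hit count, message and
    the distinct client IPs seen. Several ordinary visitors blocked on the same page is the
    pattern worth researching before disabling the rule; one IP across many pages is not."""
    counts = hits_by_rule_and_uri(entries)
    clients = defaultdict(set)
    messages = {}
    for e in entries:
        key = (e["id"], e["uri"])
        clients[key].add(e["client"])
        messages.setdefault(key, e["msg"])
    return {
        key: {"hits": n, "msg": messages[key], "clients": sorted(clients[key])}
        for key, n in counts.items()
        if n >= min_hits
    }


def main():
    # Usage: python triage.py audit_log.txt   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (rule_id, uri), info in sorted(false_positive_candidates(parse_entries(text)).items()):
        print(f'rule {rule_id} blocked {uri} {info["hits"]}x from {len(info["clients"])} client(s): {info["msg"]}')


if __name__ == "__main__":
    main()
```

Note down only the rule IDs the script surfaces for URLs you know carry legitimate traffic (an upload form, a login page); a rule hit once from a single IP is not evidence of a false positive.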

Step 4: Exclude (Disable) Specific Rules

  1. Go back to the Status & Disabled Rules tab (or the main ModSecurity page).
  2. Look for the section labeled Disable Rules or Disabled Rules.
  3. In the input field provided (often labeled "ID" or "Rule ID"), enter the Rule ID you identified (e.g., 930100). You can enter multiple IDs separated by commas or on new lines if needed.
  4. Optionally, select the scope if available (e.g., apply to a specific domain or subdomain).
  5. Click the Disable Rule or Save button to apply the changes.
  6. The exclusion will be saved to a configuration file like /usr/local/directadmin/data/users/{your_username}/domains/{your_domain}.modsecurity_rules, and ModSecurity will restart or reload for your domain.

Note: Changes take effect immediately, but if issues persist, clear your browser cache or test from a different device.

Step 5: Enable or Disable ModSecurity Entirely (Optional)

If you need to toggle ModSecurity on or off for your domains:

  1. In the Status & Disabled Rules tab, find the SecRuleEngine option.
  2. Scroll down the page, check which rule was triggered, and select Exclude Rule to turn that rule off.

Troubleshooting

  • Rule Not Disabling: Ensure the rule isn't globally disabled by the admin (you can't override that). Contact your hosting support.
  • No Access to ModSecurity: If the feature is missing, it might be blocked by the admin. Check with your provider.
  • Persistent Blocks: After disabling, monitor logs. If needed, disable additional related rules.
  • Advanced Customizations: For more complex exclusions (e.g., per-subdomain), you may need admin access or have to edit custom configuration files; stick to the UI for user-level changes.

Best Practices

  • Only disable rules when necessary to maintain security.
  • Regularly review logs to ensure exclusions aren't allowing malicious traffic.
  • Document the Rule IDs you've disabled and why, for future reference.
  • If you're unsure about a rule, research it (e.g., search for "ModSecurity rule 930100 explanation") before disabling.