GUI editor to tame mod_security rules

Artifact a1dc2fada8e58e00dcf73ab5f25b11b3e6ea285656d251e0ec1db79d704fddc6:

  • File — part of check-in [a7de0f8780] at 2022-10-21 22:50:25 on branch trunk — comment fixes (user: mario size: 4332)

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.


  • You can install this package locally or on a server:

    pip3 install modseccfg
  • And your distro must provide a full Python installation and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2

Start options

  • To run the GUI locally / on test setups:

  • Or with sshfs remoting directly to the server's filesystem:

    modseccfg root@vps5:/

A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Be aware of the implicit ~/mnt/ mount point, if connecting as root.

Alternatively there's also slow X11 forwarding (ssh -X vps modseccfg) or xpra --start ssh:vps5 --start=modseccfg to run it on the server.


You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the corresponding error.log
  4. Inspect the rules with a high error count (→[info] button to see docs).
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or →Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).
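
The triage in steps 4 and 5, as an added example that is not modseccfg's own code: it tallies rule hits per vhost from error.log and proposes SecRuleRemoveById candidates only when several distinct clients trip the same rule, never the CRS scoring rules. The log lines are constructed and abridged; the names `tally` and `suggest` and the two-client threshold are assumptions.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "942100"], [uri "/x"], ...
CLIENT = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')   # IPv4 only, for brevity
# CRS 3.x anomaly-score evaluation rules: removing them stops blocking/reporting
# altogether instead of fixing one false positive, so they are never suggested.
SCORING_RULES = {"949110", "980130"}

# Constructed sample in the Apache 2.4 + mod_security 2.9 error.log layout (abridged).
SAMPLE_LOG = '''\
[Fri Oct 21 22:41:03 2022] [:error] [pid 71] [client 198.51.100.4:5110] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop.example.org"] [uri "/search"]
[Fri Oct 21 22:41:03 2022] [:error] [pid 71] [client 198.51.100.4:5110] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "shop.example.org"] [uri "/search"]
[Fri Oct 21 22:43:10 2022] [:error] [pid 72] [client 203.0.113.9:4022] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop.example.org"] [uri "/search"]
[Fri Oct 21 22:43:10 2022] [:error] [pid 72] [client 203.0.113.9:4022] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "shop.example.org"] [uri "/search"]
[Fri Oct 21 22:50:01 2022] [:error] [pid 73] [client 192.0.2.66:6001] ModSecurity: Warning. Matched phrase at ARGS:page. [id "930120"] [msg "OS File Access Attempt"] [hostname "shop.example.org"] [uri "/index.php"]
[Fri Oct 21 22:50:02 2022] [:error] [pid 73] [client 192.0.2.66:6002] ModSecurity: Warning. Matched phrase at ARGS:page. [id "930120"] [msg "OS File Access Attempt"] [hostname "shop.example.org"] [uri "/index.php"]
[Fri Oct 21 22:50:03 2022] [:error] [pid 73] [client 192.0.2.66:6003] ModSecurity: Warning. Matched phrase at ARGS:page. [id "930120"] [msg "OS File Access Attempt"] [hostname "shop.example.org"] [uri "/index.php"]
'''

def tally(log_text):
    """Group ModSecurity hits per (vhost, rule id): count, distinct clients, URIs."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "uris": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        client = CLIENT.search(line)
        if "ModSecurity:" not in line or "id" not in fields or not client:
            continue
        hit = hits[(fields.get("hostname", "-"), fields["id"])]
        hit["count"] += 1
        hit["clients"].add(client.group(1))
        hit["uris"].add(fields.get("uri", "-"))
    return hits

def suggest(hits, min_clients=2):
    """Return {vhost: 'SecRuleRemoveById ...'} for rules worth reviewing as false positives."""
    per_vhost = defaultdict(list)
    for (vhost, rule_id), hit in sorted(hits.items()):
        # Count alone is not evidence: one client tripping a rule repeatedly looks
        # like probing, several unrelated clients on the same URI look like a FP.
        if rule_id not in SCORING_RULES and len(hit["clients"]) >= min_clients:
            per_vhost[vhost].append(rule_id)
    return {v: "SecRuleRemoveById " + " ".join(ids) for v, ids in per_vhost.items()}

if __name__ == "__main__":
    for vhost, directive in suggest(tally(SAMPLE_LOG)).items():
        print(f"# {vhost}\n{directive}")
```

Rule 930120 has the highest count in the sample yet is not proposed, because every hit comes from one client; the output is a review list to compare against the access log, not a directive to paste unchecked.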

See also: usage remoting, or preconf/recipe setup, or the "FAQ".


  • Preferably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
  • File→Install packages are Debian-only
  • Reporting scripts also require Ruby

from project import meta

meta info
depends python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs
compat Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux
compliancy xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, mallard, man, sshrc, !netrc, !http_proxy, !nobackup, !releases.json, !doap, !packfile
system usage opportune shell invokes (sshfs, find, cat, dpkg, xdg-open)
paths ~/mnt/, ~/backup-config/, ~/.config/modseccfg/
testing few data-driven assertions, only manual UI and usage tests
docs minimal wiki, yelp, news
activity burst, temporary
state beta
support None
contrib mail, fossil DVCS (create an account or send bundles)