GUI editor to tame mod_security rules

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.


  • You can install this package locally or on a server:

    pip3 install modseccfg
  • And your distro must provide a full Python installation and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2

Start options

  • To run the GUI locally / on test setups:

  • Or with sshfs remoting directly to the server's filesystem:

    modseccfg root@vps5:/

A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Be aware of the implicit ~/mnt/ mount point, if connecting as root.

Alternatively there's also slow X11 forwarding (ssh -X vps modseccfg) or xpra --start ssh:vps5 --start=modseccfg to run it on the server.


You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count (→[info] button to see docs).
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or →Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).

See also: usage remoting, or preconf/recipe setup, or the "FAQ".
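
The triage in steps 4 and 5, sketched as an added example (not modseccfg's own code): it tallies rule hits per vhost from error.log and shows why the highest count is not automatically the rule to disable. The never-disable list, the `min_clients` threshold and the verdict heuristic are assumptions of this sketch, and the log lines are constructed.

```python
import re
from collections import defaultdict

# CRS 3.x anomaly-scoring rules log whenever the score threshold is exceeded, so
# their count tracks all other rules. Never-disable list is this example's choice.
SCORING_RULES = {"949110", "980130"}
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "941160"], [uri "/x"], ...
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def tally(log_text):
    """Group ModSecurity error.log entries by (hostname, rule id)."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for line in log_text.splitlines():
        fields, client = dict(FIELD.findall(line)), CLIENT.search(line)
        if "ModSecurity:" not in line or "id" not in fields or not client:
            continue
        ip = client.group(1)
        ip = ip.rsplit(":", 1)[0] if ip.count(":") == 1 else ip  # drop IPv4 port
        entry = stats[(fields.get("hostname", "-"), fields["id"])]
        entry["hits"] += 1
        entry["clients"].add(ip)
        entry["uris"].add(fields.get("uri", "-"))
    return stats

def review(stats, min_clients=3):
    """Return (hostname, rule id, hits, verdict) rows, highest count first."""
    rows = []
    for (host, rid), s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        if rid in SCORING_RULES:
            verdict = "keep"
        elif len(s["clients"]) >= min_clients and len(s["uris"]) == 1:
            verdict = f"candidate: SecRuleRemoveById {rid}"  # many users, one page
        else:
            verdict = "inspect"  # e.g. one client probing many URIs
        rows.append((host, rid, s["hits"], verdict))
    return rows

def _line(ip, rid, uri, host="blog.example.org"):
    """Constructed log line in the mod_security 2.9 error.log layout."""
    return (f'[Mon Mar 02 10:00:01 2020] [:error] [pid 811] [client {ip}:40112] '
            f'ModSecurity: Warning. Pattern match "x" at ARGS:body. [line "1"] '
            f'[id "{rid}"] [msg "constructed"] [hostname "{host}"] [uri "{uri}"]')

SAMPLE = "\n".join(
    [_line(f"203.0.113.{n}", "941160", "/admin/post.php") for n in range(1, 5)]
    + [_line("198.51.100.9", "930120", f"/page{n}.php") for n in range(5)]
    + [_line(f"203.0.113.{n}", "949110", "/admin/post.php") for n in range(1, 5)])

if __name__ == "__main__":
    for row in review(tally(SAMPLE)):
        print(*row)
```

A "candidate" verdict is only a prompt to compare against the access log before disabling anything.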


  • Preferably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
  • File→Install packages are Debian-only
  • Reporting scripts also require Ruby

from project import meta

meta info

  depends       python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs
  compat        Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux
  compliancy    xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, mallard, man, sshrc, !netrc, !http_proxy, !nobackup, !releases.json, !doap, !packfile
  system usage  opportune shell invokes (sshfs, find, cat, dpkg, xdg-open)
  paths         ~/mnt/, ~/backup-config/, ~/.config/modseccfg/
  testing       few data-driven assertions, only manual UI and usage tests
  docs          minimal wiki, yelp, news
  activity      burst, temporary
  state         beta
  support       None
  contrib       mail, fossil DVCS (create an account or send bundles)