Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Is It Safe To Have Mod_Security Disabled Rate Topic   - - - - -

 
  • maxam
  • Junior Member
  • Members
  • Join Date: 20-Apr 11
  • 56 posts

Posted 27 June 2011 - 12:49 PM #1

Hi,

Is it safe to have mod_security disabled on my server, my host can only have it abled or disabled.

maxam

 

Posted 27 June 2011 - 01:58 PM #2

Hello Maxam,

It is the one of CS-Cart system requirements that mod_security should be disabled on the server for proper work of CS-Cart. So we strongly recommend you disable mod_security on your server. Note that you should not worry about disabling it as long as CS-Cart is designed to meet the latest security requirements. For more information please visit the "PCI Compliance" page of our website: https://www.cs-cart....compliance.html

---
Pavel Zyukin
CS-Cart Support team

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 

Posted 27 June 2011 - 02:39 PM #3

Hello Maxam,

It is the one of CS-Cart system requirements that mod_security should be disabled on the server for proper work of CS-Cart. So we strongly recommend you disable mod_security on your server. Note that you should not worry about disabling it as long as CS-Cart is designed to meet the latest security requirements. For more information please visit the "PCI Compliance" page of our website: https://www.cs-cart....compliance.html

---
Pavel Zyukin
CS-Cart Support team


I strongly suggest that it is ENABLED at all times. The ability to use CS-Cart is null if the server isn't protected in any case. These type of suggestions will have your users disadvantaged overtime.

J.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 

Posted 28 June 2011 - 05:26 AM #4

Hello,

We revised our attitude to this module recently and we decided to investigate it in more detail so that it should not be disabled on the server and we can provide necessary settings for this module. Our engineers are working on increasing compatibility of CS-Cart with mod_security at the moment. We will provide detailed information about what settings should be enabled/disabled for this module on the server when it is done.

---
Pavel Zyukin
CS-Cart Support team

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • Flow
  • Super Duper and Amazingly Sexy Senior
  • Members
  • Join Date: 13-Oct 10
  • 2146 posts

Posted 28 June 2011 - 09:05 AM #5

I'm running CS-cart fine with the mod security enabled. Don't know how or why, but it's working great :)

When life hands you lemons, bring on the Tequila baby!


 

Posted 28 June 2011 - 01:22 PM #6

Hello,

We revised our attitude to this module recently and we decided to investigate it in more detail so that it should not be disabled on the server and we can provide necessary settings for this module. Our engineers are working on increasing compatibility of CS-Cart with mod_security at the moment. We will provide detailed information about what settings should be enabled/disabled for this module on the server when it is done.

---
Pavel Zyukin
CS-Cart Support team


Hi Pavel,

In that case,

Have the users install the following addon:
ConfigServer ModSecurity Control via http://www.configserver.com/cp/cmc.html

Use the following values to be whitelisted against the domains:
950006
959007
950904
950906
990011

This will rectify a large number of issues when using CS-Cart.

Regards,
J.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 

Posted 28 June 2011 - 01:34 PM #7

Hello JesseLeeStringer,

Thank you very much for the provided information. I have forwarded it to our engineers so that they can use it in their investigation.

---
Pavel Zyukin
CS-Cart Support team

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • maxam
  • Junior Member
  • Members
  • Join Date: 20-Apr 11
  • 56 posts

Posted 03 July 2011 - 07:06 AM #8

Here are some other threads about mod-security on the forum that may be useful. I would really like to know what settings give best server side security with best cs-cart function.

Blocks problems:

404 error on blocks

It may be a mod_security block. Ask your hosting provider to add exclusions for your domain for rule ID's:

950904
950906
959007

And try it then. mod_security can see certian actions as a SQL injection attack. I hope this helps!

http://forum.cs-cart...ead.php?t=14648


Can’t add products to Block:

http://forum.cs-cart...6564#post116564

These rules should be disabled from the default mod_security ruleset

950006
959007
950904
950906
960032

maxam

 

Posted 04 July 2011 - 08:09 AM #9

Hello Maxam,


Thank you for the provided information.

I have forwarded it to our engineers so that they can use it in their investigation.

---

Anastasiya Kozlova
CS-Cart Support team

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4363 posts

Posted 17 July 2012 - 03:03 PM #10

Any CS cart answer to this Post.
Thanks
JOhn

Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 

Posted 18 July 2012 - 08:56 AM #11

Hello John,

Thank you for your message.

In order to make CS-Cart compatible with mod_security on your server we suggest that you should configure mod_security according to the following recommended requirements:

http://sourceforge.n...e_Configuration

We have tested CS-Cart with these requirements and it worked successfully without any problems. Also please let me add that the architecture of the current CS-Cart version (3.0.1) has changed to make CS-Cart more compatible with mod_security by default.

---
Anastasiya Kozlova
CS-Cart Support team

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 

Posted 22 January 2013 - 09:08 PM #12

Simply whitelisting the rule ID 390588 worked for me in upgrading from 2.2.4 > 2.5.5 >3.0.4 - prior to that I received a 404 error on the 2.2.5 upgrade and a weird SQL error on the 3.0.4 upgrade.

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 12 November 2014 - 03:11 PM #13

We installed Mod_Security on our server with version 4.2.3 in an effort to stop/slow down the attacks or garbage bots but we still seem to have an issue. There are "some" products that we are unable to change and save without getting the 404 "Well Shucks" message. We also installed the "ConfigServer ModSecurity Control" and we Whitelisted all of the suggested rules. Has anyone ran in to any other rulesets that need to be added/Whitelisted with version 4 of CS?

So far I cannot seem to find where CS-Cart has given a final answer on using Mod_Security and all they seem to do in their instructions is give information on how to totally disable it...which kind of defeats the purpose.
Regards,
Jim

 
  • FDGWEB
  • Junior Member
  • Authorized Reseller
  • Join Date: 20-Aug 10
  • 125 posts

Posted 01 December 2014 - 11:22 PM #14

You should never have mod_security disabled.

That goes double if you run other applications within your domain, such as WordPress, etc..

Tripply [Editor's note - this is not a real word.. ] - if you run a VPS or Dedicated Server or even shared for that matter and care whether your site can get shut down by the host when you become compromised.

Quadru--. well, you get the point.

Most merchants/businesses do not fully understand the level of care they are supposed to take with their customers data. We do A LOT of hack recover across all systems. CS Cart has been fairly secure compared to other carts we deal with .. but it is important to remember that all systems have problems over time.

Regardless, we'd never drop mod_security for any reason...

They two rulesets that seem to have the most problems with CS-Cart (and Magento, add Zen Cart and so on ... ) are:

PCRE record limits exceeded - you can increase this 5000% fairly safely if your server has other ways of limiting flood attacks and POST.

"Generic" SQL injection match rules - these are the silly rules that will filter or 500 error content with words like "Select" "Delete" "join" etc.

Proper form programming, which CS Cart does have .. should never have to rely on the filter.

Let some half-wit programmer do some custom forms for you .. then yes...

We're happy to help anyone's VPS or dedicated systems if need some professional assistance.
FDG Web, Inc - Seattle Web Design : Custom CS-Cart Programming & Design | Toll-Free: 877.239.3083

Download Proposal Templates & Web Design Contract Samples

 
  • remoteone
  • Member
  • Members
  • Join Date: 06-Oct 09
  • 686 posts

Posted 16 March 2015 - 04:25 PM #15

Hmm, we always have problems saving content on our CSCart websites.
What we do is temporawell what we do is temporarily disable ModSec with "SecFilterScanPOST Off"
This is fine, as long as we remember to comment the line out when finished.
It would be great to have some linux script that ran from Cron Job every 30 min or so to relpace the line
"SecFilterScanPOST Off" with "# SecFilterScanPOST Off"
Sadly, thats a bit beyond my skills.
I welcome comments regarding this approach, and indeed a script to do the job...

 
  • susanpaz
  • Advanced Member
  • Members
  • Join Date: 10-Jun 15
  • 87 posts

Posted 05 November 2015 - 04:24 PM #16

I am installing V432 and it is requiring I disable mod_security. Clearly i do not want that disabled. What do i need to do? I cannot install. It just stays on install screen and the only error is The mod_security module was detected on your server. It may cause "403 Forbidden" and "Not Acceptable" errors, so it is recommended to disable it.



 
  • FDGWEB
  • Junior Member
  • Authorized Reseller
  • Join Date: 20-Aug 10
  • 125 posts

Posted 13 November 2015 - 05:58 PM #17

 

Is this on a shared server or a VPS/Dedicated?

 

Tom


FDG Web, Inc - Seattle Web Design : Custom CS-Cart Programming & Design | Toll-Free: 877.239.3083

Download Proposal Templates & Web Design Contract Samples

 
  • susanpaz
  • Advanced Member
  • Members
  • Join Date: 10-Jun 15
  • 87 posts

Posted 25 November 2015 - 01:24 AM #18

It's a VPS



 
  • ramesh
  • Member
  • Members
  • Join Date: 13-Feb 11
  • 48 posts

Posted 05 June 2017 - 06:49 AM #19

My apologies for bumping this old thread - I would appreciate help and views on a related problem.

 

We are using cs-cart V 2.1.3 on PHP 5.3.29. We were on wiredtree till now, with mod_security enabled. Recently wiredtree sold to liquidweb, and so we moved to liquidweb, retaining the PHP version. New server was CENTOS 6 with Easy Apache 3 and Litespeed.

 

After the move, In general, the site loads fast, and we could not uncover any issues in our own testing. However, we realized that at times we would get 500 server error, and our IP would be blocked.

We became concerned that genuine customers should not be facing this issue (server 500 error, and IP block), leading to loss of sale.

I have got the modsec2.user.conf , exclude.csf, whitelist.csf and modsec_audit.log files from the NEW server.

Is it possible to get these analyzed to see if there are some rules which should be whitelisted? I did contact cs-cart support, and they kindly gave a advisory file with recommendations, but I am more concerned with auditing and analysing the rules already in place, in case any of them are creating conflicts.

 

I saw MAXAM's post above, but could not locate these rules anywhere in the modsec2.user.conf file

 

950006
959007
950904
950906
960032


Warm Regards
Amit



 
  • FDGWEB
  • Junior Member
  • Authorized Reseller
  • Join Date: 20-Aug 10
  • 125 posts

Posted 08 June 2017 - 11:29 PM #20

We've fixed a few WireTree to Liquidweb issues like this... 2 different CS-Cart builds no less.

 

What does your 500 error actually say? On liquidweb it in /usr/local/apache/logs and then the individual log for your server... 

 

1) There was a lot of permissions issues on the migration we found. If you have already normalized permissions ... then move on to  .. 

 

2) You should disable the Mod_Sec entry in Configserver firewall for the itme being. There's too many problems that come up when you run PHP 5.3 (old) and the older version of CSCart. You'll wind up blocking a lot of users. Otherwise, make the value larger than the 5 default. One page load can trigger 5 hits all at once.


FDG Web, Inc - Seattle Web Design : Custom CS-Cart Programming & Design | Toll-Free: 877.239.3083

Download Proposal Templates & Web Design Contract Samples