Is It Safe To Have Mod_Security Disabled

Hi,



Is it safe to have mod_security disabled on my server? My host can only have it enabled or disabled.



maxam

Hello Maxam,



It is one of the CS-Cart system requirements that mod_security should be disabled on the server for proper work of CS-Cart. So we strongly recommend you disable mod_security on your server. Note that you should not worry about disabling it as long as CS-Cart is designed to meet the latest security requirements. For more information please visit the “PCI Compliance” page of our website: Product :: Feature Tour :: PCI Compliance





Pavel Zyukin

CS-Cart Support team

[quote name='CS-Cart Support team' timestamp='1309183084' post='115806']

Hello Maxam,



It is one of the CS-Cart system requirements that mod_security should be disabled on the server for proper work of CS-Cart. So we strongly recommend you disable mod_security on your server. Note that you should not worry about disabling it as long as CS-Cart is designed to meet the latest security requirements. For more information please visit the “PCI Compliance” page of our website: Product :: Feature Tour :: PCI Compliance





Pavel Zyukin

CS-Cart Support team

[/quote]



I strongly suggest that it is ENABLED at all times. The ability to use CS-Cart is null if the server isn't protected in any case. These types of suggestions will have your users disadvantaged over time.



J.

Hello,



We revised our attitude to this module recently and we decided to investigate it in more detail so that it should not be disabled on the server and we can provide necessary settings for this module. Our engineers are working on increasing compatibility of CS-Cart with mod_security at the moment. We will provide detailed information about what settings should be enabled/disabled for this module on the server when it is done.





Pavel Zyukin

CS-Cart Support team

I’m running CS-cart fine with the mod security enabled. Don’t know how or why, but it’s working great :)

[quote name='CS-Cart Support team' timestamp='1309238795' post='115842']

Hello,



We revised our attitude to this module recently and we decided to investigate it in more detail so that it should not be disabled on the server and we can provide necessary settings for this module. Our engineers are working on increasing compatibility of CS-Cart with mod_security at the moment. We will provide detailed information about what settings should be enabled/disabled for this module on the server when it is done.





Pavel Zyukin

CS-Cart Support team

[/quote]



Hi Pavel,



In that case,



Have the users install the following addon:

ConfigServer ModSecurity Control via http://www.configserver.com/cp/cmc.html



Use the following values to be whitelisted against the domains:

950006
959007
950904
950906
990011




This will rectify a large number of issues when using CS-Cart.



Regards,

J.

Hello JesseLeeStringer,



Thank you very much for the provided information. I have forwarded it to our engineers so that they can use it in their investigation.





Pavel Zyukin

CS-Cart Support team

Here are some other threads about mod-security on the forum that may be useful. I would really like to know what settings give best server side security with best cs-cart function.



Blocks problems:



404 error on blocks



It may be a mod_security block. Ask your hosting provider to add exclusions for your domain for rule IDs:



950904

950906

959007



And try it then. mod_security can see certain actions as a SQL injection attack. I hope this helps!



http://forum.cs-cart.com/showthread.php?t=14648





Can’t add products to Block:



http://forum.cs-cart.com/showthread.php?p=116564#post116564



These rules should be disabled from the default mod_security ruleset



950006

959007

950904

950906

960032



maxam

Hello Maxam,





Thank you for the provided information.



I have forwarded it to our engineers so that they can use it in their investigation.







Anastasiya Kozlova

CS-Cart Support team

Any CS-Cart answer to this post?

Thanks

John

Hello John,



Thank you for your message.



In order to make CS-Cart compatible with mod_security on your server we suggest that you should configure mod_security according to the following recommended requirements:



ModSecurity download | SourceForge.net



We have tested CS-Cart with these requirements and it worked successfully without any problems. Also please let me add that the architecture of the current CS-Cart version (3.0.1) has changed to make CS-Cart more compatible with mod_security by default.





Anastasiya Kozlova

CS-Cart Support team

Simply whitelisting the rule ID 390588 worked for me in upgrading from 2.2.4 > 2.5.5 >3.0.4 - prior to that I received a 404 error on the 2.2.5 upgrade and a weird SQL error on the 3.0.4 upgrade.

We installed Mod_Security on our server with version 4.2.3 in an effort to stop/slow down the attacks or garbage bots but we still seem to have an issue. There are “some” products that we are unable to change and save without getting the 404 “Well Shucks” message. We also installed the “ConfigServer ModSecurity Control” and we Whitelisted all of the suggested rules. Has anyone run into any other rulesets that need to be added/Whitelisted with version 4 of CS?



So far I cannot seem to find where CS-Cart has given a final answer on using Mod_Security and all they seem to do in their instructions is give information on how to totally disable it…which kind of defeats the purpose.

You should never have mod_security disabled.



That goes double if you run other applications within your domain, such as WordPress, etc…



Tripply [Editor's note - this is not a real word… ] - if you run a VPS or Dedicated Server or even shared for that matter and care whether your site can get shut down by the host when you become compromised.



Quadru–. well, you get the point.



Most merchants/businesses do not fully understand the level of care they are supposed to take with their customers' data. We do A LOT of hack recovery across all systems. CS Cart has been fairly secure compared to other carts we deal with … but it is important to remember that all systems have problems over time.



Regardless, we'd never drop mod_security for any reason…



The two rulesets that seem to have the most problems with CS-Cart (and Magento, add Zen Cart and so on … ) are:



PCRE record limits exceeded - you can increase this 5000% fairly safely if your server has other ways of limiting flood attacks and POST.



“Generic” SQL injection match rules - these are the silly rules that will filter or 500 error content with words like “Select” “Delete” “join” etc.



Proper form programming, which CS Cart does have … should never have to rely on the filter.



Let some half-wit programmer do some custom forms for you … then yes…



We're happy to help anyone's VPS or dedicated systems if need some professional assistance.

Hmm, we always have problems saving content on our CSCart websites.

What we do is temporarily disable ModSec with “SecFilterScanPOST Off”

This is fine, as long as we remember to comment the line out when finished.

It would be great to have some Linux script that ran from a cron job every 30 min or so to replace the line

“SecFilterScanPOST Off” with “# SecFilterScanPOST Off”

Sadly, that's a bit beyond my skills.

I welcome comments regarding this approach, and indeed a script to do the job…
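
The cron job asked for above, as an added example (not from the thread or from CS-Cart): it comments out any active `SecFilterScanPOST Off` line so POST scanning is not left disabled after an editing session. The config path passed on the command line is an assumption, as is the premise that POST scanning is switched on elsewhere in the configuration, so that removing the override restores it.

```python
import os
import re
import sys
import tempfile

# An active (uncommented) "SecFilterScanPOST Off" line, any indentation or case.
ACTIVE_OFF = re.compile(r"^([ \t]*)(SecFilterScanPOST[ \t]+Off[ \t]*)$",
                        re.IGNORECASE | re.MULTILINE)

def recomment_scanpost_off(conf_path):
    """Comment out active 'SecFilterScanPOST Off' lines; return how many changed."""
    with open(conf_path, encoding="utf-8") as fh:
        original = fh.read()
    updated, count = ACTIVE_OFF.subn(r"\1# \2", original)
    if count == 0:
        return 0  # already commented out or absent: leave the file untouched
    # Write a temp file in the same directory and rename it over the original,
    # so the web server never reads a half-written config.
    directory = os.path.dirname(os.path.abspath(conf_path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.chmod(tmp, os.stat(conf_path).st_mode & 0o7777)  # keep original mode
        os.replace(tmp, conf_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return count

if __name__ == "__main__":
    # Hypothetical invocation from cron: python3 recomment.py /path/to/.htaccess
    changed = recomment_scanpost_off(sys.argv[1])
    print(f"re-commented {changed} line(s)")
```

If the directive lives in the main Apache configuration rather than in `.htaccess`, the change only takes effect after a graceful reload, which the cron entry would need to run when the script reports a change.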

I am installing V432 and it is requiring I disable mod_security. Clearly I do not want that disabled. What do I need to do? I cannot install. It just stays on install screen and the only error is The mod_security module was detected on your server. It may cause "403 Forbidden" and "Not Acceptable" errors, so it is recommended to disable it.

Is this on a shared server or a VPS/Dedicated?

Tom

It's a VPS

My apologies for bumping this old thread - I would appreciate help and views on a related problem.

We are using cs-cart V 2.1.3 on PHP 5.3.29. We were on wiredtree till now, with mod_security enabled. Recently wiredtree sold to liquidweb, and so we moved to liquidweb, retaining the PHP version. New server was CENTOS 6 with Easy Apache 3 and Litespeed.

After the move, in general, the site loads fast, and we could not uncover any issues in our own testing. However, we realized that at times we would get a 500 server error, and our IP would be blocked.

We became concerned that genuine customers should not be facing this issue (server 500 error, and IP block), leading to loss of sale.

I have got the modsec2.user.conf , exclude.csf, whitelist.csf and modsec_audit.log files from the NEW server.

Is it possible to get these analyzed to see if there are some rules which should be whitelisted? I did contact cs-cart support, and they kindly gave an advisory file with recommendations, but I am more concerned with auditing and analysing the rules already in place, in case any of them are creating conflicts.

I saw MAXAM's post above, but could not locate these rules anywhere in the modsec2.user.conf file

950006
959007
950904
950906
960032


Warm Regards
Amit
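
One way to do the audit asked about above is to tally, from `modsec_audit.log`, which rule IDs actually blocked requests and on which paths, so exclusions can be limited to those pairs. This is an added example, not part of the thread or of CS-Cart's advisory; it assumes the ModSecurity 2.x serial audit-log layout with section H logged, and the sample log is constructed (rule IDs reused from this thread, URLs and addresses invented).

```python
import re
from collections import Counter
SAMPLE_LOG = """\
--aaaa0001-A--
[27/Jun/2011:14:02:11 +0000] CONSTRUCTEDUNIQUEID00001 203.0.113.7 51234 192.0.2.10 80
--aaaa0001-B--
POST /admin.php?dispatch=constructed.update HTTP/1.1
--aaaa0001-H--
Message: Access denied with code 500 (phase 2). Pattern match "x" at ARGS:content. [id "950904"]
Message: Warning. Pattern match "y" at ARGS:content. [id "959007"]
Action: Intercepted (phase 2)
--aaaa0001-Z--
--aaaa0002-A--
[27/Jun/2011:14:03:40 +0000] CONSTRUCTEDUNIQUEID00002 203.0.113.9 40100 192.0.2.10 80
--aaaa0002-B--
GET /index.php?dispatch=constructed.view HTTP/1.1
--aaaa0002-H--
Message: Warning. Pattern match "z" at REQUEST_HEADERS:Host. [id "960032"]
--aaaa0002-Z--
"""  # constructed sample in the ModSecurity 2.x serial layout, not real traffic

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
# Yield {section letter: [lines]} for each complete A..Z transaction.
def transactions(text):
    tx, part = None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(1) == "A":
            tx = {}
        if m and tx is not None and m.group(1) == "Z":
            yield tx
            tx = None
        elif m and tx is not None:
            part = tx.setdefault(m.group(1), [])
        elif tx is not None:
            part.append(line)

def blocked_rule_hits(text):
    """Count (request path, rule id) over transactions that were intercepted."""
    hits = Counter()
    for tx in transactions(text):
        trailer = tx.get("H", [])
        if any(l.startswith("Action: Intercepted") for l in trailer):
            request = (tx.get("B") or [""])[0].split()
            path = request[1].split("?")[0] if len(request) > 1 else "?"
            hits.update((path, rid) for l in trailer if l.startswith("Message:")
                        for rid in RULE_ID.findall(l))
    return hits
```

Transactions that only logged a warning are skipped, so the tally reflects requests a visitor actually saw fail; rule IDs that never appear in it have no evidence behind an exclusion.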

We've fixed a few WireTree to Liquidweb issues like this... 2 different CS-Cart builds no less.

What does your 500 error actually say? On liquidweb it is in /usr/local/apache/logs and then the individual log for your server...

1) There were a lot of permissions issues on the migration we found. If you have already normalized permissions ... then move on to ..

2) You should disable the Mod_Sec entry in Configserver firewall for the time being. There are too many problems that come up when you run PHP 5.3 (old) and the older version of CSCart. You'll wind up blocking a lot of users. Otherwise, make the value larger than the 5 default. One page load can trigger 5 hits all at once.