How many of you have this enabled on your shop? I didn't have it enabled on my last server, I believe I disabled it because it's supposed to come turned on but I don't remember. I ask because since being moved to this new server I have had to disable 8 rules all relating to saving things to the database. The rules are
SecRuleRemoveById 211190 <--A mod I made where I was trying to save a path to htaccess
SecRuleRemoveById 211230 <-- and the rest related to https://www.opencart.com/index.php?rout ... %20manager I don't know if it was specifically because of this refreshing the mod, or simply refreshing the mod in and of itself.
SecRuleRemoveById 212270
SecRuleRemoveById 212300
SecRuleRemoveById 212340
SecRuleRemoveById 212890
SecRuleRemoveById 211030
SecRuleRemoveById 210580
The host is trying their best to dissuade me from disabling the whole thing to be rid of this annoyance. I remember seeing a post where Paul pretty much called it a POS. So I'm curious how many recommend it for their OC install.
v3.0.4.0 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.
On the admin side it can be a pain (not a POS) because the activities required on the admin side are bound to trigger rules which you do not want but do want on the catalog side.
So we use this directive for the admin directory
Code:
<IfModule security2_module>
    SecRuleEngine DetectionOnly
</IfModule>
That will still put warnings in your logs if a pattern is detected and a rule is triggered but no blocking.
Code:
ModSecurity: Warning. Pattern match "(?:(?<!\\\\w)(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:product_description[2][meta_description]. [file "security-crs/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [rev "3"] [msg "Remote File Access Attempt"] [data "Matched Data: .htaccess found within ARGS:product_description[2][meta_description]: .htaccess"] [severity "CRITICAL"]
Then again, our admin side is fixed IP secured and we have full control of the server config and therefore do not use htaccess files.
I don't know if your provider allows you to control mod_security from htaccess and to what extent.
Yep I still think it causes too many problems to be of any use.
We were going to write a blog article about exactly why at some point.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
ModSecurity can be helpful for securing your site, but it can also cause a lot of headaches, especially with OpenCart's admin-side operations. Here's an overview of how to handle it effectively:
Understand ModSecurity's Impact
ModSecurity rules are designed to protect against common attacks, but they can interfere with legitimate admin-side operations. For example, saving data to the database (like product descriptions or paths) can trigger false positives in ModSecurity.
The rules you’ve disabled, like:
Code:
SecRuleRemoveById 211190
SecRuleRemoveById 211230
...are likely blocking requests that involve certain patterns (e.g., .htaccess or SQL-like strings).
Use Detection Mode for Admin
To reduce interference while retaining ModSecurity's benefits, you can set it to DetectionOnly mode for the admin directory. This will log potential issues without blocking requests.
Add this to your .htaccess file or server config for the admin directory:
Code:
<IfModule security2_module>
    SecRuleEngine DetectionOnly
</IfModule>
This ensures ModSecurity still flags potential problems in your logs but doesn't prevent legitimate actions like saving data.
Check Logs for Problematic Rules
Review your server logs to identify which specific ModSecurity rules are being triggered. Here's an example of a log entry:
Code:
ModSecurity: Warning. Pattern match "(?:(?<!\\w)(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:product_description[meta_description].
The log entry provides the rule ID, the matched pattern, and the severity level. Once identified, you can remove specific rules using:
Code:
SecRuleRemoveById <RuleID>
When to Disable ModSecurity Completely
While it’s generally not recommended to disable ModSecurity entirely, there are cases where it might be necessary:
If you’re facing frequent false positives that disrupt your workflow.
If your admin side is already protected with additional security measures (e.g., IP restrictions, strong passwords, SSL).
If you disable it, ensure you have alternative security measures in place.
Communicate with Your Host
If your host discourages disabling ModSecurity, request their help in customizing the configuration to suit your OpenCart installation. Many hosts will work with you to fine-tune the rules.
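The log review described in the posts above, as an added example that is not part of any post in this thread: it parses ModSecurity 2.x error-log lines in the format quoted earlier and reports which rule IDs fired only under the admin path, so exclusions can be scoped there and not applied site-wide. The `/admin/` prefix, the `[uri ...]` values, rule ID 999001 and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x error-log style quoted in the
# thread; the [uri ...] values and rule 999001 are invented for this demo.
SAMPLE_LOG = r'''
ModSecurity: Warning. Pattern match "\\.ht(?:access|passwd)" at ARGS:product_description[2][meta_description]. [file "modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [uri "/admin/index.php"]
ModSecurity: Warning. Pattern match "\\.ht(?:access|passwd)" at ARGS:path. [file "modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [uri "/admin/index.php"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.+select" at ARGS:search. [file "example.conf"] [line "10"] [id "999001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [uri "/index.php"]
ModSecurity: Warning. Pattern match "union.+select" at ARGS:filter_name. [file "example.conf"] [line "10"] [id "999001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [uri "/admin/index.php"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\S+)?)\.\s')     # variable that matched

def parse_line(line):
    """Return the fields of one ModSecurity log line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "ModSecurity:" not in line or "id" not in fields:
        return None
    target = TARGET_RE.search(line)
    return {"id": fields["id"], "msg": fields.get("msg", ""),
            "uri": fields.get("uri", ""),
            "target": target.group(1) if target else "",
            "blocked": "Access denied" in line}

def summarize(log_text, admin_prefix="/admin/"):
    """Count hits per rule ID, split into admin and non-admin request paths."""
    summary = defaultdict(lambda: {"msg": "", "admin": 0, "other": 0, "targets": set()})
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        entry = summary[hit["id"]]
        entry["msg"] = hit["msg"]
        side = "admin" if hit["uri"].startswith(admin_prefix) else "other"
        entry[side] += 1
        if hit["target"]:
            entry["targets"].add(hit["target"])
    return dict(summary)

def admin_only_rules(summary):
    """Rule IDs seen only on admin requests: candidates for an admin-scoped exclusion."""
    return sorted(rid for rid, e in summary.items() if e["admin"] and not e["other"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for rid in sorted(s):
        print(rid, s[rid]["msg"], s[rid]["admin"], s[rid]["other"], sorted(s[rid]["targets"]))
    print("admin-only:", admin_only_rules(s))
```

A rule that also fires on storefront requests, like the constructed 999001 here, is one to investigate before removing it anywhere.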