QPS is a request inspection module for Magento 1 stores. It receives its rule sets via the API of https://mage-one.com/.
The Magento cron job needs to run in order to obtain updated rule sets.
Make sure your Magento cronjob is running.
-
Add the repository with the module:
"repositories": [ { "type": "vcs", "url": "git@github.com:mage-one-com/qps.git" } ], -
composer require mage_one_com/qps
modman clone git@github.com:mage-one-com/qps.git
Download zip file and copy the files from inside the src folder into your magento root directory
After cleaning the cache, the install scripts should run automatically to create the table for the rules. In order to see the rules page and configuration, logout and login again.
You can find the list of downloaded rules in System > Tools > Mage One QPS Rules
To use the QPS you need to add your username and key in the configuration:
System > Konfiguration > General > Quick Protection System
The rule processing must be enabled manually in System > Config > Quick Protection System > Configuration.
Rules can be automatically enabled after the hourly API sync, although we recommend enabling rules manually after testing them (this is our default setting).
Enabling or disabling rules is possible in System > Tools > MageOne QPS Rules
You have to enter a username and public key, which you can obtain from https://my.mage-one.com/qps
You can send an email once new rules have been fetched. Configure the recipient's email address and enable the notification in System > Tools > MageOne QPS Rules > Notification
Our module filters malicious requests based on rules. These rules will be provided by our API, which is part of https://mage-one.com/. Rules are usually based on regex inspections of the _GLOBALS data.
Rules will be fetched from the API every hour and only cover vulnerabilities that aren't patched with Mage One Patches yet. Therefor our extension provides the API with a list of all installed Mage One patches. Our API then decides which rules have to be returned.
After a successful installation and configuration you can enable our test rule MO-TEST and access <your-shop-url>/mageone/test/rule/?malicious=<script>. The result should be a blank page.
After this test, please disable our test rule again.
- Remove module from
composer.jsonand reruncomposer update mageone/qps - Drop the rules table:
DROP TABLE <prefix>mageone_qps_rules;
- Remove the files from your installation
- Drop the rules table:
DROP TABLE <prefix>mageone_qps_rules;
If you want to trigger the rule synchronisation manually, you can trigger the cron job via n98-magerun
php n98-magerun.phar sys:cron:run qps_getrules
Please send your contribution as a pull request against our develop branch.
This module is under development by Mage One (https://mage-one.com) a service of Paddox GmbH, Germany (https://mage-one.com/imprint)
QPS is licensed under a modified BSD 3-clause License (according to german law)
Copyright 2020 Paddox GmbH, Germany
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS". NO CONTRIBUTER SHALL BE LIABLE FOR DAMAGES ARISING FROM CAUSES OTHER THEN THE DETRIMENT TO LIFE, BODY AND HEALTH ONLY TO THE EXTENT SUCH DAMAGES ARISES FROM WILFUL MISCONDUCT, GROSS NEGLIGENCE OR THE CULPABLE VIOLATION OF A FUNDAMENTAL CONTRACTUAL OBLIGATION ON THE PART OF THE CONTRIBUTOR OR ANY VICARIOUS AGENTS. ANY FURTHER LIABILITY FOR DAMAGES SHALL BE EXCLUDED, ESPECIALLY LIABILITY FOR THE LOSS OF DATA AND THE RECOVERY OF THIS DATA IF THIS LOSS COULD HAVE BEEN AVOIDED BY THE SOFTWARE USER THROUGH APPROPRIATE PRECAUTIONARY MEASUERS, IN PARTICULAR BY CREATING DAILY BACKUPS OF ALL DATA. THE PROVISIONS OF THE GERMAN PRODUCT LIABILITY ACT AND OTHER MANDATORY LEGAL STATUTES SHALL REMAIN UNAFFECTED.