Passbolt Modsecurity

Hello, everyone!

Does the SpiderLabs ModSecurity WAF work along with Passbolt?

Best regards,
Gustavo.

@GustmaX hello, did you encounter any issues with it?

@remy Hello!

Thank you for your reply.

I did not configure modsecurity, afraid of breaking any Passbolt functionalities.

I was hoping that someone has made that test to improve passbolt security as well as testing the compatibility.

I need to use passbolt at a cybersecurity company. With that in mind, I personally hardened the passbolt OS, which is an Ubuntu 20.04 LTS core.

We could, additionally, add modsecurity to further improve its security.

Regards,
Gustavo.

I'm in the process of testing. I put modsecurity on my server today and on default settings, with no configuration, it broke passbolt.

First test, I added:

SecRuleEngine DetectionOnly

To /etc/apache2/sites-enabled/passbolt.conf

To turn modsecurity off entirely for the passbolt virtual host, and then passbolt worked normally. So on default settings modsecurity certainly breaks things.

Second test, using the instructions from here: ModSecurity Configuration for Passbolt | Michael A. Mead. I added:

<Location "/auth/verify.json">
        SecRuleRemoveById 200004 942100
</Location>

<Location "/import/resources.json">
        SecRuleRemoveById 942100
</Location>

<Location "/resources.json">
        SecRuleRemoveById 942100
</Location>

<LocationMatch "^/resources/.*">
        SecRuleRemoveById 911100 980130 942100
</LocationMatch>

<LocationMatch "^/users/.*">
        SecRuleRemoveById 911100
</LocationMatch>

<LocationMatch "^/setup/completeRecovery/.*\.json">
        SecRuleRemoveById 980130 911100 949110
</LocationMatch>

To /etc/apache2/sites-enabled/passbolt.conf

then restarting apache2

sudo systemctl restart apache2

and at the moment passbolt is still working as expected…

And if I try to be nasty, it's 403'ing as it should.


Need a 403 page for passbolt though.

And with a custom 403 page, passbolt is refusing naughty connections, so it appears to all be working.

Passbolt has its own 404 page, but no other error pages which would probably be a good idea.
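As an added example (my own helper, not code from the thread, Passbolt or ModSecurity): after running with SecRuleEngine DetectionOnly, this script reads ModSecurity warnings from the Apache error log, lists which CRS rule ids fired on which Passbolt path, and renders them as per-Location SecRuleRemoveById blocks like the ones above. The log lines are constructed; the rule ids and paths are the ones mentioned in the thread.

```python
import re
from collections import defaultdict

# Constructed sample Apache error-log lines in ModSecurity 2.x format (not real
# Passbolt traffic); rule ids and paths are the ones discussed in the thread.
SAMPLE_LOG = """\
[Sat Jan 01 12:00:01.000000 2022] [:error] [pid 1001] [client 10.0.0.5:50001] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "44"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "passbolt.example"] [uri "/auth/verify.json"] [unique_id "abc1"]
[Sat Jan 01 12:00:01.000000 2022] [:error] [pid 1001] [client 10.0.0.5:50001] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "passbolt.example"] [uri "/auth/verify.json"] [unique_id "abc1"]
[Sat Jan 01 12:00:02.000000 2022] [:error] [pid 1002] [client 10.0.0.5:50002] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [msg "Method is not allowed by policy"] [hostname "passbolt.example"] [uri "/users/1234.json"] [unique_id "abc2"]
[Sat Jan 01 12:00:03.000000 2022] [:error] [pid 1003] [client 10.0.0.5:50003] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "44"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "passbolt.example"] [uri "/resources.json"] [unique_id "abc3"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]+)"\]')
# CRS rules that only evaluate/summarise the anomaly score; they fire because other
# rules matched, so excluding them hides blocking instead of fixing a false positive.
SCORING_RULES = {"949110", "980130"}

def collect_hits(log_text):
    """Map each request URI to the set of detection rule ids that matched on it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        id_m, uri_m = ID_RE.search(line), URI_RE.search(line)
        if not (id_m and uri_m) or id_m.group(1) in SCORING_RULES:
            continue
        hits[uri_m.group(1)].add(id_m.group(1))
    return dict(hits)

def exclusion_config(hits):
    """Render per-path SecRuleRemoveById blocks in the style used in the thread.
    Review each block against real traffic before copying it into passbolt.conf:
    every id listed is a detection rule you are switching off for that path."""
    blocks = []
    for uri in sorted(hits):
        ids = " ".join(sorted(hits[uri]))
        blocks.append(f'<Location "{uri}">\n    SecRuleRemoveById {ids}\n</Location>')
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(exclusion_config(collect_hits(SAMPLE_LOG)))
```

Run it against the real log (for example `sudo cat /var/log/apache2/error.log`) while the site is in DetectionOnly mode and exercised by normal use, so the exclusions match only legitimate Passbolt requests.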