We are using apache module for our web server(windows OS). We need to prevent unsuccessful authentication attempt by the user. Hence we thought to use Mod Security module. I uses this standard configuration setting in "modsecurity-minimal.conf" as below SecStatusEngine On SecRule IP:bf_block "@eq 1"
"id:'2000004',phase:4,deny,
logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}' SecRule USER:bf_block "@eq 1"
"id:'2000005',phase:4,deny,
logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'
SecRule REQUEST_HEADERS:authorization "Basic ([a-zA-Z0-9]+=*)$" "phase:3,nolog,pass,id:2000012,chain,capture"
SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
SecAction initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},initcol:IP=%{REMOTE_ADDR}
SecRule RESPONSE_STATUS "401" \
"phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"
SecAction setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300
# Check for too many failures for a single username, blocking 30 seconds after 3 tries
SecRule USER:user_false_counter "@ge 2" \
"id:'2000020',phase:3,t:none,pass,\
setvar:USER.bf_block,\
setvar:!USER.user_false_counter,\
expirevar:USER.bf_block=30"
# Check for too many failures from a single IP address. Block for 5 minutes after 10 tries.
SecRule IP:ip_false_counter "@ge 2" \
"id:'2000021',phase:3,pass,t:none, \
setvar:IP.bf_block,\
setvar:!IP.ip_false_counter,\
expirevar:IP.bf_block=300"
However when I see the modsec_debug.log, I get following error.
Could not set variable "USER.user_false_counter" as the collection does not exist.
Could not set variable "IP.ip_false_counter" as the collection does not exist.
Please help me how to resolve this issue.