Share via

Could not set variable “USER.user_false_counter” as the collection does not exist in ModSecurity logs Apache (Windows OS)

dimkhannaITaly 6 Reputation points
2021-06-24T11:49:19.07+00:00

We are using apache module for our web server(windows OS). We need to prevent unsuccessful authentication attempt by the user. Hence we thought to use Mod Security module. I uses this standard configuration setting in "modsecurity-minimal.conf" as below SecStatusEngine On SecRule IP:bf_block "@eq 1"
"id:'2000004',phase:4,deny,
logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}' SecRule USER:bf_block "@eq 1"
"id:'2000005',phase:4,deny,
logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'

SecRule REQUEST_HEADERS:authorization "Basic ([a-zA-Z0-9]+=*)$" "phase:3,nolog,pass,id:2000012,chain,capture"
    SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"                
    SecAction initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},initcol:IP=%{REMOTE_ADDR}


SecRule RESPONSE_STATUS "401" \
    "phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"        
    SecAction setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300

# Check for too many failures for a single username, blocking 30 seconds after 3 tries
SecRule USER:user_false_counter "@ge 2" \
            "id:'2000020',phase:3,t:none,pass,\
            setvar:USER.bf_block,\
            setvar:!USER.user_false_counter,\
            expirevar:USER.bf_block=30"

# Check for too many failures from a single IP address. Block for 5 minutes after 10 tries.
    SecRule IP:ip_false_counter "@ge 2" \
            "id:'2000021',phase:3,pass,t:none, \
            setvar:IP.bf_block,\
            setvar:!IP.ip_false_counter,\
            expirevar:IP.bf_block=300"

However when I see the modsec_debug.log, I get following error.

Could not set variable "USER.user_false_counter" as the collection does not exist.

Could not set variable "IP.ip_false_counter" as the collection does not exist.

Please help me how to resolve this issue.

Windows for business | Windows Client for IT Pros | User experience | Other

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2021-06-25T08:01:19.76+00:00

    Hi,
    I did some research but I didn’t find any official documents about this issue.
    Since log analysis and debug check is actually not within the forum scope, I would suggest that you raise a MS support ticket. In addition, if the issue has been proved as system flaw, the consulting fee would be refund. You may find phone number for your region accordingly from the link below.
    Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    Thanks for your time.
    Best regards,
    Danny

    -----------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.