
1 Vote
dimkhannaITaly-0725 asked YuhanDeng-MSFT commented

Could not set variable “USER.user_false_counter” as the collection does not exist in ModSecurity logs Apache (Windows OS)

We are using the Apache module for our web server (Windows OS). We need to prevent unsuccessful authentication attempts by the user. Hence we thought to use the ModSecurity module. I use this standard configuration setting in "modsecurity-minimal.conf" as below:

 SecStatusEngine On

 SecRule IP:bf_block "@eq 1" \
     "id:'2000004',phase:4,deny,\
     logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

 SecRule USER:bf_block "@eq 1" \
     "id:'2000005',phase:4,deny,\
     logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

 SecRule REQUEST_HEADERS:authorization "Basic ([a-zA-Z0-9]+=*)$" "phase:3,nolog,pass,id:2000012,chain,capture"
     SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"                
     SecAction initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},initcol:IP=%{REMOTE_ADDR}
        
        
 SecRule RESPONSE_STATUS "401" \
     "phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"        
     SecAction setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300
    
 # Check for too many failures for a single username, blocking 30 seconds after 3 tries
 SecRule USER:user_false_counter "@ge 2" \
             "id:'2000020',phase:3,t:none,pass,\
             setvar:USER.bf_block,\
             setvar:!USER.user_false_counter,\
             expirevar:USER.bf_block=30"
    
 # Check for too many failures from a single IP address. Block for 5 minutes after 10 tries.
     SecRule IP:ip_false_counter "@ge 2" \
             "id:'2000021',phase:3,pass,t:none, \
             setvar:IP.bf_block,\
             setvar:!IP.ip_false_counter,\
             expirevar:IP.bf_block=300"      

However, when I look at modsec_debug.log, I get the following error.

Could not set variable "USER.user_false_counter" as the collection does not exist.

Could not set variable "IP.ip_false_counter" as the collection does not exist.

Please help me resolve this issue.


windows-10-general
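Added example (not part of the original post or of the reply): a Python trace of the two regexes in rule 2000012 over constructed Authorization headers, showing which 401 responses reach rule 2000015 without `initcol` having run. That is the condition under which ModSecurity logs "Could not set variable ... as the collection does not exist". The function names and the sample requests are assumptions made for this illustration.

```python
import base64
import re

# Regexes copied from rule 2000012 in the question. ModSecurity's @rx is an
# unanchored search, so re.search is the matching Python call.
RX_HEADER = re.compile(r"Basic ([a-zA-Z0-9]+=*)$")
RX_USER = re.compile(r"^([-a-zA-Z0-9_]+):")


def initcol_key(authorization):
    """Return the USER collection key if the whole chain matches, else None.

    None means the final SecAction never runs, so neither USER nor IP is
    initialised for that transaction.
    """
    if authorization is None:
        return None
    m = RX_HEADER.search(authorization)
    if not m:
        return None
    # t:base64Decode; the constructed sample tokens are all well-formed.
    decoded = base64.b64decode(m.group(1)).decode("latin-1")
    m = RX_USER.search(decoded)
    return m.group(1) if m else None


def basic(user, password):
    """Build a Basic Authorization header value (constructed test input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def failed_setvars(transactions):
    """Labels of 401 transactions where rule 2000015 finds no collection."""
    return [label for label, header, status in transactions
            if status == 401 and initcol_key(header) is None]


# Constructed sample traffic: (label, Authorization header, response status).
SAMPLE = [
    ("no header (client's first request)", None, 401),
    ("alice, wrong password", basic("alice", "wrong"), 401),
    ("alice, base64 token contains '/'", basic("alice", "p???"), 401),
    ("john.doe, '.' in username", basic("john.doe", "secret"), 401),
    ("alice, correct password", basic("alice", "right"), 200),
]

if __name__ == "__main__":
    for label in failed_setvars(SAMPLE):
        print("setvar would fail:", label)
```

Only the second sample request initialises the collections; the other three 401 responses hit `setvar` with no USER or IP collection in place.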

Hi,

I would like to check whether the issue has been fixed. If yes, please accept the answer, so that others who meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to give feedback.

Best Regards,
Danny

0 Votes 0 ·


1 Answer

0 Votes
YuhanDeng-MSFT answered

Hi,
I did some research but I didn't find any official documents about this issue.
Since log analysis and debug checks are actually not within the forum scope, I would suggest that you raise an MS support ticket. In addition, if the issue has been proved to be a system flaw, the consulting fee would be refunded. You may find the phone number for your region from the link below.
Global Customer Service phone numbers:
https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

Thanks for your time.
Best regards,
Danny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
