
Could not set variable “USER.user_false_counter” as the collection does not exist in ModSecurity logs Apache (Windows OS)

We are using the Apache module for our web server (Windows OS). We need to prevent unsuccessful authentication attempts by the user. Hence we thought to use the ModSecurity module. I use this standard configuration setting in "modsecurity-minimal.conf", as below:

SecStatusEngine On

SecRule IP:bf_block "@eq 1" \
    "id:'2000004',phase:4,deny,\
    logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

SecRule USER:bf_block "@eq 1" \
    "id:'2000005',phase:4,deny,\
    logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

SecRule REQUEST_HEADERS:authorization "Basic ([a-zA-Z0-9]+=*)$" "phase:3,nolog,pass,id:2000012,chain,capture"
    SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
    SecAction initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},initcol:IP=%{REMOTE_ADDR}

SecRule RESPONSE_STATUS "401" \
    "phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"
    SecAction setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300

# Check for too many failures for a single username, blocking 30 seconds after 3 tries
SecRule USER:user_false_counter "@ge 2" \
    "id:'2000020',phase:3,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.user_false_counter,\
    expirevar:USER.bf_block=30"

# Check for too many failures from a single IP address. Block for 5 minutes after 10 tries.
SecRule IP:ip_false_counter "@ge 2" \
    "id:'2000021',phase:3,pass,t:none,\
    setvar:IP.bf_block,\
    setvar:!IP.ip_false_counter,\
    expirevar:IP.bf_block=300"

However, when I look at modsec_debug.log, I get the following errors.

Could not set variable "USER.user_false_counter" as the collection does not exist.

Could not set variable "IP.ip_false_counter" as the collection does not exist.

Please help me resolve this issue.

This is a very complicated rule set (Is it taken from the ModSec Handbook?) and it may take hours to debug it. So it is not likely you will get the right support here.

What I can see immediately is that you are not always initializing the collection, and there is a chance rule 2000015 hits without the initialization. That is, when a browser requests a resource without basic auth, the server responds with 401, then your rule 2000015 hits, and only on the subsequent request would the browser request the same URI with the basic auth header.

So it looks to me as if your logic / rule architecture was garbled.

When I write complicated rule sets like this, I log every rule and I write and test them step by step and only if every rule works on its own, then I start to put them together, then I optimize them and then I put most of them to nolog.

This may take some time, so be warned.
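To make the ordering problem from the answer concrete, here is a reworked version of the same brute-force logic, written for this page as an illustration and not taken from the question, the answer, or the ModSecurity project. It assumes ModSecurity 2.x under Apache with SecDataDir configured (initcol needs persistent storage) and SecRuleEngine On (the SecStatusEngine directive in the question only controls status reporting and does not enable rules). The rule ids 3000001 to 3000007 and the TX.has_creds flag are my own choices; the thresholds follow the comments in the question (3 tries / 30 s per user, 10 tries / 300 s per IP) rather than the "@ge 2" the rules actually used. The IP collection is initialized unconditionally in phase 1, the USER collection only when a Basic credential is present, and the failure counters are incremented only for a 401 that follows a request that actually carried credentials, so the first unauthenticated request (which always gets a 401) never touches a collection that does not exist.

```apache
# Phase 1: always open the IP collection, so every later IP.* setvar has a collection to write to.
SecAction "id:3000001,phase:1,pass,nolog,initcol:IP=%{REMOTE_ADDR}"

# Phase 1: open the USER collection only when the request carries Basic credentials.
# The base64 alphabet here includes '+' and '/', which the question's pattern left out.
SecRule REQUEST_HEADERS:Authorization "@rx ^Basic\s+([A-Za-z0-9+/]+=*)$" \
    "id:3000002,phase:1,pass,nolog,capture,chain"
    SecRule TX:1 "@rx ^([^:]+):" \
        "t:base64Decode,capture,initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},setvar:TX.has_creds=1"

# Phase 2: deny blocked IPs before the request reaches the application.
SecRule IP:bf_block "@eq 1" \
    "id:3000003,phase:2,deny,status:403,log,msg:'IP blocked after repeated failed Basic auth',logdata:'ip=%{REMOTE_ADDR}'"

# Phase 2: deny blocked users, but only evaluate USER.* when the collection was opened above.
SecRule TX:has_creds "@eq 1" \
    "id:3000004,phase:2,deny,status:403,log,msg:'User blocked after repeated failed Basic auth',logdata:'user=%{USER.name}',chain"
    SecRule USER:bf_block "@eq 1"

# Phase 5: count a failure only when credentials were presented and the application still answered 401.
SecRule RESPONSE_STATUS "@streq 401" \
    "id:3000005,phase:5,pass,nolog,chain"
    SecRule TX:has_creds "@eq 1" \
        "setvar:IP.ip_false_counter=+1,expirevar:IP.ip_false_counter=300,setvar:USER.user_false_counter=+1,expirevar:USER.user_false_counter=300"

# Phase 5, after the increment: 10 failures from one IP -> block that IP for 5 minutes.
SecRule IP:ip_false_counter "@ge 10" \
    "id:3000006,phase:5,pass,log,msg:'IP brute-force threshold reached',setvar:IP.bf_block,setvar:!IP.ip_false_counter,expirevar:IP.bf_block=300"

# Phase 5, after the increment: 3 failures for one username -> block that user for 30 seconds.
# USER:user_false_counter resolves to nothing when USER was never opened, so this rule simply does not match then.
SecRule USER:user_false_counter "@ge 3" \
    "id:3000007,phase:5,pass,log,msg:'User brute-force threshold reached',setvar:USER.bf_block,setvar:!USER.user_false_counter,expirevar:USER.bf_block=30"
```

The order within each phase matters: the threshold rules (3000006, 3000007) sit after the counting rule (3000005) in phase 5 so they see the incremented value in the same transaction, and the deny rules run in phase 2 so a blocked client is refused before the application does any work. While testing, keep log on every rule and watch modsec_debug.log for "collection does not exist"; once that message no longer appears for the two-request flow the answer describes (first request without credentials, second request with them), switch the noisy rules to nolog.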
