modSecurity apache basic auth brute force attack prevent deny

modSecurity apache basic auth authentication authorisation brute force attack prevent deny

############################################
httpd.conf
###########################################

#enabling 2 modules
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule security2_module>
	Include conf/extra/modsecurity-minimal.conf    
</IfModule>

<IfModule mod_security2.c>
	SecRuleEngine On
		#SecRequestBodyAccess On
	SecResponseBodyAccess On 
		#Create/Find any dir where modSecurity will persist data e.g
	SecDataDir "SecDataDir /usr/local/apache/logs/data"
</IfModule>

##################################
Content of modsecurity configuration to prevent brute-force attack when basic auth is enabled in apache
conf/extra/modsecurity-minimal.conf    
##################################


#timer is set for 5 min(3000sec), for blocking one IP-address after 10 unsuccessfull tries, 
#user will be blocked for 30 seconds after 3 bad tries.
#USER and IP false-counters live within 5 minutes, then are being reset to 0 (so 3 bad tries per username per 5 minutes are allowed)
# (and 10 total bad tries from one IP per 5 minutes are allowed)

  # Enforce an existing IP address block
  SecRule IP:bf_block "@eq 1" \
        "id:'2000004',phase:4,deny,\
         logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}'
		 
	

	SecRule USER:bf_block "@eq 1" \
                "id:'2000005',phase:4,deny,\
                logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'

    
	SecRule REQUEST_HEADERS:authorization "Basic ([a-zA-Z0-9]+=*)$" "phase:3,nolog,pass,id:2000012,chain,capture"
		SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"				
		SecAction initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},initcol:IP=%{REMOTE_ADDR}
		
		
	SecRule RESPONSE_STATUS "401" \
		"phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"		
		SecAction setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300

	# Check for too many failures for a single username, blocking 30 seconds after 3 tries
    SecRule USER:user_false_counter "@ge 3" \
                "id:'2000020',phase:3,t:none,pass,\
                setvar:USER.bf_block,\
                setvar:!USER.user_false_counter,\
                expirevar:USER.bf_block=30"

	# Check for too many failures from a single IP address. Block for 5 minutes after 10 tries.
        SecRule IP:ip_false_counter "@ge 10" \
                "id:'2000021',phase:3,pass,t:none, \
                setvar:IP.bf_block,\
                setvar:!IP.ip_false_counter,\
                expirevar:IP.bf_block=300"				

I am getting these errors with these rules.
Could not set variable "USER.user_false_counter" as the collection does not exist.

Could not set variable "IP.ip_false_counter" as the collection does not exist.

Please help me resolving this issue.

Sorry, I am far away from that, right now

I'm testing it and it works perfectly, great job.

It worked here, however the block is never gone. lol

Does someone know if there is a way to unblock an IP manually? I've undone all the steps in order to "disable" the logic and checks, but it didn't work.

Funcionou aqui, porém o bloqueio nunca desaparece. lol

Alguém sabe se existe uma maneira de desbloquear um IP manualmente? Já desfiz todos os passos para "desabilitar" a lógica e as verificações, mas não funcionou.

https://malware.expert/tutorial/how-to-whitelist-ip-address-with-modsecurity/