#10065 Admin Tools Notification

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by Chacapamac on Tuesday, 01 November 2011 22:34 CDT

user44935
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the forum before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: (Version 1.5.23)
PHP version: ( 5.2.9 )
MySQL version: (5.0.45)
Host: (optional, but it helps us help you)
Admin Tools version: (Admin Tools Professional 2.1.10)


Description of my issue:
I'm always notified by Admin Tools that a security exception was detected, but I don't really understand what these security exceptions mean:

> IP Address: xxxxxxxx
> Reason: Bad Behaviour (User-Agent was found on blacklist)

or

> Reason: XSSShield

What does XSSShield mean exactly?

Also, when I'm notified regarding the security exception, I always add the IP address for this security exception to my blacklist... is it a good idea?

Apologies for my English and thanks in advance.

Michel

nicholas
Akeeba Staff
Manager
Hi Michele,

Bad Behaviour is a third party library. You can read more about it here. Please note that Bad Behaviour has several sub-cases. The one you posted (User-Agent was found on blacklist) means that the visitor tried to use a forbidden user agent string, e.g. a hacking program or an otherwise innocent utility which is frequently used for hacking purposes. However, Bad Behaviour throws a lot of false positives, so you needn't take it too seriously.

Likewise, the XSSShield tries to protect you from cross-site scripting attacks, i.e. someone trying to post malicious JavaScript code with the intent to lure your site visitors to a malicious page. However, it is not fool-proof and can lead to a lot of false positives.

I would recommend against putting IPs in the black-list for these two specific reasons. By doing that, you are most likely blacklisting legitimate users who were misfortunate enough to get hit by a false positive! Furthermore, IPs are dynamic and what belongs to a hacker now, may belong to a legitimate visitor in 3 hours. You don't want to block these IPs forever. Just use Admin Tools' automatic IP blocking which automatically manages a temporary ban of IPs which cause repeated security exceptions in a short period of time. These are most likely caused by hackers and it's a good idea to block them for a short cool-off period. Around 30 minutes is more than enough.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
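
The temporary-ban approach recommended in the reply above, sketched as an added example; this is not Admin Tools' code and not part of the original ticket. The threshold of 3 exceptions, the 60-second window, the CIDR-based never-block list and all names are assumptions; only the 30-minute cool-off comes from the reply.

```python
import ipaddress
from collections import defaultdict, deque


class TempBanTracker:
    def __init__(self, threshold=3, window=60, ban_seconds=30 * 60, never_block=()):
        self.threshold = threshold        # exceptions needed for a ban (assumed)
        self.window = window              # seconds they must fall within (assumed)
        self.ban_seconds = ban_seconds    # cool-off period, 30 minutes
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.events = defaultdict(deque)  # ip -> timestamps of recent exceptions
        self.banned_until = {}            # ip -> time at which the ban expires

    def record_exception(self, ip, now):
        """Log one security exception; return True if the IP is banned afterwards."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.never_block):
            return False                  # exempt addresses are never banned
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:            # repeated hits in a short period
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
        return self.is_banned(ip, now)

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now >= until:  # ban expired: address usable again
            del self.banned_until[ip]
            until = None
        return until is not None


def demo():
    # Constructed events (seconds, ip, reason); addresses are documentation ranges.
    log = [(0, "203.0.113.7", "XSSShield"),      # lone hit, likely a false positive
           (10, "198.51.100.9", "XSSShield"),
           (15, "198.51.100.9", "Bad Behaviour"),
           (20, "198.51.100.9", "XSSShield"),    # third hit within 60 s: banned
           (25, "192.0.2.50", "XSSShield"),
           (26, "192.0.2.50", "XSSShield"),
           (27, "192.0.2.50", "XSSShield")]      # in the never-block range
    tracker = TempBanTracker(never_block=["192.0.2.0/24"])
    for ts, ip, _reason in log:
        tracker.record_exception(ip, ts)
    return tracker
```
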

user44935
Thank you Mr Nicholas for your answer...
As you I'm French and my English is not so perfect...

If I understand, you said that when I get a notification, for example:
IP Address: 88.190.242.31
Reason: XSSShield

or
IP Address: 88.190.242.31
Reason: Bad B...(Header 'Connection' contains invalid values)
That means someone is trying to post malicious JavaScript code on my website, right?

nicholas
Akeeba Staff
Manager
Pretty much, yes, this is what it means. Please note that XSSShield and Bad Behaviour are known to throw a lot of false positives. I mean, they sometimes block a legitimate request because it "looks like" a hacking attack, even if it's not. No automated scanning tool is perfect.


user44935
Ok thank you very much for your help.

nicholas
Akeeba Staff
Manager
You're welcome!


Chacapamac
If we know the IP, can we keep those on and just put the IP in the “Never block these IPs” list?

By the way, can we use a range in the IP address there, e.g.: 123.456.*
