Support

If you read the Troubleshooter (which is THE official, well, troubleshooting documentation!!!) you will see that I suggest turning off XSSShield and Bad Behaviour integration. As I have written at least two hundred times on this forum and as I clearly state in the documentation, they are OVERKILL for most sites.

I will reiterate the main points for you:
- XSS attacks make use of bad markup which the browsers manage to somehow parse and execute as Javascript nonetheless. The proper way to deal with it is having the components used in a site properly escape their output. All components from reputable developers do, therefore using XSSShield is neither required, nor recommended. The XSSShield is an architecturally incorrect solution which relies on heuristics. Heuristics, by definition, are fuzzy and are bound to throw false positives.
- Bad Behaviour is a third party library which is known to heavily err to the side of caution. This will cause many false positives. Is it worth enabling? No, unless you are being bombarded by spam bot and hack bot attacks. Most sites should not enable it.
- The other fine point is the automatic IP blocking rules. The default settings are overkill, too. I would recommend blocking IP addresses automatically if you have at least 3 security exceptions in 1 minute and block for only a short period of time, e.g. 3 to 5 minutes. This is adequate to catch bots attacking your site and if it misfires upon your legitimate users they won't have to wait a whole day or week (which turns them off).

In the end of the day, you have to decide what is the best balance between security and convenience. Admin Tools Professional can be set up to offer a level of security from completely paranoid to absolutely lax. Depending on your site, you will have to choose the features to enable to be somewhere in the middle. It's your site, it should be your choice. Other firewall software don't offer that kind of fine-tuning. They are pre-set to offer a medium level of security, usually tweaked to err on the side of convenience.

Work is underway to link to the troubleshooter from all of the official documentation. So far I have done this for the Akeeba Backup User's Guide book. I will also work to do the same thing for Admin Tools, but it's a very long, manual and tiring process which requires me to take a day off support. That's why it has been delayed so long.

Regarding the suggestions:

1. This is not possible with Joomla! 1.6 and later since we have user-defined user groups. I will try to see if it's possible to add an ACL permission which can be activated per group. I won't bother implementing that for 1.5 as I will stop supporting that in April 2012, making unworthy to spend time on writing a feature with a maximum lifespan of 6 months.

2. All error messages except the automatic IP block are standard Joomla! error pages. You can beautify them using the instructions in Joomla!'s official documentation. Perhaps I can make the other error message go through Joomla!'s error pages to allow you to format the message?

Continuing my thought re #2, I don't want to re-invent the wheel risking exposure. Having Admin Tools allow you to define your own custom error pages means that I have to provide a front-end view in com_admintools to render them. However, this view can be directly accessed by an attacker to determine if you are using Admin Tools in an attempt to find out what kind of protection you have on your site. Adding a method of fingerprinting Joomla! and Admin Tools is not something I am very keen on doing, for security reasons ;)

And this is what I suggested. If you take a look at the custom error pages documentation, you essentially get to write your own HTML error page which can be used by Joomla!. Isn't this exactly what you are proposing and without having to manually create extra HTML files in your site's root or a subdirectory of your site?

I haven't tried, but I don't think that you can do that on the message itself, due to the filtering performed. However, you can freely add anything you want on a custom error page because, essentially, you are creating an HTML page with some PHP code bites here and there to make it display info sent to it by Joomla!.

If an IP is automatically blocked, we don't use the error page and we do have a time delay before showing the error message. This is done in order to save server resources in case this is a bot causing that. The best workaround is to configure Admin Tools Pro to not block users' IPs so easily. As I said, you can try setting it up to block people for 15 minutes after 3 security exceptions in 1 minute. No regular user will raise so many security exceptions so fast. If you do have such fast users, try raising the limit to 6 security exceptions in 1 minute.

If that doesn't solve the problem, let me know so that I can redesign that feature and have it eliminate the time delay and go through Joomla!'s error page.

I will have to think about the best way to implement that in a future version of Admin Tools Professional.