#12150 IP blocked not on the blacklist - Geoblock disabled

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 04 May 2012 08:32 CDT

user60489
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes - Admintool Users Guide - WAF - Blacklist
Joomla! version: 2.5.4
PHP version: 5.2.17
MySQL version: 5.5.19
Host: Linux
Admin Tools version: 2.2.5

Description of my issue:

I have a user that is being blocked by Admintools from accessing my site, but their IP is not in the blacklist, nor are any of the IPs in the output of the traceroute listed in the blacklist (nor any block of IPs). The user gets the default 'security violation' page.

I have the Blacklist feature enabled and populated with a lot of IPs, and it seems to be working as intended.

I am not using Geoblocking, and all boxes are unchecked.

I have verified it is Admintools blocking the user as I can drop the WAF and the user can get to the site.

nicholas
Akeeba Staff
Manager
Did you check the Security Exceptions Log? This will tell you why the user is denied access. Please note that a security exception (what your user experiences) and a blocked IP (what you think they experience) are two different things. Repeated instances of the former cause the latter.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user60489
Thanks for the reply, Nicholas.

Should repeat instances be logged each time in the logs? If the user tries now, should it appear in the logs?

nicholas
Akeeba Staff
Manager
Yes, of course. Until an IP is blocked, all security exceptions raised from that IP are logged.


user60489
Hmm...it's obviously being blocked then. The user just hit the website, and nothing popped up in the Security Exceptions. Does this sound like IP spoofing to you? Any way to tell? I can tell you this is coming from a University's fraternity house!

nicholas
Akeeba Staff
Manager
What you describe, the way you describe it happens, cannot happen. If the IP is blocked then the IP appears either in the Black List or the Auto-ban IP List. If it's not there, the IP is not banned. If the IP is not banned, the request is blocked by WAF. If WAF blocks the request, it creates a log entry (unless you've disabled logging in your WAF Configuration). If no log entry is created, WAF didn't block your user and neither was his IP banned. At this point I recall you said that disabling Admin Tools let your user log back in. Now, that's impossible. If it's neither an IP block nor a WAF block it can't be anything else in Admin Tools blocking your user. In this case I'd recommend taking a look at your WAF Configuration and checking whether you've accidentally disabled logging. If logging is not disabled, ask your user to clear his browser cache and cookies, quit his browser and retry.


user60489
Thanks, Nicholas. I don't doubt what you say is true.

However, these are the facts:

Logging has been enabled from day one, and IS currently still enabled in WAF - other Security Exceptions are presently coming in:

2012-05-02 20:20:06 120.33.239.219
  Remove from Black List CSRF Shield http://www.xxxxxxxxxxx.org/component/comprofiler/
2012-05-03 05:42:18 78.24.221.199
  Add to Black List CSRF Shield http://www.xxxxxxxxxxx.org/component/comprofiler/

The Auto-Ban list is empty.

The WAF Exceptions tab is empty.

Neither the user's IP nor any IP on his traceroute is in the black list.

I can send you the IPs on the Black List if you'd like to double-check me, but it's somewhat long. I've sorted it numerically, checked it, rechecked, and looked at it on different days, and the IPs are simply not there.

WAF allows many others to access the site with the exception of this one particular user.

Here is the traceroute output from the users computer:

traceroute to 216.172.180.35 (216.172.180.35), 64 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 5.394 ms 13.177 ms 5.777 ms
2 10.1.10.1 (10.1.10.1) 5.389 ms 2.035 ms 3.535 ms
3 73.100.188.1 (73.100.188.1) 10.946 ms 11.799 ms 12.501 ms
4 te-0-1-0-0-ur07.seattle.wa.seattle.comcast.net (68.85.240.153) 27.779 ms 11.204 ms 13.180 ms
5 be-1-ur08.seattle.wa.seattle.comcast.net (69.139.164.134) 12.479 ms 12.475 ms 9.228 ms
6 ae-20-0-ar03.seattle.wa.seattle.comcast.net (69.139.164.129) 10.641 ms 8.762 ms 10.778 ms
7 pos-1-14-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.85) 13.718 ms pos-1-4-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209) 14.150 ms pos-1-12-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.93.93) 12.526 ms
8 be-10-pe03.seattle.wa.ibone.comcast.net (68.86.84.74) 11.924 ms 15.164 ms 13.465 ms
9 ae13.bbr01.wb01.sea02.networklayer.com (75.149.228.38) 11.599 ms 13.561 ms 26.188 ms
10 ae0.bbr01.cf01.den01.networklayer.com (173.192.18.145) 36.517 ms 38.811 ms 39.539 ms
11 ae12.bbr02.eq01.dal03.networklayer.com (173.192.18.138) 49.887 ms 51.481 ms 63.939 ms
12 ae5.dar02.sr01.dal07.networklayer.com (173.192.18.181) 50.852 ms 51.877 ms 56.107 ms
13 po2.fcr01.sr01.dal07.networklayer.com (50.22.118.133) 51.225 ms 52.381 ms 67.306 ms
14 * * *
15 * * *

The user's network is using NAT and the private address space. The first routable IP address appears to be 73.100.188.1. That IP does not resolve to any host.

I don't think refreshing the user's browser cache or clearing cookies will achieve anything, as it was not needed when I dropped WAF and the user could get to the site - I raised WAF and the user was blocked. But I will ask the user to do that.

He gets the standard message about "403-We have detected a possible security violation...."

"Visual Fingerprinting" is on.

"Bad Behaviour Protection" is off.

"Auto Ban Repeat Offenders" is off.

"Project Honeypot Integration" is on, but "auto block suspicious IP's" is off.

Could something be coming across with the users connection that "Basic Security" is stopping?
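
The thread above turns on two things that are easy to get wrong by eye: a blacklist may contain range, wildcard or CIDR entries that a numerically sorted list of single addresses does not reveal, and the hops in a traceroute run from behind NAT are routers, not the client's public address. The following Python script is an added example written for this page; it is not Admin Tools code. It compiles a constructed blacklist into networks, reports which entry (if any) matches each candidate address, and flags private (NAT) hops pulled from the traceroute posted above. The entry syntaxes it accepts (single IP, CIDR, trailing-wildcard, and dash range) are an assumption about the blacklist format, and the blacklist contents are made up for the demonstration.

```python
import ipaddress
import re

# Constructed blacklist for the demonstration (not the poster's real list).
# Supported entry syntaxes are an assumption: single IP, CIDR, trailing
# wildcard octets, and an inclusive dash range.
BLACKLIST = [
    "78.24.221.199",            # single address from the posted log
    "120.33.239.0/24",          # CIDR covering the other logged address
    "73.100.*.*",               # wildcard covering the first public hop
    "10.1.10.1-10.1.10.50",     # dash range (private space, for illustration)
]

# Traceroute excerpt quoted from the ticket (hops 1-4 only).
TRACEROUTE = """\
traceroute to 216.172.180.35 (216.172.180.35), 64 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 5.394 ms 13.177 ms 5.777 ms
2 10.1.10.1 (10.1.10.1) 5.389 ms 2.035 ms 3.535 ms
3 73.100.188.1 (73.100.188.1) 10.946 ms 11.799 ms 12.501 ms
4 te-0-1-0-0-ur07.seattle.wa.seattle.comcast.net (68.85.240.153) 27.779 ms 11.204 ms 13.180 ms
"""

HOP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_entry(entry):
    """Expand one blacklist entry into a list of ip_network objects."""
    entry = entry.strip()
    if "-" in entry:  # inclusive range "a.b.c.d-e.f.g.h"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    if "*" in entry:  # trailing wildcard octets, e.g. "73.100.*.*"
        octets = entry.split(".")
        fixed = [o for o in octets if o != "*"]
        n_fixed = len(fixed)
        if len(octets) != 4 or octets[:n_fixed] != fixed:
            raise ValueError(f"wildcards must be trailing: {entry}")
        base = ".".join(fixed + ["0"] * (4 - n_fixed))
        return [ipaddress.ip_network(f"{base}/{8 * n_fixed}")]
    # Plain address or CIDR; strict=False tolerates host bits in CIDR input.
    return [ipaddress.ip_network(entry, strict=False)]


def compile_blacklist(entries):
    """Return (original_entry, network) pairs for every expanded entry."""
    return [(e, net) for e in entries for net in parse_entry(e)]


def matching_entries(ip, compiled):
    """List the original blacklist entries that cover the given address."""
    addr = ipaddress.ip_address(ip)
    return [entry for entry, net in compiled if addr in net]


def hop_addresses(text):
    """Extract the parenthesised addresses from traceroute output, in order."""
    seen = []
    for ip in HOP_RE.findall(text):
        if ip not in seen:
            seen.append(ip)
    return seen


def triage(candidate_ips, entries):
    """For each candidate address report whether it is private (a NAT-side
    hop that can never be the client's public IP) and which entries match."""
    compiled = compile_blacklist(entries)
    report = {}
    for ip in candidate_ips:
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "private": addr.is_private,
            "matches": matching_entries(ip, compiled),
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(hop_addresses(TRACEROUTE), BLACKLIST).items():
        kind = "private/NAT hop" if info["private"] else "public"
        hits = ", ".join(info["matches"]) or "no match"
        print(f"{ip:16} {kind:16} {hits}")
```

Run against the real blacklist, the output tells you in one pass which entry covers a given address, which is the check the poster had to do by hand. The private-hop flag is the other half of the lesson: 192.168.1.1 and 10.1.10.1 are RFC 1918 space and cannot be what the server sees, and the first public hop is the ISP router, so the client's public IP has to be obtained another way, as the thread later concludes.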

nicholas
Akeeba Staff
Manager
The only possibility left is that your user is conveying the wrong IP address to you. In other words, his IP is one of those listed in the security exceptions log, you just don't know which one. The only way to find out is to have him on the phone, ask him to access the site and immediately after he does so, refresh the security exceptions list. The latest exception will be from his IP with the exact reason listed there.


user60489
So this is IP Spoofing, correct?

I have a feeling the reason I am not seeing his IP currently appear in the Security Exceptions Log when he hits the site, is that his 'wrong IP' is already in the black list and is being blocked. I just don't know which IP that is, and there is no way to tell unless I clear the black list.

It sounds like the user is hosed at this point, by no fault of Admintools or the website, right?

nicholas
Akeeba Staff
Manager
Most likely he's behind a NAT or a proxy server, which is common in this kind of shared-bandwidth setup. For all I know, he might be behind his school's proxy, just like anyone else in the frat house (and I guess their traffic is logged, too). Since he sees a 403 error page and not the "You are a hacker, spammer, ..." message my educated guess is that his IP is not blocked yet. The security exception and the IP block return different error pages. That's why I am puzzled by your description. You should see his IP in the security exceptions, or he should see a different page than the one he claims he does.


user60489
Yes, I finally found out they are IP spoofing. We identified the user's real IP by going to an online IP identifier. I find it surprising that his IP wasn't showing up in the traceroute output - maybe I don't fully understand how traceroute runs.

The user's IP was in the black list. I do have a dated screenshot from the user showing the 403 error while his IP was in the black list. From what I understand you to say is that he should have been getting the "You are a spammer..." page? Do I have something not set properly for that? In the "Auto Ban.." section, the message is in the box, but the "IP Blocking of Repeat.." is NO - should that be yes so that it enables that page?

Nicholas, I want to thank you for working with me on this. I think we can call this a closed ticket.

Keep up the fantastic work, sir!

-Jay

nicholas
Akeeba Staff
Manager
Traceroute is based on ICMP Ping and the max hops TCP field. Cutting a long story short, if a device in the network doesn't implement ICMP Ping, its IP doesn't show in the traceroute (you only see stars instead of its IP).

Since you have not set up auto ban, your user is always seeing the 403 page since his IP does not get automatically banned. However, if you do ban his IP manually it gets added to the black list and now he sees a different error message ("You are a spammer, hacker, ..."). Most likely the user sent you his screenshot before you banned his IP address.
