#13012 email notification

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 24 August 2012 18:00 CDT

user52972
In Admin Tools 2.2.9 the WAF is working fine, but my site is getting hit by a script coming from different IP addresses trying to log in as admin.

When these attacks are occurring I'll get a flood of 100 or so messages letting me know that it happened and was blocked.

Is there any way to throttle down the email notifications? For example, send a single email that says "You had 100 attempts to log in to administrator in the last 5 minutes"?

BTW, thanks for a great software package!!

-jay


---------------------------------
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.x
PHP version: 5.2
MySQL version: (unknown)
Host: dedicated
Admin Tools version: 2.2.9


nicholas
Akeeba Staff
Manager
Hello Jay,

No, that's neither possible nor desirable. The idea behind email notifications is to know that you're being attacked in real time. What happens if you set it to wait for 100 hack attempts in X minutes and the hacker guesses the correct password on the 99th attempt? That's the entire point. I understand that the emails are annoying at times like this. You can always log in to your site's back-end and disable Admin Tools' emails by clearing the relevant email fields in Admin Tools' Web Application Firewall configuration page. After a while you may re-enable those emails.

Alternatively, you may try more strict auto IP blocking rules. You may set an IP block for 90 minutes if an IP throws 3 security exceptions within 10 minutes. This will gradually block all IPs involved in the attack, unless you are being hit by a very big botnet. In the latter case I'd be more worried about the resource depletion involved with such a large scale attack than the volume of emails received.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user52972

You, my friend, are great... I have never used a service where the developer / owner was so involved.

I did a poor job of explaining the problem. Most of my email floods are coming from Geo-IP address blocks.

Would you consider some type of filtering for them?

-jay

nicholas
Akeeba Staff
Manager
Hello Jay,

It's not possible to stop emails from GeoBlocking, but there are three alternatives to that.

The first alternative is the IP auto-ban I already mentioned. Once an IP gets auto-banned you won't receive emails about it for the duration of the ban.

The second alternative is disabling all email notifications except for failed and successful back-end logins. In order to do that you have to go to the Configure WAF page and remove the email address from the "Email this address on security exceptions" box.

Now, we have the third alternative: email filters. All mail clients, desktop or web-based, allow you to create email filters. If you observe Admin Tools' emails you'll see that there is a "Reason: something" mentioned in each one of them. It's easy to create email rules based on that string. Such rules could, for example, immediately delete all GeoBlocking notifications and keep receiving other emails. I've found that with creative use of email filters you can do some crazy stuff that would be impossible for me to add as code to Admin Tools. For example, I have it set up so that if someone logs in from an IP different from my regular static IP, the email notification is forwarded to another email address which sends an SMS to my mobile. All you have to do is be creative with your email filters :)

Nicholas K. Dionysopoulos

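The "Reason:" based mail filtering suggested in the reply above, as an added example that is not part of the original thread and not Admin Tools' own code. It parses notification messages constructed from the two formats quoted later in this ticket and decides what a mail rule would do with each: delete GeoBlocking notices, file auto-ban notices away, and forward a successful back-end login from an untrusted IP to an SMS gateway. The site name, the trusted IP range, the function names and the login reason strings ("Successful back-end login", "Failed back-end login") are assumptions made for the example; only "Geo Block" is a reason string quoted on this page.

```python
"""Added example, not Admin Tools' own code: mail-filter style triage of
WAF notification e-mails keyed on the "Reason:" line. Message texts are
constructed from the formats quoted in the thread; the site name, the
non-GeoBlock reason strings and the trusted IP range are assumptions."""
import re
from ipaddress import ip_address, ip_network

# Assumed: the administrator's own static IP range ("my regular static IP").
TRUSTED_IPS = [ip_network("198.51.100.0/24")]

REASON_RE = re.compile(r"^Reason:\s*(.+?)\s*$", re.MULTILINE)
IP_RE = re.compile(r"IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")
BAN_SUBJECT_RE = re.compile(r"^Automatic IP blocking notification for (\S+)")


def exception_mail(ip: str, reason: str) -> tuple:
    """Constructed 'security exception' message in the format quoted in the ticket."""
    body = ("We would like to notify you that a security exception was detected on "
            "your site, Example Site, with the following details:\n\n"
            f"IP Address: {ip} (IP Lookup: http://http://ip-lookup.net/index.php?ip={ip})\n\n"
            f"Reason: {reason}\n")
    return ("Security exception on Example Site", body)


def autoban_mail(ip: str) -> tuple:
    """Constructed 'automatic IP blocking' message in the format quoted in the ticket."""
    body = (f"We would like to notify you that the IP address {ip} is now blocked from "
            "accessing your site, Example Site, until 2012-07-26 09:01:04 GMT.\n")
    return (f"Automatic IP blocking notification for {ip} on Example Site", body)


# Constructed inbox. "Geo Block" is quoted in the thread; the login reason
# strings are assumed wording, so adjust them to what your own mails say.
SAMPLE_MESSAGES = [
    exception_mail("180.76.5.142", "Geo Block"),
    autoban_mail("180.76.5.175"),
    exception_mail("203.0.113.9", "Successful back-end login"),
    exception_mail("198.51.100.7", "Successful back-end login"),
    exception_mail("203.0.113.9", "Failed back-end login"),
]


def parse_notification(subject: str, body: str) -> dict:
    """Extract kind, IP and Reason. The IP is taken from the 'IP Address:' label,
    so the doubled 'http://http://' in the quoted lookup link does no harm."""
    m = BAN_SUBJECT_RE.match(subject)
    if m:
        return {"kind": "autoban", "ip": m.group(1), "reason": None}
    ip = IP_RE.search(body)
    reason = REASON_RE.search(body)
    return {"kind": "exception",
            "ip": ip.group(1) if ip else None,
            "reason": reason.group(1) if reason else None}


def is_trusted(ip: str) -> bool:
    """True when the IP falls inside one of the assumed trusted ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_IPS)


def route(subject: str, body: str) -> str:
    """Mail-filter decision for one message."""
    n = parse_notification(subject, body)
    if n["kind"] == "autoban":
        return "folder:auto-bans"      # keep it, but out of the inbox
    if n["reason"] == "Geo Block":
        return "delete"                # the flood this ticket is about
    if n["reason"] == "Successful back-end login" and not is_trusted(n["ip"] or ""):
        return "forward:sms-gateway"   # login from an unexpected IP: wake someone up
    return "inbox"


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Apply the rules to a whole batch; returns (ip, action) pairs."""
    return [(parse_notification(s, b)["ip"], route(s, b)) for s, b in messages]


if __name__ == "__main__":
    for ip, action in triage():
        print(f"{ip:16} -> {action}")
```

The rules are ordered so that the most specific match wins: an auto-ban notice never carries a "Reason:" line, so it is classified from its subject before the body is inspected, and a successful login from inside the trusted range falls through to the inbox rather than paging anyone.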

user52972
Question:

I have geo-ip blocks at two levels: 1) I block all continents except for the US and 2) I have checked individual countries all except for the US.

I seem to get two kinds of messages for similar IP addresses located in China (see examples below):

Example 1 seems to indicate that the firewall is processing the request before checking whether the IP is in a blocked country. Example 2 looks like it's the geo-ip/country block.

With Geo-IP blocking shouldn't Example 1 never happen?

-jay


Example 1
Subject: Security exception on Davie Florida Home Rentals

We would like to notify you that a security exception was detected on your site, Davie Florida Home Rentals, with the following details:

IP Address: 180.76.5.142 (IP Lookup: http://http://ip-lookup.net/index.php?ip=180.76.5.142)

Reason: Geo Block

If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.



Example 2
Subject: Automatic IP blocking notification for 180.76.5.175 on Davie Florida Home Rentals
We would like to notify you that the IP address 180.76.5.175 is now blocked from accessing your site, Davie Florida Home Rentals, until 2012-07-26 09:01:04 GMT.


If this is your own IP address, please use an FTP client to rename plugins/system/admintools/pro.php or plugins/system/admintools/admintools/pro.php -depending on your Joomla! version- to pro.php.bak, login to your site's back-end and use the Auto IP Blocking Administrator button in Admin Tools' Web Application Firewall panel page to remove the auto ban on your IP. Also remember to clear any Exceptions Log entries with your IP so that you don't get blocked again. Then, rename pro.php.bak back to pro.php and try accessing your site.



nicholas
Akeeba Staff
Manager
Example 1: the IP is not blacklisted. It goes through the firewall and gets caught by the GeoBlocking feature. It emails you telling you that the GeoBlocking feature intercepted the access attempt.

Example 2: The IP address triggered the firewall repeatedly. It now became automatically blocked. You will not receive notifications about it until 2012-07-26 09:01:04 GMT when the ban will be automatically lifted. When Admin Tools sees that IP until 2012-07-26 09:01:04 GMT it will prevent it from accessing your site BEFORE it is processed by the rest of the firewall rules.

I mean, think about it. If an IP is blocked it would be stupid to waste our time checking it against the firewall rules. It's blocked. It must not be allowed to proceed. What good would it do to have it go through the firewall and its GeoBlock feature?

Nicholas K. Dionysopoulos


user52972
Nicholas,

I assumed that any IP on the Geo-IP list was the equivalent of being IP blocked.

It seems like a waste of cycles analyzing the behavior of an IP address if it's already on the geo-ip block list?

Wouldn't it be more efficient to 1) check it against the deny list and then immediately check the geo-ip list? If it's not on either, then finish processing the request.

Regards,


-jay

nicholas
Akeeba Staff
Manager
> I assumed that any IP on the Geo-IP list was the equivalent of being IP blocked.

Not quite. We have to read the IP, run it against the GeoIP database, determine the continent and country and check them against the list of the continents/countries to be blocked.

> It seems like a waste of cycles analyzing the behavior of an IP address if it's already on the geo-ip block list?

The opposite holds true. Getting the IP is a very cheap operation. Checking it against the list of blocked IPs is also a very cheap operation. Checking it against the GeoIP database, however, is about 20-30x slower.

> Wouldn't it be more efficient to 1) check it against the deny list and then immediately check the geo-ip list? If it's not on either, then finish processing the request.

Which is EXACTLY what we are doing, as I told you. If the IP is in the black list it's not being further processed.

I believe you are getting confused with how the auto-block works. After a specific IP has triggered several* security exceptions it is automatically blocked. So what happens in that case is that the request goes through the firewall, gets blocked and then the auto-ban is enforced. Since the IP is added to the deny list after it has gone through the firewall we can't go back in time and check the just-updated deny list before going through the firewall. I believe that is self-understood.

* User-configurable in the auto IP ban area of the WAF configuration page

Nicholas K. Dionysopoulos

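The order of checks explained in this reply, together with the auto-ban rule suggested earlier in the ticket (3 security exceptions within 10 minutes gives a 90 minute block), as an added example that is not part of the original thread and not Admin Tools' own code. A request first hits the cheap deny-list lookup; only IPs that are not under an active ban reach the rules, where the expensive GeoIP lookup lives; each exception is notified immediately; and the ban is created after the rules have run, so it cannot short-circuit the request that triggered it. Replaying a burst from one IP reproduces the two message kinds quoted in the ticket: per-request "Geo Block" notices up to the threshold, one auto-ban notice, then silence until the ban expires. The `Waf` class, `geoip_lookup`, the prefix-to-country table (180.76.0.0/16 mapped to CN) and the `simulate` scenario are all constructed for this example.

```python
"""Added example (not Admin Tools' own code): order of checks in a WAF
front door as described in the thread. Deny list first (cheap), GeoIP only
for IPs that are not already blocked (expensive), and an auto-ban that is
applied AFTER the request has gone through the rules."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP database: prefix -> country code.
# The 180.76.0.0/16 -> CN mapping is an assumption made for this example.
GEOIP_TABLE = {
    ipaddress.ip_network("180.76.0.0/16"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def geoip_lookup(ip: str) -> str:
    """Longest-prefix match over the table; 'XX' when unknown. This is the slow path."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "XX"


@dataclass
class Waf:
    blocked_countries: set
    max_exceptions: int = 3          # "3 security exceptions ..."
    window_seconds: int = 10 * 60    # "... within 10 minutes"
    ban_seconds: int = 90 * 60       # "... blocked for 90 minutes"
    deny_list: dict = field(default_factory=dict)  # ip -> ban expiry (epoch seconds)
    exceptions: dict = field(default_factory=lambda: defaultdict(deque))
    notifications: list = field(default_factory=list)  # (ip, reason) e-mails sent
    geoip_calls: int = 0

    def handle(self, ip: str, now: int) -> str:
        """Returns 'denied' (active ban), 'blocked' (rule hit) or 'allowed'."""
        # 1. Cheap check first. An IP under an active ban never reaches the rules:
        #    no GeoIP lookup and no per-request e-mail (the ticket's Example 2).
        expiry = self.deny_list.get(ip)
        if expiry is not None:
            if now < expiry:
                return "denied"
            del self.deny_list[ip]       # ban expired, fall through to the rules
        # 2. Firewall rules. GeoIP is the expensive lookup, so it only runs here.
        self.geoip_calls += 1
        if geoip_lookup(ip) in self.blocked_countries:
            return self._exception(ip, now, "Geo Block")
        return "allowed"

    def _exception(self, ip: str, now: int, reason: str) -> str:
        # Every exception is notified in real time (the ticket's Example 1).
        self.notifications.append((ip, reason))
        # 3. Auto-ban is evaluated AFTER the rules: the deny list cannot be
        #    consulted for a ban that this very request is about to create.
        hits = self.exceptions[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window_seconds:
            hits.popleft()               # sliding window
        if len(hits) >= self.max_exceptions:
            self.deny_list[ip] = now + self.ban_seconds
            hits.clear()
            self.notifications.append((ip, "Automatic IP blocking"))
        return "blocked"


def simulate() -> Waf:
    """Constructed scenario: a burst from one IP in a blocked country, one US
    request, then the same IP again after its ban has expired."""
    waf = Waf(blocked_countries={"CN"})
    t = 1_000_000
    for i in range(6):
        waf.handle("180.76.5.175", t + i * 30)        # six hits, 30 s apart
    waf.handle("198.51.100.7", t + 200)               # allowed country, passes
    waf.handle("180.76.5.175", t + 200 + 90 * 60)     # ban expired, rules run again
    return waf


if __name__ == "__main__":
    w = simulate()
    for ip, reason in w.notifications:
        print(f"{ip}: Reason: {reason}")
    print("GeoIP lookups performed:", w.geoip_calls)
```

Of the eight requests in the scenario only five reach the GeoIP lookup: the three that sit inside the ban window are answered from the deny list alone, which is the cost saving the reply describes. The three "Geo Block" mails before the ban are also why the per-request notifications cannot simply be suppressed for an IP that will be banned later: at the time each of them is sent, the ban does not exist yet.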

user52972
Nicholas,

Thank you for taking the time to explain this.

You should consider a non-Joomla version of admin-tools - i.e., Drupal or a php library for any platform.

I've been in the online classified ads business since 1998 (homes.com, realestate.com, classifiedads.com, isell.com, etc) and something like this would have saved me millions of dollars in CPU and bandwidth not to mention all the traffic lost from search engine algo penalties for things like duplicate content or the money spent providing customer service to someone that's been defrauded by a 419 scammer.

Bottom line is that it's a great product. Let me know if you ever need a reference.

Thanks again...

-jay



nicholas
Akeeba Staff
Manager
Hi Jay,

I decided it's best to keep my business focused around Joomla!. You know what they say: the only way to be equally good in everything is being mediocre in everything. I try to make Akeeba Backup excellent and this requires a tight focus. For what it's worth, I'm keeping a keen eye on Joomla! Platform's JWebApplication API and related development. I hope that in the not-so-distant future it will be possible to have a standalone version of Akeeba Backup which can back up and restore everything based on PHP and MySQL. Well, we'll see how that plan pans out :)

Nicholas K. Dionysopoulos


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
