#13337 Auto blacklist multiple failed login attempts

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 21 August 2012 14:41 CDT

user54774
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: 2.5.6
PHP version: 5.2.17
MySQL version: 5.1.63-cll
Host: (optional, but it helps us help you)
Admin Tools version: 2.3.2
Description of my issue:

I was checking the logs last night, and found that someone had made over 700 attempts to log in as admin. All attempts were made from the same IP address and were made within a 5-minute time span. I have manually added the users to the ban list, but isn't this something that Admin Tools should catch? How do I configure Admin Tools to automatically add the IP to the ban list in a case like this?

nicholas
Akeeba Staff
Manager
There is already something to cater for that. Check the "treat failed logins as errors" checkbox and set up the automatic IP banning in the Configure WAF page.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user54774
Thanks for the superfast response. I am very grateful that I changed the admin user to something other than admin. <sneaky grin> So I was a bit shocked when I saw 600 attempts to log in as 'admin'. I just had a couple of follow-up questions.

1. Block after x attacks in y minutes. -- What is considered an attack? I don't want to set it so low that someone who just can't remember their password and is trying several different ones gets banned. What would you recommend? I was thinking of something like 3 in 2 mins.

2. Is there a way to redirect a blocked IP to a "special" page?


nicholas
Akeeba Staff
Manager
1. An attack is everything that raises a security exception in Admin Tools and gets logged in the Security Exceptions Log. Your hunch about a proper value being 3 in 2 minutes is quite close to what I'd use (3 in 1 minute). This filters automated attack scripts but not flesh and blood humans with bad memory :)

2. No. You just show them the special message. That's as much as you can do.


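The "block after x attacks in y minutes" rule discussed above, as an added example that is not part of the ticket and is not Admin Tools code. It assumes each failed login is logged as one security exception (the "treat failed logins as errors" option) and runs on constructed events: a script making 700 attempts in 5 minutes and a person retrying a password every 45 seconds.

```python
from collections import defaultdict, deque


def auto_ban(events, max_exceptions=3, window_seconds=60):
    """Return {ip: time_of_ban} for every IP that logs `max_exceptions`
    security exceptions inside any `window_seconds` span.

    `events` is an iterable of (timestamp_seconds, ip) sorted by time.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for ts, ip in events:
        if ip in banned:
            continue  # modelling choice: a blocked IP is no longer counted
        window = recent[ip]
        window.append(ts)
        # Drop entries that have aged out of the sliding window.
        while ts - window[0] >= window_seconds:
            window.popleft()
        if len(window) >= max_exceptions:
            banned[ip] = ts
            del recent[ip]
    return banned


def constructed_events():
    """Constructed sample data (documentation IP ranges, not real logs)."""
    # Automated script: 700 failed logins spread evenly over 300 seconds.
    script = [(i * 300 / 700, "203.0.113.7") for i in range(700)]
    # Forgetful human: four failed logins, one every 45 seconds.
    human = [(t, "198.51.100.20") for t in (0, 45, 90, 135)]
    return sorted(script + human)


if __name__ == "__main__":
    for label, window in (("3 in 1 minute", 60), ("3 in 2 minutes", 120)):
        bans = auto_ban(constructed_events(), 3, window)
        print(label, "->", bans)
```

With these constructed timings the script is banned within its first second under either setting, while the person retrying every 45 seconds is banned only under the 2-minute window.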
user54774
Thank you Nicholas.

I would like to submit a couple of Feature / Enhancement requests, then.

1. Allow the admin to specify an optional redirect page for any IP on the blacklist. I would like to be able to redirect those on the IP blacklist to a specific page, giving them information, and maybe even display a form, giving them the opportunity to request that an IP ban be lifted. It does happen from time to time: someone moves, changes providers, and is assigned an IP that has already been blocked because of the actions of the person who had the IP address before. I ran into that same experience when I recently changed hosting providers, and had to have the IP address removed from the "spammer" lists, because of the person who had the IP address before.

2. I know that I can specify that I want to 'autoban repeat offenders'. I would like a bit more granularity in the ability to specify how long that IP is blacklisted for. You could even allow for the URL in suggestion 1 to be a default and allow a separate page to be defined for each level, which would override the page defined in my first suggestion. :) You could either allow the admin to add as many as they wanted, or pick a static number between 3 and 5. For example:

Interval between bans before reset: 3 months
(meaning that if that IP is not banned for 3 months, the previous history is cleared from consideration.)

1st Ban: 15mins (optional: http://ymydomain.com/youwereabadboy.php)
2nd Ban: 1 day
3rd Ban: 1 week (optional: http://ymydomain.com/youwereaverybadboy.php)
4th Ban: Permanent (optional: http://ymydomain.com/youwerearenotwelcome.php)

In any event, thank you for your responses. You can close this ticket, you have given me all the information I need right now. I would have closed it myself, but I wanted to be sure that you saw my suggestions, and was afraid you'd miss them if I closed it.

Thanks Again for your help.
Daniel

nicholas
Akeeba Staff
Manager
1. That would only work if you redirect someone to a static HTML page. If you try using a page within Joomla! it would enter an infinite loop. The first page would send them to the error page, but loading the error page figures out that the user is blacklisted and redirects him back to the error page, i.e. itself, which does the loop all over again, and again, and again... until the browser calls it quits. And that's exactly why I do not allow you to do redirects and only allow you to type a message. A message which can contain contact information or a link to a static HTML page :)

2. No way. When an IP is blacklisted any attempt to access Joomla! from that IP skips loading Joomla! (actually: anything running after the onAfterInitialise phase of the application), displays the message and quits immediately. The automatic IP ban is also triggered depending on how many security exception log entries the IP has caused over the last X time frame. In order to implement your suggestion we'd have to make the check very complex (ergo: make each and every page load of your site ultra s--l--o--w, having all search engines penalise your site) and we'd have to raise a security exception every time a blocked IP tries to access Joomla!. This would not only cause yet another email to be generated (leading to your email inbox or outbound email server crashing at some point) but would also fill up your database (a very nice Denial of Service chance for hackers over here), consume a lot of your server's CPU (another DoS chance) and would overall offer no additional benefit. You really don't want me to implement that :)


user54774
Thank you for the in-depth explanations.

nicholas
Akeeba Staff
Manager
You're welcome! I always try to explain why I do or do not accept a feature request :)

