#13747 Auto Ban based on Username

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by user49054 on Tuesday, 09 October 2012 11:19 CDT

user49054
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes, multiple, regarding this issue mainly page "https://www.akeebabackup.com/documentation/admin-tools/web-application-firewall.html"
Joomla! version: (2.5.6)
PHP version: (5.2.5)
MySQL version: (5.5.25a)
Host: (siteground)
Admin Tools version: (2.4.0)

Description of my issue:
Requesting the ability to auto ban IPs that try to login with username "admin" or any set usernames. I receive 100+ attacks a day on average and the current setup does not prevent these attacks very often. I do not have a user "admin" so being able to auto ban anyone that tries to login with that username would eliminate a lot of attacks and emails in my inbox.

I have set the "CSRF/Anti-spam form protection (CSRFShield)" to Advanced but it has not had ANY effect.

nicholas
Akeeba Staff
Manager
No, there is no such feature in Admin Tools. Even if there was, you'd still get an email telling you that someone attempted to log in with one of the forbidden usernames. What you actually need to do is set the "Treat failed logins as security exceptions" to Yes and also set up the automatic IP ban. I would recommend setting it as: auto ban after 3 failed attempts in 1 minute, for 15 minutes. This is a nice balance between not auto-blocking users who forget their password –but insist on trying the wrong password– and blocking bots which try to log in to your site with inexistent / invalid credentials.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user49054
Thanks for the quick reply.

I know there is not a feature such as I requested, that's why I am asking it be looked into for the future.

I have set the auto ban based on security exceptions, however after I did that a month ago the bot got smarter, now it only attacks 2 times every 30 minutes. I cannot set the auto ban below 5 MAYBE 4 because the website is a volunteer website with a lot of older volunteers who continuously forget their password or type it wrong.

Further, I believe there should be more control over the security exceptions, either separated into different categories (admin query string and login failure) or be able to set one (such as admin query string) to be worth 2 or 3 or 4 or whatever amount of exceptions per incident. For example, one attempt at the wrong admin query string should be worth 3 exceptions while a failed login is only worth 1, this would allow Admin Tools to auto ban persons trying to access the back end faster.

I love Admin Tools, it has saved me a few times, however I believe it still is missing a few important features to prevent attacks.

nicholas
Akeeba Staff
Manager
The login username feature is more complicated than you might imagine. Joomla! makes it easy to get a notification when a login fails or succeeds. It is impossible to figure out what the username is unless you restrict such a feature to working ONLY with the core Joomla! login module and com_user. If you have a third party login module you would have to modify Admin Tools' code to make it work. This will never happen and will be consistently reported as a bug. Therefore I cannot implement something which I know will be broken and unfixable.

Regarding fine control of automatic blocking, this is also not a wise thing to do. Really! Let's forget the fact that it would be a 4 by 25 grid which is extremely tough for a human to understand and borderline torturous. It would also be excruciatingly slow to check. It would also be outright impossible to figure out WTF someone is / is not blocked. Please watch what you are wishing for. It's easy for me to implement this monstrous feature but it would be impossible to use or understand. Would you really want an impossible to understand black box to have the final say on who gets blocked from your site? Or would you end up filing dozens of support requests every month which would require me 30-60 minutes each to reply, resulting in me pulling out this monstrosity? There you have it.

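As an added illustration (not Admin Tools code, whose PHP internals are not shown on this page), the Python model below replays constructed traffic through the three rules discussed in this thread: the staff recommendation of 3 exceptions in 1 minute with a 15 minute ban, the reporter's floor of 5, and the reporter's proposed weighting where one admin query string probe counts as 3 exceptions. The addresses, timings and exception names are made up; the model shows the trade-off the thread circles around: the recommended setting also bans the forgetful volunteer, the floor of 5 never catches the slow bot, and weighting catches it at the cost of an extra per-category knob.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AutoBan:
    """Sliding-window auto-ban: ban an IP for `ban_for` seconds once the weighted
    exceptions it raised in the last `window` seconds reach `threshold`."""
    threshold: int
    window: int
    ban_for: int
    weights: dict = field(default_factory=dict)  # kind -> weight; missing kinds count 1
    _events: dict = field(default_factory=dict, init=False)  # ip -> deque of (ts, weight)
    _bans: dict = field(default_factory=dict, init=False)    # ip -> ban expiry timestamp

    def record(self, ip, kind, ts):
        """Record one security exception; return True if the IP is (now) banned."""
        if self._bans.get(ip, -1) > ts:          # still serving an earlier ban
            return True
        q = self._events.setdefault(ip, deque())
        q.append((ts, self.weights.get(kind, 1)))
        while q and q[0][0] < ts - self.window:  # forget events older than the window
            q.popleft()
        if sum(w for _, w in q) >= self.threshold:
            self._bans[ip] = ts + self.ban_for
            q.clear()
            return True
        return False


def replay(policy, log):
    """Feed (ts, ip, kind) events to a fresh policy; return ip -> first ban ts (or None)."""
    first_ban = {}
    for ts, ip, kind in log:
        first_ban.setdefault(ip, None)
        if first_ban[ip] is None and policy.record(ip, kind, ts):
            first_ban[ip] = ts
    return first_ban


# Constructed sample traffic as (seconds, ip, kind); addresses and timings are made up.
SAMPLE_LOG = [(t, "10.0.0.1", "login_failure") for t in (0, 20, 40)]        # forgetful volunteer
SAMPLE_LOG += [(t, "10.0.0.2", "login_failure") for t in range(100, 105)]  # burst bot, 5 tries
SAMPLE_LOG += [(b + i, "10.0.0.3", k) for b in (200, 2000)                 # slow bot: admin probe
              for i, k in enumerate(("admin_query_string", "login_failure",  # + 2 logins, repeated
                                     "login_failure"))]                      # 30 minutes later

def recommended(): return AutoBan(3, 60, 900)   # staff reply: 3 in 1 minute, ban 15 minutes
def current():     return AutoBan(5, 60, 900)   # reporter's floor: volunteers need 5
def weighted():    return AutoBan(5, 60, 900, {"admin_query_string": 3})  # reporter's proposal
```

Run `replay(recommended(), SAMPLE_LOG)` and the other two factories to compare which address each rule bans and when.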

user49054
Ok, I will look into a modification of my own.

Thanks.
