Support

Admin Tools

#14043 Block after 'x' attacks being bypassed

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 08 November 2012 11:50 CST

Thursday, 08 November 2012 11:18 CST

chrisjclay
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes (AdminTools troubleshooting guide)
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes (WAF section)
Joomla! version: 2.5.7
PHP version: 5.3.15
MySQL version: 5.5.23-55
Host: Hostgator
Admin Tools version: 2.4.1

Description of my issue:

Hi Nicholas,

Over the last few days, I've noticed a number of attacks against my client's sites in which someone will try to log into the admin area using a dozen or more different passwords ALL WITHIN THE SAME SECOND. I assume some software must be involved since obviously a human couldn't do this by themselves... Even though I have "Block after 'x' attacks in 1 hours" set low (5 attacks on one site, 2 or 3 on others) the user isn't blocked until after they've had a chance to do a whole bunch of attacks all at once.

See the attached screen capture. You'll see 18 different admin login attempts, from the same IP address, all at 2012-11-08 12:14:54. THEN they were blocked and I received an email notice re: Automatic IP blocking.

If someone manually tries to log in with the wrong info, the setting works fine and will block them after x attempts. I'm just concerned by the discovery of these automated attacks, on more than one client site, all in the last week or so. Do you know how they are bypassing the WAF auto IP block setting by doing so many attacks all at once?

Cheers,
Chris

Thursday, 08 November 2012 11:23 CST

chrisjclay
Here's another example, from another client's site. Again, 18 attacks, all showing up in the exceptions log at the exact same time. THEN their IP address was blocked, but not before they had 18 chances to attempt to log in.

Thursday, 08 November 2012 11:33 CST

nicholas
Remember that PHP is a stateless language with very poor inter-process communication (which is why it's not used in any mass-distributed PHP-based software). This leaves us with one option: rely on the database to keep track of security exceptions. The security exceptions are committed to the database a few milliseconds (100-500) after they are blocked. It will also take a few milliseconds (anything from 50msec to 2 seconds) for the data to become available for MySQL SELECTs. Within this small time window Admin Tools can't know that many security exceptions are taking place from the same IP. That's why you see all those log entries.

As soon as the data is committed to the database and available to MySQL for SELECT operations, all subsequent requests from the same IP triggering a security exception cause the attacker's IP to be blocked. That's why you only see a bunch of attacks happening within the same second and nothing else from this IP; Admin Tools catches up and blocks the sorry bastard who's launched a parallel attack.

In this case I would be more concerned about the DoS effect of such a parallelised attack rather than the possibility of the attacker causing any other kind of harm to your site. If you observe many parallelised attacks happening very frequently you have to ramp up your security This includes anything from mod_security filtering up to null routing the attacker's IPs directly in the upstream provider. Frequent parallelised attacks may actually be a prelude to a DDoS attack.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 08 November 2012 11:39 CST

chrisjclay
Thanks for your prompt and thorough explanation. Fortunately, these automated attacks have only occurred once at the most on each site in question. I just found it odd that I suddenly observed the behaviour on multiple client websites, coming from different IP addresses. Anyway, if similar attacks continue or are repeated more than once on any particular site I'll look into the other options you suggested.

Chris

Thursday, 08 November 2012 11:50 CST

nicholas
Seeing something like that once or very infrequently is not a big deal. The way hackers work is that they first do a "scouting" to find interesting domains (e.g. domains with URLS which make'em look like they might be using Joomla!). If they're a little smarter than a doorknob they will check the IP address and then do a reverse query to see what other sites are hosted on the same IP. The chances are that there are more Joomla! sites on the same shared host. Then it's attack time. If they get blocked they usually move on to an easier mark.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!