Support

This is correct. The sleep() is executed when a blocked IP is trying to access your site again. This is done in order to stall hacking scripts attacking your site. The longer the request takes, the more likely is that they will abandon whatever they're trying to do in a shorter period of time. This doesn't have anything to do with 504 errors you might get in legitimate requests.

Legitimate requests are not blocked and this part of Admin Tools' code does not run. Of course, if you do generate a lot of security exceptions for a particular IP (e.g. because of false positives) then it will get auto-banned as per your IP auto-ban settings and this part of Admin Tools code will run for all requests coming from this IP. Even if it didn't, you'd still get a message that this IP is banned (as per your configuration, of course). So the real problem you have to look into is why those IP addresses end up being banned. Look in the Security Exceptions Log and find out why.

You have to make sure that you follow our instructions to the letter:

Go to Components, Admin Tools, Web Application Firewall and click the Exceptions Log button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the Auto IP Blocking Administration button. Select the record showing your IP address and click on the Deletebutton to delete the block.

As you can see there are two locations you have to check:

1. Security Exceptions Log. If your IP is there, it will get auto-banned despite it being in the whitelist.
2. Auto IP Blocking Administration. If your IP is blocked in there, it will continue receiving 504 errors.

Remember that your IP will never end up automatically in the IP Blacklist. The IP Blacklist is where you can manually put IPs or IP ranges to block. I believe this is where you were looking previously, right?

If this doesn't help, please try disabling the Bad Behaviour integration in Admin Tools' Configure WAF page. Bad Behaviour runs on a hair trigger and it's just too keen to block your request. False positives are the norm and when it does block something it runs its own, very long sleep() command.

You are that man :) Thank you very much as I had did all except very the auto block - doh

No worries :) It's the most common mistake when someone tries to unblock himself.

While I have you attentionm I have another question. When using GEO blocking some support comes from a country that I have on the GEO block. I add there ip to the whitlist and they are still refused access. What am I doing wrong on this? or should i just not use geo blocking and let the fw just be a guardian?

It has to do with the order individual features are executed. GeoBlock is the first thing to be executed, long before whitelists are even loaded.

I would recommend turning off the GeoBlock feature. It's really not a security feature. It can stop Joe Average coming from Country X from visiting your site, but that's about it. A clever hacker would just use a free proxy to circumvent this protection. The only reason that feature is still included is that some misguided people swear by it despite my warnings. It doesn't cost me anything to maintain it (the GeoIP library would be included anyway, it's used to determine the country shown in the security exception emails) so I just left it there to mute those misguided, but very vocal users :)

You're welcome!