#14093 WAF Auto-ban Repeat Offenders not working in Admin Tools version 2.4.2

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Monday, 12 November 2012 09:33 CST

nemmar

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Some of them.
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.8
PHP version: 5.3.15
MySQL version: 5.5.24-cll
Host: dedicated server
Admin Tools version: 2.4.2
 
Description of my issue:

I have noticed after upgrading AT Pro that the WAF Auto-ban Repeat Offenders is not working in Admin Tools version 2.4.2

I have attached a screenshot of my WAF settings for the auto-ban and it's set to block IPs after only 3 attempts in 3 hours. However, I haven't had any IPs auto-banned since I upgraded to the latest version of AT Pro. I am getting many emails from the same IPs in a short period and none are getting auto-blocked. For example, I received the following security exception alert email over 25 times in less than 3 hours (sometimes 5 emails sent at the same time) for this IP.

We would like to notify you that a security exception was detected on your site, XXXXXXXXXXX, with the following details:

IP Address: 207.46.119.86 (IP Lookup: http://ip-lookup.net/index.php?ip=207.46.119.86)
Reason: tmpl= in URL

If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

This is happening with other IPs also and none are getting auto-banned. I know I can add the IPs to the Site IP Blacklist. But I would like to know how to get the auto-ban feature working again since it saves me the trouble of having to log in to manually add IPs to the Blacklist.

Thanks for any advice!

nicholas
Akeeba Staff
Manager

I am pretty sure it does work for the following reasons:

  • I didn't touch its code before releasing the new version. It can't spontaneously change its behaviour.
  • It works on our site. Just today it blocked a Turkish hacker who's stupidly been trying to brute force his way into the administrator page for the past two months. Therefore it's tested to be working by me.
  • Just yesterday I had two tickets from people who blocked themselves because the IP auto-block kicked in. Therefore it's tested to be working by other people.

And this brings us to the pre-requisite for this feature working: "Log security exceptions" must be enabled in the Configure WAF page. If it's disabled (set to No) then you do receive an email but Admin Tools no longer keeps track of when and which IP raised what kind of security exception, therefore there's no way the auto-block can work. Maybe that's the change you did to your configuration?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
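
The dependency described in the reply above, as an added example that is not part of the ticket and is not Admin Tools code: a small model in which the alert e-mail is sent on every security exception, while the auto-ban counts entries in the exceptions log. The class, the sample IPs, and the assumption that a banned IP raises no further alerts are all constructed for illustration; the threshold of 3 exceptions in 3 hours is the setting from the ticket.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBanModel:
    """Toy model: alert e-mails and auto-ban both hang off one exception handler."""

    def __init__(self, threshold, window, log_exceptions):
        self.threshold = threshold
        self.window = window
        self.log_exceptions = log_exceptions
        self.log = defaultdict(deque)   # ip -> timestamps of logged exceptions
        self.banned = set()
        self.emails_sent = 0

    def security_exception(self, ip, when):
        if ip in self.banned:           # assumed: banned IPs are dropped silently
            return
        self.emails_sent += 1           # the alert goes out with or without the log
        if not self.log_exceptions:
            return                      # nothing recorded, so nothing to count
        hits = self.log[ip]
        hits.append(when)
        while when - hits[0] > self.window:   # forget hits older than the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.banned.add(ip)


# Constructed sample traffic (documentation IP ranges, not taken from the ticket)
START = datetime(2012, 11, 11, 8, 0)
EVENTS = [("203.0.113.10", START + timedelta(minutes=6 * i)) for i in range(25)]
EVENTS += [("198.51.100.7", START + timedelta(hours=4 * i)) for i in range(2)]
EVENTS.sort(key=lambda e: e[1])


def replay(events, log_exceptions):
    """Return (alert e-mails sent, banned IPs) for 3 exceptions in 3 hours."""
    model = AutoBanModel(3, timedelta(hours=3), log_exceptions)
    for ip, when in events:
        model.security_exception(ip, when)
    return model.emails_sent, sorted(model.banned)


if __name__ == "__main__":
    print("logging on :", replay(EVENTS, True))
    print("logging off:", replay(EVENTS, False))
```

With logging off the model reproduces the symptom in the ticket: an alert for every request and no ban, because the counter the ban relies on is never fed.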

nemmar

Nicholas,

I didn't realize that turning off the Log Security Exceptions would disable the auto-ban feature. So that was the cause of the missing auto-ban emails. I disabled the Log Security Exceptions because I had over 100 pages in the security exceptions log feature of alerts.

Is there a way to easily delete tons of pages of alerts in the log section? I tried using the "Show All" feature of the display option but that won't work when you have too many alerts to display and then delete. I guess Joomla locks up when the lists are too long. So the only option was to delete 100 log alerts at a time, which takes a while when you have too many.

Is there an easier way to clear out the log alerts in the WAF? For example, is it better to use phpMyAdmin to clear out the log alerts table when it gets too big? I have DB Replacer Pro so I guess that's another option, unless you think it could create problems with AT Pro.

nicholas
Akeeba Staff
Manager

Right now there is no feature to periodically clear the log. I will implement something like that in a future version of Admin Tools.

Nicholas K. Dionysopoulos
