#14270 System admin locked out by firewall because of DFIShield

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 05 December 2012 04:54 CST

olafos

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Manual
Joomla! version: 1.5.26
PHP version: 5.2.17
MySQL version: 5.1.52-cll
Host: (optional, but it helps us help you)
Admin Tools version: Pro Admin Tools 2.2.10

Description of my issue:

The system administrator of the actual site got locked out after trying to log in to the back end. Her computer hung and she had to restart. After this, the site got locked.

I tried to whitelist her IP - didn't help.

The firewall log says the reason for blocking the site for her IP was DFIShield.

What to do?


Best regards

Olav Fosså (superadmin for site)

nicholas
Akeeba Staff
Manager

Hi Olav,

DFIShield means that Admin Tools blocked the request because the request contained an absolute or dotted relative path to an existing file on the server. But here's the strange part. You said that this happened after trying to log in the back-end. DFIShield does not run on requests trying to access the back-end of the site. In fact, only the IP blocking features (whitelist, blacklist, automatic IP blocking, GeoBlock), the two factor authentication and the administrator secret URL parameter features do run for back-end requests. Can you please paste here the Referer URL from the log so that I can understand what happened?

Now, as far as the unblocking of your client is concerned, please read this: https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html You need to follow the instructions under the "Automatically banned IP address" header.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

olafos

Thanks so far, Nicholas

The user tried to log in four times before locking (as set up in the firewall). The URLs are:

http://site.no/index.php?option=com_jce&task=plugin&plugin=imgmanager_ext&file=imgmanager&method=form&cid=20&273760eadbf9a1c301f7d6d7a9ec58fb=55e0a249a50bf4d4018d1a09bd4f4fe9

http://site.no/index.php?option=com_jce&task=plugin&plugin=imgmanager_ext&file=imgmanager&method=form&cid=20&273760eadbf9a1c301f7d6d7a9ec58fb=a792e7300f75bb5625466b197f9bd4e5

http://site.no/index.php?option=com_jce&task=plugin&plugin=imgmanager_ext&file=imgmanager&method=form&cid=20&273760eadbf9a1c301f7d6d7a9ec58fb=a792e7300f75bb5625466b197f9bd4e5

http://site.no/index.php?option=com_jce&task=plugin&plugin=imgmanager_ext&file=imgmanager&method=form&cid=20&273760eadbf9a1c301f7d6d7a9ec58fb=a792e7300f75bb5625466b197f9bd4e5

I will do the unlocking procedure mentioned in https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html later today.


nicholas
Akeeba Staff
Manager

Hi Olav,

Ah, I know what this is. This is the JCE image manager triggering the DFIShield protection. JCE is a legitimate component, so we have to add an exception for it.

Go to Admin Tools, Web Application Firewall, WAF Exceptions. Add a new exception where the Component is set to com_jce and the other fields left blank. Now you will no longer get blocked because of JCE's media manager.

FWIW, the WAF Exceptions feature was added over a year ago when we discovered that JCE was triggering DFIShield. It used to be a hardcoded rule. After a while we saw a few other components (mostly file management components) being affected in a similar fashion and we upgraded this to the full-fledged exceptions feature.

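As an added illustration (my own code, not Admin Tools' implementation), here is a small Python model of the DFIShield rule as Nicholas describes it above, combined with the per-component WAF exception from the reply about JCE. It assumes a throwaway directory standing in for the site root and that the exception is keyed on the request's `option` parameter.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qsl

# Constructed stand-in for a Joomla! site root: a throwaway directory
# holding one file, so that an existing-file check has something to find.
SITE_ROOT = tempfile.mkdtemp(prefix="joomla_")
with open(os.path.join(SITE_ROOT, "configuration.php"), "w") as fh:
    fh.write("<?php // constructed sample, not a real configuration file\n")

# WAF exception as configured in the ticket: component set to com_jce,
# other fields blank, so every request for that component bypasses the rule.
# (Assumption: the exception is matched on the 'option' query parameter.)
WAF_EXCEPTIONS = {"com_jce"}


def looks_like_path(value):
    """True for an absolute path or a dotted relative path (./ or ../)."""
    if value.startswith("/"):
        return True
    return any(part in (".", "..") for part in value.split("/"))


def resolves_to_existing_file(value, site_root):
    """Resolve the value against the site root and check that a file exists.

    Absolute paths are tested as-is; relative ones are joined to site_root.
    """
    candidate = value if os.path.isabs(value) else os.path.join(site_root, value)
    return os.path.isfile(os.path.normpath(candidate))


def dfishield_hit(url, site_root=SITE_ROOT, exceptions=WAF_EXCEPTIONS):
    """Return the (parameter, value) that would trip the rule, or None.

    A request whose component is listed in the exceptions is never blocked,
    which is exactly what the com_jce exception in the ticket achieves.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if dict(params).get("option") in exceptions:
        return None
    for name, value in params:
        if looks_like_path(value) and resolves_to_existing_file(value, site_root):
            return (name, value)
    return None
```

A value such as `file=imgmanager` carries no path separator, so this model does not flag the JCE URLs from the log on its own; the real trigger inside Admin Tools is not detailed in the ticket.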

olafos

Hi Nicholas

You wrote "JCE is a legitimate component, so we have to add an exception for it." Does this mean you will make an update for Admin Pro, or do I have to apply these settings to all my websites (all are using JCE and Akeeba Pro)?

Anyway - thanks so much!

nicholas
Akeeba Staff
Manager

No, I won't make an update. If you read the last paragraph of my previous reply you'll see that this is what I used to do many versions ago, but it was a dead end approach. You have to add this exception to all of your sites which are using JCE's media box plugin.

