#15017 A few simple questions ...

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Thursday, 14 February 2013 05:14 CST

user71441

Hi,

I have a few questions about Admin Tools Pro, but since these questions are very simple - I didn't want to start new threads for each...

I've become a little paranoid after my old Joomla! 1.5 site was infected with the Blackhole exploit kit and with js/redir... I don't know much about website/Joomla! security (but I am learning :D), so I need to ask you, and I apologize for bothering you again.

1. There is an extension Encrypt configuration (http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/11519), which uses RSA to encrypt passwords or any other data you want in your component (It is necessary to have the bcmath extension...). Is it possible that this extension will cause some problems when using Admin Tools Pro - WAF, .htaccess... ? If you are not sure, then I will not use this extension :D

2. Is there a log file where I can see which IP addresses are blocked by Honey Pot and WAF generally?

3. Can "Auto-ban Repeat Offenders" ban Googlebot, and cause problems with Google and other search engines? Are there false positives (do you recommend to use this option in WAF)?

4. In Plug-in Manager, when I select type "System", System - Admin Tools is first on the list, and it has a "-9999" ordering number. But the second plugin on the list also has "-9999" - is this ok for WAF?

5. Since I've become a little paranoid, I'm thinking of installing one more security extension (free) which has a WAF, but will this work since I already have Admin Tools Pro WAF on my site? Can a collision be caused between the two firewalls, and do I even need one more WAF?

Again, sorry for bothering you - and I apologize - my English is bad.

Thank you in advance,

Best regards,

Filip

nicholas
Akeeba Staff
Manager

1. This is a big question that normally needs about 2 pages to be adequately replied to. The executive summary is: don't do it! As long as Joomla! can read the passwords so can a hacker who has infiltrated your site.

2. For Project Honeypot no, they cannot be logged. For everything else there is: Components, Admin Tools, Web Application Firewall, Security Exceptions Log (hint: it's documented)

3. Yes it can and will ban Googlebot. If you follow my recommendations for the maximum ban time (around 15 minutes to 1 hour) you won't cause any problems with your site's indexing. Tip: submit a sitemap to Google. It will help Googlebot ignore bad URLs which could get it banned.

4. It depends on the other plugin but, generally speaking, no, it's not all right. Give System - Admin Tools a smaller number, e.g. -15000.

5. If you do that please don't ask me for support if something doesn't work. I know how Admin Tools works and I can help you with it. But I don't want to waste my time chasing a non-existent issue caused by a third party extension. The only way you will be able to ask for my support is after disabling the other extension and making sure that you can reproduce the issue. Besides, having many security extensions has never helped a site become more secure. Security extensions are tools to a purpose. Learn how to use your tool, don't use more tools.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user71441

Thank you, I was thinking that you will ban me after this thread (too many questions) :D

1. Ok, I will not use that extension.

2. Ok. In Security Exceptions Log I saw many, many accesses (visits) to "email article"...

3. The default was: Block after 3 attacks in 1 hour | Block for this long: 1 day. Now I have changed it to 1 hour.

4. Ok, now the System - Admin Tools plugin is the only one with a negative ordering number.

5. Ok, I will not do that, I will not install another extension... :)

I was thinking about using your Master .htaccess, but since I do not know anything about apache configuration (and, in general, about web sites - php, js, ajax, jquery... ) - I gave up. I'm not an expert for websites, apache... I think I did the maximum, I'll update my site and extensions, I'll use one PC with PCLinuxOS for administration and, of course, that PC with LINUX will be used ONLY for Joomla! administration... and I will pray! :D

Thank you very much Nicholas, you helped me a lot.

All the best,

Filip
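The trade-off discussed in point 3, as an added example that is not part of the original thread and is not Admin Tools' own code: a toy model of the "Block after 3 attacks in 1 hour" rule, comparing ban lengths of 1 day, 1 hour and 15 minutes for a crawler that trips the rule on a few bad URLs. The class and function names, the crawl schedule and the IP address are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

HOUR = 3600


class AutoBan:
    """Toy repeat-offender rule; an illustration, not Admin Tools' code."""

    def __init__(self, max_hits, window, ban_for):
        self.max_hits = max_hits         # exceptions tolerated inside the window
        self.window = window             # look-back period in seconds
        self.ban_for = ban_for           # ban length in seconds
        self.hits = defaultdict(deque)   # ip -> times of recent exceptions
        self.banned_until = {}           # ip -> time the ban expires

    def request(self, ip, now, is_exception):
        """Classify one request as 'blocked', 'exception' or 'ok'."""
        if self.banned_until.get(ip, 0) > now:
            return "blocked"             # banned clients never reach the site
        if not is_exception:
            return "ok"
        recent = self.hits[ip]
        recent.append(now)
        while recent[0] <= now - self.window:
            recent.popleft()             # forget exceptions older than the window
        if len(recent) >= self.max_hits:
            self.banned_until[ip] = now + self.ban_for
            recent.clear()
        return "exception"


def crawl(ban_for, bad_fetches=3, every=600, duration=24 * HOUR):
    """Constructed crawl: one fetch every 10 minutes for a day, where the
    first `bad_fetches` requests hit stale URLs that trip the firewall."""
    fw = AutoBan(max_hits=3, window=HOUR, ban_for=ban_for)
    ip = "192.0.2.10"                    # constructed address (documentation range)
    tally = {"ok": 0, "exception": 0, "blocked": 0}
    for i, now in enumerate(range(0, duration, every)):
        tally[fw.request(ip, now, is_exception=i < bad_fetches)] += 1
    return tally


if __name__ == "__main__":
    for label, ban in (("1 day", 24 * HOUR), ("1 hour", HOUR), ("15 min", 900)):
        print(f"ban for {label}: {crawl(ban)}")
```

In this constructed crawl the 1-day ban blocks every remaining fetch of the day, while the shorter bans cost the crawler only a handful of requests before it is let back in.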

 

nicholas
Akeeba Staff
Manager

Actually, .htaccess Maker is designed to isolate you from all that web technologies alphabet soup :) Just use it and if you see something not working on your site follow the step by step troubleshooting instructions. You don't have to understand how it all works under the hood. It's like driving a car. Yes, you need to know how to drive the car (steering wheel, gears, gas pedal, brakes) but you don't need to know how the fuel injection system works, the chemistry background of the catalytic converter's operation or how the transmission train delivers the power to your vehicle's wheels. You might want to know that your car has fuel injection (instead of a carburetor), a catalytic converter (instead of using leaded fuel) and a 5-gear manual transmission (instead of, say, a 6-gear semi-auto) but that's all. You only need to know that so that when someone asks you what kind of fuel, leaded or unleaded, you want you don't get to stare at them wondering WTF they're talking about. I hope that this latest episode of my (in)famous car analogies will help you better understand what's going on :)

user71441

Yes, I understand you. Creating websites (PHP, JS...), apache... are not my "area" but, believe me, I know how hard it can be when you work with people who don't know anything in specific area (for example website security)... I'm in a similar situation, but it is not about websites... :)

Sorry, my English is bad.

Again, thank you :)

Best regards,

Filip

nicholas
Akeeba Staff
Manager

You're welcome, Filip!
