#15143 failed attempt to access admin do not get ip banned

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by user53131 on Thursday, 28 February 2013 18:33 CST

user53131

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? yes 
Joomla! version: 2.5.9
PHP version: 5.3.13
MySQL version: 5.1.39-log
Host: (optional, but it helps us help you)
Admin Tools version: 2.4.4

Description of my issue:

Hi Nicolas.

I have many attempts to get access to the backend of my site. It is protected by an Administrator secret URL parameter. But those attempts are not banned by the auto ban IP offender. In AT-PRO, the "IP blocking of repeat offenders" is configured at YES and the max number of attempts is 5 in an hour (I got more than 20 in less than a minute). But the IP of the offender does not get into the black list. I don't even see it in the security exception log. But I get a warning email!

Is there something that I missed?

Thanks for your help.

nicholas
Akeeba Staff
Manager
What you describe cannot possibly happen. If you get an email about a security exception it has already been logged in the database. If it is not logged you are probably missing a database table. That would explain why the auto IP banning does not work. Try uninstalling and reinstalling the component. Do note that you will need to reconfigure it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user53131

Hello Nicolas, thank you for answering on a Sunday, but impossible or not, I have strange things happening. First, the database tables are there:

admintools_acl
admintools_adminiplist
admintools_badwords
admintools_customperms
admintools_filescache
admintools_ipautoban
admintools_ipblock
admintools_log
admintools_redirects
admintools_scanalerts
admintools_scans
admintools_storage
admintools_wafexceptions

but admintools_ipautoban is empty and admintools_wafexceptions is also empty

admintools_log is not empty, but the last entry dates from 2012-05-04 05:38:39 (and has the id 1000).

And I received around 900 mails of failed attempts on admin in the last 2 days. I enabled the auto ban IP yesterday and since then I received 200 more messages. And there are no IPs automatically banned.

One thing that I am wondering though is that my website is accessible through multiple URL names (via mirroring) but it's the same website & database. But maybe that could cause a problem?

nicholas
Akeeba Staff
Manager

FYI the security exceptions log records are kept in #__admintools_log. This is where the auto-ban feature looks to populate the #__admintools_ipautoban table. After a record in #__admintools_ipautoban expires it is expunged (deleted from the table).

I am worried that your #__admintools_log table has not been updated since May 4th, 2012. I presume that you're looking at the wrong database or looking at the set of tables with the wrong prefix. Please check your site's configuration.php and make sure the database defined there is the one you're looking at. Don't laugh. I have made this mistake at least twice in the last week while developing (probably owing to the fact that two databases on my computer are named dev25 and dev30 and my tired eyes didn't spot the final two-numeral difference).


user53131

Hi Nicolas, I checked, and no, I am using the right table. There is only one database with only one instance of Joomla (meaning that there are no other prefixes) on this server. Additionally, we removed some log entries (from the back end) and checked that the log table reflects the entries we removed. It does.

What I find strange is that this table had 1000 entries. If I recall properly, at some point you had a parameter somewhere to limit this table to a specific number of entries (I set it on as I didn't want that to totally fill). But I can't find this parameter now.

Also I just did a test from a different IP address and if I fail the admin secret password, I see the log table filling (we removed some entries manually at the beginning of our test). And now it is banning the IP automatically.

So the problem seems linked to the maximum logging capabilities, which is strange as I can't find anything in the table or your code that seems to check that and limit the number of entries...

-Tom

nicholas
Akeeba Staff
Manager

What I find strange is that this table had 1000 entries. If I recall properly, at some point you had a parameter somewhere to limit this table to a specific number of entries (I set it on as I didn't want that to totally fill). But I can't find this parameter now.

It's in the System - Admin Tools plugin and removes the oldest (not the newest) records. Is it possible that the oldest record was logged in May 2012?


user53131

Thanks, I see where the parameter is now. And yes, it says to limit it to 1000 entries.

The date of the oldest entry in the log is actually: 2011-12-14 19:20:18. Why?

nicholas
Akeeba Staff
Manager

Um, probably because that's the oldest entry in the table? The thing is that when you retried, everything got logged. I still have no idea why previous attempts didn't get logged. Maybe the emails you were getting were from another site than the one whose database you're looking at? There's no other rational explanation. The logging code first logs the exception in the database and if there is an email address it will email you.

HOWEVER! You have not told me what the full text of the email read. There's one class of security exceptions which is not logged by default and that is using the wrong username / password. It's possible to configure Admin Tools to send you an email when the wrong username / password is used but not treat it as a security exception.


user53131

Well,

The site has been live since 2011 and that is also when I installed Admin Tools. In the logs I see that it stopped logging on 2012-05-03 (or removed entries after that, I can't tell). So there are entries in the log from December 2011 up to 2012-05-03. And the log was full at 1000 entries. Today we manually removed the last 10 entries. And now it's logged a few during our test.

I just did some tests and created some admin query string errors from another location. I saw the log filling up to 1001 entries, then I accessed the front end and saw the log being truncated to 1000 entries. But I was expecting the oldest entry to disappear (the one from 2011) and it's still there... so it's another one that got removed, not the oldest. Still looking for it though.

And the message I get reads:

We would like to notify you that a security exception was detected on your site, {mysite}, with the following details:

IP Address: 82.197.130.141 (IP Lookup: http://ip-lookup.net/index.php?ip=82.197.130.141)
Reason: Admin Query String

If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

Best regards,

user53131

Strange, it actually removes the entries from the top (meaning the higher ids) instead of removing the entries from the bottom (lowest ids).

I see that in your code (plugin/system/admintools/admintools/pro.php Line 3239), the query is

private function removeOldLogEntries() {

...

$query = $db->getQuery(true)
    ->select($db->qn('id'))
    ->from($db->qn('#__admintools_log'))
    ->order($db->qn('id'));

...

I tried it in my DB by writing SQL and not adding default sorting. And it sorted lowest ids first, i.e. oldest entries first.

But then I see that the setQuery you have after that has an offset corresponding to the max number of entries in the log:

$db->setQuery($query, $maxEntries, 100);

So if I understand correctly, that would retrieve the last 100 entries. Meaning the most recent entries, not the oldest ones, right?

I think that the order in the query should be DESC and not with the default ASC.

What do you think ?

-Tom.

nicholas
Akeeba Staff
Manager

Please try again with the just released version 2.5.0. You will need to log out and back in from AkeebaBackup.com to see it.


user53131

Thanks a lot Nicholas,

I downloaded and installed this new version. Unfortunately, I don't think that this will fix the problem of limits (that I reported in my previous answer). I checked the function removeOldLogEntries() in pro.php and it still seems to have the same sorting and offset that causes it to delete the last entries, not the oldest.

By the way, I didn't have a chance to thank you for all this software; it's great stuff and is really helping a lot in setting up a secure, solid and well backed up site.

-Tom

nicholas
Akeeba Staff
Manager

I can't reproduce this issue locally. Can you try adding DESC to the sort order and see if that works?


user53131

Hi Nicholas, I did the test and yes, changing line 3311 from

->order($db->qn('id'));

to

->order($db->qn('id').' DESC');

works perfectly. The oldest entries are removed first, not the newest entries.

The resulting query is:

$query = $db->getQuery(true)
    ->select($db->qn('id'))
    ->from($db->qn('#__admintools_log'))
    ->order($db->qn('id').' DESC');

Hope that helps.

-Thomas
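The ordering/offset bug analysed above and the DESC fix, reproduced against an in-memory SQLite table as an added example (not code from the ticket or from Admin Tools). It assumes a simplified `admintools_log` schema, that pruning runs on every front-end page load as the reporter observed, and that the auto-ban check counts an IP's rows in the log within the last hour; all row data is constructed.

```python
import sqlite3
from datetime import datetime, timedelta

MAX_ENTRIES = 1000   # the "limit log to N entries" setting from the ticket
BATCH = 100          # the LIMIT passed to setQuery($query, $maxEntries, 100)
BASE = datetime(2011, 12, 14, 19, 20, 18)  # the reporter's oldest log date


def make_log(n_old):
    """Constructed log table, already full with n_old historical rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admintools_log (id INTEGER PRIMARY KEY, "
                 "logdate TEXT, ip TEXT, reason TEXT)")
    rows = [((BASE + timedelta(hours=i)).isoformat(" "),
             "198.51.100.%d" % (i % 250 + 1), "Admin Query String")
            for i in range(n_old)]
    conn.executemany("INSERT INTO admintools_log (logdate, ip, reason) "
                     "VALUES (?, ?, ?)", rows)
    return conn


def prune(conn, descending):
    """Mirror of removeOldLogEntries(): ORDER BY id [DESC], skip MAX_ENTRIES
    rows, take up to BATCH ids, delete them. ASC (the bug) skips the oldest
    1000 and so deletes the NEWEST rows; DESC deletes the oldest."""
    order = "DESC" if descending else "ASC"
    ids = [r[0] for r in conn.execute(
        "SELECT id FROM admintools_log ORDER BY id %s LIMIT ? OFFSET ?" % order,
        (BATCH, MAX_ENTRIES))]
    conn.executemany("DELETE FROM admintools_log WHERE id = ?", [(i,) for i in ids])
    return ids


def recent_hits(conn, ip, now, window=timedelta(hours=1)):
    """What an auto-ban check sees: this IP's exceptions within the window."""
    since = (now - window).isoformat(" ")
    return conn.execute("SELECT COUNT(*) FROM admintools_log WHERE ip = ? "
                        "AND logdate >= ?", (ip, since)).fetchone()[0]


def simulate(descending, attempts=20):
    """Full table + 20 attacker hits, pruning after each (one per page load).
    Returns (hits visible to auto-ban, oldest surviving log date)."""
    conn = make_log(MAX_ENTRIES)
    now, attacker = datetime(2013, 2, 28, 18, 0, 0), "203.0.113.7"
    for i in range(attempts):
        when = (now + timedelta(seconds=i)).isoformat(" ")
        conn.execute("INSERT INTO admintools_log (logdate, ip, reason) VALUES "
                     "(?, ?, ?)", (when, attacker, "Admin Query String"))
        prune(conn, descending)
    oldest = conn.execute("SELECT MIN(logdate) FROM admintools_log").fetchone()[0]
    return recent_hits(conn, attacker, now + timedelta(seconds=attempts)), oldest
```

With the ASC order the 20 fresh exceptions are pruned as fast as they arrive, so the repeat-offender threshold of 5 per hour is never reached while the 2011 rows survive; with DESC the table keeps the newest 1000 rows and the auto-ban counter sees all 20.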

nicholas
Akeeba Staff
Manager

OK! This will make it in the next release.


user53131

Fantastic!

Thanks.

-Tom
