#16134 Admin IP Whitelist: constant attacks from innocent IPs

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 23 May 2013 15:27 CDT

user40075
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? N/A
Joomla! version:2.5.11
PHP version:latest
MySQL version:latest
Host:Rochen
Admin Tools version:2.5.5

Description of my issue:

Hi Nikko!

My question is not strictly technical.

I am having multiple attacks every day against my Admin Whitelist as shown in the Security Exceptions Log. The IPs are all from one country, Turkey. These are all innocent IPs according to Stop Forum Spam and Project Honey Pot. There have been hundreds of them, a dozen or more every day. This has been going on for two months.

I have been regularly blacklisting them but what is the point?

I also increased the WAF blocking time to 35 days after 2 incidents in five minutes.

I cannot think of a rational reason for these persistent attacks, other than perhaps the attacker's wish that I might put up a country block for Turkey.

I have a couple legitimate registered users from Turkey.

I don't have a good answer but perhaps you could suggest something.

Best,

Lowtech

nicholas
Akeeba Staff
Manager
"Innocent" is a relative term. IPs which are dynamically assigned to xDSL users are neutral. They are mostly used by innocent people but they can be temporarily assigned to wannabe hackers. I know exactly what you mean. Remember that I am a Greek with a Cypriot company so I'm naturally fair game for Turkish hackers (bloody geopolitics...).

Anyway. You should not manually blacklist IPs. Like, ever. That's what the automatic IP block feature of Admin Tools is for. You only want to stall them for a few minutes/hours until they decide to screw off and find someone else to attack. The blocking time you have is too much. I'd recommend lowering it to 2-3 hours after three attempts in 1 or 2 minutes. That's enough to stall the hacking scripts.

Nicholas K. Dionysopoulos

Lead Developer and Director

Greek: native, English: excellent, French: basic. My time zone is Europe / Athens.
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user40075
Thanks, Nikko!

I will follow your advice. Point by point.

I do have a series of articles on my site attacking Islamic fanaticism. Hmm. : )

Take care,

Lowtech

PS

Would you be so kind as to change my user name to correspond with my signature here? Profile editing does not allow this change. : )

nicholas
Akeeba Staff
Manager
You're welcome!

I cannot change your username because there's another account with the username "lowtech". The email address is in the wagnercolumbus.com domain. Is it your account by any chance?


user40075
Wagner Columbus is the parent of my website. Same person, different hat.

PS.

I'm not using the Secret URL Parameter.

Do you recommend it?

I think I may have tried it once a long time ago but it didn't change anything, as I recall.

Thanks,

Lowtech

nicholas
Akeeba Staff
Manager
I highly recommend the secret URL parameter. It prevents brute force attacks against your super admin password from receiving any indication of success or failure on the hacker's end (which is great, because they have no clue what's going on). It won't stop the barrage of attacks; it only neutralises the threat. Think of it like the Enterprise's shields. They won't stop Klingons from firing photon torpedoes; they prevent the torpedoes from doing any damage to the ship.


user40075
Nikko,

I just activated Password Protection but nothing happened. I believe that was my previous experience, too, now that I think back. No message. No change in log in. Nothing.

Any suggestions?

Best,

Lowtech

nicholas
Akeeba Staff
Manager
Try from a different browser or clear your browser's password cache. Browsers cache the username/password instead of prompting you every single time. Also note that this only works on Apache servers. If you are on NginX, Lighttpd, Litespeed, IIS or another web server technology then yes, the password protection has no effect.


user40075
Well, Nikko, I've tried everything I can think of.

I have purged cookies, active logins and cache. No help.
Deleted saved password for admin backend.
Turned off three remember-me plugins in backend.

Tried IE and Chrome.

I have no ideas.

Best,

Lowtech

PS

Server is Apache (Rochen)
Could it be them? They love to say "no." : )

nicholas
Akeeba Staff
Manager
When you say "password" do you mean what I understand, i.e. Administrator Password Protection? Or are we talking about different things?


user40075
Hi Nikko!

OK.

Say I added "parmenides" as the Secret URL parameter.

I can log in with mysite.com/administrator?parmenides

Or

I can log in as usual with mysite.com?administrator/index.php.

I am not forced to use "parmenides" so I question whether it is working.

Best,

Lowtech

nicholas
Akeeba Staff
Manager
Is your IP address in the white list or any of the safe IPs lists in the Configure WAF page?

Also, heads up! You are posting to a public ticket. All information you post here is visible by everyone with an Internet connection.


user40075
Hi Nikko!

It was in the Configure WAF=> Auto Ban Repeat Offenders=>never block these IPs:

But it wasn't in the IP Whitelist (It changes from time to time.)

Now it is added to the IP Whitelist.

Best,

Lowtech

nicholas
Akeeba Staff
Manager
If your IP is in the "never block these IPs" you get a free pass. No security measure will apply to you, including the secret URL parameter. Corollary: if you try accessing your site from another IP, e.g. your phone connected over 3G, you'll see the blocking in action.

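To make the decision order described in this thread concrete (IPs in "never block these IPs" bypass every measure, then the temporary auto-ban with the 3-attempts-in-2-minutes / 3-hour settings recommended above instead of a 35-day block, then the secret URL parameter), here is an added Python model. It is not Admin Tools code; the IP addresses are constructed, "parmenides" is the parameter name from the thread, and the "denied" result for a missing parameter is an assumption rather than the product's actual response.

```python
from collections import defaultdict, deque

SAFE_IPS = {"203.0.113.10"}      # constructed "never block these IPs" entry
SECRET_PARAM = "parmenides"       # secret URL parameter name used in the thread
MAX_ATTEMPTS = 3                  # three failed attempts ...
WINDOW_SECONDS = 120              # ... within 2 minutes ...
BAN_SECONDS = 3 * 3600            # ... earn a 3-hour block (not 35 days)


class AdminGuard:
    """Model of the check order: safe list, temporary ban, secret parameter."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> ban expiry timestamp

    def check(self, ip, query_params, now):
        """Return 'allow', 'blocked' (temporarily banned) or 'denied'."""
        if ip in SAFE_IPS:
            return "allow"                   # free pass: no measure applies at all
        expiry = self.bans.get(ip)
        if expiry is not None:
            if now < expiry:
                return "blocked"             # still inside the temporary ban
            del self.bans[ip]                # ban expired; the script has moved on
        if SECRET_PARAM in query_params:
            return "allow"                   # correct parameter: backend reachable
        self._record_failure(ip, now)        # missing parameter: a security exception
        return "blocked" if ip in self.bans else "denied"

    def _record_failure(self, ip, now):
        window = self.failures[ip]
        window.append(now)
        # Drop exceptions older than the sliding window before counting.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            self.bans[ip] = now + BAN_SECONDS
            window.clear()
```

Spacing attempts more than two minutes apart never trips the ban, which is why a short window plus a short block is enough to stall an automated script without locking out a dynamically assigned address for weeks.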

user40075
Hi Nikko!

I don't have another IP to work from or a mobile device, so I decided to remove my IP from Admin tools and see if I could log into the backend.

I could not. I could not log into the front end either. I was denied access as a security risk.
So I went and deleted the URL password. I then got a 500 error message everywhere.
I then went to plugins/system/admintools/admintools/main.php and turned it off.

Once I did that, everything was working again.

Then I deleted the .htaccess file.

Then I turned on main.php.

Then I got an internal server error 500.

So I turned off main.php.

Then I did a system restore from 12 hours ago. Turned main.php back on.
Got another internal server error 500. Turned off main.php


I am running now without protection.

Any suggestions appreciated.

Best,

Lowtech

user40075
Nikko,

I think this is resolved. I deleted the .htaccess file. When the new empty file was auto generated, I copied .htaccess.admintools into it.

Now all is working well.

I couldn't find the PDF with the instructions about replacing the .htaccess file so I was sort of faking it from memory. I would like to put that on my desktop if you happen to have the URL. : )

Much thanks,

Lowtech

nicholas
Akeeba Staff
Manager
You're welcome!

I couldn't find the PDF with the instructions about replacing the .htaccess file so I was sort of faking it from memory.

I'm not sure what you mean. Are you talking about https://www.akeebabackup.com/documentation/troubleshooter/athtaccessexceptions.html

