Support

Admin Tools

#17671 Security Exception Questions

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by deeno on Monday, 30 September 2013 06:17 CDT

Friday, 27 September 2013 03:59 CDT

deeno
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.11
PHP version: 5.3.21
MySQL version: 5.0.90
Host: (optional, but it helps us help you)
Admin Tools version: 2.5.6 Pro

Description of my issue:

Hello, I was wondering:

1. When is a good time to act / block an IP? (see list at the bottom)
2. How can I be safe this is not a SEbot? (yes i checked http://chceme.info/ips/ , but is this up-to-date?)
3. What if I finally block an IP, could also "normal" visitors be affected? (dynamic range IPs etc.???)
4. The affected site contains a custom build AJAX-form. Could this be the issue? Can this be found out somehow? Are there any tipps / infos how to make this form safe?

04.08 IP Address: 188.143.232.31 / Reason: CSRF Shield (3x)
05.08 IP Address: 198.27.82.165 / Reason: CSRF Shield
08.08 IP Address: 198.27.82.165 / Reason: CSRF Shield
29.08 IP Address: 31.215.130.56 / Reason: CSRF Shield
05.09 IP Address: 85.25.119.122 / Reason: DFIShield (3x)
22.09 IP Address: 188.143.234.127 / Reason: CSRF Shield
25.09 IP Address: 188.143.232.103 / Reason: UploadShield
26.09 IP Address: 188.143.232.111 / Reason: CSRF Shield (3x)
26.09 IP Address: 188.143.232.31 / Reason: CSRF Shield (3x)

Thanks in advance!

Xairetismata,
Kwstas

Friday, 27 September 2013 16:24 CDT

nicholas
1. Never. It is best to use automatic IP blocking. I'd say that auto-blocking an IP for 15 minutes after 3 attack attempts in 2 minutes is enough to fend off bots without screwing real human visitors to your site.

2. If anyone could answer this question with certainty there would no longer be bots as we could block them all with great precision.

3. That's part of the reasoning behind using a short auto-blocking period. Using a hard blacklist makes no sense IMHO as it will end up blocking legitimate traffic due to dynamic IPs.

4. This cannot be answered as part of a support ticket. One would have to do code auditing and see if the form is doing input sanitisation and filtering, if it's adequately protected against CSRF, XSS and SQLinjection and then answer your question. Basically, you need code auditing to answer that question without generalities.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 30 September 2013 03:09 CDT

deeno
thanks for the quick and thorough reply!

on Q1-3:
when would YOU act and completely block a temporarily blocked IP (as suggested in the automatic email we receive from AdminTools: "If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.")
and
would you block a range or just one IP? (you can see on my list above that we get attacks from the following range: 188.143.232.XXX)

on Q4:
can you provide this service?
if yes, how much would that cost?
if not, can you suggest someone else?

all best,
kwstas

Monday, 30 September 2013 03:19 CDT

nicholas
Q1-3: I never had to do that. I would probably block an IP range for a few weeks if I'd see thousands of attacks coming from it in the course of a few days. I would do that knowing that I'm also blocking some legitimate users. So it would come down to evaluating how many potential clients I will be blocking vs how much server resources the attackers cost me. As I said, even then I wouldn't consider it a permanent ban but only a temporary measure.

Q4: No, we can't offer such a service due to lack of the necessary time (it's a VERY involving process). I don't have anyone to recommend at the moment.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 30 September 2013 06:17 CDT

deeno
thanks for all!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!