#19012 Deluge of Email Notifications about Security Exceptions

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 05 February 2014 01:51 CST

user76079
I have recently loaded Admin Tools into a few sites that I have created and maintain for clients.
It works great.

I am, however, having a hard time with 2 sites in that I keep getting dozens of security exception notifications per day for each site. It's exhausting. Most of them are coming from IP addresses designated as 10.0.87.xx, on both sites. This is interesting in that isn't that an internal network IP address range? I am wondering if that is a normal thing and might be tied to something within Joomla? Or if this is indicative of something more sinister?

The sites are: www.theportabletrainer.com and www.mbfsolutions.com

MBF is a VERY simple site and I don't think that these 2 have anything in common, as far as extensions go that could explain why it's just happening on these two so much.

The other part of this question is that even though I have "automatically block repeat offenders" selected, it is only notifying me and not adding those addresses to the blacklist. I have to put those in manually myself. Why is that not working?

Here are a couple of the "Target URL" locations listed on the security exceptions log when I go in there:
IP address = 10.0.87.20 - http://74.220.215.82/~daylesfi/theportabletrainer-com/administrator/index.php?option=com_installer&view=database
IP address = 10.0.87.20 - http://daylesfitness.com/theportabletrainer-com/administrator/index.php?option=com_installer&view=database

nicholas
Akeeba Staff
Manager
If you are seeing internal network IPs it means that your web server is not set up properly. Namely, that you have a CDN or reverse proxy in front of your site which does not set the X-Forwarded-For HTTP header, meaning that your server (and by extension PHP, Joomla! and Admin Tools itself) does not receive the real visitor's IP. Please contact your host for assistance on this issue. This is a problem at the hosting level, far before our code has any chance of executing.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
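The situation described in the reply above, as an added example that is not part of the original ticket and is not Admin Tools' code: resolving the visitor address when a reverse proxy sits in front of the site, and reporting the case where the proxy sends no X-Forwarded-For header. The trusted range 10.0.87.0/24 is an assumption taken from the addresses in the ticket; the function names and sample addresses are constructed.

```python
import ipaddress

# Assumption: the host's reverse proxies live in this range (from the ticket's
# 10.0.87.xx addresses). Only these peers may supply X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.87.0/24")]


def is_trusted_proxy(addr):
    """True if addr belongs to a proxy range we operate or trust."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, x_forwarded_for=None):
    """Return (ip_to_log, note) for one request.

    remote_addr is the TCP peer the web server saw; x_forwarded_for is the raw
    header value, or None when the proxy did not send it.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection: the header is client-controlled, so ignore it.
        return remote_addr, "direct"
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop)), "forwarded"
        except ValueError:
            break  # malformed entry: stop trusting the rest of the header
    # The case in the ticket: every visitor is logged under the proxy address.
    return remote_addr, "proxy-address-only"


# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For)
SAMPLES = [
    ("10.0.87.20", None),                                  # header missing
    ("10.0.87.20", "203.0.113.7"),                         # header set by proxy
    ("198.51.100.9", "10.0.87.20"),                        # forged by a direct client
    ("10.0.87.20", "192.0.2.1, 203.0.113.7, 10.0.87.21"),  # proxy chain
]

if __name__ == "__main__":
    for remote, xff in SAMPLES:
        print(remote, xff, "->", resolve_client_ip(remote, xff))
```

A log where many entries resolve as `proxy-address-only` points to the hosting-level misconfiguration the reply describes rather than to a single attacker.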

user76079
Thanks. And what about the problem of repeat offender IP addresses not getting automatically blacklisted? I have other real IP offenders that I want it to auto stop, but it's not. Why could this be so?

nicholas
Akeeba Staff
Manager
> And what about the problem of repeat offender IP addresses not getting automatically blacklisted?

This depends on your settings. Remember that the settings tell Admin Tools to ban a repeat offender for X amount of time if Y number of detected attacks from the same IP are detected within Z time period. If there are fewer than Y number of detected attacks in the Z time period, or if they come from different IP addresses, nothing will be blocked. Also, please remember that you must make sure that this feature is enabled to begin with! Just setting these limits (X, Y and Z) won't result in any action being taken against repeat offenders unless you also enable the feature.

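The X, Y and Z rule from the reply above, as an added example that is not part of the original ticket and is not Admin Tools' implementation: a sliding-window check run over a constructed security exceptions log. The function name, the "Y or more hits" reading of the threshold, and all sample addresses and times are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_bans(events, max_hits, window, ban_length, enabled=True):
    """Return {ip: (ban_start, ban_end)} for IPs that cross the threshold.

    events: (timestamp, ip) tuples sorted by time.
    max_hits = Y, window = Z, ban_length = X in the reply's terms.
    """
    bans = {}
    if not enabled:
        return bans  # limits alone do nothing while the feature is off
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    for ts, ip in events:
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned, nothing new to count
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # drop hits older than Z
        if len(hits) >= max_hits:
            bans[ip] = (ts, ts + ban_length)
            hits.clear()
    return bans


# Constructed log: minutes after T0, source IP.
T0 = datetime(2014, 2, 4, 12, 0)
SAMPLE_EVENTS = sorted(
    (T0 + timedelta(minutes=m), ip)
    for m, ip in [
        (0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),   # 3 hits in 10 min
        (0, "198.51.100.1"), (1, "198.51.100.2"), (2, "198.51.100.3"), # 3 different IPs
        (0, "192.0.2.9"), (40, "192.0.2.9"), (80, "192.0.2.9"),        # too spread out
    ]
)

if __name__ == "__main__":
    found = find_bans(SAMPLE_EVENTS, max_hits=3,
                      window=timedelta(minutes=15), ban_length=timedelta(days=1))
    for ip, (start, end) in found.items():
        print(f"{ip} banned from {start} until {end}")
```

With Y=3 and Z=15 minutes only the first address is banned; the distributed and slow sources generate notifications without ever reaching the threshold.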

user76079
Ok. I will double-check those time-frame settings.

Now, back to the other issue of too many 10.0.87.xx hits against my site. Why would this be SO many and why is it specifically that IP range? Isn't that weird/coincidental?

user76079
Also, I have quite a few sites using HostMonster for hosting my Joomla sites but am only receiving this deluge of security exception emails (re: 10.0.87.xx) on these 2 sites. ??
When I call them, if I tell them what you told me in your response, will they understand what I'm talking about if I just read them what you told me?

nicholas
Akeeba Staff
Manager
> When I call them, if I tell them what you told me in your response, will they understand what I'm talking about if I just read them what you told me?

If they don't, ask them to escalate your issue and let you talk to a server technician (as opposed to underpaid generic support staff that may not really know the difference between a server and a golf club).

