#24660 Admin login reverts to homepage for some administrators

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Monday, 11 April 2016 17:20 CDT

zT-l0ve
The main Joomla administrators for a site have broadband with dynamic IP addressing and sometimes are on the road. When they try to log in to the /administrator they get the homepage. I've used IP ranges to include their provider X.X.0.0 (yes, dangerous, I know) but they still get locked out. Renaming /admintools/main.php gives them access.

I'm on a fixed IP and entering that IP in Exceptions field means it works fine for me as super-admin.

Interestingly:
1. If I set the IP range for their provider in the exceptions field and clear their browser cache, they get access for a day or so.
2. When I went back to the exceptions list, it was slightly different from what I had entered

I'm also getting users blocked trying to log in on the front of the Joomla site. Renaming /admintools/main.php also gives them access.

I'm also hitting problems with the Stripe account, but I'm guessing that is a need to set WAF exceptions.

At the moment the site is running with Admin Tools disabled.

I welcome your advice.

Terry

dlb
Terry,

In the Security Exceptions Log, what is the reason your users are getting banned? What are your auto ban settings? If they are too strict, you catch a lot of folks who just can't type their own password. :-)


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

zT-l0ve
Dear Dale,
Thanks for your fast response.
Security exceptions are primarily for Admin Query String with a much smaller number for MUA Shield and login failure.
The site is defaulting to the home page before anyone gets a chance to enter user or password, i.e. it doesn't show the login so they don't get a chance to enter the wrong login.
Strangely there is nothing blocked in WAF Blacklist, Site IP blacklist, IP Blocking history and only one IP address in Auto IP blocking Administration, and that is for MUA Shield.

Autoban settings are:
Auto-ban Repeat Offenders Y
IP blocking of repeat offenders Y
Block after 3 attacks, in 1 minute
Block for this long 15 minutes
IP blacklisting of persistent offenders
Permanently blacklist IP after 3 automatic IP blocks

Looks ok...?

Terry

dlb
Your auto ban settings don't look like they would be causing the problem.

In Configure WAF, on the Basic Protection Features tab, what is your setting for "Allow administrator access only to IPs in Whitelist" and is there a value in "Administrator secret URL parameter" (don't post that in a public ticket)? On the Exceptions from Blocking tab, are you using the "Never block these IPs" field?


Dale L. Brackin
Support Specialist



zT-l0ve
Dear Dale,

Many thanks. The settings are:

In Configure WAF, on the Basic Protection Features tab:

"Allow administrator access only to IPs in Whitelist" - NO

Is there a value in "Administrator secret URL parameter"? - YES

On the Exceptions from Blocking tab, are you using the "Never block these IPs" field? YES

Thanks. I didn't think I was using the Admin secret parameter.

I can see that is likely the problem. I'll test. Correct. I've removed it and other admins can now login ok.

Many thanks. Have a good day.

Terence

dlb
That's what I was thinking. As long as the dynamic IP address is in the "Never block" field, everything works because WAF is turned off for that IP. As soon as the IP changes, they need the secret parameter or they get locked out.

Please let me know if that solves the problem.


Dale L. Brackin
Support Specialist



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
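
The behaviour dlb describes in the last reply, as an added Python model that is not part of the thread and not Admin Tools' own code: an IP in the "Never block these IPs" list skips the WAF, while any other IP needs the administrator secret URL parameter or lands on the homepage. The function names, addresses, URL and secret value are constructed for illustration, and the last helper flags exemptions as wide as the provider range mentioned in the first post.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

LOGIN, HOME = "login form", "homepage"

def parse_never_block(entries):
    """Turn 'Never block these IPs' style entries (IP or CIDR) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def admin_gate(client_ip, url, never_block, secret_param):
    """Model of the behaviour described in the thread, not Admin Tools code."""
    ip = ipaddress.ip_address(client_ip)
    # Exempt IPs skip the WAF entirely, so the secret parameter is never checked.
    if any(ip in net for net in never_block):
        return LOGIN
    # Everyone else must carry the secret parameter on the administrator URL.
    if secret_param:
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if secret_param not in params:
            return HOME
    return LOGIN

def broad_exemptions(never_block, max_addresses=256):
    """Flag exemptions that switch the WAF off for more than max_addresses hosts."""
    return [str(n) for n in never_block if n.num_addresses > max_addresses]

def replay(requests, never_block, secret_param):
    """Run (who, ip, url) tuples through the gate and collect the outcomes."""
    return [(who, admin_gate(ip, url, never_block, secret_param))
            for who, ip, url in requests]

# Constructed sample data (reserved and documentation address ranges).
NEVER_BLOCK = parse_never_block(["203.0.113.10", "198.18.0.0/16"])
SECRET = "example-secret"  # placeholder, not a real value
ADMIN_URL = "https://site.example/administrator/"
REQUESTS = [
    ("super-admin, fixed IP", "203.0.113.10", ADMIN_URL),
    ("admin, lease inside range", "198.18.4.7", ADMIN_URL),
    ("admin, on the road", "192.0.2.55", ADMIN_URL),
    ("admin, on the road + secret", "192.0.2.55", ADMIN_URL + "?example-secret"),
]

if __name__ == "__main__":
    for who, outcome in replay(REQUESTS, NEVER_BLOCK, SECRET):
        print(f"{who:30} -> {outcome}")
    print("overly broad exemptions:", broad_exemptions(NEVER_BLOCK))
```
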
