Support

 I am new to Admin Tools and the site had been hacked so Im a bit nervous about this.
After setting up Admin Tools with the Wizard I got 7 or 8 emails warning of security exceptions. Here is one:

We would like to notify you that a security exception was detected on your site, International Focus, with the following details:
IP Address: 76.113.123.28 (IP Lookup: IP Lookup)
Reason: template= in URL
If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

Firstly, how do I know that the IP address is suspect?
Secondly which part of the WAF do I put the IP address in to block it? The WAF Blacklist, The Site IP Blacklist or where else?
I added IPs to the Site IP Black list but after I enter them it says the No IPs have been added to the Blacklist yet. What am I doing wrong?

Hackers do not use their own IP addresses. So blocking IP addresses, at least on a long term basis, is a bad idea. Sooner or later you will block the IP of a legitimate visitor. What you want to do is set up the automatic IP block. When a single IP address performs x number of exceptions in y minutes/hours/days the IP will be blocked for y length of time. The x, y and z parameters are part of the setup under Configure WAF. You can also block the IP permanently if it is auto blocked a particular number of times.

What this does is takes that particular IP address out of use for some period of time, an hour or a day, for example. Then the IP is freed and if the legitimate owner visits your site, it is not a problem. If the hacker uses this IP address on an ongoing basis, it gets blocked permanently.

On the blacklist, I think you are typing the IP in the search box. You need to press the Add button first.

Keep in mind that email you're getting is telling you about an attempt to access your site that Admin Tools has blocked. You don't have to block the IP, it is already handled.

I do have Automatic IP Block all set and I've figured out the Blacklist. I have been getting many email notices as the one I mentioned. So you are saying I can ignore them because they have been blocked? I find the email notices to be disconcerting. Is it wise to turn off those notificaions?

Thanks!

You can see similar information in the Exceptions Log. You can see what is going on with either the log or the emails. The emails give you a more instantaneous picture of when your site is under attack. You have to go look at the log. There is no one right answer, it depends on what sort of notice you want to get from Admin Tools.

Thank you for pointing out the Exceptions Log. I can see some very suspcious activity there. I added those IPs to the Blacklist.

There is also a admintools_breaches.log file in your Joomla! log/logs folder that shows the Exceptions Log in super detail.

Once again, keep in mind that all of these are failed attempts against your site.