#28181 Never blocking admin user with dynamic IP

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Saturday, 26 August 2017 17:17 CDT

user54774
I have a request / suggestion.

I am forced to use a dynamic IP with my internet provider. A static IP is not an (affordable) option. Hence I was blocked today, because of login issues (caps was on). I did not realize that my IP address had changed again. A dynamic IP address, as has been stated before, is a recipe for frustration and baldness.

I have a suggestion that I think would achieve the goals of both retaining security and 'automagically' updating an administrator's IP exception.

1. Keep the existing "do not block these IP addresses" list.

2. Add a new option which would allow you to create a list of IP addresses for a specific admin user, say, up to 3 IP addresses. When that user logs in to the administrator panel and is properly authenticated, IF they are in the list of white-listed users AND their current IP address does not appear in the list, they will be given the option of either adding that IP to the list (so long as there is an entry available) or replacing an existing entry.

I think this would achieve the goal of both allowing a user to update their IP and maintaining security. Unless a user goes to whatismyip.com on a daily basis, they may not know their IP has changed until they get blocked.

Thank you for considering my idea.

nicholas
Akeeba Staff
Manager
No, your proposal actually diminishes security in subtle ways. Explaining that would require an essay. Just trust me when I say that I see at least four different ways an attacker could exploit that to hack your site.

I understand that your biggest problem is the "dammit, I got locked out again by accidentally triggering a site protection". Typically this requires you to use FTP, rename a file, unblock yourself etc. This is cumbersome. In the next release we have added a new (opt-out) feature called Rescue Mode. When you get locked you receive an email. The email has a magic, temporary, single use only link which lets you bypass Admin Tools for logging into the backend of the site and unblocking your IP. Another button there disables Rescue Mode and you're back to normal. Your security single point of failure becomes your email which can be secured (e.g. two factor authentication in GMail) in a way that it's acceptable for typical business cases.

Finally, I would argue that if you are getting blocked on a daily basis you have not set up something right on your site. What is it that gets you blocked all the time? This is what you need to address.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
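
The reply above describes the Rescue Mode link as magic, temporary and single use. The sketch below is an added example, not Akeeba's code and not part of the original ticket, showing how a link token with those three properties can be issued and redeemed. The names `RescueLinks` and `TOKEN_TTL`, the 15-minute lifetime, the binding of a token to one username and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime in seconds; the ticket only says "temporary"


def _digest(token):
    """Hash a token so the store never holds a usable link value."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RescueLinks:
    """Hypothetical in-memory store of pending rescue tokens.

    A real site would persist these rows in its database.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (username, expires_at)

    def issue(self, username):
        """Return a fresh token to embed in the e-mailed link."""
        # Only one outstanding link per account: drop any older token.
        self._pending = {d: row for d, row in self._pending.items()
                         if row[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (username, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, username, token):
        """Return True at most once per token.

        Any lookup hit consumes the token, including expired ones and
        ones presented for the wrong account.
        """
        row = self._pending.pop(_digest(token), None)  # pop => single use
        if row is None:
            return False          # unknown, replaced or already used
        owner, expires_at = row
        if self._clock() > expires_at:
            return False          # temporary: past its lifetime
        return owner == username  # bound to the locked-out account
```

Because only the SHA-256 of the token is stored, a leaked copy of the store does not yield working links; the mailbox remains the single point of failure, as the reply says.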

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.