#32646 I am blocked even if it is not my IP ("too many login/password errors")

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by woluweb on Thursday, 12 March 2020 11:54 CDT

woluweb
Hi,

It is very weird : it is the 3rd website this week where I am blocked (well, I think the whole world is blocked bc even when I use my VPN I am still blocked) EVEN IF the blocked IP is not mine :)

The 3 websites where I have had the issue are all at SiteGround (while less than 50% of my sites are with them, so it means maybe that there is something happening there, maybe linked to their change of server ?)

Let's give today's example : today suddenly I get
There have made too many login/password errors from your IP address 109.199.120.202. Therefore you have been temporarily blocked. Please be sure of your login/password and try again in fifteen minutes or more. In case of emergency, just call your webmaster :)


So I temporarily rename the Admin Tool folder so that I get access to the backend, disable the Admin Tools plugin... rename correctly my Admin Tool folder... and get access.
And there I see the big red button to "unblock" my IP.
But curiously, this IP is not mine :
https://tools.keycdn.com/geo?host=109.199.120.202
says
Country Bulgaria
IP address 109.199.120.202
Hostname ip-109-199-120-202.siteground.com


So how come Admin Tools would block me (and the rest of the world) bc of a single IP which is blocked ?

nicholas
Akeeba Staff
Manager
Component, Admin Tools, Web Application Firewall, Configure WAF. Find the "Enable IP Workarounds" and set to Yes.

Please consult the documentation to understand what happened and why you had to enable this setting.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

woluweb
Txs a lot Nicholas !

Here is the link to the corresponding documentation for those reading us :
https://www.akeebabackup.com/documentation/admin-tools/web-application-firewall.html#waf-configure

So I have changed the setting for those 3 sites already.

But I was surprised I had never faced such an issue in 8 years on any site.
So could this indeed be linked to the fact that SiteGround has changed very recently their server/configuration (as you know too well :D) ?

woluweb
Hi again Nicholas,

Sorry to bother you again, but
1. I had set "Enable IP workarounds" to YES right after your message this morning
2. but even so the problem arises again !

Here is the Security Exceptions Log :

2020-03-11 13:02:46 CET 109.199.120.202 Login failure https://www.XXX.be/administrator/index.php
2020-03-11 13:02:46 CET 109.199.120.202 Login failure https://www.XXX.be/administrator/index.php
2020-03-11 13:02:45 CET 109.199.120.202 Login failure https://www.XXX.be/administrator/index.php

So again I have clicked on the red button "unblock my IP" and this has emptied the Security Exceptions Log of Today.

But I am afraid that again the blocking will arise as it just did 5 minutes ago...

Is there some other configuration change I should make ?

Txs

Marc

nicholas
Akeeba Staff
Manager
Contact your host (SiteGround). Point them to this ticket. It appears that they are running a proxy in front of your site which does NOT pass the visitor's real IP address in the HTTP X-Forwarded-For header. As a result, your server only sees the internal IP address 109.199.120.202 as the only source of each and every request to your server, regardless of where it actually originates. Unless they address that server configuration there is nothing you can do.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

woluweb
Hi Nicholas,

See the answer of SiteGround below.

If I understand correctly, this issue arises
1. bc of the server migration
2. AND bc I had not adapted yet my A record in my DNS

So I change my A record in my DNS now.

Does this mean that I can actually revert the "Enable IP Workarounds" to its initial setting, namely "auto" ?

------

Hello,

Thank you for contacting our Help Desk!

Can you please confirm that the issue you are referring to is related to the healthcareinbelgium.be domain?

Additionally, I would like to clarify that since the recent migration of the server to a new infrastructure, the old IP address 109.199.120.202 has its traffic forwarded to the new IP address 35.214.205.99.

Due to these traffic forwarders, there are many entries through the old IP address, or what was referred to as "proxy" in the provided link.

To avoid these issues, please go ahead and make sure to change the IP addresses of your websites to the new address, as from what I checked in your cPanel, there are 3 domains that are currently loading through the old IP address.

Once the changes propagate, the issues will be resolved.

Best regards,

woluweb
Additional note : these 3 sites are hosted at SiteGround... but with a domain name which is managed elsewhere. So that is why there is this ip-forwarding which blocks all the visitors bc all visitors have the same IP if I understand correctly how their server migration works...

nicholas
Akeeba Staff
Manager
OK, that makes perfect sense and your additional note is correct, you do understand how their server migration works.

SiteGround moved your site between servers. The old server has IP address "X" and the new server has IP address "Y".

If your site's DNS was managed by SiteGround that's all there is to it. Their server migration process also updates the DNS on SiteGround's nameservers so that your site's A record points to the new IP address.

However, you manage your DNS externally. Incidentally that's also what we do; we use Amazon Route 53 because it's faster to boot and propagates much faster to Google Public DNS, CloudFlare DNS, Quad9, Cisco OpenDNS etc (these are the services most network admins and power users tend to use anyway).

If you manage your own DNS but do not change your A record your traffic hits the old server (IP "X") which acts as a proxy to the new server, i.e. it forwards the traffic to the new server's IP address ("Y"). However, the old server does not set an X-Forwarded-For HTTP header, meaning that all proxied traffic appears to be coming from a visitor with the IP address of your old server ("X") which is what causes the problem. This is the point where I strongly disagree with SiteGround's handling of the migration. Since the old server is now set up as a proxy it should definitely set an X-Forwarded-For HTTP header. What they're doing right now affects very few people, like us, but it's really annoying and disrupting :/

Since you've changed your DNS A record to point to the new server's IP address ("Y") you can and must disable the Enable IP Workarounds setting. The way SiteGround servers are set up you don't need it and leaving it enabled when you don't need it can open you to certain types of attack.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
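
The failure mode described in the reply above, as an added Python sketch (not part of the ticket and not Admin Tools' code): a login lockout keyed on the resolved client IP, where X-Forwarded-For is honoured only when the TCP peer is a trusted proxy. The addresses are constructed documentation-range values, and `resolve_client_ip`, `blocked_ips` and `MAX_FAILURES` are hypothetical names.

```python
import ipaddress
from collections import Counter

MAX_FAILURES = 3              # hypothetical lockout threshold
OLD_SERVER = "192.0.2.10"     # constructed: stands in for old server IP "X"
BOT = "203.0.113.50"          # constructed: source of the failed logins
ADMIN = "198.51.100.7"        # constructed: legitimate administrator

def resolve_client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address a request should be attributed to."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in net for net in nets)

    # No header, or the peer is not one of our proxies: use the TCP peer.
    # A header sent by an untrusted peer is client-controlled and is ignored.
    if not xff_header or not is_trusted(remote_addr):
        return remote_addr
    # Read the chain right to left; the first untrusted hop is the client.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break             # malformed entry: fall back to the TCP peer
    return remote_addr

def blocked_ips(requests, trusted_proxies):
    """Count failed logins per resolved IP; return those at the threshold."""
    failures = Counter()
    for remote_addr, xff, login_ok in requests:
        if not login_ok:
            failures[resolve_client_ip(remote_addr, xff, trusted_proxies)] += 1
    return {ip for ip, count in failures.items() if count >= MAX_FAILURES}

# Old server forwards traffic but adds no header: every failure lands on "X",
# and so does the administrator's own request. Trusting the proxy cannot help
# because there is no header to read.
NO_HEADER = [(OLD_SERVER, None, False)] * 3
# Old server forwards and sets the header: only the real source is blocked.
WITH_HEADER = [(OLD_SERVER, BOT, False)] * 3

if __name__ == "__main__":
    print("no header  :", blocked_ips(NO_HEADER, [OLD_SERVER]))
    print("with header:", blocked_ips(WITH_HEADER, [OLD_SERVER]))
    # Direct connection after the A record change, no proxy trusted:
    # a client-supplied header must not change the attributed address.
    print("direct     :", resolve_client_ip(BOT, ADMIN, []))
```
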

woluweb
Txs a lot for everything Nicholas.

I hope the present case can help other users of Admin Tools who will face the same issue in the next 10 days (afterwards, if they have not changed their A record at their DNS, their website will be down... so that they will finally be aware of the issue :D)
