#33472 'Soft' Startup of Admin Tools - Is it possible

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 28 August 2020 17:17 CDT

dunwin

I am a complete 'Newbie' to Admin Tools which we purchased with Akeeba Backup. I have installed it 3 times now and each time I have had to hack and uninstall as I keep locking myself (the admin) out each time.....very embarrassing. I went through the wizard turning what I thought would be everything off. I then logged out and could not get back in without hacking via FTP. I have uninstalled again!

I am not blaming the product, it is probably my lack of knowledge or incompetence! But is there a way we can install the product and just monitor what is going on without having to set everything up via the wizards and end up locking myself out?

We don't have a test site that I can test it on unfortunately. We are trying to replace an old version of RSFirewall with admin tools, but without any success. Can anybody advise please??

David Unwin - London UK

dlb

There is no way to "soft start" Admin Tools, but I think I can get you through the minefield.

You have already figured out the important part - you can disable Admin Tools via FTP.  Once you can get back in, you can fix whatever is wrong.

It isn't clear if you can log in after running the Wizard, then get locked out or if you just can't log in at all.  If you log in, then get locked out, we need to look at the Blocked Request Log to see why your IP is blocked. 

If you can't log in at all, it is either the Secret URL Parameter or Password Protect Administrator.  If uninstalling works, it has to be the Secret URL Parameter.  You specify the parameter during the Wizard, then you have to call the admin login like so:

www.mysite.com/administrator/index.php?SECRET

Where SECRET is the secret parameter.



Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

nicholas
Akeeba Staff
Manager

Well, Dale is right on principle. If you need to start with a very secure site you need to go deep. But I'd argue that there is a softer start than going through the wizard. The wizard is geared towards security at the expense of a few false positives. The default settings, however, are geared towards minimising false positives, provided that you do not have extensions doing weird things. Therefore I have an alternative approach which would be a much "softer" introduction to securing your site without too many upfront headaches.

What I would advise is installing Admin Tools but do not go through the wizard. Leave the original options -- they do provide a modicum of baseline security.

Then go to Web Application Firewall, Configure WAF, Auto-ban and make the following changes:

  • IP blocking of repeat offenders: Yes
  • Email this address after an automatic IP ban: your own email address
  • Block after: 5 attacks in 1 minute
  • Block for this long: 5 minutes
  • Add persistent offenders to the IP Disallow List: No
  • Show this message to blocked IPs: something polite to display when the IP address is temporarily blocked, e.g. "Our site has temporarily limited access to it from your IP address, [IP]. Please come back in 10 minutes. We apologise for the inconvenience."

Click the Customisation tab. Make the following changes:

  • Custom message: Something polite here, e.g. "Our site detected that you are doing something potentially dangerous. Your request has been blocked."

These settings are rather conservative and will not block you out of your site as fast. When you or anyone else does get blocked you will receive an email with a Rescue URL so you can restore access without having to rename the main.php file.

If you get the Custom Message while browsing your site normally you can review what happened by going to Web Application Firewall, Blocked Request Log. You will see a Target URL and a Reason. You can look up the Reason in the List of blocking reasons documentation page to understand which feature they come from. If you are puzzled as to what is going on, no problem, just file a support request and one of us will help you figure it out.

After getting this basic security up and running you can move on to the .htaccess Maker. Things are rather simple, albeit a tad laborious, here. Disable all features and use Save and Create .htaccess to create a minimal .htaccess which only has the features Joomla itself offers in its htaccess.txt (and a bit less, to be precise). Then enable one option at a time, save & create .htaccess again, check if your site still works. Rinse and repeat. That's what I'd do, too -- with the exception of five or so settings I can tell in advance if they will work at all on a server I've built or tested a site on.

It does take time but you get to better understand how your site works and where there are opportunities to improve its security. You can't reasonably implement sensible security improvements if your site and / or your security software are black boxes to you. Fixing the black box issue takes time but it does pay dividends.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
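To make the Auto-ban settings above concrete, here is an added example (not Admin Tools code, and not Nicholas's) that replays a Blocked Request Log against the recommended policy of "5 attacks in 1 minute, block for 5 minutes". The log lines, the tab-separated layout and the reason labels are constructed for the example; the assumption that a request from an already-banned IP is not counted as a fresh attack (because the ban is enforced before the WAF rules run) is also mine, not something the thread states.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Policy values taken from the settings recommended in the thread.
BLOCK_AFTER = 5                      # "Block after: 5 attacks ..."
WINDOW = timedelta(minutes=1)        # "... in 1 minute"
BAN_DURATION = timedelta(minutes=5)  # "Block for this long: 5 minutes"

# Constructed sample Blocked Request Log (NOT real Admin Tools output):
# "timestamp<TAB>ip<TAB>reason<TAB>target URL". Reason labels are constructed.
SAMPLE_LOG = """\
2020-08-28 12:00:01\t203.0.113.7\tsqlishield\t/index.php?option=com_content
2020-08-28 12:00:05\t203.0.113.7\tsqlishield\t/index.php?option=com_content
2020-08-28 12:00:09\t198.51.100.4\tuploadshield\t/index.php?option=com_media
2020-08-28 12:00:20\t203.0.113.7\t404shield\t/wp-login.php
2020-08-28 12:00:31\t203.0.113.7\t404shield\t/xmlrpc.php
2020-08-28 12:00:44\t203.0.113.7\tsqlishield\t/index.php?option=com_users
2020-08-28 12:00:50\t203.0.113.7\tsqlishield\t/index.php?option=com_users
2020-08-28 12:03:00\t198.51.100.4\t404shield\t/old-page.html
2020-08-28 12:06:10\t203.0.113.7\tsqlishield\t/index.php?option=com_content
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, reason, url) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, reason, url = line.split("\t", 3)
        entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, reason, url))
    return sorted(entries)


def evaluate_autoban(entries, block_after=BLOCK_AFTER, window=WINDOW, ban_for=BAN_DURATION):
    """Replay the log and return {ip: [(ban_start, ban_end), ...]}.

    A sliding window is used, so five blocked requests spread over more than a
    minute never trip the threshold. Requests from an IP that is currently banned
    are skipped (assumption: the ban is enforced before the WAF rules see them).
    """
    recent = defaultdict(deque)   # per-IP timestamps inside the window
    banned_until = {}             # ip -> datetime the current ban expires
    bans = defaultdict(list)

    for ts, ip, _reason, _url in entries:
        if ip in banned_until and ts < banned_until[ip]:
            continue                      # already banned, not a new attack
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= block_after:
            bans[ip].append((ts, ts + ban_for))
            banned_until[ip] = ts + ban_for
            q.clear()                     # counting restarts once the ban lapses
    return dict(bans)


def summarize_reasons(entries):
    """Per-IP count of Reason values: the view to take before deciding whether a
    Reason reflects a real attack or a false positive from an extension."""
    per_ip = defaultdict(Counter)
    for _ts, ip, reason, _url in entries:
        per_ip[ip][reason] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, spans in evaluate_autoban(log).items():
        for start, end in spans:
            print(f"{ip} auto-banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
    for ip, reasons in summarize_reasons(log).items():
        print(ip, reasons)
```

Run stand-alone, the replay shows 203.0.113.7 banned at 12:00:44 (its fifth blocked request inside one minute) and released at 12:05:44, while 198.51.100.4, with two blocked requests three minutes apart, is never banned. The per-IP Reason summary is what you would check in the Blocked Request Log before deciding whether a Reason belongs to an attack or to one of your own extensions "doing weird things".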

dunwin

Wow! That is what I call great support!!!! A clear and detailed response from both Dale and Nicholas. Thank you both.

I think as a 'Newbie' I will follow Nicholas's path this time around.

I will keep this ticket open just in case I have more questions related to getting started.

Thanks again guys for the quick and detailed response from both of you, very much appreciated.

David Unwin - London UK

nicholas
Akeeba Staff
Manager

You're welcome! We're here to help :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
