It would be nice that we can set optional to output a 404 or 403 page instead of redirecting to frontend. This will avoid traffic and makes web analysis easier.
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by nicholas on Friday, 07 June 2024 06:51 CDT
It would be nice that we can set optional to output a 404 or 403 page instead of redirecting to frontend. This will avoid traffic and makes web analysis easier.
What you are looking for is called Administrator Password Protection. It's a different feature, implemented at the web server level, it resutls in a 403 when the attacker fails authentication, and it uses far less resources than the secret URL parameter.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
I'm not looking not for additional htaccess password protection for the admin directory. As first level we like to obscure the admin login with secret url to keep all those annoying automated admin calls away from the site. If we have the option of generating a 403 or 404 instead of redirecting calls to the front page, we also avoid unnecessary traffic. As second level we have automated blocking activated and as third level 2FA.
The problem you have is that by using the secret URL parameter to block brute force attacks requires your server to go through the .htaccess file, spin up a PHP thread, have PHP process several hundred of PHP files which make up the minimum Joomla! environment and system plugins, perform a number of database requests, and only then do something with the request. It doesn't matter if the result is an HTTP 40x, or a 30x. This is where the bulk of your server resources waste is, not the redirection. Even in the unlikely case you are being attacked by brute force scripts which follow redirections, implementing a 40x response would only halve the waste of server resources. Using an administrator directory password would reduce the waste of server resource by two orders of magnitude.
As you can see, I really do understand your use case and I am trying to guide you to an effective solution to your legitimate and very real problem. I can very easily add one more option to let you choose whether the secret URL parameter will be redirecting to home, or just stop with a 403 error. That's easy; a five minute job which will take me less time than writing this reply. I am not trying to avoid work, I am trying to give you a solution to your problem. If you insist, I will of course implement this feature for the next release, but do keep in mind that it won't do much to help you with your problem. The alternative solution I gave you can be applied today and it will actually solve your problem. Of course, it's your site and your choice. I just want you to know why I proposed a completely different solution. It's not because I don't want to implement your suggestion, it's because I know for a fact it won't help anywhere near as much as you think it will (I have run benchmarks with ab
, the Apache Benchmark tool, against development and real world servers, the latter always showing a bigger delta between the two solutions due to the higher iowait from other sites / VMs on the same host machine).
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
I appreciate your explanation greatly and completely agree. Every security measure taken at the server level before reaching the CMS avoids unnecessary traffic and resource strain.
We generally recommend to our clients to allow access to the backend only from defined fixed IPs. We have shifted the entire article management and editing to the frontend, so access to the backend is necessary only in very few cases.
As diverse as our clients are, so are their ideas about the usability of the website. Why some of our clients want to access the backend from mobile devices while on the go, we cannot understand for practical reasons. Or some simply do not have a fixed IP.
In the case of an additional security layer through password-protected directories, this is often perceived as "inconvenient" and "annoying." However, actual access is well secured through multi-factor authentication.
Unfortunately, we often find that brute force attacks not only come from a few IPs but often mimic the structure of DDoS attacks. In the end, the idea behind serving a 403 to attackers is to convey, "Stop it, we know who you are, and you're not getting in here." In the server log, the 403 facilitates automated analysis compared to redirecting to the frontend.
We have also considered allowing access to the backend only from German IPs, which would also prevent a large portion of brute force attacks.
We're simply trying to align the needs and requirements of our clients with our security standards. I value the opportunity to discuss our ideas here and your feedback greatly. Thank you very much!
No worries! I've already implemented your suggestion; I told you, it was a 5' job :)
Now, about backend vs frontend and protecting logins. Do remember that Joomla! allows you to connect to both frontend and backend with the same username and password. If certain frontend users have editing privileges they are almost as sensitive as users with backend access privileges -- remember that Super Users can even change some site configuration parameters in the frontend! I would definitely recommend using Joomla's Multi-factor Authentication to force the use of MFA for these user groups. Fun fact: Joomla's MFA was called Akeeba LoginGuard; I contributed it to Joomla! a couple of years ago to make sure all Joomla! users get the same high level of protection we and our clients did.
Regarding the backend, I am not sure if you are running your own servers or you're using commercial hosting. If you run your own servers you can disallow access from public IPs and limit backend connection through a VPN. The hardest part is setting up the VPN. Limiting access by IP range is very easy using .htaccess files (Apache, LiteSpeed), web.config files (IIS), or server configuration (NginX). This works far better than country geofencing which is neither perfectly accurate (you get at best 95% accuracy for both false positives and false negatives), nor does it address the use case of admin account holders traveling abroad.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Speaking of VPNs, there's always the obvious use case. You can set up a virtual machine on a VM provider (e.g. Akamai/Linode, DigitalOcean, Amazon EC2, ...) with a static IP address on the Internet and run VPN and/or proxy software on it. You can then limit access to sites' administrator only to the IP of this intermediate server (it's not quite a jump server), and have all clients VPN into it, or set it up as a proxy -- whatever works best for your use case. This automatically cuts down all the admin brute force attempts on your sites at the expense of a bit of a fuss to connect to the site's backend.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Hi Nicholas, can we get the version with the option to generate 403 or 404 instead of redirecting calls to the front page?
Please wait until Monday or Tuesday, when I am making new releases (most likely Monday).
I would've done this sooner, but the past month has been a rolling Dumpster fire for me. Between health issues affecting both myself and family members to the point they required hospitalisation, and a few disasters (yes, plural) affecting our property, I never had the time to make a release. Hopefully, nothing else will happen, and I will be able to make those darned new releases next week. I am really sorry for having you wait for so long, I just never expected five separate major mishaps to take place in the span of five weeks. This is not something I could reasonably plan against.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Don't worry, it doesn't matter if it's released next week or next month. I hope you and your family are fine, that's the most important thing.
Thank you. Thankfully, we are recovering very well.
Have a wonderful day!
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!