#41221 No log of any attacks while under attack ??

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
4.x last version
PHP version
8.1.29
Admin Tools version
very last one

Latest post by nicholas on Tuesday, 22 October 2024 01:21 CDT

Chabi01

Hi :)

I have a question about something I have encountered on only one site (I don't see this on any other site with Admin Tools).

I have attacks on this site; I have received several emails about the blocked attacks.

Even though the attacks are blocked by Admin Tools, I can see something very strange: the logs are empty and so is the graph. I have checked the WAF configuration and, just in case, reinstalled Admin Tools, but I have no log of the attacks (no stats, nothing in the log when I enter the WAF configuration).

What did I miss? What should I check?

Thanks for your help :)

Xavier

nicholas
Akeeba Staff
Manager

Whether a request is blocked is controlled entirely by the Configure WAF options, of course. If a request is blocked, it might be logged in the database, and/or you might receive an email about it.

Whether a blocked request results in a database log line is controlled by the “Do not log these reasons” option. By default this is empty, meaning that all blocked requests are logged.

Whether a blocked request results in an email being sent is controlled by the “Do not send email notifications for these reasons” and whether there is anything in “Email this address on blocked request”. Moreover, it depends on the component's Options where you can find options for throttling emails.

With that in mind, it's likely that the “Do not log these reasons” tells Admin Tools not to log something, or your database's #__admintools_logs table has crashed, or you are looking at the wrong site. About the latter, if you have transferred your site between hosts it is possible that the old site is not deleted, and somehow traffic does get routed to it (there are several DNS and web server misconfigurations which can do that). This could end up in the “wrong” site being attacked, and you receiving email about it. The BEST way to check if this is the case is to correlate your emails with your web server logs. Do you see the requests to the Target URL at a time around the one reported in the email, and from the IP reported in the email? If yes, the email came from the “right” site. If not, the email came from the “wrong” site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
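The "right site / wrong site" check suggested above can be scripted: take the IP, target URL and time from a blocked-request email and look for matching lines in the web server access log. This is an added example, not code from Admin Tools or from this thread; the email fields and the access log lines are constructed, the log is assumed to be in the common combined format, and the target URL is assumed to be given as a path.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields a practitioner would copy out of an Admin Tools
# "Blocked request" notification email (values are made up for this example).
EMAIL_REPORT = {
    "ip": "203.0.113.45",
    "target_url": "/administrator/index.php",
    "timestamp": datetime(2024, 10, 20, 14, 32, 10, tzinfo=timezone.utc),
}

# Constructed access log lines in the Apache/nginx combined format (made-up traffic).
ACCESS_LOG = """\
203.0.113.45 - - [20/Oct/2024:14:31:58 +0000] "POST /administrator/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2024:14:32:01 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Oct/2024:09:05:40 +0000] "GET /wp-login.php HTTP/1.1" 404 220 "-" "curl/8.0"
"""

# Client IP, bracketed timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def correlate(report, log_text, window=timedelta(minutes=5)):
    """Return log entries from the reported IP that hit the reported URL within +/- window of the email time."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        same_ip = entry["ip"] == report["ip"]
        same_path = entry["path"].split("?", 1)[0] == report["target_url"]  # ignore the query string
        in_window = abs(entry["ts"] - report["timestamp"]) <= window
        if same_ip and same_path and in_window:
            hits.append(entry)
    return hits

def verdict(report, log_text):
    """'right site' if the email is backed by this server's own log, else 'wrong site'."""
    return "right site" if correlate(report, log_text) else "wrong site"

if __name__ == "__main__":
    for hit in correlate(EMAIL_REPORT, ACCESS_LOG):
        print(hit["ts"].isoformat(), hit["ip"], hit["path"], hit["status"])
    print(verdict(EMAIL_REPORT, ACCESS_LOG))
```

Run it against the real access log of the host you believe sends the emails; a "wrong site" verdict for every reported attack points to another copy of the site still receiving that traffic.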

Chabi01

Hi Nicholas,

I usually log everything and do not email myself the 404 errors (which are, most of the time, WordPress attacks).

The old site has been deleted for a long time, but I still receive emails with "Blocked request on xxx". All of them indicate that this is the correct site sending the emails.

The attack wave has not ended, as I have blocked the IP used by the attacker (I know, this is only a temporary mitigation). I can suppose, since the attacks almost stopped after this change in Admin Tools, that it is the correct site.

So, I obviously have attacks.

How can I check the database? (I have already reinstalled the extension without any change.) I also ran "repair and optimize tables" and checked the database in the Joomla system information (nothing was raised there).

This is the very first time this has happened, and even if it is not "dramatic", I would like to be sure that the protection is active and that the automatic blocking for repeated attacks works; as it is, I'm not sure.

To test, I logged out of the backend and tried to log in with a wrong username and password to see if this is logged, and it is not (it should be, no?).

I can't figure out what is happening on this site (please tell me if you want to see for yourself; I will send you credentials so you can check whether you see something wrong).

Thank you Nicholas,

Xavier

nicholas
Akeeba Staff
Manager

To test, I logged out of the backend and tried to log in with a wrong username and password to see if this is logged, and it is not (it should be, no?).

That's an oversimplification. What happens depends entirely on your configuration.

Your failed login with a username and password will be logged if all of the following conditions are simultaneously true:

  1. No other hosting-, server-, or application-level code is blocking your request such as but not limited to a CDN in front of your site, a third party or host-provided security application in front of your site, an Operating System-level firewall such as ipfilters, web server configuration, and third party Joomla! plugins.
  2. Your IP or request is not blocked immediately by any other feature such as but not limited to Administrator Exclusive Allow IP List, Site IP Disallow List, or any other Web Application Firewall issue.
  3. There is no entry in WAF Exceptions which could possibly override this check (at the time of the writing this cannot be the case for login checks, so you're safe).
  4. “Treat failed logins as a reason for blocking the request” is set to Yes.
  5. “Log blocked requests” is set to Yes.
  6. “Do not log these reasons” does NOT contain Login Failure.
  7. If “Allow administrator access only to IPs in Exclusive Allow IP List” is set to Yes: your IP address does NOT match any of the IP expressions in the Administrator Exclusive Allow IP List.
  8. Your IP address does NOT match any of the IP expressions in “Never block these IPs”.
  9. Your IP address does NOT match any of the IP expressions in “Site IP Allow List”.
  10. The hostname your IP address resolves to does NOT match any of the expressions in “Never blocked domains”.

An email will be sent if all of the above conditions are met along with all of the following conditions:

  1. “Email this address on blocked request” contains an email address which can reliably receive email.
  2. Email sending has been configured correctly and enabled in your site's Global Configuration and tested to be working.
  3. The System, Mail Templates page contains a valid template for the “Admin Tools: Blocked request” template in either your language or the default fallback language of your site (usually en-GB).
  4. The settings in the component's Options page, Email Sending tab do not apply a throttling for emails (“Blocked request email throttling” is Off), or the throttling threshold has not been reached.


Chabi01

Hi again Nicholas,

I'm very sorry to be annoying. I have checked everything you wrote and all is set as you say. My IP can be declared, as I also made the test from my phone (not on Wi-Fi, to have a different IP address).

I really don't understand, as everything you wrote is set as you say, and this is the very first time I have had this issue.

Have a nice day,

Xavier

PS: and thank you for your patience and your time.

nicholas
Akeeba Staff
Manager

From your reply I do not understand if you see a logged blocked request, and if you do if it has logged your real IP address. As a result, I cannot help you any further.

