#41225 WAF - Can we block Hosts?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.14
PHP version: 8.3.12
Admin Tools version: 7.6.1

Latest post by nicholas on Monday, 21 October 2024 09:17 CDT

cf_web

Hi there,

is there a way to block at host level with WAF?

I'm getting lots of login failures from different IP addresses in different countries which all belong to some hosts like datapacket . com or bunny . net.

--> "If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user." <--

It would be very convenient to block them at host level without the need to add all these IP addresses manually or use CIDR.

A real visitor would never use these hosts to browse my sites from.

Best regards

Carsten

nicholas
Akeeba Staff
Manager

You can do so directly with Apache (.htaccess), see the Require not host .example.com notation from mod_authz_host.

There are three major reasons for which we did not implement this as an Admin Tools feature. From least to most important:

  1. This is not a common enough need to warrant its own feature. Think about getting one question for this every four to five years.
  2. It will make your site be perceived as slow because at least the first request will need to wait for the DNS system to complete the whole reverse DNS look-up before deciding whether to process the request. A reverse DNS lookup can take anywhere from 100 to 2000 msec.
  3. Using a very heavy hand when blocking hosts like that may be counter-productive. You may think "AWS should never need to access my site directly" and go ahead and block it... thereby blocking search engines from indexing your site, or payments solution providers from letting you know if a transaction went through, and so on and so forth.

Now that you know the risks you can take a fully informed decision on whether to proceed.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
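As an added example that is not part of the original reply or of Admin Tools, this is what the `Require not host` notation from mod_authz_host looks like inside an Apache 2.4 `.htaccess` file; the two domain suffixes are placeholders, not a recommendation to block any specific provider.

```apacheconf
# Apache 2.4, mod_authz_host. Works in .htaccess only when the directory
# has "AllowOverride AuthConfig" (or All). Placeholder suffixes below.
<RequireAll>
    # Start by authorising everyone; a negated "Require not" can never
    # grant access on its own, so it must sit inside RequireAll/RequireAny
    # next to a positive rule.
    Require all granted

    # Deny clients whose reverse DNS name ends in one of these suffixes.
    # The leading dot matches the whole domain (host1.example.net,
    # edge.eu.example.net, ...), not just the bare name.
    Require not host .example.com
    Require not host .example.net
</RequireAll>
```

Apache resolves the client IP to a name and then resolves that name forward again to confirm it (a double reverse lookup, performed regardless of `HostnameLookups`), which is the per-request DNS delay described in point 2 above; a client with no PTR record simply matches none of the `host` rules and is let through by `Require all granted`.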

cf_web

Hi Nicholas,

thank you for this well-founded and detailed answer.

The performance thing is the dealbreaker.

I probably shouldn't think about it any further and just block the most common IP addresses manually.

Best regards.

Carsten

nicholas
Akeeba Staff
Manager

Yes, the performance impact is very much a deal-breaker for this kind of thing.

I had not mentioned another option previously. Please keep in mind that this option can be a dangerous overkill for your use case.

You could use CloudFlare in front of your site and have it block entire ASNs (example). CloudFlare can do that as they are a network provider themselves, therefore they get the BGP tables. This allows them to correlate IPs to ASNs virtually instantaneously. That's a deeper level of insight that anyone below the level of an ISP simply does not have access to, period. This is an oversimplification of what is going on, but it works well enough for the purposes of explaining this feature.

Be very careful if you decide to go the ASN filtering route. I only recommend it when you are under heavy, sustained attack (DoS, DDoS), and only as a temporary measure while the attack is in progress – that's the only context I ever use that feature. I would not recommend this as a general purpose blocking method. It's the networking equivalent of being granted genie wishes: you always get exactly what you asked, never what you actually meant.

Nicholas K. Dionysopoulos

Lead Developer and Director


Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!