#9743 Project Honey Pot

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by user21438 on Thursday, 27 January 2011 17:07 CST

user21438
Hi Nicholas,

I was just wondering if you think Project Honey Pot would be a useful addition to Admin Tools? That, or maybe some sort of reverse captcha, that if triggered, denies access to the site.

Just some ideas for you (not that I want to add more work for you).

Best,

Matt

nicholas
Akeeba Staff
Manager
First, a little bit of background info for those who are not familiar with the concept of reverse CAPTCHAs. The idea is to add a field which is hidden from humans (usually floated -10000 pixels to the left) and doesn't receive keyboard focus. Since it's impossible to edit, humans will never fill it, but spam bots who just parse the HTML will. Programmatically, this is trivial to implement.

BUT: Browsers' auto-complete is too good. In order to have spambots fall for this trick, you have to use a field name which they are likely to fill in, like name2, email2, address3 or something like that. Guess what? Most browsers' auto completion also works like the spam bots and may fill in that invisible field for you, disabling your access to that site. Ouch!

That said, this feature is already on my to-do list and it'll come with a warning.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
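
The reverse CAPTCHA check described above, as an added Python example that is not code from Admin Tools or from anyone in this thread. The decoy field name, the reason code and the whitelist handling are assumptions; the whitelist anticipates the IP whitelisting that comes up later in the thread.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed example of the reverse CAPTCHA described above: a decoy field no
# human can see or tab into, which a bot that merely parses the HTML fills in.
HONEYPOT_FIELD = "email2"  # assumed decoy name, of the kind the post mentions


def honeypot_input_html(field_name: str = HONEYPOT_FIELD) -> str:
    """Render the decoy: floated 10000px off-screen and removed from the tab
    order. autocomplete="off" reduces the browser auto-fill false positive the
    post warns about, but not every browser honours it, so the risk remains."""
    return (f'<div style="position:absolute;left:-10000px;">'
            f'<input type="text" name="{field_name}" value="" tabindex="-1" '
            f'autocomplete="off"></div>')


def is_whitelisted(ip: str, whitelist: Iterable[str]) -> bool:
    """True when ip falls inside any listed host address or CIDR network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in whitelist)


def check_submission(form: dict, remote_ip: str,
                     whitelist: Iterable[str] = ()) -> Optional[dict]:
    """Return a security-exception entry when the decoy field carries a value,
    or None when the submission passes. Whitelisted IPs are never blocked."""
    if is_whitelisted(remote_ip, whitelist):
        return None
    # Stray whitespace is not evidence of a bot, so treat it as empty.
    if form.get(HONEYPOT_FIELD, "").strip() == "":
        return None
    return {"ip": remote_ip,
            "reason": "REVERSE_CAPTCHA",  # constructed reason code
            "detail": f"decoy field {HONEYPOT_FIELD!r} was filled in"}


def format_notification(entry: dict) -> str:
    """Two-line layout like the exception emails quoted later in the thread."""
    return f"IP Address: {entry['ip']}\nReason: {entry['reason']}"
```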

user21438
Hi Nicholas,

That's great to hear that it's on your to-do list. Apparently great minds think alike ;) Yes, there are definitely some inherent risks with reverse CAPTCHA. I've even read that some spam bots are attempting to parse CSS documents to attempt to potentially identify potential reverse CAPTCHA fields. The workaround in that scenario would be to hide those fields with JavaScript, but then you risk users not using JS to trigger a false positive. There's no easy solution that is 100% foolproof.

What's your opinion of Project Honey Pot? Do you think that it could be used to populate the Site IP Blacklist and then we could Disallow site access to IPs in Blacklist? Not that I'm trying to add to your to-do list ;)

Best,

Matt

nicholas
Akeeba Staff
Manager
Matt,

I submitted a reverse CAPTCHA approach just a few minutes ago to the SVN. It works perfectly in vitro. I will apply it on this site and see if it can cut down the few dozens of spam registration attempts.

Regarding Project Honeypot, there's nothing which prevents you from taking their database, dumping it to a CSV file and importing it into the Admin Tools Professional IP blacklist table. I am against over-automating potentially harmful procedures, like blindly importing a huge external IP database. If PH's IP database accidentally blocks one of your clients I don't want it to be "my responsibility" because "my" software blocked him. I want it to be your responsibility, because you chose to implement a specific IP filtering database. That will be my POV until the day when an IP address will uniquely identify a single Internet-enabled machine ;)

I guess the best I can do is to give instructions on importing PH's IP database to Admin Tools using phpMyAdmin. Would that be adequate?

nicholas
Akeeba Staff
Manager
A point I missed is that you can't actually import the IP database, but PH has an API which runs on top of DNS services. This is tricky to implement and would fail on most shared hosts, especially those who choose to do their own DNS caching. Since Project Honeypot's filter is also implemented in the Bad Behaviour plugin, you may want to try that first.


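The DNS-based Project Honey Pot (http:BL) lookup Nicholas refers to, as an added Python example that is not code from Admin Tools, Bad Behaviour or this thread. It assumes http:BL's documented query name and answer layout, uses a placeholder for the free access key the service issues, and the blocking thresholds are a constructed policy; resolver failures return "unknown" rather than a block, which is the shared-host DNS caveat above.

```python
import socket
from typing import Callable, Optional

# Constructed example of the http:BL lookup: the IP is looked up as a DNS name
# and the answer, a 127.x.y.z address, encodes the listing.
HTTPBL_ZONE = "dnsbl.httpbl.org"
ACCESS_KEY = "YOUR_HTTPBL_ACCESS_KEY"  # placeholder, not a real key
TYPE_SUSPICIOUS, TYPE_HARVESTER, TYPE_COMMENT_SPAMMER = 1, 2, 4


def httpbl_query_name(ip: str, access_key: str = ACCESS_KEY) -> str:
    """<key>.<IPv4 octets reversed>.dnsbl.httpbl.org (http:BL is IPv4 only)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"http:BL only covers IPv4 addresses: {ip}")
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"


def parse_httpbl_answer(answer: str) -> dict:
    """Decode 127.<days since last activity>.<threat score>.<type bitmask>.
    A type of 0 marks a search engine; the third octet is then an engine id."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    _, days, score, kind = octets
    return {"days": days, "threat_score": score, "search_engine": kind == 0,
            "harvester": bool(kind & TYPE_HARVESTER),
            "comment_spammer": bool(kind & TYPE_COMMENT_SPAMMER),
            "suspicious": bool(kind & TYPE_SUSPICIOUS)}


def lookup(ip: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[dict]:
    """NXDOMAIN means 'not listed'. Any other resolver failure, or a bogus answer
    from a host that does its own DNS caching, also yields None: the check
    fails open rather than locking every visitor out."""
    try:
        return parse_httpbl_answer(resolve(httpbl_query_name(ip)))
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return None


def should_block(info: Optional[dict], max_days: int = 30, min_score: int = 25) -> bool:
    """Constructed policy: block only recent, high-scoring harvester or comment
    spammer listings; never block search engines or unlisted visitors."""
    if info is None or info["search_engine"]:
        return False
    if info["days"] > max_days or info["threat_score"] < min_score:
        return False
    return info["harvester"] or info["comment_spammer"]
```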
user21438
Hi Nicholas,

That's great! I look forward to seeing the reverse CAPTCHA in action. Would this create an entry into the Admin Tools – Security Exceptions Log?

As always, your point of view is very insightful and very appreciated. I completely understand what you mean about over-automating potentially harmful procedures. That makes perfect sense to me. Documenting that process would be great, only if you have the time.

Thanks again!

Best,

Matt

nicholas
Akeeba Staff
Manager
Yes, all security features I am adding create entries in the security exceptions log. Moreover, starting with the next release, if you ask to be emailed on security exceptions then the email will also include the IP address of the attacker and the reason of being blocked.

I am now looking at Bad Behaviour. License permitting, I will integrate it in Admin Tools Professional :)

user21438
Nicholas,

That's awesome, you are the man!

Best,

Matt

nicholas
Akeeba Staff
Manager
OK, that wasn't half as difficult as I thought :) I just finished integrating Bad Behaviour (including FULL support for its Project Honeypot feature) in Admin Tools. The good thing is that BB is licensed under the LGPLv3 or later, so our licenses are 100% compatible. Woot!

user21438
That's awesome, you are the man!


If you implement these features that fast, you're going to make it hard for me to stop suggesting others ;)

Thanks for making such an awesome extension!

Best,

Matt

nicholas
Akeeba Staff
Manager
Not just fast, but I also provide dev releases for each feature I implement ;) If you'd like to lay hands on the cake while it's still hot from the oven, try the developer's releases (you need to be logged in to see Admin Tools Professional dev releases). Any version from 150 and above has the features we discussed in this thread, in the WAF Configuration page.

user21438
I'm checking out version 150 now and this looks great. I also see some other nice surprises too. Would this be safe to put into production?

Best,

Matt

nicholas
Akeeba Staff
Manager
Yes, it's safe for production use (read: "I use it on my sites and they are still on-line, but YMMV"). I have not done any funky stuff which would break existing features.

user21438
"I have not done any funky stuff which would break existing features."

I guess that would have been the better question to ask. Going live in 3, 2, 1...

Thanks!

Best,

Matt

user21438
Hi Nicholas,

It looks like notify.paypal.com has been a bad boy, if you know what I mean. I just got a few emails notifying me:

IP Address: 66.211.170.66
Reason: ATOOLS_LBL_REASON_BADBEHAVIOUR

Any thoughts? Is there a way to whitelist IPs for bad behavior?

Best,

Matt

nicholas
Akeeba Staff
Manager
Try developer's release 156. I have added an IP whitelisting feature. By default it's populated with the PayPal IP you mentioned. I also fixed the missing translation string issue in the log viewer.

user21438
Thanks! I'm giving it a spin now.

Best,

Matt
