#9802 WAF Question

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 26 March 2011 16:38 CDT

sackerman
I already have mod_security with rules from ASL installed on my web server. Is there any performance penalty from having the WAF in Admin Tools Pro? And if so, could you provide (in future releases) a method for turning the WAF off?

nicholas
Akeeba Staff
Manager
WAF does add a slight overhead (a mere 0.05 seconds per page load) but offers a completely different kind of protection than Apache's mod_security. It is a web application firewall, not a web server firewall. I recommend using both of them, as well as sane administrative techniques, to keep your site protected.

Example: Turning off WAF and having mod_security will not stop an attacker from brute-forcing your Super Administrator password. They will simply write a script to fetch the http://www.yoursite.com/administrator/index.php page, parse the token, submit your username with a random password and let it run for a few days. With WAF enabled you will be protecting access to that URL through a secret key. If the attacker tries a few times to crack that secret key, you can auto-ban his IP for a few hours. Effectively, a brute force attempt would now take several hundred years to complete instead of a few hours to a couple of days. IMHO, the 0.05 seconds per page load trade-off is very well worth this added protection! Want some proof? This site. It uses both mod_security and Admin Tools Professional.

If you want to disable WAF anyway, there are two ways to do that:
1. Go to WAF Configuration and turn everything off.
2. Unpublish the System - Admin Tools plugin from Joomla!'s plugin manager. In this case you lose all features of Admin Tools, including URL redirection, scheduling of maintenance operations and the SEO and Link tools.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
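The two mechanisms described in the post above, a secret key gating the administrator URL and an automatic IP ban after a few wrong guesses, as an added illustration. This is example code written for this thread, not Admin Tools' own implementation or its real log format: the threshold (3 failures in 10 minutes), the ban length (3 hours), the secret parameter name `letmein`, the log line layout and the client IPs are all assumptions.

```python
"""Added example: secret-key URL gate plus IP auto-ban, replayed over
constructed log lines. Not Admin Tools code; all parameters are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBan:
    """Ban an IP for `ban_for` once it fails `threshold` times within `window`."""

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=3)):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}                # ip -> datetime at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # ban has expired; forget it
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed attempt; return True if this one triggers a ban."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = now + self.ban_for
            q.clear()
            return True
        return False


SECRET_PARAM = "letmein"   # assumed name of the secret-key query parameter

# Constructed access-log lines (not from any real server):
# "<ISO timestamp> <client IP> <request path>"
LOG_LINES = [
    "2011-03-26T16:00:00 203.0.113.5 /administrator/index.php?s3cr3t=aaaa",
    "2011-03-26T16:00:01 203.0.113.5 /administrator/index.php?s3cr3t=aaab",
    "2011-03-26T16:00:02 203.0.113.5 /administrator/index.php?s3cr3t=aaac",
    "2011-03-26T16:00:03 203.0.113.5 /administrator/index.php?s3cr3t=aaad",
    "2011-03-26T16:05:00 198.51.100.7 /administrator/index.php?letmein=1",
    "2011-03-26T19:30:00 203.0.113.5 /administrator/index.php?s3cr3t=aaae",
]


def replay(lines=LOG_LINES, secret_param=SECRET_PARAM, guard=None):
    """Run each request through the gate and the ban list.

    Returns one (decision, ip) pair per line: 'allowed' (secret present),
    'wrong-key' (rejected and counted), 'banned' (this attempt triggered a
    ban) or 'dropped' (request from an IP that is currently banned).
    """
    guard = guard or AutoBan()
    decisions = []
    for line in lines:
        ts, ip, path = line.split(" ", 2)
        now = datetime.fromisoformat(ts)
        if guard.is_banned(ip, now):
            decisions.append(("dropped", ip))
            continue
        query = path.partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if secret_param in params:            # knowing the parameter name unlocks the URL
            decisions.append(("allowed", ip))
        elif guard.record_failure(ip, now):
            decisions.append(("banned", ip))
        else:
            decisions.append(("wrong-key", ip))
    return decisions


def years_to_exhaust(keyspace=62 ** 8, attempts_per_ban=3,
                     ban_for=timedelta(hours=3)):
    """Worst-case years for a single IP to try every key when each ban costs
    `ban_for` of waiting. 62**8 assumes an 8-character alphanumeric key."""
    bans = keyspace / attempts_per_ban
    return bans * ban_for.total_seconds() / (365 * 24 * 3600)


if __name__ == "__main__":
    for decision, ip in replay():
        print(f"{ip:14} {decision}")
    print(f"single-IP exhaustive search: {years_to_exhaust():.2e} years")
```

In the replay the first IP is banned on its third wrong guess, its fourth request is dropped without being parsed, and its guess after the ban expires is counted afresh. The year estimate is for one source address; an attacker spreading guesses across many addresses divides it by the number of addresses, which is why the post recommends the host firewall and mod_security alongside WAF rather than instead of it.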

slaes
FYI, you can already turn all parts of WAF off. From my personal experience I have never seen any kind of performance issues at all. If anything they would be very slight.

In addition, WAF has many features far different from mod_security.

On another note, I personally have a lot of experience with the ASL rule set and I would say it's OK. However, may I suggest you take a look at the Atomicorp rules, they are the S&it.

Maybe Nicholas has some input on that.

slaes
Since you're running your own box, mod_security, Admin Tools and the CSF firewall are a must. CSF is awesome and even has a GUI in WHM for those who can't use SSH. It'll do everything and more as far as a box firewall goes.

sackerman
Nicholas: thanks for the info it was very helpful. I will not be disabling the WAF in Admin Tools Pro.

slaes:
Thanks for the lead on CSF, I was using Shorewall but this morning installed and configured CSF and it is indeed very thorough.

nicholas
Akeeba Staff
Manager
You're welcome!

