Support

Admin Tools

#9823 What is "Bad Behavior"

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 16 May 2011 16:36 CDT

Wednesday, 06 April 2011 10:34 CDT

erixis
I have a few questions about the algorithms used to define bad behavior from certain IPs.

If I'm getting the following error:

We would like to notify you that a security exception was detected on your site with the following details:

IP Address: 41.78.80.37
Reason: Bad Behaviour

If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

My questions are these:

What constitutes bad behavior?

How many times should I allow this IP to exhibit this before I ban them?

I'm hosting multiple joomla! installations as virtual domains on a single host account. If I have 5 joomla sites getting similar bad behavior alerts, is there a way I can ban these IPs from a single point on my server account, or do I have to add each IP separately to each Joomla! installation?

Should I share this info with my hosting company or do think they are already aware of it?


Thanks

Eric Lewis

Wednesday, 06 April 2011 15:41 CDT

nicholas
I have answered what Bad Behavior is already :)

Regarding auto-banning, there's no rule of thumb. I prefer to ban an IP if it throws 3 exceptions within 1 minute (untypical of a human, typical for a bot) and only for 30 minutes (enough to fend off a script attacking your site).

Regarding a centralized ban or notifying your host, no, that's not necessary as there is always a chance of the BB integration misfiring and throwing a false positive on a legitimate request.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 06 April 2011 15:58 CDT

erixis
Thanks for your reply Nicholas! Keep up the good work! I really enjoy using your software. Makes Joomla! 10 times more valuable!

Eric

Thursday, 07 April 2011 01:10 CDT

nicholas
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 16 May 2011 16:28 CDT

user12944
Hello I am having issues with a form from iproperty giving a 403 error and stating it's due to bad behavior. Is there an exception I should add to stop this? When I add teh esception com_iproperty nothing happens. The exact error is:

403 - Access Denied
HTTP request error b40c8ddc
You can fix the problem yourself by visiting this URL and following its instructions.
Edited by user12944 on 2011-05-16 16:30 CDT

Monday, 16 May 2011 16:36 CDT

nicholas
Bad Behavior is a third party library which is supposed to offer protection against spammers and hackers by filtering the requests through some filters based on analysis of past hacking and spam attempts. All we do is to integrate it with Admin Tools Professional. I have not written it and can not debug it. If you get lots of false positives you can simply disable it from the WAF Configuration page.

That said, the explanation of this error code is "POST more than two days after GET" which means that the request dates and times do not match. This usually indicates the use of a transparent proxy on the ISP side which corrupts the HTTP headers of the request, causing Bad Behavior to trigger. Other than disabling Bad Behavior there seems to be no other way to get rid of that error.

FYI, the exact mapping of Bad Behavior's HTTP request error codes and explanation can be found at http://www.tighturl.com/project/p/tighturl/source/tree/d05777481498312b2b148f188006f152a6f44e76/bad-behavior/bad-behavior/responses.inc.php

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!