The Blacklist management page
This page allows you to manage the IP Blacklist, defining the list of IPs or IP blocks which do not have access to your site. The management is done using the standard Joomla! toolbar buttons. Clicking on an entry, or checking its box and clicking onwill allow you to edit the entry. Clicking on the button allows you to add an IP/IP range. Checking one or several items in the list and clicking on will remove them from the list.
Contrary to popular belief, you should not manually blacklist every single IP which appears to be attacking your site. This will have unintended consequences which work against your site and offer no additional protection.
First of all, not all detected attacks are actual attacks. Keep in mind that Admin Tools' Web Application Firewall, like every other WAF solution out there, is using a set of rules to determine the probability of a request being part of an attack and block it if it crosses a certain threshold. This means that there are a few cases of legitimate requests being mistakenly treated as attacks (false positives). This can happen when, for example, a user's browser keeps inserting the wrong password in the login form and the user not noticing and keep retrying to log in until they get blocked. You don't want to permanently blacklist that client of yours, now, do you?
Furthermore and most importantly the IP an attack to your site seems to come from is most likely not the IP address of the attacker himself. Even a semi-decent, wanna-be hacker would never use his home's Internet connection to launch an attack. That would be the equivalent of a burglar leaving his driver's license in the house he robbed. Instead, hackers use hacked devices (from a PC to a smart lightbulb and everything in between) of innocent people to launch their attacks from. Therefore the IPs you see attacking you and are tempted to block are innocent people. These are your potential clients. You don't want to block them.
Moreover, IPs are seldom static. They are dynamic. Most ISPs own a bunch of IP addresses. When your router connects to the Internet it is assigned a random address from that bunch. Many ISPs push that further, allocating an IP address for a short time period (usually 1 to 12 hours) and assign you a different, random IP when that allocation expires. This is done for several performance and business reasons, but what you should remember is that the IP that attacks you today will most likely be assigned tomorrow to your potential client. You do not want to block them!
Finally, there's the performance aspect of IP blocking. Every time someone connects to your site, on every single page load, Admin Tools has to check their IP address against each and every entry of the blacklist. Every entry of the blacklist adds a bit of processing time on every page load. In most cases 50 to 100 blocked IPs will not have a severe impact on your page loading speed. Anything above that threshold has a measurable impact on your site's performance. Your site loads slower for everybody. Search engines pick that up and penalize your slow site by burying it dozens of spots lower in search rankings.
Essentially, the more blacklisted IPs you add the more potential clients you lose.
This leaves us with the question of why this feature exists and how you should deal with IP blacklisting.
There is a small, but large enough to be annoying, percentage of attacks originating from wanna-be hackers who use the same IP address to attack you over and over again. Usually they're running a dumb script with no error handling. Therefore even when Admin Tools blocks them automatically they keep trying and trying. The best thing you can do is, of course, blacklist their IP. Luckily, Admin Tools can do that for you! Just make sure that you enable the automatic IP banning and the permanent IP banning of repeat offenders in the Configure WAF page. Admin Tools will first issue a temporary ban against IPs which seem to be attacking your site. If they are persistent it will add them to the blacklist. This automatic management yields the best results for both performance and security.
So why do we have the IP blacklisting feature, again? Mostly to manage the automatically blacklisted IP addresses and to allow power users to add their own IPs which they do not want to access the site for reasons beyond security. So do yourself a favor and do not manually blacklist IP addresses! Managing blacklisted IPs manually is a Terribly Bad Idea.
The Edit/Add page looks like this:
The Blacklist editor page
You current IP address is displayed right above the edit box. Make sure that you do not include it so that you do not lock yourself out of your site's administrator area!
In the IP Address Range box you can enter an IP or IP range in one of the following ways:
A single IP, e.g. 192.168.1.1
A human readable block of IPs, e.g. 192.168.1.1-192.168.1.10
An implied IP range, e.g. 192.168.1. for all IPs between 192.168.1.1 and 192.168.1.255, or 192.168. for all IPs between 192.168.0.1 through 192.168.255.255.
A CIDR block, e.g. 192.168.1.1/8. If you don't know what this is, forget about it as you don't need it.
A Subnet Mask notation, e.g. 192.168.1.1/255.255.255.0
Do note that Admin Tools supports IPv4 and IPv6 (if your server supports IPv6).
You can use the Save & New to quickly add multiple entries without having to go back to the administration page and click on New all the time.
If you want to unblock someone who got their IP inadvertently blocked you will have to remove all records belonging to their IP address in FOUR (4) places: Site IP blacklist, Security Exceptions Log, Auto IP Blocking Administration and Auto IP Blocking History.