#10150 Automatic blocking of failed admin logins

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by nicholas on Monday, 19 December 2011 02:32 CST

wbaccus
Feature suggestion: allow automatic blocking after a certain number of failed admin logins.

About once a week, I'll hit my email and notice that I have hundreds of unread messages from people trying to guess the password. I would love it if I could auto-ban after 5 attempts.

nicholas
Akeeba Staff
Manager
All you have to do is to set up the automatic IP block feature. Failed back-end login attempts count towards the security exceptions which trigger this feature.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
Akeeba Staff
Manager
And, of course, it would make perfect sense to also add an administrator secret word so that hackers CAN NOT access the administrator login page in the first place. This is the entire concept of that feature ;)

wbaccus
Hmm... Is that controlled via the Bad Behavior filter? I had to turn that off a while back because of false positives. I do have auto-blocking turned on. Attaching a screenshot of my settings in the Web Firewall.

wbaccus
Wait... "Treat failed admin logins as security exceptions"

I'm betting that's my issue.

Also, I tried the secret key, and that didn't have any effect. It still lets me in via /administrator.

Could that be something in my .htaccess blocking that from working?

nicholas
Akeeba Staff
Manager
Um, many questions. Let's get to each one of them:

1. No, nothing to do with Bad Behaviour

2. Based on your settings, after 4 failed logins the IP will be banned. This means that you are going to receive at least 4 emails per IP before it's blocked.

3. "Treat failed admin logins as security exceptions" is what makes ATPro treat failed admin logins as security exceptions, and this is exactly what causes the emails to be sent out and, of course, the auto IP ban to work.

4. You are allowed to log in without the secret word because your IP is added in the "Never block these IPs" box. This means that all WAF options do not apply to your IP.

user6500
Dear Nicholas,

Regarding this topic, about every other week I have a Russian bot which tries to log in and gives up only after 600 tries, with six hundred messages from ATPro that they tried to do so. Though I have 'yes' on 'Treat failed logins as security exceptions' (see attached), the attacks go on for another 596 tries.

I'm sure it is me. Have I left something set or unset?

Thanks in advance for any insight.

--Ed

nicholas
Akeeba Staff
Manager
Is it always using the same IP address or does it spread its attacks among various IPs? According to your settings, it should be blocked after the third try, but only if all attacks come from the same IP address.

user6500
Nicholas,

Thanks for the quick reply. It's the same IP for 600 tries. If I catch them at it soon enough, I do the emergency shutdown. Interestingly enough, the Russian attackers do not appear on the Security exceptions log.

I am also using the Jsecure module with a zillion-character codeword to keep the Russians guessing. I manually add the Russian attackers' IP to Jsecure's blacklist.

--Ed

nicholas
Akeeba Staff
Manager
Ed,

I do not think that you get an email from Admin Tools regarding the failed login because you have not set up this feature. Could it be that the login is intercepted by jSecure instead? In this case, Admin Tools would not block the IPs because the login is already blocked by another plugin and Admin Tools never runs.

As a side note, you can replicate jSecure's functionality with Admin Tools. Just use an administrator secret key and Admin Tools' IP black list feature. This would allow Admin Tools' automatic IP blocking to also kick in with the repeat failed login attempts.


user6500
Dear Nicholas,

Thank you for the quick reply. I think I will go with disabling Jsecure and inserting the Jsecure functionality by inserting my code word in the field for 'Administrator secret URL parameter'.

This should then activate the 4-log-in lockout of the Russians.

A double layer of security could be added by allowing only the whitelisted IPs to log into the back end.

Do you concur?

Thanks for the quick replies, and the good advice.

Best,

Ed

nicholas
Akeeba Staff
Manager
Yes, this sounds like a very good plan! This is pretty much how I've configured my own sites :)

user6500
Ah, the efforts of mice and men. I put in, as my code word, akeeba9Rmx01HHe4o9p1sx73wWv5Ncc5m82, and now I am locked out of the administrator. This really shouldn't have an effect, since my IP is on the white list, but locked out I am.

Any suggestions?

Thanks,

Ed

nicholas
Akeeba Staff
Manager
Ed,

When you're locked out, there's always the documented workaround to get back in. Don't worry, it's a very common thing to happen and has happened to me too, more than once :D
