Support

Admin Tools

#17931 Geo Blocking Not Working

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 24 October 2013 02:31 CDT

guardiansolutionsllc
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.514
PHP version: 5.3.24
MySQL version: 5.0
Host: godaddy
Admin Tools version: 2.5.8

Description of my issue:
Geo Blocking is not working. I have 116 pages of security exceptions from the Ukraine and Russia. I have clicked update Go and nothing works. This is a persistent attack and I just want to block the country. Please help

nicholas
Akeeba Staff
Manager
First make sure that the GeoIP database is up to date. Go to Admin Tools, Web Application Firewall, Geographic Blocking and click on "Update GeoIP.dat". If the automatic update does not work please follow the manual instructions in our documentation under "Getting or updating the IP database". Then please make sure that Ukraine and Russia are selected in the Countries list in the Geographic Blocking page of Admin Tools.

Please note that some user login related security exceptions will still show up in your log from geoblocked countries. These security exception are triggered by the user login events which can be processed by Joomla! before triggering the main application initialisation complete event which is captured by Admin Tools and used to run the rest of its security checks. In layman's terms, the login related exceptions are processed before anything else. This means that you may get several (even thousands) of security exceptions regarding failed user logins. This is nothing to worry about; even if the hackers did guess the correct login information the GeoBlock would then kick in and block them from accessing your site – and they would still have no idea that they found the correct login info to your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

guardiansolutionsllc
I am seeing the user name these attackers are trying so they are getting beyond the blocking. This isn't just logging hits from other countries because they are trying different user names. They wouldn't be able to enter a user name if they were blocked properly to begin with. Send me an email at my registered email and I can give you creds to look. Thanks.
Sincerely
G

nicholas
Akeeba Staff
Manager
As I explained in my previous reply, which you should please read very carefully, login attempts are triggered BEFORE the Geographic IP blocking.

One very important thing you seem to be oblivious of. You do not need to be able to see the login form / login page to perform a login attempt against a site. In fact, you do not even need to have a site with a publicly visible login page or form. All you need to know is which URL to submit the form to. This URL is fixed and very easy to determine if you know or guess that the site is using Joomla!. This means that an attacker can do blind login attempts, hoping to hit the correct username / password combination. There is no human sitting in front of a computer in Russia typing usernames and password. No, sir. It is a bot (a computer program with a specific purpose) running on a machine located in Russia, trying to log in to your site with a list of typical usernames and passwords. As I explained very thoroughly, the login event (which is caught by the failed login security exception handler of Admin Tools) is triggered by Joomla! before the onAfterInitialise event (which,among other things, runs the GeoBlocking in Admin Tools). As a result these bot's failed login attempts show up in your log. Even if the bot manages to guess the username and password the attacker will still not know they hit the jackpot as Admin Tools' GeoBlock will be immediately triggered.

I know this is way over your head. Can you please at least trust me that I understand how Joomla! works and know how to build a solid security extension? If you get too anxious about those security exceptions just turn off the option to log failed logins as security exceptions. See? Nothing now goes past the GeoBlock. BUT! Now the attacker knows when they have found a correct username / password combination as Joomla! will happily send them a login cookie before GeoBlock has the chance to kick in. Your site is pwned, but you get to feel "safe" as you don't see the warnings. Is this what you want? It's exactly what I tried to prevent with the introduction of the feature that treats failed logins as security exceptions.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

guardiansolutionsllc
Nicholas, do you take every ticket personally and attack your clients when questioned? I get that you are good with Joomla. How good of a skydiver are you? I am an expert. How good of a snowboarder are you? I am an expert. How good of a mountain climber are you? I am an expert. However, I do not become condescending when someone asks me about these things. I certainly would not become so condescending and hostile to my paying clients.
G

nicholas
Akeeba Staff
Manager
I suck big time at all sports. I'm not just "not an expert", I am even less than a complete newbie. When someone tells me how skydiving, snowboarding or mountain climbing works I take their word for it. I will never double guess my instructor because I know what I don't know. My motto is what Socrates said in his Apology: "Ἅ μὴ οαΌΆδα, οὐδα½² οαΌ΄ομαι εαΌ°δΞ­ναι" ("What I don't know, I don't think I know it either").

You misjudged my intentions. I was trying to explain to you exactly what is going on from receiving a request to handling it. I also tried to explain exactly why I made certain decisions while building this software. You thought I was condescending. I apologise. So let me rephrase my reply. Here is my revised reply, to be read in lieu of my previous post:

Please refer to the second paragraph of our previous reply. It sufficiently explains why what you are experiencing is normal and does not indicate any malfunction in the Geographic Blocking feature. If you do not wish to receive such security exceptions you can disable the "Treat failed logins as security exceptions" in the Web Application Firewall page, therefore leaving only the features running during Joomla!'s onAfterInitialise (IP-based blocking features being the first to run). This is done at the expense of your site's overall security as Admin Tools is no longer able to mislead malicious users trying to log in to your site by posting data blindly to Joomla!. The consequence is that they will be able to understand when they have found a correct username/password combination. However, in no case do they see the login page or are able to proceed past a successful login because the Geographic Blocking is already enabled and working properly.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!