It would be very helpful if the Security Exceptions Log had a Blacklist selected option for the IP ADDRESS's I'm currently cleaning up one of my websites after a botnet brute force attack.. the website didn't get compromised but there was over 25000 entries in the SEL and there are 100's if not 1000's of different ip address's that I'm trying to block.. doing them 1 by 1 takes a long time.
#18789 Feature Request
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by nicholas on Monday, 13 January 2014 14:54 CST
Monday, 13 January 2014 12:21 CST
pyrovespin
Monday, 13 January 2014 14:54 CST
nicholas
Akeeba Staff
Manager
This has been asked before (repeatedly) and I have explained that permanently blocking IPs is a Very Bad Idea. You will end up bogging down your site (too many IP blacklist rules take ungodly amounts of time and memory to process) and blocking legitimate users (a hacker used 25000 compromised machines to attack you, these IPs do NOT belong to hackers, they are dynamically assigned and will end up being assigned to legitimate users with non-compromised machines). You are essentially asking me for a machine gun to shoot your feet. Sorry, I too care too much about you and my other clients to do that. It would be irresponsible.
What is responsible and sane is auto-blocking repeat offenders. That's what the automatic IP ban does. If the attacker used a big bot network to launch too few and irregular attacks from each IP you can do nothing about it. The best thing you can do is blocking the malicious requests –which Admin Tools did– and make sure that you are using strong passwords and all protection settings in Admin Tools to prevent them from successfully brute forcing your administrator password.
Please stop obsessing with IP blacklisting. It is an architecturally incorrect way to handle security. IP blacklisting must be reserved for persistent attacks over a long period of time (over 12 hours) and should be revised (in plain English: deleted) every month at most. In any other case you do end up shooting yourself in the feet. Take this from the author of the security solution you are using, who has exactly 0 manually blacklisted IPs in his list across all of his sites.
What is responsible and sane is auto-blocking repeat offenders. That's what the automatic IP ban does. If the attacker used a big bot network to launch too few and irregular attacks from each IP you can do nothing about it. The best thing you can do is blocking the malicious requests –which Admin Tools did– and make sure that you are using strong passwords and all protection settings in Admin Tools to prevent them from successfully brute forcing your administrator password.
Please stop obsessing with IP blacklisting. It is an architecturally incorrect way to handle security. IP blacklisting must be reserved for persistent attacks over a long period of time (over 12 hours) and should be revised (in plain English: deleted) every month at most. In any other case you do end up shooting yourself in the feet. Take this from the author of the security solution you are using, who has exactly 0 manually blacklisted IPs in his list across all of his sites.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!