#24113 Unable to log GeoIP address block

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Friday, 05 February 2016 17:20 CST

emeryjay
 I'm getting login dictionary attacks at the rate of about every two minutes from IP addresses in the Russian Federation. I am assuming it is a bot judging from the frequency. I'm getting email notifications. This has been going on for about 24 hours.

I'm reasonably sure that Admin Tools is deflecting the attacks.

I'm using the secret word to protect the admin directory. I'm the only user. The IP address I use to access is in the site whitelist.

The attacks are coming from a different IP address each time and I am unable to track the IP owner (not surprised either).

I thought it might be a good idea to log the IP addresses even though I am reasonably sure Admin Tools is blocking them. However, in the section of WAF configuration where it shows do not log the reasons, it shows Do not log GeoIP. When I uncheck that option in both places and save the configuration, nothing happens. It still shows that Admin Tools is not logging attacks from IP addresses in the GeoIP database even though Admin Tools is repelling the attacks.

I use the GeoIP database, but the assessment you made in the docs is correct. It doesn't stop the attacks.

Am I missing something here? Is there something else I should be doing?
Emery

dlb
Not logging the GeoIP blocks is a default setting. There could be thousands of these blocks; telling Admin Tools to log them has the potential to act as a denial of service attack on your site. The site is so busy logging GeoIP blocks that it doesn't have time to service legitimate visitors. The size of the log file could be a negative side effect as well.

I agree with your assessment that it is a bot. It is rotating the IP addresses just to avoid the auto IP ban. Generally speaking, hackers don't use their own IP addresses so not being able to track them is not unusual.

If you are seeing the attempts in the Security Exceptions Log, then they were unsuccessful. There are three reasons why they can't log in. They don't know the secret parameter, they don't know the password and they come from the wrong country. I believe that Admin Tools checks the secret password before it checks the GeoIP, so you are always going to see the admin login attempt blocked.

You can't prevent them from trying to hack your site, you can only prevent them from succeeding.


Dale L. Brackin
Support Specialist


English: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


My time zone is EST (UTC -5)
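
The address rotation discussed in the reply above, as an added example that is not part of the original ticket or Admin Tools' own code: a per-IP ban threshold never fires when every attempt comes from a new address, while counting distinct sources per block reason in a time window does. The event tuples, the reason label and the thresholds are constructed assumptions, not the Admin Tools log format.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample: one blocked admin login every two minutes, each from a
# different source (RFC 5737 documentation addresses). The reason label is a
# made-up placeholder, not an Admin Tools identifier.
START = datetime(2016, 2, 4, 12, 0)
EVENTS = [(START + timedelta(minutes=2 * i), f"203.0.113.{i + 1}", "admin-secret-word")
          for i in range(30)]

def per_ip_ban_candidates(events, threshold=3):
    """Addresses that would trip a per-IP auto-ban of `threshold` exceptions."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_bursts(events, window=timedelta(hours=1), min_events=10,
                       min_sources=10):
    """Flag block reasons hit by many distinct sources inside one window.

    Returns one (timestamp, reason, event_count, distinct_sources) tuple per
    reason, taken at the moment both thresholds are first crossed.
    """
    recent = {}   # reason -> deque of (timestamp, ip) still inside the window
    alerts = {}
    for ts, ip, reason in sorted(events):
        q = recent.setdefault(reason, deque())
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()                      # drop entries older than the window
        sources = {addr for _, addr in q}
        if (reason not in alerts and len(q) >= min_events
                and len(sources) >= min_sources):
            alerts[reason] = (ts, reason, len(q), len(sources))
    return list(alerts.values())

if __name__ == "__main__":
    print("per-IP ban candidates:", per_ip_ban_candidates(EVENTS))
    for end, reason, n, srcs in distributed_bursts(EVENTS):
        print(f"{end:%Y-%m-%d %H:%M} reason={reason}: {n} events from {srcs} sources")
```

An alert like this is a signal to review the exception log, not a reason to log every GeoIP block, which keeps the log volume concern from the reply intact.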

emeryjay
Yes, the originating IP address shows in the exception logs. To be on the safe side I limit the log length to 100 entries and Admin Tools rolls them at 100 so I always have the older logs.

In many previous incidents, I can track the IP owner via http://ip-lookup.net, but that only identifies the owner of the IP address, not always who is using it. I do file abuse reports when the attacks come from US companies. Sometimes it works, sometimes not. Amazon Web Services is death on hackers using their services. They usually shut them down within minutes of filing an abuse report.

I figure hackers are only renting or leasing IP space w/o a domain name.

This is mostly annoying, but it has its upside: I've learned way more about security just working with Admin Tools.
Emery

dlb
I think that in even more cases hackers are using "stolen" IP addresses of compromised computers or websites. If they are paying for IP addresses then there has to be some profit motive for cracking the sites. I guess we all have expensive hobbies that we are willing to pay for but paying to set a bot loose trying to crack sites doesn't float my boat.


Dale L. Brackin
Support Specialist



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
