#25301 Failed Logins with non-standard Login Component?

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 10 July 2016 17:20 CDT

paurray
Hi Akeeba

I am having some trouble understanding the “Treat failed logins as security exceptions” options as outlined on page 66 of the Admin Tools manual!

On the Joomla Hardening Options page I have “Treat failed logins as security exceptions” set to YES.
I note that I have a message that says:
“User registration on your site is disabled, therefore Admin Tools can't deactivate users.”
I am guessing that this refers to the standard Joomla Registration options!?!
And I note that I can not edit “Deactivate user after“ fields.

When I go to the Logging and Reporting section I note that in the “Deactivate user after” there is no reference to “Login Failure”

I can definitely register on my site here:
http://www.finalbug.net/network
The thing is that I use Easy Social:
http://stackideas.com/easysocial

Is there a way to get Admin Tools to log failed Easy Social logins and automatically deactivate an Easy Social user after X failed attempts in X time?

thanks

Paul

Helping you learn beyond your finalBUG

nicholas
Akeeba Staff
Manager
Here's the thing. When you ask Admin Tools to deactivate user accounts after multiple failed login attempts it applies to all accounts, even Super Users. This would allow someone to lock you out of your site forever if they knew your username, by trying to login multiple times with an obviously fake password.

In order to prevent that, Admin Tools doesn't just block the user account, it also tells Joomla! to send a user account activation email to the blocked user. This way the affected user can click on a link received by email which will re-enable the account. No database editing necessary.

The drawback is that this only works when you have set User Registration to Self in the Options of Joomla!'s Users page. If this is not enabled Joomla! cannot send these emails. Even if it could, it wouldn't accept the account to be activated this way.

So just go to the back-end of your site, Users, Options and set User Registration to Self.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

paurray
Hi Nicholas

Thanks for your response.
I understand what you are saying about not getting locked out as a Super User.
It is a security feature for a security feature ;-)
i.e. preventing a hacker hacking a super admin out of his own website.

Am I looking here in the right place?
(Please see the screen shot)

New User Registration Group: has no Self option.

New User Registration Group: is set to Self.

The Easy Social Registrations seem to also turn up here in the Joomla User Data base even though:

Allow User Registration to No but I guess the Easy Social People do something at their end so that this works this way.

Please advise how to proceed

thanks

Paul



Helping you learn beyond your finalBUG

nicholas
Akeeba Staff
Manager
Yes, you are looking at the right place. First option ("Allow User Registration") must be set to Yes and fifth option ("New User Account Activation") must be set to "Self".

I understand why the first option is set to Yes by the Easy Social Registrations. They want to prevent people from creating a user account that's not linked to a social media profile. However, due to the internal workings of Joomla!, you cannot have an account reactivation email work without this option being Yes.

The other alternative for us would be resetting your password but that's extremely dangerous: someone who has compromised your email could use such a feature to force a password reset (through the email account they've compromised) and gain control of your site. So between security and convenience we chose to implement security.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
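
A simplified Python model of the trade-off described in the two staff replies above, added here as an illustration; it is not Admin Tools or Joomla! code. It shows deactivation after repeated failed logins, recovery only through an e-mailed activation token (never a password reset), and no deactivation at all when self-activation is unavailable. The class name, its parameters (`max_failures`, `window_seconds`, `allow_registration`, `activation_mode`) and the token format are assumptions.

```python
import secrets
import time


class LockoutPolicy:
    """Toy model: deactivate an account after N failed logins inside a time window."""

    def __init__(self, max_failures, window_seconds, allow_registration, activation_mode):
        self.max_failures = max_failures
        self.window = window_seconds
        # Blocking is only safe when the owner can re-enable the account by e-mail,
        # i.e. registration is allowed and account activation is set to "self".
        self.can_deactivate = allow_registration and activation_mode == "self"
        self.failures = {}  # username -> timestamps of recent failed logins
        self.blocked = {}   # username -> pending activation token

    def record_failure(self, username, now=None):
        """Record a failed login. Returns the token to e-mail if the account was just blocked."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        recent.append(now)
        self.failures[username] = recent
        if username in self.blocked or len(recent) < self.max_failures:
            return None
        if not self.can_deactivate:
            # No recovery path exists, so never block: otherwise anyone who knows
            # a Super User's username could lock the owner out for good.
            return None
        token = secrets.token_hex(16)
        self.blocked[username] = token
        return token

    def can_login(self, username):
        return username not in self.blocked

    def activate(self, username, token):
        """Re-enable the account with the e-mailed token; the password is left untouched."""
        expected = self.blocked.get(username)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.blocked[username]
        self.failures.pop(username, None)
        return True
```
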

paurray
I am seeing the Login button now.
I need to check this again next week.
I have some very simple "Denkfehler" thinking mistake!

Helping you learn beyond your finalBUG

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
