#25316 Numerous exceptions for white listed admin IP, not logged or blocked

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 09 July 2016 17:20 CDT

allfive
In the past few days I've been notified of several security exceptions of my super admin IP address (white listed), even when not logged in. Today, I received numerous notifications - about 30 over 12 hours - and I was logged in only the last two hours of those reported exceptions.

If I search the exceptions list, my IP is not listed. To troubleshoot, I removed my IP from white listing. My IP exceptions were still not logged, even though exceptions were being reported during that period. Furthermore, I should have been blocked automatically because the exceptions exceeded the limit I had set.

I had the WAF set to notify me of all exceptions.

Is this an Admin Tools issue or something with my IP and the server or ????

Thanks.

nicholas
Akeeba Staff
Manager
Something doesn't quite add up. I believe that you are either mistaking your IP address or the site the security exceptions come from.

When an IP address is whitelisted (in the IP whitelist and the whitelist feature is enabled OR the IP is in the "Do not block these IPs" list) no security exception whatsoever will be raised for requests coming from these IPs. Please note that I am NOT talking about logging: no security exception will be raised at all. The request will not be blocked. Therefore there is no way you are receiving notifications from this site for these IP addresses.

If you are mistaking your IP address then two things will happen. First, some of your requests will be blocked. Second, depending on your options you will receive an email about this, or the security exception will be logged or both.

At this point we have to stress that if you have turned off security exceptions logging, the IP address of a repeat offender will NOT be blocked. This feature requires logging to be turned on. If you are not logging the security exceptions there is of course no way for Admin Tools to know if you are a repeat offender or not, therefore it cannot know if it should block your IP.

So, as I said, something doesn't add up here. I believe you have configured Admin Tools as follows:
  • The IP whitelist is not enabled and has no effect. This is why your whitelisted IP is raising exceptions.
  • You have turned off logging but you have enabled email reporting. This is why you get emails about security exceptions but you don't see your IP being blocked or listed in the list of security exceptions.


Alternatively, one of the following unrelated issues may have occurred:

  • You are confusing the source of emails. For example you get emails from site B but you're trying to look in the exceptions log of site A. If you have recently moved your site between hosts that is most likely the case: the old host hasn't deleted the site yet and you get emails from the copy of your site on the old host (thanks to some DNS caching that makes the domain name of your site resolve to the old IP). It's happened to me when I was transferring my blog site a few years ago.
  • You are confusing the IP addresses. Most likely what you think is your IP is actually an internal IP address of your host's network or a CDN. Many servers sit behind a caching proxy and/or a CDN. By default Admin Tools will see the IP address of the caching proxy / CDN as the visitor's IP unless said proxy / CDN is configured to send an X-Forwarded-For HTTP header with the real IP address. Such a setup lacking this header will make every single request appear to be coming from exactly the same IP address. This combined with the two configuration settings I explained above would perfectly explain what you are seeing.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
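
The X-Forwarded-For point in the reply above, as an added example that is not part of the ticket and is not Admin Tools' own code: a resolver that honours the header only when the connecting peer is a known proxy, run over constructed requests. The function name `resolveClientIp`, the trusted-proxy list and all sample addresses (documentation ranges) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Admin Tools code. Returns the address a site should
 * treat as the visitor's IP. X-Forwarded-For is honoured only when the
 * TCP peer (REMOTE_ADDR) is a proxy we operate or trust; otherwise any
 * client could forge the header and pose as a whitelisted address.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($xff === '' || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // The header reads "client, proxy1, proxy2": walk from the right and
    // stop at the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed sample requests; 192.0.2.10 is a hypothetical proxy / CDN edge.
$trusted = ['192.0.2.10'];
$samples = [
    'proxy sends no header' => ['REMOTE_ADDR' => '192.0.2.10'],
    'proxy sends header'    => ['REMOTE_ADDR' => '192.0.2.10',
                                'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'direct hit, forged'    => ['REMOTE_ADDR' => '198.51.100.23',
                                'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'client-prepended hop'  => ['REMOTE_ADDR' => '192.0.2.10',
                                'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, resolveClientIp($server, $trusted));
}
```

The first sample is the situation the reply describes: with no forwarded header, every visitor resolves to the proxy's own address, so per-IP whitelisting and blocking all act on that single address.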

allfive
Nicholas,

Thanks for your quite detailed reply and my apologies if I wasn't as clear as I could have been.

I confirmed my IP address via ip-lookup.net and other online sources, like iplocation.net.

The security exceptions that are being emailed to me by Admin Tools are for Admin Query Strings by my IP address. These are not logged in the security exceptions log.

In "Configure WAF", I have the following set to Yes:

Treat failed logins as security exceptions
Include password in failed login email
Log security exceptions
IP blocking of repeat offenders
Email on failed admin logins
Email on automatic IP blocking

I don't appear anywhere in the security exceptions log. The emailed exceptions for failed log in do NOT include the password, even though the WAF is configured to send notifications.

I haven't changed the WAF settings for years. I actually didn't update my new IP in the WAF whitelist until yesterday, after checking settings to see why all the exceptions' emails were hitting my inbox.

In March this year, the host (not me) upgraded to a faster Linux server, but that did not trigger any unusual activity.

My IP did change recently after several years being the same. The only numbers that changed in the address were in the final set of IP numbers.

Several weeks after the host's server upgrade, the server admin banned this new IP (for reasons unknown), then whitelisted that new, changed IP (and the one that is triggering the security exceptions emails) because the ban had locked me out of accessing the site and emails, obviously. (This is not a large commercial host.)

The above IP banning/restoration occurred several weeks ago, however, and the spurious exceptions' emails just started over the past few days.

So the only thing that has really changed over the last several months is, first, the server upgrade, and secondly, my IP address. Why that would cause these exceptions to be triggered just over the past few days is a mystery.

Today, so far, there have been no exceptions.

This issue may have nothing to do with Admin Tools, but with a server configuration issue. I wouldn't know. Way over my head.

I will prod the host again about it, along with the CDN question you raised.

Thank you.

allfive
I should really mention one detail about the "host server" in this discussion that is important: the website where this Admin Tools issue is occurring only hosts that one website. They are not the host where I have another Admin Tools app installed, nor are they my primary host for my other sites.

Sorry to omit this earlier if that is a useful fact in the discussion.

nicholas
Akeeba Staff
Manager
It really doesn't add up. Try disabling the whitelist in Configure WAF, removing all whitelist entries, adding your static IP in a new entry (remember to click on the New button), and re-enabling the whitelist in Configure WAF. Moreover, make sure that exceptions logging is enabled in Configure WAF.

Apart from that, the only explanation I have is that you either have the same site on multiple servers.

allfive
Thanks again, Nicholas. The problem events have stopped but I will do as you suggest, just in case.

As always, I really appreciate your advice. Thank you.

nicholas
Akeeba Staff
Manager
You're welcome!
