#25625 IP Ban

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 14 August 2016 17:20 CDT

sales5497
As a new user I would also like to understand blocking attacks and permanently banning IPs.

The system is set up with the defaults - to block after 3 attacks - and to permanently block IPs or "Autoban" after 3 repeated attack offenses.

Would it be better to block hackers after just 1 attack (within an hour) - i.e. straight away, so as to minimize the number of opportunities to compromise a website?

Additionally, giving a hacker 3 chances before their IP is permanently blocked (Autobanned) - if you could explain the reasoning behind this and what would be a likely recommendation?

Is it because an attempt at site access can be mistaken for a hacking attack? Could hacking ever be a mistake? I hope to understand... thanks for your time.

Regards,

Peter

dlb
Peter,

Generally speaking, hackers don't use their own IP addresses, so you are not banning the hacker, you are banning some unknown user somewhere in the world who may someday be a user of your site. When you ban one IP address, the hacker just moves on to another one or another proxy server. The real object is not to ban him - you can't - the object is to slow him down and make it more trouble than it's worth. So if you ban the IP for an hour or a day, it makes the hacker use another one, then the ban clears and if the real owner of the IP comes along, there isn't a problem. If the hacker uses the same IP over and over, it may actually be worth banning the IP permanently. Most of these attacks are automated scripts, not humans, so they just try the vulnerabilities they are programmed for and move on. You still see scripts trying to exploit a JCE vulnerability from the Joomla! 1.5 days. You see WordPress hacks tried against Joomla! sites. There's no intelligence there, just blind programming.

As far as multiple chances go, take it from a guy who can't type his own password, it is necessary. The tighter you make your security, the more innocent users you will catch in your net. How you set it up depends greatly on how your site works. If you have front end users logging in, you can't ban on a single bad password. You can afford to make it tighter if your pool of people who may innocently get banned is small.


Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)
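To make the trade-off Dale describes concrete, here is an added example (my own code, not Admin Tools' code) that models an autoban policy with the thresholds mentioned in the thread and replays constructed security-exception log lines through it. The class and function names are mine, and the one-hour length of a temporary ban is an assumption; the thread gives the thresholds but not how long a temporary ban lasts.

```python
"""Added example, not Admin Tools' own code: a model of the autoban policy
discussed in the thread, replayed over constructed security-exception log
lines.  Names are mine; the 1-hour ban duration is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Policy:
    exceptions_to_ban: int = 3                    # exceptions within `window` -> temporary ban
    window: timedelta = timedelta(hours=1)        # "within an hour"
    ban_duration: timedelta = timedelta(hours=1)  # assumption, not stated in the thread
    bans_to_permanent: int = 3                    # temporary bans -> permanent ban


@dataclass
class IPState:
    exceptions: List[datetime] = field(default_factory=list)  # recent exception times
    ban_count: int = 0
    banned_until: Optional[datetime] = None
    permanent: bool = False


class Autoban:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.state: Dict[str, IPState] = {}

    def is_banned(self, ip: str, now: datetime) -> bool:
        s = self.state.get(ip)
        if s is None:
            return False
        if s.permanent:
            return True
        return s.banned_until is not None and now < s.banned_until

    def record_exception(self, ip: str, now: datetime) -> str:
        """Record one security exception; return 'ok', 'temporary' or 'permanent'."""
        s = self.state.setdefault(ip, IPState())
        # Only exceptions inside the sliding window count, so a real user's
        # occasional typos hours apart never accumulate into a ban.
        s.exceptions = [t for t in s.exceptions if now - t < self.policy.window]
        s.exceptions.append(now)
        if len(s.exceptions) < self.policy.exceptions_to_ban:
            return "ok"
        s.exceptions.clear()
        s.ban_count += 1
        if s.ban_count >= self.policy.bans_to_permanent:
            s.permanent = True               # same IP keeps coming back: ban it for good
            return "permanent"
        s.banned_until = now + self.policy.ban_duration
        return "temporary"


# Constructed log lines, "<ISO timestamp> <ip> <reason>".  203.0.113.5 plays a
# scanner that returns after each ban expires; 198.51.100.7 plays the site
# admin on a dynamic IP mistyping the password a few times over the morning.
SAMPLE_LOG = [
    "2016-08-13T10:00:00 203.0.113.5 Admin Query String",
    "2016-08-13T10:01:00 203.0.113.5 Admin Query String",
    "2016-08-13T10:02:00 203.0.113.5 Admin Query String",
    "2016-08-13T10:05:00 198.51.100.7 Login failure",
    "2016-08-13T10:50:00 198.51.100.7 Login failure",
    "2016-08-13T11:10:00 203.0.113.5 Admin Query String",
    "2016-08-13T11:11:00 203.0.113.5 Admin Query String",
    "2016-08-13T11:12:00 203.0.113.5 Admin Query String",
    "2016-08-13T11:30:00 198.51.100.7 Login failure",
    "2016-08-13T12:20:00 203.0.113.5 Admin Query String",
    "2016-08-13T12:21:00 203.0.113.5 Admin Query String",
    "2016-08-13T12:22:00 203.0.113.5 Admin Query String",
    "2016-08-13T12:30:00 203.0.113.5 Admin Query String",
]


def replay(log_lines: List[str], policy: Policy) -> Dict[str, List[str]]:
    """Replay the log in time order; return the verdict for each request, per IP."""
    ab = Autoban(policy)
    verdicts: Dict[str, List[str]] = {}
    for line in sorted(log_lines):           # ISO timestamps sort chronologically
        ts, ip, _reason = line.split(" ", 2)
        now = datetime.fromisoformat(ts)
        if ab.is_banned(ip, now):
            v = "blocked"                    # dropped by the ban; no new exception recorded
        else:
            v = ab.record_exception(ip, now)
        verdicts.setdefault(ip, []).append(v)
    return verdicts


if __name__ == "__main__":
    for name, policy in [("defaults", Policy()),
                         ("ban on first exception", Policy(exceptions_to_ban=1))]:
        print(name)
        for ip, vs in replay(SAMPLE_LOG, policy).items():
            print(f"  {ip}: {' '.join(vs)}")
```

Under the defaults the scanner is banned temporarily twice and permanently on its third round, while the admin's three mistyped passwords spread across the morning never add up to a ban. Setting exceptions_to_ban to 1 bans the admin on the first typo and again after the ban expires, which is the innocent-user problem described in the reply above.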

sales5497
Thanks. That is a pretty great and easy to understand explanation (compared to some I have received from other organizations over the years - again thanks).

Also, one other question.
Joomla eventually times-out when logged in as an admin. Of course, in Joomla I have set the session life time for a longer period, but I do not want to set it for too long a time.

Two or three times now when I have tried to log in again after my Joomla session had expired, the Admin firewall banned my IP. What would be the best way to prevent this happening - given I do not have a fixed IP address, and I am the administrator of the site? Whitelisting so many non-fixed IP addresses is not really that helpful, especially when I do not know each time what they will be.

Actually, I think I even tried to whitelist one of my IP addresses initially, but was still banned after multiple Joomla session time-outs and subsequent attempted re-logins?

Regards,

Peter

dlb
There is really no way to whitelist a dynamic IP address. The address changes, you have to add the new IP to the list and take off the old one. If you're getting banned, you need to loosen up your autoban settings a little bit.

You can protect your administrator login with the secret URL parameter (on the first tab of the Configure WAF page). That requires that you call your administrator login in the format www.mysite.com/administrator/index.php?secret. If they can't find the login page, they can't attack the password.

Another tool in your toolbox is the /administrator folder password protection. That will pop up a box where you need to enter an additional user ID and password before you get to the admin login screen.

You can use either of these techniques or both to protect the login. That makes up for loosening the autoban a bit.


sales5497
To explain. I received this email from Admin - see below:

We would like to notify you that a security exception was detected on your site, CLS Private Consulting, with the following details:

IP Address: 120.xx.xx.xx (Please note: I removed the actual IP address)
Reason: Admin Query String

URL: https://www.clsprivateconsulting.com.au/administrator/index.php

If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

Best regards,

The CLS Private Consulting team


What has happened here, given:

The offending IP address is my dynamic one?
I haven't created a security exception.
I made sure this time I logged out of Joomla.
I am using the www.mysite.com/administrator/index.php?secret option.

Clearly, I do not need to ban myself.

Regs

Peter

dlb
One possibility is your browser: those little thumbnails of your recent visits that Chrome shows (and I think Firefox does the same thing). When the browser opens the URL to do the screen shot, it can cause the security exception. The browser only uses the URL, not the parameter. That would be my first guess.

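Added example (my own code, not Admin Tools' code) modelling the secret URL parameter check Dale describes two posts up, together with the browser-thumbnail case in the post just above: a fetch of the bare /administrator/index.php URL without the parameter gets the "Admin Query String" exception, exactly as in Peter's notification email. The only facts taken from the thread are the ?secret URL format and the exception name; the helper names, the constant-time comparison and the constructed request list are mine, and this says nothing about how Admin Tools treats an already logged-in session.

```python
"""Added example, not Admin Tools' own code: a model of the 'secret URL
parameter' check for /administrator, and why a browser that refetches the
bare URL (for a new-tab thumbnail) trips it.  Helper names and the request
list are mine; ?secret and 'Admin Query String' come from the thread."""
import hmac
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

ADMIN_PREFIX = "/administrator"
SECRET = "secret"   # the thread's example uses the word 'secret' literally


def has_secret(query: str, secret: str = SECRET) -> bool:
    """The word is a query *key* (?secret), not a value (?key=secret).
    keep_blank_values keeps '?secret' as {'secret': ['']}.  compare_digest
    makes the comparison constant-time, so the word cannot be confirmed a
    character at a time by timing."""
    for key in parse_qs(query, keep_blank_values=True):
        if hmac.compare_digest(key.encode(), secret.encode()):
            return True
    return False


def waf_decision(url: str, secret: str = SECRET) -> str:
    """Return 'allow', or the reason the WAF would raise a security exception."""
    parts = urlsplit(url)
    if not parts.path.startswith(ADMIN_PREFIX):
        return "allow"                      # the front end is never affected
    if has_secret(parts.query, secret):
        return "allow"                      # login page is shown
    return "Admin Query String"             # login page hidden, exception logged


# Constructed requests: the admin's bookmark, a browser thumbnail refresh
# that kept only the bare URL, a script probing the login page, a typo in
# the secret word, and an ordinary front-end visit.
REQUESTS: List[Tuple[str, str]] = [
    ("admin typed the bookmark", "https://www.example.com/administrator/index.php?secret"),
    ("browser thumbnail refresh", "https://www.example.com/administrator/index.php"),
    ("bot probing the login", "https://www.example.com/administrator/"),
    ("admin mistyped the word", "https://www.example.com/administrator/index.php?secert"),
    ("front-end visitor", "https://www.example.com/index.php?option=com_content"),
]


def triage(requests: List[Tuple[str, str]] = REQUESTS) -> Dict[str, str]:
    """Decision per labelled request; every non-'allow' entry is a logged
    exception that counts toward the autoban thresholds."""
    return {label: waf_decision(url) for label, url in requests}


if __name__ == "__main__":
    for label, decision in triage().items():
        print(f"{label:28s} -> {decision}")
```

The thumbnail refresh and the probing bot get the same exception, which is the point of the feature: anything that does not know the word never sees the login form. The same mechanism is why the admin's own browser, replaying the URL without the parameter, generates exceptions under the admin's dynamic IP.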

sales5497
OK - thanks - hope that's it.

dlb
You're welcome! Have a good weekend, or in your case the rest of the weekend, right?


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
