#26286 Admin blocking

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Sunday, 13 November 2016 17:20 CST

user91397
Hi,
I bought your Admin Tools just a few days ago and installed it as shown in the video (the screenshots are out of date, by the way). I set up the URL Redirection as advised in the video.

The result was that I could access neither my Live site nor my Admin site on Joomla. I did try other computers for my live site, with the same result. A 401 error, I believe.

I got into my Hosting site and reverted the site back to its previous condition using a staging site.

Again I uploaded your Admin tools this time I set the redirect to No and also to unpublished.

At least this time the Live site still works but each time I try to get into my Joomla admin it reverts to my live site.

Again to be able to access my Joomla admin I had to revert my site back to previous condition.

Any suggestions?
James Doolin

dlb
When you get locked out like that you can disable Admin Tools from outside Joomla! with the instructions here: https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html. You do not need to restore from backup.

The redirect from the admin login to the home page is caused by one of the security settings, the "Administrator secret URL parameter". You can find it under Web Application Firewall, Configure WAF, on the first tab. When that value is filled in, you need to call your admin login screen in the format www.mysite.com/administrator/index.php?secret. The first run wizard helpfully fills in that field for you and it is pretty easy to miss. There are some other options that will cause the redirect, but they are much less common.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

user91397
Hi Dale,

I reinstalled Admin Tools, found and entered WAF.
There was a value already in the "Administrator secret URL parameter". As your instructions stated only "When the value is filled in", I continued to call my Admin screen, www.dr-doolin.com/administrator/index.php?secret.

Once I saved and closed everything I had the same problems.

Was I required to delete the current number and start again?

Assuming I did everything right do you have any suggestions?

James

dlb
James,

Almost... You need to substitute what is in that field in Configure WAF with the "secret" in my instructions. This security feature changes the URL of the admin login page. I'm going to have to change the way I write those instructions. If the bad guys can't find it, they can't try to log in.


Dale L. Brackin
Support Specialist



user91397
I understand now that I have to substitute the text in the WAF field.
What isn't clear at all, is what with.
Do I put the www.dr-doolin.com/administrator/index.php?secret. in the box,
Or go to that page and a number will be there, which it isn't. It's the Control Panel in Joomla, with no listing regarding WAF.
Or do I put "Secret" in the box?

I am having a great deal of trouble understanding your instructions.

dlb
I'm sorry, I'll try to do better.

The first run wizard put a random "password" in that field on the first tab. That string becomes part of the URL to call the admin login page. Instead of "secret" you would use the contents of the field. So the URL becomes:
www.mysite.com/administrator/index.php?<contents of Administrator secret URL parameter field>


Dale L. Brackin
Support Specialist



user91397
Good Morning, Dale.

It must be difficult e-mailing guys of different levels of experience and expertise. Please let me explain this has only been a hobby (be it an interesting one) for quite some years. But with no formal training at all.
Add to that my site had been wobbly for three weeks or more, I was to the point of pulling my hair out, but I don't have any left anymore.
My site is now fixed and running correctly.
I was advised to get Admin Tools as a possible fix, because it was thought perhaps a redirect was the problem. Turns out that was not the case.

I am not completely clear why I would install Akeeba Admin Tools but I have been using your backup, with a warning about upcase in my DBase name, which from reading your info is not a good thing anyway and should be corrected. (which I will do)
I now have time to read and try and understand your services better, as my site is working.

So let me just run this by you please.

I install Akeeba first, this now has a presence on my web site server.
As I activate Admin Tools it makes a random number in the field box.
I copy and paste this number on the end of the "Path" to my Site admin and call up the page.
Akeeba then notes the number and holds it as the key to allow access to the Site admin.
I am assuming Akeeba also notes where the inquiry came from, (which computer)
That also means the field box number is not shown on the end of the "Path" rather confusing to the "Baddy"
I still need my regular username and password to enter the Site admin

This prevents some smart-arse tagging Admin on the back of my web address to try and break in, as that alone without the number on the end will not work or even take him to the page he needs. (hence the Bad person page)

If this is how it works, what happens if I try to login from a second computer, should I just add the field box number to the path for the first time? so Akeeba will now learn the second computer.

If my computer stops working, I can access a file controlling the Field box number required to enter the Site admin the way you explained earlier on, and presumably change it.

You have nothing to be sorry about, by the way. You're the expert here, I'm the student.

James
Ps Sorry for the long e-mail, but I thought I should try and explain. Hope I got this right.





dlb
Hi James!

The "he knows the secret" flag is actually kept in a session cookie on your computer. So, yes, it remembers that this user knows the secret parameter. If you need to log in from another computer, you can; it simply creates a cookie on that computer as well.

You can add the secret parameter to your bookmark for the site; I guess that degrades the protection a bit. It makes the security feature almost invisible to the end user though. An increase in security without inconvenience is a rare thing.

A human attacker may realize what is stopping him and try to guess what your secret is, but a bot would be stopped dead. The bot would guess that it isn't a Joomla! site because the URL doesn't take it to where it wants to go.


Dale L. Brackin
Support Specialist
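
The behaviour dlb describes in the replies above, modelled as an added example; it is not part of the ticket and not Admin Tools' own code. The class, the sample secret and the in-memory session set are assumptions made for illustration.

```python
import hmac
import secrets
from typing import Optional, Tuple

HOME = "/"  # the thread says rejected admin requests land on the home page


class AdminSecretGate:
    """Toy model of the gate described in the thread; all names are assumptions."""

    def __init__(self, secret_param: str) -> None:
        self._secret = secret_param.encode()
        self._known = set()  # session ids that already presented the secret

    def handle(self, path: str, query: str = "",
               session_id: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Return (outcome, session_id) for one request."""
        if not path.startswith("/administrator"):
            return "public page", session_id
        if session_id in self._known:
            return "login form", session_id  # session cookie already carries the flag
        # The secret is sent as a bare query key: index.php?<field contents>
        keys = [part.split("=", 1)[0].encode() for part in query.split("&") if part]
        if not any(hmac.compare_digest(k, self._secret) for k in keys):
            return "redirect " + HOME, session_id
        session_id = secrets.token_urlsafe(16)  # fresh session for this browser
        self._known.add(session_id)
        return "login form", session_id  # username and password are still required


def walkthrough() -> dict:
    gate = AdminSecretGate("k3Xq9TzW")  # constructed value standing in for the field
    admin = "/administrator/index.php"
    first, cookie_a = gate.handle(admin, "k3Xq9TzW")
    second_pc, cookie_b = gate.handle(admin, "k3Xq9TzW")
    return {
        "no parameter": gate.handle(admin)[0],
        "literal 'secret'": gate.handle(admin, "secret")[0],
        "field contents": first,
        "same browser, no parameter": gate.handle(admin, "", cookie_a)[0],
        "second computer": second_pc,
        "separate cookies": cookie_a != cookie_b,
        "live site": gate.handle("/index.php")[0],
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case}: {outcome}")
```

The "literal 'secret'" case is the request from earlier in the thread: typing the placeholder word instead of the field's contents is treated the same as sending no parameter at all.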



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
