#34467 Auto blocking of users after failed logins

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post on Wednesday, 31 March 2021 20:17 CDT

jjst135

Hi!

We noticed on one of our sites that some users get 'deactivated' (I think by Admin Tools) after they try to login with wrong credentials. While this is probably a good security measure, in this case it's also a bit user unfriendly, at least in the way it is set up now.

We have a website that syncs users with an external application. Users can not register on the website themselves. This is why we have 'user registration' disabled.

When we go to the WAF settings in Admin Tools we see the option 'Treat failed logins as a reason for blocking the request'. This is set to YES. So this is probably why Admin Tools disables users when they log in incorrectly. Right?

Below this there is an option 'Deactivate user after'. This was set to 0 failed logins in 1 hour. But the setting was 'disabled' because: "User registration on your site is disabled, therefore Admin Tools can't deactivate users."

My questions:

Does (can) Admin Tools deactivate users when 'User registration' is turned off? If not, then I am not sure how the users get deactivated...

If Admin Tools DOES deactivate users, does it use the settings from 'Deactivate user after'? In that case I would need to adjust this (to, let's say, 5 failed logins every minute) to make it less strict? In order to do this we need to turn on 'user registration', change the values in the WAF setting and then turn user registration back off. Correct?

Hope you can clarify this for me.

Kind regards,

Jip


tampe125
Akeeba Staff

Hello,

Admin Tools doesn't deactivate the user if user registration is not enabled:

use Joomla\CMS\Component\ComponentHelper;

$userParams = ComponentHelper::getParams('com_users');

// User registration disabled or no user activation - let's stop here
if (!$userParams->get('allowUserRegistration') || ($userParams->get('useractivation') == 0))
{
   return;
}

Does this happen only when a user fails to login with username and password?

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

jjst135

OK, well then something else is happening. I don't think Joomla itself would deactivate users. Except of course when an admin does this manually. But this is not the case. It could be that our sync is doing this, but I need to check this with our developer.

What would you suggest we do to somehow keep track of this? I would really like to know why these users have been deactivated. 

I assumed this was because of failed logins (wrong passwords). But I am not 100% sure of this. But that would be the most plausible explanation I think.

Is there an Admin Tools log we can check to see if it did actually deactivate users? Or can we enable such logging to see if any actions like these are performed by Admin Tools?


tampe125
Akeeba Staff

Well, first of all let's double check that the problem is indeed caused by Admin Tools.
Let's ask Admin Tools to keep a debug log. You can find that option inside the Configure WAF page; in this way Admin Tools will dump every security exception to the log folder.
When this happens again, please ask your customer to report the IP address he is using, then take a look at the Blocked Request Log. Can you find that IP in the list? If you take a look at the debug log, is there anything interesting inside it? What's the reason for the block?

Finally, if this doesn't give you any significant result, please disable the Admin Tools system plugin for a few days and keep an eye on it. Do you still have deactivated users? If so, it means that the problem is not caused by Admin Tools, but by another tool.

Davide Tampellini


jjst135

We will try to log and research. We have 4 sites with about 500 users that regularly log in. But we are not the 'day-to-day' managers of the website so we don't always get notified about issues with users that are disabled. But we do have access to the site and we will try to retrieve IPs of users that get blocked. Hope we can figure out what happens. Thanks so far!

tampe125
Akeeba Staff

You're welcome! Keep me updated when you have new findings.

Davide Tampellini


jjst135

We have been monitoring this for a while now and we do see that login failures result in users getting deactivated. I think only Admin Tools can do this and not Joomla?

So this would mean Admin Tools is blocking users even when 'user registration' is disabled on the website? Or can you think of any other reasons why users might get deactivated (other than by Admin Tools)?


tampe125
Akeeba Staff

Honestly, no. First of all I'd say to run with Admin Tools deactivated for a few days, or at least find a consistent way to replicate the issue. As soon as we can replicate the issue with 100% accuracy, we can start debugging it; otherwise it's like shooting in the dark.

Davide Tampellini


jjst135

I don't feel really comfortable disabling Admin Tools on a site with a lot of privacy sensitive information. Besides, the deactivation of users only happens once in a while. So if we disable Admin Tools we will never be sure whether it caused the deactivation of users when no users are deactivated in that period of time.

I think we will leave it at this for now on our side. We'll just check periodically if users are deactivated and activate them again.


tampe125
Akeeba Staff

Ok. At this point I think I'll close the ticket. Feel free to open a new one when you want to dig into the issue any further.

Davide Tampellini


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
