#37748 admin tools shows repeated failed login attempts from IP address where there is nobody doing anything

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.2.2
PHP version: 7.4.30
Admin Tools version: 7.1.10

Latest post by davidascher on Saturday, 17 September 2022 15:53 CDT

davidascher

I have recently upgraded this site (a test copy of a live site) to Joomla 4. Since that upgrade all seems to be fine except for ONE user - my client. Every 14 minutes (plus or minus a few seconds) after they log in, I see an email reporting a failed attempted login from that user's office IP address. The attempted logins do not include the secret parameter at the end. If I set the parameters for autobanning an IP address to something that I know will happen - like 4 failures in one hour - then the address is autobanned and the emails stop.

I did see ticket #36696 and thought it might be relevant except for two things:

  • The machine the client uses is a desktop PC machine, not a laptop machine.
  • This behavior only occurs for this client's account. It is an Administrator account, whereas mine is a Super User account.
    • The client has an assigned IPv6 address as well as an IPv4 address. My own office has only an IPv4 address - no IPv6 address.

Following your recommendation in ticket 36696, I asked the client to log in, log out, and then close the browser tab they'd used. The problem of these mysterious recurrent invalid login requests disappeared. 

However, I do not think the explanation you'd provided for the customer whose client was running on a laptop (at least that is what I inferred) applies to a desktop PC system. I don't think it hibernates - and it certainly does not hibernate while the client is logged in and doing things on the site.

I'm happy to provide any further info that you think you might need or want to solve this mystery... Or alternatively, you can tell me where I have misunderstood your reply to ticket 36696. It makes no sense to me that this should only happen to my client and not to me - especially since they have always been careful to log out when they finished their work - and I am not so careful. AND I am using a laptop and they are not.

One more thing - this misbehavior is NEW, occurring on the test site running Joomla 4.2 but not previously or currently on the live site running Joomla 3.10.11.

System Task
system
The ticket information has been edited by david ascher (davidascher).

nicholas
Akeeba Staff
Manager

> admin tools shows repeated failed login attempts from IP address where there is nobody doing anything

Admin Tools is not a standalone application. It only runs inside Joomla. Joomla is a web application. It only runs when the web server tells it to run. The web server only tells PHP and Joomla to run if there is a request to be processed. A request is added to the web server's processing queue only because of network traffic.

Therefore the very fact that Admin Tools does anything means that there is network traffic from the IP address reported by the Operating System, to the web server, to PHP, to Joomla, to Admin Tools, to its log and your email.

> Every 14 minutes (plus or minus a few seconds) after they log in, I see an email reporting a failed attempted login from that user's office IP address.

The 14 minutes +/- a few seconds should have given you a hint as to what is going on.

Joomla's edit pages (all edit pages!) run a Keep-Alive JavaScript file. This file performs an AJAX request to the /administrator/index.php URL every X - 1 minutes (and not sooner than 15 seconds) where X is your site's session timeout in minutes. The default session timeout in Joomla is 15 minutes. Therefore we expect to see a ping every 14 minutes give or take a few seconds. Ah! The fact that closing the admin pages alleviated the problem further proves that this is what is going on.

Now, it does not matter if your client's computer is a desktop or a laptop. All computers of the past 20 years or thereabouts have sleep states and their operating systems do put them to the S3 (sleep-to-RAM) state whenever they are left unattended for a while. On Windows, the default is 5 minutes of inactivity. When the computer sleeps the JavaScript timers pause.

It is also possible for the computer to wake up automatically or through the user's actions after the Joomla session has expired. Therefore, any attempt to access the backend of the site will trigger the Admin Query exception.

What they probably do is this. They have the site open on their browser. Then they open a different tab and forget about it. At some point they need to grab a coffee, answer a phone call or just go to the bathroom. The computer sleeps. They come back, turn the sleeping computer back on (from their perspective it's just the screensaver they are dismissing) and go back to what they are doing. The background Joomla tab's JavaScript timer resumes and starts pinging the server every 14-ish minutes but the session is already closed. Therefore you get the periodic blocked requests. The traffic does come from the user's computer, they are just oblivious to what they are doing wrong.

Tell your client to NEVER leave any tabs / windows to their Joomla backend open. Always close them when they are done. That's the solution.

Finally, let me tell you that IPv4 vs IPv6 and laptop vs desktop have nothing to do with this. Furthermore, what I described (keep alive) works the same since Joomla 1.6 released in 2010. Joomla 3 and 4 — including 4.2 — work the same. Nothing has changed. Session management is a fundamental concept throughout Joomla's life since it was called Mambo back in 2001. The keepalive.js script has been present for more than a dozen years. It just happened that your client started leaving open tabs in the background without thinking about it.

Nicholas K. Dionysopoulos

Lead Developer and Director

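The keep-alive timing described in the reply above can be checked against a log of blocked requests. The following is an added example, not part of the ticket and not Admin Tools or Joomla code: the log line format, the function names and the generic sliding-window count are assumptions, the sample lines are constructed, and the thresholds are the ones quoted in this ticket.

```python
from datetime import datetime, timedelta
from statistics import median

def keepalive_interval(session_timeout_min):
    """Ping period as described above: X - 1 minutes, never under 15 seconds."""
    return max((session_timeout_min - 1) * 60, 15)

def looks_like_keepalive(times, session_timeout_min=15, jitter=30):
    """True if the typical gap between blocked requests matches the ping period."""
    if len(times) < 3:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return abs(median(gaps) - keepalive_interval(session_timeout_min)) <= jitter

def autoban_trips(times, max_failures, window):
    """Generic sliding window (assumption): max_failures events within `window`?"""
    times = sorted(times)
    return any(times[i + max_failures - 1] - times[i] <= window
               for i in range(len(times) - max_failures + 1))

def parse(lines):
    """Group 'ISO-timestamp ip reason' lines (hypothetical format) by IP."""
    by_ip = {}
    for line in lines:
        ts, ip, _reason = line.split(maxsplit=2)
        by_ip.setdefault(ip, []).append(datetime.fromisoformat(ts))
    return by_ip

def triage(lines, session_timeout_min=15):
    """Per IP: is it keep-alive shaped, and which ticket thresholds would it hit?"""
    hour, minute = timedelta(hours=1), timedelta(minutes=1)
    return {ip: {"keepalive_like": looks_like_keepalive(t, session_timeout_min),
                 "trips_3_per_minute": autoban_trips(t, 3, minute),
                 "trips_5_per_hour": autoban_trips(t, 5, hour)}
            for ip, t in parse(lines).items()}

# Constructed sample: one stale backend tab, one rapid burst (documentation IPs).
SAMPLE = """\
2022-09-12T09:00:03 192.0.2.10 blocked-admin-request
2022-09-12T09:14:05 192.0.2.10 blocked-admin-request
2022-09-12T09:28:02 192.0.2.10 blocked-admin-request
2022-09-12T09:42:06 192.0.2.10 blocked-admin-request
2022-09-12T09:56:04 192.0.2.10 blocked-admin-request
2022-09-12T10:00:01 198.51.100.7 blocked-admin-request
2022-09-12T10:00:09 198.51.100.7 blocked-admin-request
2022-09-12T10:00:20 198.51.100.7 blocked-admin-request
2022-09-12T10:00:31 198.51.100.7 blocked-admin-request
"""

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE.strip().splitlines()).items():
        print(ip, verdict)
```

With a 15-minute session timeout, requests spaced 14 minutes apart never reach three in one minute but do reach five in one hour, while a rapid burst does the opposite.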

davidascher

Thank you for that in-depth lesson on the behavior of modern operating systems and browsers. I certainly learned much more than I expected in response to my little problem.

However, your explanation fails to explain why

  • this happens after my client logs in to the admin backend of this (test Joomla 4.2) system but does not happen when I log in to the same system.
  • this never happened to the client on their Joomla 3.10.11 live system.
  • this has never happened on any Joomla system on which I have worked ever - in the last 15 years or so.

I have never routinely closed each browser tab after I've finished a Joomla admin session - I rarely remember to log out. I had never seen this behavior previously, and I cannot stimulate Admin Tools to behave this way after my admin sessions.

It occurred to me that I had forgotten that I had made some changes to the Admin Tools test site in order to reduce attempts by unknown actors from Eastern Europe and Asia to log in to this test system. The autoban parameters were originally set to detect 3 failed log in attempts within one minute - presumably to catch bot based hack attempts. (I had not chosen those values; they were set that way on the live site before I became involved with this client.) The hack attempts I was observing were much more spread out - one every ten minutes or even longer intervals. In response, I had modified Admin Tools to autoban an IP address from which a failed log in occurred five times in one hour. This DID seem to correspond to when this problem started.

Therefore, I have changed the Admin Tools autoban parameters back to their original values (3 failed attempts within one minute) and this behavior has completely stopped. There are no more failed ghost login attempts being reported via emails nor in the logs. I asked the client to ensure that they log in, start an editing session (JCE editor) and walk away. No failed ghost log in attempts are reported. To be fair, before I remembered having changed the Admin Tools parameters, I also asked them to open a new browser tab, log in to the Joomla backend, start a JCE editor session, wait five minutes, close the editor session, log out of Joomla and finally close the browser tab. That also seemed to eliminate the issue of these failed ghost logins - as you had described they would - and should.

However, I am afraid I do not see any obvious logical connection between those parameter settings and the behavior I wrote about. And, if I am following your detailed explanation of why that behavior MUST occur, I don't see how changing those parameters to the original values would stop that behavior - in addition to why the behavior never occurred after my own logins.

I can certainly live with the Admin Tools settings as they are - but I think the mystery of exactly what causes these ghost log in attempts (either only when the client - a System Admin - logs in or not when I - a System Admin - log in) remains unsolved. I very much appreciate that you are a very busy guy focussed on managing some of the most complex, capable, and important extensions for Joomla, so I would be happy to offer any help I can to help find the underlying cause(s) of this problem. I have some ideas about things to test and as I get results from those tests I will, if you'd like, share them with you.

For example, set the Admin Tools parameters back to 5 failures within an hour; create a new System Admin user; log in using those credentials and see if the ghost logins return. And see if extending the autoban failed logins period to any value longer than the system's session length parameter will cause this problem (of course, only for some groups of logged in users and not others). And see if reducing the Admin Tools failed logins period to shorter than the system session time will stop the failed ghost log ins.

As you can see, unlike you, I suspect that the failed ghost logins may be related to Admin Tools behaviour - with its fingers apparently deep into the bowels of Joomla, and the web server (and maybe the browsers' behaviors?) - holds the key to this mysterious behaviour. With the millions of Joomla sites out there and the tens or hundreds of thousands of Admin Tools sites out there, almost all of them I'd expect leaving the autoban parameters at default values, I am not surprised that this problem has not reared its ugly head previously - or at least that you haven't received a lot of reports of it. Leaving things as they are, seems to me to be waiting for a disaster, one with a small probability of ever occurring, to occur "big time" at some time in a future release or update of Joomla or of Admin Tools. It would be better to completely understand what is going on now, when you have only my report in addition to a small number of others about this failed ghost login behavior than to wait until things blow up and have to deal with it then.

I will update this ticket with the results of my tests to provide you with additional data points to help with your problem analysis and, with any luck, lead you to the ultimate solution to solving the issue without imposing "unusual" behaviours on those who log into Joomla's admin backend to perform various tasks.

Once again - many thanks for the time and effort and expertise you have put into Admin Tools and Akeeba Backup for Joomla (and I presume for the several other products and extensions for WP that you produce). They are heads and shoulders above the vast majority of other extensions in terms of reliability and quality - not to mention utility. I don't know what I would do without the capabilities provided by Akeeba Backup especially. We are lucky to have a guy like you and a team like yours dedicated to providing such high quality, well thought out, flexible, and reliable tools without which Joomla would be much less capable of meeting the needs of larger, more complex sites.

[I had actually begun this extensive note before the weekend but for various reasons, was unable to complete it and had to start it again. That's probably a good thing as you would probably have ruined your weekend thinking about the issues I raised. I would not want to be responsible for ruining (almost) anybody's weekend.]

davidascher

Please feel free to ignore my last reply. The problem is fixed and, more importantly, I reread the documentation and now, I think I have a better understanding of what was happening. I may get back to you about the logging that I'm seeing and not seeing.

Thank you.
