#27963 Some visitors get "THIS REQUEST IS BLOCKED BY ADMIN TOOLS..." error

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by dlb on Tuesday, 20 June 2017 10:20 CDT

AprilPh
Hello,

I'm unable to figure this one out. My clients are getting calls from some of their customers that they are getting this error ("THIS REQUEST IS BLOCKED BY ADMIN TOOLS. PLEASE CHANGE THIS MESSAGE IN THE COMPONENT'S OPTIONS.", see screenshot). I never see the error but I am on the Admin IP white list. The website is Cityofexeter.com. I've tried locating the problem and am stumped. The Security exceptions log is not recording the error. The only errors it seems to be catching are template in the url and some failed logins.

However, I do have it set NOT to record any Geo blocking errors, but since this is occurring with people within the local area, I don't think that could be it.

I have uninstalled admin tools and re-installed it but it didn't seem to do anything. I've eliminated system cache and turned off page cache plugins as someone on the board said it worked for them.

This seems to be happening on multiple pages, so I'm not sure it has anything to do with a specific module. Can you recommend anything? I really don't want to uninstall security.

Thank you for your help.

dlb
Can we get an IP address of one of the people who is blocked? Are they always blocked or only on certain pages?

You don't need to uninstall Admin Tools to disable it. You can just unpublish the System - Admin Tools plugin. That will turn off the Web Application Firewall (and GeoIP blocking). The only thing left is the .htaccess file. There is usually a htaccess.txt file in the root of your site; it is Joomla!'s default .htaccess file. You can replace your current .htaccess file with that one. That will tell us if the problem is caused by Admin Tools.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

AprilPh
Hi Dale,

Thank you for your quick response. I am unable to unpublish the System - Admin tools plugin as attempting to do so gives me a 403 error. I am able to disable Admin Tools by renaming the plug-in with ftp but am hesitant to do so because it would leave the site open to attacks. When I mentioned that I had uninstalled the component, it was to start fresh in case one of my original settings was the culprit. But clearing out the component and deleting any left over tables and files did nothing to stop the reports from coming in once I reinstalled admin tools.


I replaced the htaccess files (both the .htaccess.admintools and the .htaccess files). But since I wasn't able to re-create the problem in the first place I am unable to confirm that that made a difference. As I said before, the security exceptions log is not recording any errors except when someone tries to access a page with template in the url or a failed login. In that case the IP was 35.190.178.70, looking up http://cityofexeter.com/component/mailto/?link=...(and a bunch of random numbers with the template name). This seems to be a re-occurring attempt from multiple IPs so I did not associate it with the problem.

Once again, thank you for any advice you can give as I am going completely nuts with this.

April

dlb
The 403 error is Admin Tools protecting itself. It's a new feature. In Web Application Firewall, Configure WAF, on the first tab, "Defend against plugin deactivation" needs to be No to disable the plugin.

It could be the GeoIP blocking. That does not leave any trace in the log file. We are using a third party database to match IP to a country. We're using the free version of the database, which is not as good as the paid version. It does have errors in it. And IP addresses are not as stable as they used to be. All of the IP4 addresses are issued, they have been for years. So blocks of IPs get traded between big companies when they need new ones. When Verizon needs more IP addresses, they have to buy them from someone who has excess addresses. It takes a while for the MaxMind database to catch up with these transfers.

It will not significantly affect your site security to disable the GeoIP block. It is trivial for any human hacker to bypass it. It will stop the bots, they are usually not smart enough to switch proxy servers when they get blocked. Hackers don't use their own IP addresses, so it really isn't all that useful. Nicholas has tried to remove it from Admin Tools but every time he tries, he has clients up in arms.

Please disable the GeoIP plugin. That will disable it without messing up your country selections in case that isn't the cause.

The template error is caused by visitors clicking the email icon on an article. You can fix it by setting "Allow site templates" to Yes. If you don't display the email icon on your articles, then someone is calling the URL directly and it really should be a security exception.


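One way to find the blocked visitor's IP address that dlb asks for when the block leaves no trace in the Security Exceptions Log (an added example, not part of the original thread or of Admin Tools itself): cross-reference the web server's access log against the IPs that did produce a logged exception. It assumes blocked requests are answered with HTTP 403 and that the server writes Apache combined-format logs; the function name, log lines and IPs are all constructed for illustration.

```python
import re

# Constructed sample data (not from the ticket): Apache combined-format
# access-log lines and the IPs that appear in the Security Exceptions Log.
ACCESS_LOG = """\
203.0.113.10 - - [16/Jun/2017:09:12:01 -0500] "GET / HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2017:09:12:09 -0500] "GET /departments HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2017:09:13:40 -0500] "GET /component/mailto/?link=abc HTTP/1.1" 403 512 "-" "bot"
192.0.2.44 - - [16/Jun/2017:09:14:02 -0500] "GET / HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.99 - - [16/Jun/2017:09:15:30 -0500] "GET /contact HTTP/1.1" 403 512 "-" "Mozilla/5.0"
"""
LOGGED_EXCEPTION_IPS = {"198.51.100.7"}  # blocks that DID leave a log entry

# client IP, request method, request path, response status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def silent_blocks(access_log, logged_ips, blocked_status="403"):
    """Return {ip: sorted paths} for clients that were refused but have no
    matching security exception, i.e. candidates for a GeoIP block."""
    hits = {}
    for line in access_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, _method, path, status = m.groups()
        # Assumption: a WAF/GeoIP refusal shows up as this status code.
        if status == blocked_status and ip not in logged_ips:
            hits.setdefault(ip, set()).add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


if __name__ == "__main__":
    for ip, paths in silent_blocks(ACCESS_LOG, LOGGED_EXCEPTION_IPS).items():
        print(ip, "refused on", ", ".join(paths))
```

The IPs it reports can then be looked up in the GeoIP database to see whether they resolve to a blocked country.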

AprilPh
Dale,

Again, thank you so much for your assistance. I have made your suggested changes and will monitor it throughout the day to see if there are any more complaints.

April

dlb
Please let me know if that does the trick. Have a good weekend!



AprilPh
Hi,
Since I have not received another customer complaint, I'm closing the ticket and concluding that must have been the problem. Thank you so much for your assistance.
April Pastis

dlb
You're welcome!


