
#29709 Default setting changes

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post: Saturday, 23 June 2018 17:17 CDT

treat2day
I want the default reliability that Akeeba is known for back again.

You have been the most reliable and consistent in all the products I subscribe to using Joomla since 2012. It was a learning curve in the beginning but I took some classes with OSTraining and along the way figured things out on my own.

SOLUTION QUESTION: Maybe the professional version component has become too advanced for my skills. If I uninstall all Pro versions, can I install the free version without all the Pro version has to offer?

PROBLEM:
I cannot spend any more time, which clients are not billed for, getting what used to work to work again.

This has been a very troubling year with my understanding of how this component is now working. I understand there are many challenges and probably a large customer base with professional knowledge using your service.

I did not need to learn many of the troubleshooting issues if your component did not change my settings so often. I could count on Akeeba for many years without giving up an entire day trying to get broken plugins and components to work.

I have only requested Akeeba tech support a few times because of all the documentation available.

Now I have to delete the .htaccess every time a new update is issued to get my 14 domains I manage to work. Users never bother telling us what does not work. They just stop using the service.

The recent changes to default: 14 domains I manage

1. Super user locked out of every account after security logs them as accessing the admin area. SOLUTION: add all the super users to the exceptions. PROBLEM: ISP provider IP addresses are not permanent

2. Emails for every admin action, every admin uses on all 14 domains. SOLUTION: turn off new feature

3. Media players stopped working because of MIME issue which never happened in the past SOLUTION: add folder to .htaccess

4. PDF component download error which never happened in the past SOLUTION: add folder to .htaccess

5. iFrame for online book reader 404 error which never happened in the past SOLUTION: add folder to .htaccess

6. Download component does not find new FTP upload items which never happened in the past SOLUTION: add folder to .htaccess

7. Cannot login to front end without deleting the .htaccess first NO SOLUTION and I tried many from several sources.

I cannot count on items to work and have security. The only solution is to add all the folders with extensions that are not working to the .htaccess folder.

This is what one site looks like in order to work after adding more folders in the past year.

about
briefcase
calendar
clip-arts
images/video
images/audio
formmanager/forms/documents
downloadmanager/documents
modules/mod_media_weather
modules/mod_media_twitter
modules/mod_media_slider
modules/mod_slider4
modules/mod_slider_x
components/com_downloads
famous-people/reader
gallery3/directory
media
video/myreader
audiomp3/files
music/reader
templates/university
templates/foodies

nicholas
Akeeba Staff
Manager
Convenience. Security. These are two concepts which are at odds. Maximum convenience means no security. Maximum security means no convenience. Finding the balance that suits your specific needs is up to you.

Also, security is not something you install and forget. Do you think hackers don't try to find new vulnerabilities and new ways to exploit them every day? Well, they do and we have to make changes in our security products to protect you. Otherwise we wouldn't be selling a security product, we'd be snake oil. At the very least that would be immoral.

A quick rundown of your issues:

1. Super user locked out of every account after security logs them as accessing the admin area. This means that your sessions expire too soon. This is fixable in Joomla's Global Configuration. You could also remove the Administrator Secret URL Parameter feature but you should enable the administrator secret URL parameter. Or enable none and let two factor authentication protect you (that's why I contributed that feature to Joomla back in 2012). This is something I have said since 2010, when Admin Tools was launched. You have options, use the ones which make sense to you. Defaults are just that: what I believe are good default values if you don't know what you're doing and want to start somewhere.

2. Emails for every admin action, every admin uses on all 14 domains. Whenever we create a new feature we always consider very carefully its pros vs its cons. In this case, you receive an email when your site's Global Configuration is changed or Super Users are created outside of the backend Users manager. Both of these events are anomalous on most sites (and for those sites where they are not, they are an indication you're doing something ill-advised or outright detrimental to your security). That's why these two features come enabled by default: they notify you of anomalies. Unless, of course, you are talking about security exceptions. In this case it means that you never took the time to configure Admin Tools, which is a security tool, not something that you install and magically makes your site secure. There is no such magic solution. If there was I'd be selling it for 40 million Euros a year to companies and governments and they'd buy it without blinking an eye because it'd save them operating expenses more than ten times that price.

3. Media players stopped working because of MIME issue which never happened in the past. There's a reason we had to do this. We did our research and found a security issue in Joomla regarding SWF files. See https://www.nc-lp.com/blog/csrf-token-steal-in-joomla I'm sorry that we inconvenienced you, but I'd posit that a hacked site would be much more inconvenient. Also see #4.

4. PDF component download error which never happened in the past. We fixed a bug which allowed arbitrary access to non-Joomla folders. Considering that the frontend protection is meant to stop that I'd say this is a good thing. For what it's worth, you just need to add the folder in "Frontend directories where file type exceptions are allowed". Adding them to the folders where everything is allowed misses the point of front-end protection (which is the whole point of the .htaccess Maker) so maybe you can just not use the .htaccess Maker on your site? The drawback is that it's easier to get hacked. For example, an upload vulnerability means complete compromise of your site. With .htaccess Maker's front-end protection you are protected even if the attacker uploads a malicious .php file since they can't access it directly. Again, convenience vs security.

5. iFrame for online book reader 404 error which never happened in the past. See #4.

6. Download component does not find new FTP upload items which never happened in the past. See #4. Also note that this is a strong indication that your download component serves files directly from a web accessible directory. Therefore anyone can download any of these files by guessing the filenames (which is typically far easier than it sounds). It sounds like an insecure or at least not well thought out download component to me. I am not pulling hair from my butt here. I have written Akeeba Release System used for all of our downloads and also the downloads for Joomla! itself. I think I can convincingly claim I know what I'm doing when it comes to download components ;)

7. Cannot login to front end without deleting the .htaccess first. I have no idea why since there is zero usable information in that statement. There are no changes in the .htaccess Maker which could explain it. Please make sure you are using version 5.1.2. The first releases, 5.1.0 and 5.1.1, had a bug with the frontend protection. We pulled them and replaced them as soon as we found out about it, releasing 5.1.2 which fixed the issue.


At the end of the day Admin Tools is a security tool. It can help you set up and maintain total security on your site. It's not a security service that you put in front of your site, never configure, never disturbs your site and rarely stops actual hackers who have a moderate knowledge of what they are doing. Admin Tools takes about 1 to 5 hours for the initial setup and about 1 hour per year per site to maintain. If this is not what you are looking for then yes, Admin Tools Professional is not for you. This is OK. Security tools are not for everybody. Maybe you don't really need total security of the kind you can achieve with Admin Tools. Different sites have different threat models and security needs.

Which brings us to your original question. Yes, you can replace Admin Tools Professional with Admin Tools Core but I see no reason to. You'd lose all features which make Admin Tools useful. At this point you can simply uninstall it. You should also delete the .htaccess files from your site's root and the administrator directory. Joomla still needs a .htaccess so just copy its htaccess.txt into .htaccess in your site's root.

Finally, as a side note, if you want to downgrade your subscription please note that you will lose your renewal discount. It only applies when buying the same subscription (renewal), not when downgrading.

I hope this sincere information helps. I remain for your questions.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
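The deny-by-default front-end protection described in point 4 above, as a constructed Apache `.htaccess` fragment. This is an added illustration, not the file Admin Tools' .htaccess Maker generates; the directory names are taken from the list in the opening post and the allowed extensions are assumptions.

```apache
# Constructed example of deny-by-default front-end protection for a Joomla site root.
# A request for a file inside a protected directory is served only when its extension
# is on the allow list, so a .php file dropped into images/ by an upload bug cannot be
# executed by requesting it directly.
RewriteEngine On
RewriteBase /

# Joomla's own entry points are always reachable.
RewriteRule ^index\.php$ - [L]
RewriteRule ^administrator/index\.php$ - [L]

# Reject any PHP-looking path segment under a protected directory first, so that
# /images/evil.php/fake.png cannot slip past the extension check via PATH_INFO.
RewriteRule ^(images|media|templates|downloadmanager/documents)/.*\.ph(p[0-9]*|tml|ar)(/|$) - [F,NC]

# Directories where only the listed static file types may be served directly
# (the "file type exceptions" kind of directory mentioned in the reply).
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(images|media|templates|downloadmanager/documents)/.+\.(jpe?g|png|gif|webp|svg|css|js|woff2?|mp4|mp3|pdf)$ - [L,NC]

# A directory where everything is served directly: the reply warns against
# overusing this list, so keep it as short as possible.
RewriteRule ^famous-people/reader/ - [L]

# Anything else under a protected directory is forbidden.
RewriteRule ^(images|media|templates|downloadmanager/documents)/ - [F]
```

Each time an extension stops working after an update, the fix this reply points to is adding the directory and file types to the allow rule above, not adding the directory to the "everything allowed" rule.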

treat2day
All valid responses. However, it is a public response in a forum. You make perfect and valid points. I get that too. I failed in expressing my frustrations using bullet points without many of the details for each one.

In my opinion, all the points you make are also valid security measures for a wide audience.

In addition, many of your concerns and security settings do not take into account that I too have considered protection when using Joomla plugins and extensions by using developers with expertise in the products they sell. These developers, including Akeeba, are highly rated in the community for many years on the Joomla platform.

My response is not meant as a criticism but an explanation that I was speaking about security with implementations configured and highly recommended when using this security tool.

1. These are basic settings used and implemented as suggested in a training in 2012 by OSTraining. In fact, I only learned of OSTraining in 2012 by reading a post here, by Akeeba, that they have an excellent class on settings for your product. I have no explanation why being locked out using these settings began happening recently even with setup in all the areas you mentioned here.

The fix was to add the IP addresses in exceptions “Never block these IPs”. ISP carriers roll out new ones and I just have to live with repeating these exceptions. This is an additional setting now necessary with these included measures already in place mentioned in the response:

- sessions set in Joomla's Global Configuration back in 2012
- remove Administrator Secret URL Parameter feature back in 2012

And yes these are the defaults implemented as suggested. Again, I am not sure why suddenly security logs automatically start locking out administrators.

2. I did not get the memo this was a new feature. I will take full responsibility for my lack of knowledge on this new feature. I need to do more reading about the new versions before implementing and discontinue blindly activating as I have done in the past.

Again, I have taken considerable amount of time to configure Admin Tools as a serious security tool.

3. The MIME issue is a valued security measure taken by Akeeba. However, consider my frustration in the position of taking a considerable amount of time to search, read forums from multiple sources, deactivating plugins and extensions one at a time.

Again, other developers for my components also implemented safeguards and many of them put solutions in place. It never occurred to me that double duty in security was the culprit and no fault of the extension developer or Akeeba stepping up its security.

4. Using the .htaccess is a security setting no one should do without.

5. Yes, this was also addressed in my last PDF component update by the developer. That is why it came to my surprise .htaccess was a second security setting that took a considerable amount of time to come to that solution.

6. This component has never served files directly from the web. It is a solid component that the developer and his team are highly respected in their field. The user must go through several steps before getting to the final download. The FTP is done on the backend by administrators only.

Again, there is double duty working against each other and the solution was .htaccess and no fault of the download developer or Akeeba. Just another added time-consuming problem that is happening all at once is quite overwhelming.

7. This was fixed after installing the new update 5.1.2 but this note about the problem was already written.

You were very helpful in sending me in the right direction. Investigating new update security implementations before blindly installing them will take some time but considerably less than finding a new problem with extensions and plugins.

Thank you.

What was not helpful was this at the end of day comment. It feels rude and dismissive. Your explanations on each item were clearly what was needed and understood for new security implementations. Call me sensitive, but the comment reads, to me, as a personal attack on my actions in security without knowing what I have already done in securing my site. I could have done without those comments in that paragraph as a solution.

Consider this matter closed with solid directions going forward.

nicholas
Akeeba Staff
Manager
Since this is a public ticket you understand that a. I have to respond to all your generic remarks with generic replies and b. my replies will be generic in lack of details on your part. I would very much prefer it if you'd seek support for each issue, support we can gladly give, instead of coming here with what comes across as a dismissive and complaining post. I will have to defend my software and my company using arguments which you may not like. But I will always be frank and open with you, even if the truth is not aligned with my interests as I did in my response. Yet, you didn't take offense at the generalities I had to write but at the solid truth I put in my reply.

I have to insist, Admin Tools Professional and any security tool is not for everybody. I am not implying that you are not smart enough to use it! On the contrary, I assume that you are smart enough to make informed decisions. In fact, knowing that you could misconstrue my response I explicitly stated why I am making this statement: not all sites have the same threat model. This is a cold, hard fact! In case this is not clear I can clarify. Some sites may consider being hacked as an acceptable risk. For example, a blog with frequent enough backups to guarantee that no information is really lost could consider getting hacked as an acceptable risk. Also, not all sites are likely to be attacked by adversaries who know what they are doing, requiring defense in depth (part of which is implemented with security tools) to defend against. If your only expected threat is script kiddies with primitive tools or the latest proof of concept attack (patched anywhere between 6 hours to 6 months ago in Joomla...) a web application firewall service which needs virtually no management on your part would actually be a better fit, albeit more expensive. What I am saying is that you should not be afraid to choose the RIGHT TOOL for the job and I should not be reluctant to tell you so, even if the right tool is not something I am selling. Would you rather me do what other developers do and say "I am the God, my software is the only thing that's worth anything, everything else is crap"? I refuse to be that guy. I write software to help people with their sites, not to be rich.

So, honestly, I want you to actually spend some time and think what is your threat model on your sites. Does it make sense for you to spend time, even if it's just a few hours per year per site, to manage your security or is your threat model covered by an easier to manage service? If you decide that a service is the way to go there is no hard feelings. You can either downgrade to Core or uninstall completely. Core doesn't have many useful features so I don't know if it'd even make sense to downgrade instead of uninstalling. This is an honest statement. The only reason Core exists is that I know people who use it to fix permissions and, frankly, it doesn't cost me that much to maintain it. Otherwise I consider it kinda useless. Would you rather me play daft and tell you that it's useful and you should keep it? I don't think that would reflect nicely on our business relationship.

The only downside to not using Admin Tools Professional is that you'd need to downgrade your subscription which means that our system does not give you a discount. This is a fact. Would you rather me lie to you or conveniently "forget" to tell you that you'll be paying pretty much the same for one less product?

Please keep in mind when talking to me that I'm not going to lie to you. What I write is the truth, the whole truth and nothing but the truth to the best of my knowledge and abilities. I write what I mean and I mean what I write. I would make a TERRIBLE politician. So please don't read things I didn't write. Thank you for your time and have a great day :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
