I believe Admin Tools will block an IP when the query string is wrong a couple of times right?
Correct.
But if they keep trying this will still load all the PHP / database queries until it gets to the admin tools plugin that will output the message again?
Correct. Admin Tools is a Joomla plugin. Joomla has to do its initialization. As soon as it reaches the onAfterInitialize stage Admin Tools kicks in and blocks the blacklisted IPs (if the IP is not blacklisted other checks are made, including the secret URL parameter for the backend pages). This minimizes the amount of database queries executed.
So the server resources are still used in this case and might cause the server to overload?
Correct.
There's not much to be done about that?
Not really.
While we could in theory put the blacklisted IPs in .htaccess this would only offer marginal performance gains until you hit about 50 to 300 IPs in the blacklist (depending on your server), at which point the performance is the same. Worse, blacklisted IPs in the .htaccess need to be parsed and compared for every request of every resource being accessed, including static media. Not to mention that some servers prefer to have a .htaccess file which is unwriteable to the software running on the server for security reasons (a human needs to upload updates to the .htaccess manually), thereby making it impossible to use that method anyway.
If you factor all these you quickly realize that you're much better off not using .htaccess for IP blacklisting in most cases.
What makes more sense is having a server-level firewall (e.g. an IPTables OS-level firewall and mod_security2 for Apache with a good ruleset) to snuff most attacks before they hit the PHP application. Then just rely on the PHP software firewall (Admin Tools) to kill off the attacks that make it through. Layers of defence work better than a monolithic single line of defence as the French can tell you (think about the failure of the Maginot Line in WW2).
Is the .htaccess only a 'browser' protection when a user browses to the admin page? Or does it also influence direct approach of files / scripts in the administration folder?
This question does not make sense. The web server does not serve "browsers" and "scripts". It fulfils HTTP requests. It doesn't know and doesn't care if the request came from a browser being operated by a human, a software bot, or an alien in a spaceship piggybacking on NASA's Deep Space Network to troll us petty humans. The web server simply sees a request and serves it based on some rules. The .htaccess file is a set of rules which are added on top of the base set of rules configured by the server administrator (your host).
So, .htaccess contents apply to all requests made to the server, no matter their origin or intent.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
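To make the comparison in the reply concrete, here is an added example (not Admin Tools or Akeeba code) that takes a constructed blocklist and emits both forms: the Apache 2.4 `.htaccess` rules that are re-parsed on every request, and the ipset/iptables rules that drop the same addresses in the kernel before Apache or PHP is involved. The blocklist uses TEST-NET addresses and the `blocklist` set name is an assumption.

```shell
#!/bin/sh
# Constructed blocklist (documentation-only TEST-NET ranges), one entry per line.
# The junk line shows why entries are validated before being turned into rules.
BLOCKLIST="203.0.113.7
198.51.100.0/24
not-an-ip
192.0.2.15"

# Keep only IPv4 addresses or CIDR ranges; anything else is silently dropped
# so a malformed line cannot produce a broken rule that locks everyone out.
valid_entries() {
  printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# .htaccess form (Apache 2.4 syntax). Apache reads and evaluates this block
# for every request, static files included, which is the cost the reply describes.
htaccess_rules() {
  echo '<RequireAll>'
  echo '    Require all granted'
  valid_entries "$1" | sed 's/^/    Require not ip /'
  echo '</RequireAll>'
}

# Kernel-level form: one ipset (hash lookup, scales to thousands of entries)
# and a single iptables rule that matches against it. -exist makes the
# commands idempotent so the script can be re-run as the list changes.
ipset_rules() {
  echo 'ipset create blocklist hash:net -exist'
  valid_entries "$1" | sed 's/^/ipset add blocklist /; s/$/ -exist/'
  echo 'iptables -C INPUT -m set --match-set blocklist src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set blocklist src -j DROP'
}

echo '# --- .htaccess (parsed per request) ---'
htaccess_rules "$BLOCKLIST"
echo '# --- ipset/iptables (kernel level, run as root) ---'
ipset_rules "$BLOCKLIST"
```

The script only prints the rules; review the output, then paste the first block into `.htaccess` or pipe the second into a root shell.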