Admin Tools for Joomla! Configure Web Application Firewall (WAF)

Credits: Video Training produced by Brian Teeman

Transcript of this course

Probably the most important part of Admin Tools is the Web Application Firewall, as this provides a suite of tools to protect your web site.

It's active from the moment that you install Admin Tools. We can configure it from the Security section by selecting "Web Application Firewall".

Here you can see several options. The most important one (and the one we will concentrate on in this video) is Configure WAF. WAF is just an abbreviation for Web Application Firewall.

Click on the Configure WAF icon.

The first part covers the Basic Protection Features: whether we should allow administrators access to the web site based on an IP address, or whether we should use a secret URL parameter. (This is covered in more detail in the video "Restricting Access to Joomla".)

Moving on to the Request Filtering. This is the important stuff that protects your web site from malicious people. I strongly recommend that you stick to these default settings.

You can find further information about all of these options by hovering over the title and even more details in the documentation that you can find at the akeebabackup.com web site.

With this default setting your web site is being protected automatically from many of the most common types of vulnerability that exist on the web.

The next tab covers Hardening options. Again I recommend that you leave these at the defaults unless you fully understand them.

Next is whether we treat failed logins as security exceptions. By default this is set to Yes and we will talk about security exceptions later.

In the cloaking tab you will find several options to hide the type of web site that you are running. Many people believe that it's good to hide the fact that you are using Joomla for your web site.

There are many ways you can identify a web site as running Joomla, one of which is the meta generator tag. If you wish, you can hide or customise this tag by setting this to "yes" and entering your own generator tag here. Perhaps as a joke you might want to set it to WordPress.

The next cloaking option will prevent someone from loading up a page on your website using a template parameter. I recommend you leave this setting at yes because in some circumstances they may see something that you didn't want them to.

Finally you will find the 404 shield. This ensures that any attempts to target URLs that are known to be attacked by hackers will be treated as security exceptions and logged accordingly, not as 404s.

Project Honeypot is an external application. It is designed to prevent people using contact forms for spam. You can find out more about Project Honeypot at their website following the link from here.

The final sections cover logging and blocking repeat offenders. Before blocking anyone you might want to ensure that users from a certain IP address or domains are never blocked by adding them to a whitelist.

Each time someone makes a failed attempt we log it, and after a defined number of attempts we block them from accessing our web site completely. The way to do this is by IP address.

An IP address is a unique number assigned to every internet connection. Of course this isn't perfect because a good hacker may well be using a randomised IP address, but it does prevent the script kiddie. So I recommend that you set this to yes.

Now we need to decide: do we want to email someone to say that there has been an automatic ban? I'd like to know that something is going on, so I'm going to put my own email address in there.

I can now choose what the trigger is for the ban. By default it is 3 attacks in 1 hour, but you can change that to whatever criteria you want, even to minutes or days. I usually set it to 3 attacks in 15 minutes.

Then it's how long you want to ban that person for. I don't want that person ever to reappear, so I'll put in a really large number in the number of days. And now when that person returns to my web site they will be blocked and the only thing they will see is this message which you can customise if you wish.
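As an added illustration of the repeat-offender logic just described (this is example code written for this page, not Admin Tools' own code), the following Python models the whole chain: a whitelist that is never counted, a count of security exceptions per IP address inside a time window, an automatic ban of a configurable length, an email notification, and the blocked response a banned visitor gets back. It assumes a sliding window and a whitelist of plain IPs or CIDR ranges; the log lines, addresses, reason labels and email address are constructed for the demo and are not Admin Tools' log format or reason codes.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RepeatOffenderBlocker:
    """Sliding-window auto-ban: `max_attacks` security exceptions from one IP
    inside `window` puts that IP on the block list for `ban_for`.
    Whitelisted IPs or CIDR ranges are never counted and never blocked."""

    max_attacks: int = 3
    window: timedelta = timedelta(hours=1)          # page's default: 3 attacks in 1 hour
    ban_for: timedelta = timedelta(days=3650)       # "a really large number" of days
    whitelist: list[str] = field(default_factory=list)
    notify_email: str | None = None
    block_message: str = "Your IP address has been blocked for repeated attacks."
    _hits: dict = field(default_factory=lambda: defaultdict(deque), init=False, repr=False)
    _bans: dict = field(default_factory=dict, init=False, repr=False)
    outbox: list[str] = field(default_factory=list, init=False, repr=False)  # stands in for mail()

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(entry, strict=False)
                   for entry in self.whitelist)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        expiry = self._bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                            # ban has lapsed: forget it
            del self._bans[ip]
            return False
        return True

    def record_exception(self, ip: str, now: datetime, reason: str) -> bool:
        """Count one logged security exception. Returns True if it triggers a ban."""
        if self.is_whitelisted(ip):
            return False
        hits = self._hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) < self.max_attacks or self.is_blocked(ip, now):
            return False
        self._bans[ip] = now + self.ban_for
        hits.clear()
        if self.notify_email:                        # "email someone about the automatic ban"
            self.outbox.append(f"To: {self.notify_email} | automatic ban of {ip} after "
                               f"{self.max_attacks} exceptions in {self.window}; last: {reason}")
        return True

    def handle_request(self, ip: str, now: datetime) -> tuple[int, str]:
        """What a visitor gets: 403 plus the (customisable) message, or 200."""
        return (403, self.block_message) if self.is_blocked(ip, now) else (200, "OK")

    def banned(self) -> dict[str, datetime]:
        return dict(self._bans)


# Constructed sample of security-exception log lines: "<ISO timestamp> <client IP> <reason>".
# Addresses are RFC 5737 documentation ranges; 198.51.100.0/24 plays the owner's office
# network, and the reason labels are illustrative, not Admin Tools' own reason codes.
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.0.2.44 sql-injection
2024-05-01T09:30:00 192.0.2.44 sql-injection
2024-05-01T10:00:00 203.0.113.7 sql-injection
2024-05-01T10:04:00 203.0.113.7 404-shield
2024-05-01T10:05:00 198.51.100.9 failed-login
2024-05-01T10:06:00 198.51.100.9 failed-login
2024-05-01T10:07:00 198.51.100.9 failed-login
2024-05-01T10:09:00 203.0.113.7 upload-shield
2024-05-01T10:20:00 192.0.2.44 sql-injection
"""


def replay(log: str, blocker: RepeatOffenderBlocker) -> dict[str, datetime]:
    """Feed log lines through the blocker in order; returns {ip: ban expiry}."""
    for line in log.splitlines():
        ts, ip, reason = line.split()
        now = datetime.fromisoformat(ts)
        if not blocker.is_blocked(ip, now):          # banned visitors never reach the filters
            blocker.record_exception(ip, now, reason)
    return blocker.banned()


def run_demo(window_minutes: int) -> tuple[list[str], int, int]:
    """Replay SAMPLE_LOG with a given window; returns (banned IPs, emails sent,
    HTTP status that 203.0.113.7 receives one month later)."""
    blocker = RepeatOffenderBlocker(window=timedelta(minutes=window_minutes),
                                    whitelist=["198.51.100.0/24"],
                                    notify_email="owner@example.com")
    banned = replay(SAMPLE_LOG, blocker)
    later = datetime.fromisoformat("2024-06-01T00:00:00")
    status, _ = blocker.handle_request("203.0.113.7", later)
    return sorted(banned), len(blocker.outbox), status


if __name__ == "__main__":
    print("3 attacks in 15 minutes:", run_demo(15))   # slow attacker 192.0.2.44 escapes
    print("3 attacks in 2 hours:  ", run_demo(120))  # a wider window catches it too
```

Two things the replay makes visible that the settings screen does not: the whitelisted office address racks up three failed logins in two minutes and is never banned, and the attacker who spaces requests out (192.0.2.44, one hit every 30 to 50 minutes) slips under a 15-minute or even a 1-hour window entirely. Widening the window to two hours catches that pattern, at the cost of more false positives from legitimate visitors who trip a filter a few times in an afternoon.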

There are a few different types of logging that Admin Tools offers you. The first one is less of a security issue and more of a tool to help you debug a code error although it can also indicate a site under attack.

If you enter your email address here then you will be notified with further details whenever there is a PHP error.

Next, it is possible to add a note for every single user to store the IP address that they used when they signed up. You may need to log this for regulatory purposes; if so, you should enable it.

Now is the main one which is logging the security exceptions.

Obviously we want to log them so this should remain set to yes. Again we can choose to send an email on every single security exception. If you want to apply this just enter your email address in here.

Personally I don't bother setting this, as there can be quite a lot of exceptions. They just mean someone has tried and failed. I only want to know if someone has been blocked.

However, you might want to choose to enable the next one - to send an email every time somebody logs in to your administrator.

Now if you've got a lot of administrators you probably don't want to set this. But if you are the only one and somebody is able to log in then that's a security issue and I'd want to know about it. So I'm going to enter my email address in there so that now if anybody logs in to the administrator of this web site I will be notified.

We can also set it to be notified on every failed attempt, but again, as with the security exceptions, there could be a lot, and do I really want to know about the failures?

Once you've set Web Application Firewall configuration exactly how you want it and made sure that you've read the documentation to understand what the settings are, press Save & Close and all those configured options for the Web Application Firewall are now in operation.
