#10067 Central IP blacklist for multiple sites using admin tools - feature request.

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 18 October 2011 10:05 CDT

davesage
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: n/a
PHP version: n/a
MySQL version: n/a
Host: (optional, but it helps us help you)
Admin Tools version: 2.1.10


Description of my issue:

Sorry, couldn't find a separate feature request board; feel free to move this topic if there is one.

I run multiple websites all using Admin Tools Pro. I had a thought this morning about a feature request. As I look through the WAF exception logs and add people to the IP Blacklist on my sites I thought, wouldn't it be good if all my sites' blacklists were linked together so that if I block an IP address on one site it is automatically added to my other sites' blacklists (or have some central repository)?

Not sure how feasible this is and how it might be implemented but I wonder if this might be a good feature?

Ignore me if this is silly. :-)

(You could do the same thing for central updates as well - but I'm sure I've already seen that somewhere.)

Cheers,

Dave

nicholas
Akeeba Staff
Manager
Hi Dave,

Well, it's been asked again, but it's not very practical. That would require one site to act as a "master server" and all other sites to act as "slave servers". Then, every time a page would load, the slave servers would have to query the master server if that's an allowed request. Not very practical; it would basically flood the master server and cause sites on the slave servers to become very slow. Why not just "sync" the blacklists? Trust me, bad idea. Any delay in sync could mean that someone who shouldn't be blacklisted is.

And it only gets more complicated the more you think about it :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

davesage
Hi, thanks for the quick reply and of course you've already thought this through far more than I had.

I was presuming the live lookup with a master and slaves would be a really bad idea but I thought the sync idea might have some mileage. At the moment with no sync there is a delay between the sites because actually they are unrelated, so I thought even if it synced by a cron job this would be better than nothing.

At least those IPs I've manually added to the blacklists would be replicated across my sites sort of semi-automatically.

I don't understand the 'someone might be blacklisted who shouldn't be'?

I think I just meant that if I have a list of blacklisted IPs that really are blacklisted then they could be shared across sites, sorry if I'm missing something obvious.

Anyway, keep up the good work,

Dave

nicholas
Akeeba Staff
Manager
Hi Dave,

There are actually two blacklists in Admin Tools. The first is that which you manage manually. The other is the one which is automatically managed, depending on the settings of the automatic IP blocking. The former can be set up to sync, the latter not really.

Syncing implies that we need to do server-to-server communication. This will happen in the clear, over plain HTTP. It's conceivable that a clever hacker can launch a man-in-the-middle attack (or compromise one of the sites) and figure out how the communication takes place. Then he can simply blacklist everybody, including you, and ask for ransom. Or he could blacklist you while he's hacking your site. So syncing is potentially dangerous and I'd like to steer clear of it.

Another issue is that you might blacklist an IP which was simply raising false positives. What if that IP belongs to a client who you want to demo your sites to? You want him to be removed from the blacklist a.s.a.p. This means that we'd have to support manual syncing as well.

How do you automate syncing? You can do that with a plugin which runs every few minutes, as long as there is adequate traffic. Experience shows that this is a BAD idea, as it slows down the traffic on your site when it runs, and it can wreak havoc anytime (trust me, you don't want to know just how many ways something like that may cause trouble). The other approach is using a CRON job, but experience shows that the vast majority of people either don't have access to it or can't follow the step by step instructions to schedule a CRON job - mostly because even though the instructions are step by step, they still require you to know a few advanced server administration bits to get PHP scripts to launch reliably through a CRON job.

I told you, the more you look at it, the less convenient it becomes :)

Nicholas K. Dionysopoulos
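
The tampering and "blacklist the administrator" risks raised in the reply above can be shown on the receiving side of a sync. This is an added example, not Admin Tools code and not part of the original thread; the function names, the shared key, the 300-second window and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
import time

MAX_SKEW = 300  # assumed: seconds a signed list stays acceptable


def sign_blacklist(ips, key, now=None):
    """Sender: serialise the manual blacklist and attach an HMAC-SHA256 tag."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"ts": ts, "ips": sorted(ips)}, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def accept_blacklist(msg, key, never_block, now=None, max_entries=1000):
    """Receiver: return the IPs that are safe to import, or raise ValueError."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    supplied = str(msg.get("mac", ""))
    # Constant-time comparison; a body altered in transit fails here.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("bad signature")
    data = json.loads(msg["body"])
    now = now if now is not None else time.time()
    # An old capture replayed later is rejected by the freshness window.
    if abs(now - data["ts"]) > MAX_SKEW:
        raise ValueError("stale or replayed list")
    # Cap the size so one sync cannot "blacklist everybody".
    if len(data["ips"]) > max_entries:
        raise ValueError("list too large")
    safe = [ipaddress.ip_network(net) for net in never_block]
    accepted = []
    for raw in data["ips"]:
        ip = ipaddress.ip_address(raw)  # ValueError on ranges or garbage
        if any(ip in net for net in safe):
            continue  # never import a block for the administrator's addresses
        accepted.append(str(ip))
    return accepted


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    # Constructed sample list using documentation address ranges.
    msg = sign_blacklist(["203.0.113.7", "198.51.100.23", "192.0.2.10"], key)
    print(accept_blacklist(msg, key, never_block=["192.0.2.0/24"]))
```

The tag gives integrity only, not confidentiality, and a compromised site that holds the key can still sign a list; the never-block set and the entry cap bound what such a list can do.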


davesage
Fair enough, I'll continue to trust that you're way ahead of me and that you'll add the features that work and not the ones that won't as you have done to this point - this just proves I'm well behind the curve.

Thought it worth a mention though just in case.

Cheers,

Dave

nicholas
Akeeba Staff
Manager
Well, it was a good suggestion, it's just the practicality of it that's not looking good. In any case, I'm here to think for you what makes more sense and develop what does make sense. If you were all doing this kind of impromptu feature analysis, I'd be out of business, right? :D

Nicholas K. Dionysopoulos


davesage
lol - hit the nail on the head Nicholas (as usual)!

and you do a very good job at it too :-)

nicholas
Akeeba Staff
Manager
Thank you for your kind words!

Nicholas K. Dionysopoulos

