I would like to make a request for more filters on the Security Exceptions Log. I currently have a site that has more than 50 log pages (100 per page) and it would be great if I could narrow down (in particular) and hide the IP's that have already been blocked so I don't have to sift through them to find bad ones to add to them.
#10072 Request for more filters
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by nicholas on Thursday, 20 October 2011 02:59 CDT
Wednesday, 19 October 2011 13:01 CDT
earthrat
Wednesday, 19 October 2011 17:17 CDT
nicholas
Akeeba Staff
Manager
I've explained in the past why it's not possible, but I don't mind doing that again :)
The blacklist doesn't allow you to only enter IP addresses. It is a very powerful tool which allows you to enter single IPs, IP ranges (from-to), IP subnets (IP/netmask) or CIDR blocks. As a result, we can not do a simple database query to figure out which IPs are excluded and which are not. We have to run all of the filters against each IP in order to know that. If you have 100 pages of 50 items each, we're talking about 5,000 records. Can you imagine loading these to memory and running the filters on each one of them? Not my idea of fun :) It would cause timeouts and memory outage errors in a heartbeat. Therefore, it is NOT possible to have a filter by IP addresses already excluded.
Furthermore, I have explained countless times that blocking IP addresses is the next more pointless thing to trying to drill a hole in the water. The vast majority of IP addresses are assigned dynamically, which means that the IP address which belongs to a hacker/spammer today will not belong to him in a month or even in a week. I seriously doubt if anyone ever goes back to his black-list to remove older IPs, so you pretty much end up potentially blocking legitimate visitors. Not to mention that if I were to hack you I'd use TOR and have a randomised IP on each of my requests. The only thing which DOES make sense is temporary ban of an attacker. This is what the automatic IP blocking feature does and this is what you need to set up on your sites.
The IP Blacklist has exactly one practical application: disallowing a specific network to access your site. This is rarely needed and even more rarely needed for a not-so-shady reason ;)
The blacklist doesn't allow you to only enter IP addresses. It is a very powerful tool which allows you to enter single IPs, IP ranges (from-to), IP subnets (IP/netmask) or CIDR blocks. As a result, we can not do a simple database query to figure out which IPs are excluded and which are not. We have to run all of the filters against each IP in order to know that. If you have 100 pages of 50 items each, we're talking about 5,000 records. Can you imagine loading these to memory and running the filters on each one of them? Not my idea of fun :) It would cause timeouts and memory outage errors in a heartbeat. Therefore, it is NOT possible to have a filter by IP addresses already excluded.
Furthermore, I have explained countless times that blocking IP addresses is the next more pointless thing to trying to drill a hole in the water. The vast majority of IP addresses are assigned dynamically, which means that the IP address which belongs to a hacker/spammer today will not belong to him in a month or even in a week. I seriously doubt if anyone ever goes back to his black-list to remove older IPs, so you pretty much end up potentially blocking legitimate visitors. Not to mention that if I were to hack you I'd use TOR and have a randomised IP on each of my requests. The only thing which DOES make sense is temporary ban of an attacker. This is what the automatic IP blocking feature does and this is what you need to set up on your sites.
The IP Blacklist has exactly one practical application: disallowing a specific network to access your site. This is rarely needed and even more rarely needed for a not-so-shady reason ;)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Wednesday, 19 October 2011 19:46 CDT
earthrat
Thanks for the info and know that the IPs that I am blocking on the site are repeat offenders and have tried hack the site 5 times or more. However with that comment (and not that I don't agree) then it leads me to ask why is it even there in the first place if it is pointless?
Thursday, 20 October 2011 02:59 CDT
nicholas
Akeeba Staff
Manager
There are cases where a specific IP may belong to an attacker for a long period of time (a week or a month), triggering a lot of security exceptions many times a day, all day long. In those cases you do need to block that IP address, hence the blacklist feature. As I said, it's a rare case, but it's a real one and I have to cover you for it, don't I?
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!