Support

Admin Tools

#10170 Unable to block IP in AT

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by Mobilepro on Saturday, 24 December 2011 13:05 CST

Saturday, 24 December 2011 11:46 CST

Mobilepro
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)?Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.25
PHP version: 5.2.15
MySQL version: 5.0.92-community
Host: (optional, but it helps us help you)
Admin Tools version: 2.1.14


Description of my issue:

I'm getting these alerts from csf at least 50 times a day from the same IP that accesses two sites on my VPS server.

Time: Sat Dec 24 12:07:45 2011 -0500

PID: 20039

Account: xxxxxx

Uptime: 304615 seconds



Executable:



/usr/bin/php



Command Line (often faked in exploits):



/usr/bin/php /home/xxxxxxx/public_html/website.com/index.php



Network connections by the process (if any):



tcp: web_server_ip:54566 -> 69.164.219.150:80



Files open by the process (if any):



/usr/local/apache/logs/mod_jk.log

/usr/local/apache/logs/jk-runtime-status.6524 (deleted) /usr/local/apache/logs/jk-runtime-status.6524.lock (deleted)



I've added the IP (69.164.219.150) to the WAF black list on both sites but continue to see these alerts and see nothing in WAF that it's being blocked. Am I missing something as far as what's going on in looking at the alerts or shouldn't I be able to block this particular IP.

As a side note when I add that IP to csf deny list (currently 98 blocks in the list) on the server not only does it not block it but the TTFB for those websites jump to 20+ seconds making them effectively unusable. Not sure what that's about.

Thanks in advance for your insight.

Saturday, 24 December 2011 11:58 CST

nicholas
In order for the IP blacklist to be effective you need to also enable this feature in Configure WAF page.

That said, please do note the cascade of events: CSF is two layers of protection ABOVE Admin Tools' WAF. What I mean is that a request goes first through CSF, then goes through Apache's mod_security2, then goes through Admin Tools' WAF. Obviously, if CSF is sending you warning emails for some IP, adding it to Admin Tools' WAF won't stop those emails, as WAF will run after the request has gone through CSF.

Regarding your problem with the huge TTFB, it doesn't seem very logical. CSF is a kernel-level firewall, as it's making use of the iptables Linux kernel module. I've never seen an iptables filter causing this kind of dramatic difference in TTFB! Maybe you should call your host and let them know of this issue.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 24 December 2011 12:19 CST

Mobilepro
Thanks...I had put in a ticket already to my hosting provider about the csf/ttfb issue and the response was to contact the offending domain. That was really helpful support.

We might be referring to two different things. The email alerts aren't what I care about just to ability to block the IP. I had WAF configured to use the black list but never see that IP get to it. If it isn't blocked at the csf level( which it isn't) it should get to WAF I assume and get blocked there.

Saturday, 24 December 2011 12:28 CST

nicholas
Well, if you get an email from CSF, then the request is blocked there, which means that it never reaches WAF. If it had reached WAF, it would have been (silently) blocked, so you wouldn't know if it's blocked. The idea behind IP blocking in WAF is that you shouldn't be bothered by the blocked IPs ever again.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 24 December 2011 13:05 CST

Mobilepro
Sorry I should have been more specific. These emails I get from csf about this IP are "Suspicious Process Running..." alerts and not "IP blocking...". There's no indication in the logs that the IP is blocked by csf and it doesn't show in the csf firewall deny list.

I also have WAF set to email me alerts for security exceptions.

I don't want to eat up any more of your time on this...I really appreciate your support. I'll keep monitoring and see what I can come up with.

Thanks

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!