#10199 Constantly blocking my IP on Sign-in, but Signed in after deleted from _ipautoban

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by Randy Prue on Friday, 06 January 2012 20:51 CST

user54516
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? All Admin Tools Pro Setup
Joomla! version: 1.5.25
PHP version: (unknown)
MySQL version: 5.1.53-log
Host: Dreamhost
Admin Tools version: 2.1.14


Description of my issue:

Hello, I've recently installed Admin Tools and it continues to block whatever IP I'm working at. To work I have to keep my database open and constantly delete my IP from the _ipautoban. I have a hidden login setup, and if I sign in it blocks my IP. I go delete my IP from the database and go back and I'm signed in. Then if I go to Admin Professional and sign in that section, it will sign me in but then block my IP. I delete my IP and go back and I'm in. I'm sure I have a setting wrong, but I've gone through and can't see why it's marking me as a threat by signing in. I have a hidden login, so I do have treat failed logins as security exceptions set to NO. I also have Admin IPs only in Whitelist NO.

I'm getting hit constantly from someone in Scranton, PA so I'm hesitant to take down the Admin Tools. Any suggestions? Thanks for your help.

user54516
After changing the Configure WAF and clicking Save it kicked me out and blocked my IP.

user54516
It seems to fix the problem if I turn off the Secret URL Parameter, but I would really like to hide my login since it's getting hammered. I followed the simple renaming limitations it mentions during setup (example ab12). Any suggestions or is there another way to hide this login? Thanks for your help.

nicholas
Akeeba Staff
Manager
In order to stop Admin Tools from blocking you, you have to delete two things:
1. Your IP address from the "Automatic IP Blocking Administration"
2. All records referencing your IP from the "Security Exceptions Log"
You have to do that before re-activating the plugin. Please take a look at the troubleshooting instructions: https://www.akeebabackup.com/troubleshooter/atwafissues.html

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user54516
Thanks for your time Nicholas. I thought I was deleting my IP exceptions at the top of the list, but didn't realize they were mixed throughout pages of hack attempts. I searched for my IP address at the top and was able to delete them all. Things seem to be working now. Thanks again.

Quick question though, I feel like I'm building a wall here that's constantly getting pounded on by the same hackers from a specific city (Scranton, PA). Is there a recommended way to report them or take some kind of offense against them? It seems like sooner or later they'll get in if they're trying constantly.

Randy Prue
wad3brown (and Nicholas and anyone else who is interested). The Pennsylvania (Scranton and other cities and some New Jersey locations) attackers attempt SQL injection, occasionally RFI, and also occasionally attempt direct access to components that I do not have installed.

This leads me to believe that the attacks are scripted. Also, the direct component attempt is to /component/ not /components/ (Joomla does not install a directory called "component").

On the projecthoneypot site, many of the IP addresses and ranges are being reported as initiating these attempts. I am now blocking entire ranges.

I expect that a US citizen caught doing this would suffer severe consequences, so I suspect that the servers have been taken over from offshore.

Oh, and by the way, on two of six sites, when I go to Admin Tools > WAF > Blacklist, I am "thrown out" of the back end. I find myself in the front end of the site.

I have removed my IP address from the exceptions, and from the autoban, and I have added it to the white list.

This began to happen after:

* I restarted Chrome.
* I logged into all six sites for blacklist management (today's attacks from Pennsylvania).

nicholas
Akeeba Staff
Manager
That makes sense now :)

Regarding your question, I really like comparing to building a wall. I will now ask you this: if you had a 1 foot thick reinforced concrete wall, would you be bothered by someone pounding on it with rocks? He could try day and night for months and the wall would still stand there. That's what the attacker is doing. See this: https://www.akeebabackup.com/support/forum/admin-tools-support/hacking-attempts.html

Regarding reporting someone, your best bet is to use the ip-lookup.net service to find out who owns the IP (logically, their ISP), find their phone (yellow pages, their site, ...) and report the offender. They may require evidence. In this case, consult your host for the proper way to get Apache access logs showing all access attempts from the offending IP addresses.

nicholas
Akeeba Staff
Manager
Randy, I just saw your message. The /component/ thing is part of SEF URLs when you don't have a SEF component installed.

Regarding your issue, have you updated to 2.2.a1? If so, you'll need to update to the latest dev release or wait for me to launch a new alpha.

user54516
Ha! Well true, when you put it like that it does put me more at ease. The site does seem extremely secure now and as long as I can keep my plugins updated it should be fine. Thanks again, Admin Tools is a necessity for my sites from now on. We'll be updating to the full backup system soon as well.

user54516
Randy, I'm getting the same attempts on components I don't have installed. Good to know I'm not the only one this is happening to and this is getting attention. Thanks for the info.

Randy Prue
Hi. Sorry, I have had a lot of work to do. I am using 2.1.14 until I can get a stable release of 2.2.

I will go now to read the article that Nicholas pointed to. I am fascinated by all this.
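
The evidence-gathering step from Nicholas's earlier reply (Apache access logs showing all access attempts from the offending IP addresses), sketched as an added example that is not part of the original thread or of Admin Tools. It assumes the Apache common/combined log format; the function name, the sample log lines and the addresses (RFC 5737 documentation ranges) are constructed for illustration, and it accepts whole ranges as well as single IPs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Prefix shared by Apache "common" and "combined" formats:
# client identity user [timestamp] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def collect_evidence(lines, offenders):
    """Group raw log lines by client IP for clients inside the offending IPs/ranges."""
    nets = [ipaddress.ip_network(o, strict=False) for o in offenders]
    report = defaultdict(lambda: {"first": None, "last": None, "lines": []})
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed or truncated line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        if not any(ip.version == n.version and ip in n for n in nets):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report[str(ip)]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["lines"].append(raw.rstrip("\n"))  # keep the line verbatim as evidence
    return dict(report)

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.45 - - [06/Jan/2012:14:02:11 -0600] "GET /index.php?option=com_example HTTP/1.1" 403 512 "-" "scanner"
198.51.100.7 - - [06/Jan/2012:14:02:15 -0600] "GET / HTTP/1.1" 200 8312 "-" "Mozilla/5.0"
203.0.113.45 - - [06/Jan/2012:14:05:40 -0600] "GET /component/example/ HTTP/1.1" 404 310 "-" "scanner"
203.0.113.99 - - [06/Jan/2012:15:30:02 -0600] "POST /administrator/index.php HTTP/1.1" 403 512 "-" "scanner"
not a log line
""".splitlines()

if __name__ == "__main__":
    for ip, e in sorted(collect_evidence(SAMPLE_LOG, ["203.0.113.0/24"]).items()):
        print(f"{ip}: {len(e['lines'])} requests, {e['first']} to {e['last']}")
        for line in e["lines"]:
            print("   ", line)
```

The untouched log lines are what an ISP abuse desk will want, so the function returns them verbatim next to the first and last timestamps for each address.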
