Support

Admin Tools

#38076 Admins Tools > WAF > Exceptions

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
4.2.5
PHP version
8.0.25
Admin Tools version
n/a

Latest post by nicholas on Thursday, 24 November 2022 06:48 CST

Wednesday, 23 November 2022 12:15 CST

crazyhorse

Why are Amazons worldwide server IP addresses added to WAF exceptions? I certainly did not add them.

 

the only never block I have ever added was my own fixed IOP. Why would I want to never block Amazon servers? If they never do anything that would cause admin tools to block them there is no point in making the exceptions, surely. If they do try to behave badly isn't that the whole point of admin tools to block them? Or an I missing something? 

 

If they are not added by default I am at a loss as to how they got there, have I been hacked?

 Old and mostly in the way

Wednesday, 23 November 2022 13:27 CST

nicholas

I think that you are probably misreading or misinterpreting something. The only IPs allowed by default are those of CloudFlare and Sucuri, it's documented and you can remove them if you want to. Sucuri is using AWS servers so probably THAT is what you mean, not a list spanning several hundred lines with massive IPv4 and IPv6 blocks covering the entire AWS cloud... The idea behind this default is that some misconfigured sites (no reverse proxy setting in Global Configuration) would get everyone immediately locked out by blacklisting the IPs of these two caching CDNs / security proxies when ANY Vitor's access was considered suspicious. Once the site is set up correctly it no longer sees these IP addresses, it sees the IP address of the visitor.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 24 November 2022 02:38 CST

crazyhorse

My very basic understanding means I am almost certainly misinterpreting: Thank you for your clarification.

the address are :

34.250.7.114
34.250.203.214  
54.216.138.100 
54.216.114.117  
3.64.51.169  
52.62.227.180  
15.188.66.58  
13.50.31.157 
3.98.253.172  

And all belong to Amazon according to IP Lookup, hence Securi I guess but not Cloudflare IP addresses

 

 

 Old and mostly in the way

Thursday, 24 November 2022 03:29 CST

nicholas

It would help if you told me EXACTLY where you see these addresses. You claim they are in Web Application Firewall > WAF Exceptions but this is NOT an IP-based feature. The Web Application Firewall > Configure WAF > Exceptions > Never block these IPs does not contain any IP from the list you gave me by default. Is it possible that you are using a third party service on that site and you, or another Super User, added these IP addresses?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 24 November 2022 03:59 CST

crazyhorse

Sorry I should have been more explicit:

Admin tools > Web Application Firewall > Configure WAF > Exceptions  - see attached Image

I and pretty sure deleted all of these yesterday. I am the only superuser. 

I have watchful on the site but only as a regular user.

I have just deleted them all again and clicked on watchful's

"Do you use Admin Tools or RS Firewall?

Click the button below to whitelist Watchful in these firewalls."

And that did not add those IPS back in.

 

Admin tools > Web Application Firewall > WAF Exceptions  is empty

 

Logged out of Admin Backend ... logged in again  and the IP address have been added again to Admin tools > Web Application Firewall > Configure WAF > Exceptions

I guess it must be Watchful or something very strange 

 

 

 

 Old and mostly in the way

Thursday, 24 November 2022 04:13 CST

crazyhorse

Solved -- it is Watchful.. on their site they say:

 

Watchful uses a set of IP addresses to power our service, including addresses across the globe to accurately detect website uptime:

34.250.7.114/32
34.250.132.64/32
34.250.203.214/32
54.216.138.100/32
54.216.114.117/32
3.64.51.169/32
54.193.88.250/32
52.62.227.180/32
54.207.182.59/32
15.188.66.58/32
13.50.31.157/32
3.98.253.172/32
63.35.85.164/32

Sorry to have taken you time.
 Old and mostly in the way
Edited by crazyhorse on 2022-11-24 04:14 CST

Thursday, 24 November 2022 06:48 CST

nicholas

No problem!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!