Support

You can use Admin Tools' built-in “Add persistent offenders to the IP Disallow List” feature to do this automatically. You just need to enter the same criteria you'd use in your manual trawling through the logs. Conversely, you can add known-good IP addresses in the “Never block these IPs” list to prevent them from being blocked at all in the first place. It does not make sense manually handling that step. Why are you using Admin Tools if you don't make use of its automation? It makes no sense.

If you want, you can export the #__admintools_ipblock tables across all your sites to CSV, TSV, or Excel format using phpMyAdmin or a similar tool. You could then import, sort, and filter the list and create a master list you could import (via phpMyAdmin) on all of your sites.

> Assuming that I have "Disallow site access to IPs in the IP Disallow List" set to Yes and "Add persistent offenders to the IP Disallow List" set to Yes in my WAF Configuration then anyone that tries to attack my site will be added to the Blocked Request Log and potentially the Auto I.P. Blocking Administration

Correct. That's what it does. If the limit you've set up is, say, 3 attacks in 10 seconds then if an IP produces three or more attacks within a 10 second window it gets auto-blocked for the duration you have specified, e.g. 5 minutes.

> This will also trigger an email to be sent giving the reason for the block.

Yes, but we'll get there.

> If the attacker continues to attack my site after being "Permanently disallow IP after automatic IP blocks" then that I.P. will be added to the Site I.P. Disallow List. Correct? 

If the continue attacking you after the auto-block IP expires then their attacks are added again to the blocked requests log. If they hit the limit their IP gets auto-blocked, again, and a new auto-blocked IP is recorded.

If there is a number of auto-blocked IP entries for the same IP address within the period you specified (e.g. 3 in one day) then their IP is permanently banned.

> Doesn't this make the emails redundant? 

Emails are always redundant. They are only meant to be used as a crutch during development or as a troubleshooting tool. The idea is that when you are setting up Admin Tools for the first time for a site you will very rarely get it right the first time. You will keep getting yourself and other people testing the dev site blocked. You need the emails to figure out who got blocked and, in case you block yourself, how to unblock yourself.

After this initial period you should remove the email address from the fields in the Logging and Reporting page and only refer to the Blocked Requests Log page. After all, at this point you know how to unblock yourself, or at least where in the documentation to look for this information.