Support

Admin Tools

#40520 Suspicious Activity Email

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
5.0.3
PHP version
8.1
Admin Tools version
7.4.9

Latest post by tampe125 on Friday, 05 April 2024 03:20 CDT

Tuesday, 02 April 2024 12:18 CDT

neo314

Hi Nicholas,

Can you clarify what triggers the suspicious activity email and whether or not there are settings to adjust its behavior? This does not seem to be in the email templates and it is unclear whether the terms in the documentation regarding "blocked requests" apply to this since the email for too many failed logins appears to be a different email.

We just started having end users login. I expected some failed login attempt issues, but this was the only issue so far. Not sure what triggered it.

 

Edited by neo314 on 2024-04-02 12:19 CDT

Wednesday, 03 April 2024 03:13 CDT

tampe125

Hello,

there are several reasons for a customer to be blocked. You can review the reason for the block inside the Blocked Requests Log and search for the IP address.

Davide Tampellini

Thursday, 04 April 2024 00:50 CDT

neo314

Good point about the log. Thanks. I think what I was looking for is some clarity on configuration issues. I have not needed to deal with large numbers of users with logins on Joomla while using Admin tools before. When I go over the documentation, it is not entirely clear to me where some triggers are. For example, 3 logins within 1 minute gets blocked. That makes sense and it is configurable.

Is there anywhere else where X number of failed logins, can also trigger a suspension? I was trying to figure out whether I had a couple of people actually try to login that fast, or if the issue was something else. In particular, one client got the rescue URL and not the "you look suspicious" response. I think the latter is the response you get for 3 tries within 1 minute, correct? So what triggers the "you got blocked" and "here is how to get a rescue link" email? I am certain this person was not trying to hack the site, fake an admin login, or trying to get into the back end.

The log did not really shed any light on this and I did not find another failed login configuration setting besides the X number of times within 1 minute setting. The documentation talks about blocked requests, but is that only logins or are other types of blocked requests included?

Friday, 05 April 2024 03:20 CDT

tampe125

Hello,

let me shed some light on the general concept of Admin Tools. Our extension will protect your website on several layers, both with the .htaccess file and with the system plugin.

The system plugin is a little more clever than the .htaccess file, since it allows us to perform some reasoning before blocking an IP. A visitor could trigger several different security exceptions, if they are configured to be logged and it pass the frequency threshold, it will be blocked.

For example, inside WAF Configuration, you can tell Admin Tools to treat failed logins as security exceptions. This means that a visitor that is failing to login will be handled as if he was creating a malicious request, therefore it will be blocked in the same way.

Moreover, in the Hardening Options tab, you can tell Admin Tools to disable a user after he failed to login for a specific amount of times.

Hope this helps.

Davide Tampellini

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!