#9790 htaccess and denying blocks of IPs

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Thursday, 17 March 2011 06:37 CDT

user6500
Gents,

I utilized the htaccess maker to make a basic htaccess file for my site www.nevadanavy.com. The site's administrator has been under attack periodically by a bunch of IPs centered around Ankara. [I have jsecure, happily, but I want to fence these guys out. They can't not succeed forever.]

So I installed a block of code in the 'custom' section of htaccess maker. (See htaccess file attached.)

Good news is that it doesn't crash the site. Bad news is that it does not block the listed IPs. [I tested it by inserting my own IP to be blocked; it didn't. And the Turks came the following morning and had no trouble attacking the administrator.]

So, I did something wrong. Any insights would be greatly appreciated before the next Turk attack.

--Ed

nicholas
Akeeba Staff
Manager
I've got two better alternatives for you in version 2.0.1.

First alternative, blocking Turkey. Just go to Admin Tools, Web Application Firewall, Geographic Blocking. Click on the checkbox next to Turkey and save. Say goodbye to web visitors from Turkey :)

Second alternative, IP blacklisting. Just go to Admin Tools, Web Application Firewall, Security Exceptions Log. Filter by Admin Query String. Take a look at the IPs. Below each one there is an "Add to black-list" link. Click on it and the IP is added to the black list. These IPs will never get to access Joomla! again.

Why write .htaccess rules when it's all available through a nice GUI? ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user6500
Nicholas-

Great suggestion. I was just plowing through .htaccess and this is a great solution. Two items:

1. First, as you suggested, I blocked the country of Turkey. Which is good. Is there a way to test this, other than never hearing from anyone in Turkey again? Sort of like proving the refrigerator light goes out when you close the door.

2. I also tried, secondly, the Security Exceptions Log with the admin query, giving a time period of a year. No data were returned. Just wondered if that was normal since the Turks have been hammering me for a year. Thought there would be something---but maybe I didn't do it correctly.

Anyway, thanks for the empowerment. Slamming the door on their fingers is particularly satisfying.

--Ed

nicholas
Akeeba Staff
Manager
1. Visits from Turkey will be logged as a "Geo Block" security exception in the log. If they never visit you from Turkey, you'll never know it works.

2. Have you turned on security exception logging from the WAF Configuration page?

user6500
Nicholas,
First, thanks for your time. Installed the Geo-block, and I'll find out when and if the Turks come back. I did get a Security Exception already, the log giving the reason as 'bad behaviour'. Does that mean that the IP cited, which is 188.72.230.156, is now blocked? I assume not, so I blacklisted it, assuming 'bad behavior' as something that ought to be blacklisted.

Lastly, with respect to htaccess maker, it seems to cover a number of the items that are already covered by Admin Tools. WAF seems to make htaccess redundant, no?

Anyway, thanks very much for your insight.

Ed

nicholas
Akeeba Staff
Manager
"Bad Behaviour" means that the Bad Behavior library considered the request suspicious. Do note that BB may occasionally report false positives. I generally use the auto-ban option in the bottom section of WAF's config page to automatically ban repeat offenders after 3 security exceptions in a predetermined amount of time.

Regarding the cross-coverage of features between .htaccess Maker and WAF, it's not exactly so. The .htaccess Maker will protect ALL requests made to the web server, no matter if they are handled by Joomla! or not. On the other hand, WAF settings only apply when a Joomla! index.php page is called. IMHO, you can never be too safe ;)

user6500
Nicholas,

Again, thanks for your time, and not to waste your time---I am amazed, having put WAF in effect, that there are so many attacks on my site www.nevadanavy.com. It's not like I'm GE or Bank of America or the Pentagon. I'm not giving away tickets to the Super Bowl or selling gold at $15.00 an ounce. But in one day I got one whacko in Kenmore, Washington displaying 'bad behaviour' with at least a dozen attacks from different IPs. What, don't these guys have a sex life? This is what they do with their spare time? Amazing. Now I'm going to add an htaccess file. I had no idea there were so many losers out there. In addition to Turks.
So, thanks for creating Admin Tools Pro. I'll vote for you guys and Admin Tools as the best extension anytime!

--Ed

nicholas
Akeeba Staff
Manager
There are two reasons for Bad Behaviour firing other than real spammers and hackers:
1. Genuinely suspicious behaviour. This is usually attributed to teens who got their hands on a generic hacking script and try it on all sites they can get their hands on, a.k.a. "script kiddies". In this case, a cool off period of a few hours is enough to divert their attention to somewhere else.
2. A misconfigured browser or an ISP-assigned dynamic IP address which used to belong to a hacker.

I always give users the benefit of the doubt. If they cause too many attacks to be registered, I boot them for a few hours to make sure that if that was a genuine attack, it'll be thwarted ;)

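The auto-ban policy described in the replies above (a temporary ban after 3 security exceptions inside a time window, lifted after a few hours) can be sketched as follows. This is an added example, not Admin Tools code or part of the ticket; the log line format, the one-hour window, the three-hour ban and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "date time ip reason". Addresses are RFC 5737
# documentation ranges; none of these lines come from the ticket.
SAMPLE_LOG = """\
2011-03-16 08:00:05 192.0.2.10 Bad Behaviour
2011-03-16 08:01:40 198.51.100.7 Geo Block
2011-03-16 08:02:10 192.0.2.10 Admin Query String
2011-03-16 08:03:30 192.0.2.10 Bad Behaviour
2011-03-16 08:04:00 192.0.2.10 Bad Behaviour
2011-03-16 09:30:00 203.0.113.5 Bad Behaviour
2011-03-16 11:45:00 203.0.113.5 Bad Behaviour
2011-03-16 12:10:00 192.0.2.10 Bad Behaviour
2011-03-16 14:50:00 203.0.113.5 Bad Behaviour
"""

def parse(log_text):
    """Yield (timestamp, ip, reason) from 'YYYY-MM-DD HH:MM:SS ip reason' lines."""
    for line in filter(str.strip, log_text.splitlines()):
        day, clock, ip, reason = line.split(maxsplit=3)
        yield datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), ip, reason

def replay(log_text, threshold=3, window=timedelta(hours=1),
           ban_for=timedelta(hours=3)):
    """Return (decisions, ban_expiry) after replaying the log in time order."""
    recent = defaultdict(deque)   # ip -> exception timestamps inside the window
    ban_until = {}                # ip -> time the temporary ban ends
    decisions = []
    for ts, ip, _reason in sorted(parse(log_text)):
        if ip in ban_until and ts < ban_until[ip]:
            decisions.append((ip, "blocked"))   # still in the cool-off period
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:            # forget exceptions older than the window
            hits.popleft()
        if len(hits) >= threshold:
            ban_until[ip] = ts + ban_for        # temporary ban, not a permanent blacklist
            hits.clear()
            decisions.append((ip, "banned"))
        else:
            decisions.append((ip, "logged"))
    return decisions, ban_until

if __name__ == "__main__":
    for ip, verdict in replay(SAMPLE_LOG)[0]:
        print(f"{ip:15} {verdict}")
```

With these settings the address that triggers three exceptions in four minutes is banned and is allowed back once the ban expires, while the address whose three exceptions are spread over five hours is only logged, which is how a windowed threshold limits the impact of occasional false positives.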
