AdminExile

1 year 1 month ago #55 by michael
michael created the topic: AdminExile
 There was once a free Joomla extension called JSecure and...

Your Joomla /administrator area is vulnerable to many forms of attack.  Without protection, anyone can begin a brute force attack by simply typing "/administrator" - That's too easy!!

Keep honest people honest, and keep everyone else OUT!  Secure your site with AdminExile

Any jackwagon can go to your website and type /administrator - that sucks.

AdminExile puts a stop to drive-by (and more serious) attempts to access /administrator. By using URL access keys (query parameters), attempts to access your /administrator login page will be met with either a redirect to your homepage, a 404 error, or a redirect somewhere else (I recommend https://www.nsa.gov or redirecting them to a huge file download like a Linux ISO image, that's always fun).

AdminExile Blocked Attempts

High volume attacks (hundreds and even thousands of hits) may drown out the lower volume attempts. There is rarely an hour where there are no attacks.

As you can see, the attacks come in waves. These numbers are coming from server logs generated by the logging feature of the 3 series. I put my server at risk by not blocking these attempts with the brute force protection feature - partly because I want this graph to reflect actual attack patterns, and partly because my AdminExile access keys are ridiculously long non-words.

Attackers eventually give up, because AdminExile doesn't give them any feedback. They must wonder - is this even a valid URL?

This image updates automatically every 5 minutes.

Packed with features (even the free version), AdminExile exists to serve one purpose - to protect your /administrator login page.

AdminExile Features:

Version 3.14 Features Free Pro
/administrator key and/or key+value URL Protection    
Prevent /administrator session cookie    
Block configured users from frontend login*    
Lost/Forgotten Link Recovery    
Failure Logging    
IPv4/6 Whitelist with CIDR capability    
IPv4/6 Blacklist with CIDR capability    
Bruteforce Detection and Blocking    
Bruteforce Notification Email    
Live data reporting    
    Download   36

Bug Reports

Documentation: Online

Total reviews: 137

*As of Joomla 3.7 - Frontend Restrictions are not operational. I am working on a solution to restore this functionality.


1 month 4 weeks ago #201 by slashdottom
slashdottom replied the topic: AdminExile
Like others, I too 'upgraded' (read: downgraded) AdminExile from version 2.3.7 to the latest 3.3, only to be very disappointed with the removal of features that have been available to us for a long time in 2.x versions, in particular the Brute Force / notification tab.

Although I very much appreciate Richey's work, moving features to the newly released Pro version that were already available to us and coded in existing versions is quite an annoying move. I can understand if IP6 support is added or other new features added, meaning more coding required, a paid for Pro version makes sense, but not making something available for such a long time and now taking it away.

Yes I understand everyone has to make money, fair enough, but this move just doesn't seem right, as already pointed out above. Perhaps a better approach might have been to create something new and leverage your existing extension's long standing user base to notify of such new products.

I'm left wondering if upgrading from version 3.3 back to 2.3.7 is a viable option, unless some security issue has been discovered. Unfortunate for newer users of Joomla! who will not have the previous version 2.3.7 software, but read the many articles across the interwebs that talk about the included brute force feature and possibly be enticed to seek out the older full featured version instead, likely leading to more sites being hacked and possible ramification of that; moving to another CMS, negative stats in news as a result of infected extensions, etc.

On a side note, similarly annoying is 'actively' typing this message in your forum and being told 'You have been idle for too long, and your session has expired.' I'm typing!... not idle, jeez. While I'm about it, what a distraction that large animated arrow-up.svg is, just saying.

Regards,
Tommy.
The following user(s) said Thank You: gaasen

1 month 3 weeks ago - 1 month 3 weeks ago #204 by michael
michael replied the topic: AdminExile
If you would like to re-write 2.3.7 for J3.x compatibility - go for it. I GPL'd it for a reason....if you can do it better, then by all means.

Several features stopped working after updates in J3.5. IP Security, as well as several of the options in Brute Force stopped working because of Javascript changes in Joomla - Frontend Restrictions stopped working because of authentication system changes. More features would have stopped working in the upcoming J3.7 release.

This is a complete rewrite with better performance and fewer server requirements (GMP is no longer necessary to support IPv6 - more code written to circumvent a missing PHP module that most hosts don't have installed). I completely rewrote the PHP and the admin interface Javascript. These things take up my time and I still released a free version. I spend time answering dozens of support requests for lost keys every week, and I still released a free version. I have to pay for bandwidth for these downloads, and I still released a free version!

I've been providing this software for free for a long time, and I'm still providing it for free. People who know what they're doing can use the free version along with software like Fail2Ban and IPTables to achieve exactly the same thing as the paid version provides. I don't use the pro version on my sites, because I run my own servers and I use other tools to fill those gaps.
Last Edit: 1 month 3 weeks ago by michael. Reason: typo
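
The post above mentions pairing the free version with log-based blocking tools such as Fail2Ban. The sketch below is an added example of that idea, not part of the thread and not AdminExile or Fail2Ban code: it counts /administrator requests that arrive without the access key and reports addresses that cross a threshold, skipping whitelisted CIDR ranges. It assumes a web server access log in combined format and the 404 response option; the key name `examplekey`, the thresholds, the whitelist and the log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ACCESS_KEY = "examplekey"  # hypothetical key name standing in for your own
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:1::/48")]
MAX_HITS, WINDOW = 3, timedelta(minutes=5)  # assumed thresholds
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def keyless_admin_hit(line):
    """Parse a combined-format line; return (ip, time) for a keyless /administrator 404."""
    m = LINE.match(line)
    if not m or m.group(4) != "404":  # assumes the 404 response option is in use
        return None
    target = urlsplit(m.group(3))
    if not (target.path.rstrip("/") + "/").startswith("/administrator/"):
        return None
    if ACCESS_KEY in parse_qs(target.query, keep_blank_values=True):
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # hostname instead of an address in the client field
        return None
    return ip, datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def offenders(lines):
    """IPs reaching MAX_HITS keyless hits inside WINDOW, whitelisted networks skipped."""
    recent, flagged = defaultdict(deque), []
    for ip, when in filter(None, map(keyless_admin_hit, lines)):
        if any(ip in net for net in WHITELIST):
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= MAX_HITS and str(ip) not in flagged:
            flagged.append(str(ip))
    return flagged

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /administrator/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:40 +0000] "POST /administrator/index.php HTTP/1.1" 404 512',
    '192.0.2.5 - - [01/Jan/2024:10:01:00 +0000] "GET /administrator/ HTTP/1.1" 404 512',
    '2001:db8:2::9 - - [01/Jan/2024:10:01:05 +0000] "GET /administrator/?examplekey HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2024:10:01:15 +0000] "GET /administrator/?admin=1 HTTP/1.1" 404 512',
]
print(offenders(SAMPLE_LOG))
```

Requests that do carry the key leave it in the access log's request line, so the log file needs the same protection as the key itself.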

1 month 3 weeks ago #205 by michael
michael replied the topic: AdminExile
By the way, the session timed out message is preceded by a "would you like to renew your session before it times out" message. Cancel one, suffer the other. Is that more annoying than allowing Joomla to operate normally - which would time out your session without warning?

That's another piece of software I released for free.

1 month 3 weeks ago - 1 month 3 weeks ago #238 by Nicola
Nicola replied the topic: AdminExile
Dear Michael,
I have used your AdminExile plugin for some years and I think that it has been great at protecting my websites. And it continues to do so.
I believe that I have to say thank you for your time and for your great plugin that is still free. It's right that whoever wants more features recognizes the small fee you ask.
So, thank you!
Last Edit: 1 month 3 weeks ago by Nicola.
The following user(s) said Thank You: michael

1 month 2 weeks ago #257 by danjde
danjde replied the topic: AdminExile
Hi Michael,
I've installed your very very useful Admin Exile plugin on Joomla 3.6.5 hosted on my VPS Debian Jessie.
Today, after upgrading Admin Exile to version 3.9, I realized that it is not possible to open the plugin options.
In fact, if I try to click on the plugin link (in the backend), I get only a white description page.
If I try to do the same with other plugins, everything seems to work fine.

I've cleared all kinds of cache with no results.

Could it be a misconfigured PHP server setting?

Many thanks!

Davide
Italy
