Firewall crosscheck whitelist IPs?

5 months 3 weeks ago - 5 months 3 weeks ago #7878 by azurelinksc
Firewall crosscheck whitelist IPs? was created by azurelinksc
Hola Jose,

This may be more of a Wishlist thing, but I'm submitting it to the Buglist forum since it may be a configuration setting I'm missing...

When a visitor does something that triggers any of the firewall filters and their IP address is added to the firewall log, does the firewall check with the whitelisted IPs before adding the record to the log? If not, I think it would be a good feature to add to SCP.

As you know, the attempts to crack into a site can be very numerous and I've found that often checking every single record in the log can be very time consuming. What I end up doing is viewing 100 records at a time, scrolling down quickly and looking for friendly usernames, and if none are seen, group select and add to blacklist. It is too time consuming to search for whitelisted IPs.

It would be very helpful and a real time saver if I could be sure that the firewall is checking with the whitelisted IP list first and if an IP is indeed whitelisted, it is NOT added to the firewall.

Does this feature exist, and if not, can you add it?

Thanks!
Last edit: 5 months 3 weeks ago by azurelinksc. Reason: Modified paragraph.

5 months 3 weeks ago #7879 by Jose
Replied by Jose on topic Firewall crosscheck whitelist IPs?
Hola azurelinksc! :)

An IP can be listed in more than one list; for example, you can have the same IP listed in whitelist and blacklist. What determines the firewall behaviour is the priority dropdowns (Waf configuration -> Lists -> Priority):


If First priority is blacklist, then this IP will no longer be able to access the website. If First priority is whitelist, then the IP will always be granted access to the website, no matter if you accidentally add it to the blacklist when reviewing logs.

Regards,
Jose
5 months 3 weeks ago #7880 by azurelinksc
Replied by azurelinksc on topic Firewall crosscheck whitelist IPs?
Thanks Jose,
This is a bit confusing. The most obvious priority settings would be to make the first priority: Dynamic Blacklist, second: Blacklist, and third: Whitelist. Though I think I might make it also Blacklist. In a firewall component, why would you ever set anything to whitelist anything automatically? In your opinion, is adding a feature so that the firewall automatically checks whitelisted IPs and does not add the attempt to the log, not a good idea?

5 months 3 weeks ago #7881 by azurelinksc
Replied by azurelinksc on topic Firewall crosscheck whitelist IPs?
Related to this topic, is there a setting in SCP which would display a message in the login panel that says "You have X number of login attempts left before you will be blocked."? And maybe also, after they are blocked, display another message which says "Please visit again after X minutes and try again."

5 months 3 weeks ago #7882 by Jose
Replied by Jose on topic Firewall crosscheck whitelist IPs?
You're welcome!

> In a firewall component, why would you ever set anything to whitelist anything automatically?

Although I added the OTP feature to avoid the blacklist securely, sometimes administrators are blocked and they can't access the site. Imagine what happens when someone with low experience in Joomla is blocked... This is why I added the whitelist. They can list their IPs there so they can always access the site. Take note that IPs are not added automatically: they must be added by an administrator.

> In your opinion, is adding a feature so that the firewall automatically checks whitelisted IPs and does not add the attempt to the log, not a good idea?

Yes, it's a good idea. In fact, the first thing that the firewall checks is whether the IP is in the whitelist. In this case no action is taken.

> Related to this topic, is there a setting in SCP which would display a message in the login panel that says "You have X number of login attempts left before you will be blocked."? And maybe also, after they are blocked, display another message which says "Please visit again after X minutes and try again."

I have seen this behaviour in other security products, but setting this in SCP would require a complete refactor of some code. I plan to add more info when someone is blocked in the future (for example, the message will show the IP so the administrator can easily unblock it in case of a false positive). Maybe I could also add your suggestion "Please visit again after X minutes and try again." if someone is blocked by dynamic blacklist.

Regards,
Jose

5 months 3 weeks ago - 5 months 3 weeks ago #7883 by azurelinksc
Replied by azurelinksc on topic Firewall crosscheck whitelist IPs?

> Although I added the OTP feature to avoid the blacklist securely, sometimes administrators are blocked and they can't access the site. Imagine what happens when someone with low experience in Joomla is blocked... This is why I added the whitelist. They can list their IPs there so they can always access the site. Take note that IPs are not added automatically: they must be added by an administrator.


Yes, I understand the need for the whitelist. I was commenting on what you said about Priority where you could set the first priority to Whitelist, which means any offending IP would be whitelisted, which makes no sense to me. Unless I'm misunderstanding how your Priority system works.

> Yes, it's a good idea. In fact, the first thing that the firewall checks is whether the IP is in the whitelist. In this case no action is taken.


This isn't the case for my sites. In my experience a record of a failed login or multiple concurrent logins (by Super Users) still appears in the firewall log, even though the user's IP exists in the Whitelist. Have I configured it incorrectly? By "no action taken" do you mean that even though a log record is created, the IP isn't blocked?

I usually visually scan for friendly usernames in the log, and if none exists, I group select and add to the blacklist. But that method will catch whitelisted IPs in the firewall log and blacklist them, too, which I don't want to do. I simply don't have time to scan for 8-10 whitelisted IPs each time I process the firewall log. So what I am asking is that if the IP is in the whitelist, that no log record be added at all.
Last edit: 5 months 3 weeks ago by azurelinksc.
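
The list-priority behaviour Jose describes and the whitelist-aware log clean-up azurelinksc asks for, modelled as an added example (not part of the thread and not SCP's code). The list names, the first-match rule as coded here, the log record format and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Hypothetical model of the three lists named in the thread; not SCP's code.
# All addresses are constructed (documentation ranges).
LISTS = {
    "whitelist": ["203.0.113.0/28"],
    "blacklist": ["198.51.100.7", "203.0.113.10"],  # .10 is in both lists
    "dynamic_blacklist": ["192.0.2.44"],
}

def in_list(ip, entries):
    """True if ip equals an entry or falls inside a CIDR entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def decide(ip, priority, lists=LISTS):
    """First list in `priority` that contains ip wins (assumed semantics)."""
    for name in priority:
        if in_list(ip, lists[name]):
            return ("allow" if name == "whitelist" else "block", name)
    return ("inspect", None)  # in no list: the normal filters apply

def triage(records, lists=LISTS):
    """Split log records into bulk-blacklist candidates and records held back
    because the source IP is whitelisted or cannot be parsed."""
    candidates, held = [], []
    for rec in records:
        try:
            hold = in_list(rec["ip"], lists["whitelist"])
        except ValueError:
            hold = True  # malformed address: keep for manual review
        (held if hold else candidates).append(rec)
    return candidates, held

# Constructed sample log records (the format is an assumption).
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "user": "admin_ana", "event": "failed login"},
    {"ip": "192.0.2.200", "user": "root", "event": "failed login"},
    {"ip": "203.0.113.10", "user": "super_bob", "event": "multiple sessions"},
    {"ip": "198.51.100.99", "user": "test", "event": "SQL pattern"},
    {"ip": "not-an-ip", "user": "", "event": "failed login"},
]

if __name__ == "__main__":
    print(decide("203.0.113.10", ["whitelist", "blacklist", "dynamic_blacklist"]))
    print(decide("203.0.113.10", ["dynamic_blacklist", "blacklist", "whitelist"]))
    cands, held = triage(SAMPLE_LOG)
    print([r["ip"] for r in cands], [r["ip"] for r in held])
```

In this model the priority order only changes the outcome for an address that appears in more than one list; an address in no list is never allowed or blocked by the order itself.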
