Help: Entire website blocked

[Wizard_TPG]

Guys,

I am recieving the following message on both my main joomla site and the administrator site.

Your IP address has been blocked because there were too many unsuccessful login attempts in a short time. Your IP address is: [ redacted ].

The ip address of [ redacted ] is my bluehost web server address.

I have a second joomla website on the same account that is running fine.
Both have the latest version of joomla

Things I have tried:
- Enabling debug (in configuration.ini) - Nothing shown
- Enabling error reporting to maximum - nothing shown
- Manually setting enable to 0 for any security plugins that I had installed in the database (bfstop, centrora and jhackguard)
- Replacing index.php with a very basic index.php (to test that php is not the issue) - worked fine

The website is http: [ redacted ]


Thanks in advance guys

[toivo]

Does your site use an extension to improve its security, for example Admin Tools?

[Wizard_TPG]

After my site was hacked last year I installed several security extensions.
bfstop
Centrora
jhackguard
Admin Tools

I have just got back form the doctor and everything is working now.
But this is the second time this week that this has happened so I really need to identify the cause.

[toivo]

Good to hear, the block must have timed out. This is a real problem because anyone can trigger the block if the IP address is the proxy server of your host, instead of the IP address of the end user.

The block may be originating from one of the first three extensions because the message displayed by the Web Application Firewall (WAF) of Admin Tools starts with ''You are a spammer, hacker or an otherwise bad person", unless it default message has been modified in the configuration of WAF.

If you have the installation packages of the three extensions, expand them and use a text search tool or just an editor and the language files to find the start of the message "Your IP address has been blocked". Once you locate it, read from the documentation of that extension how an IP can be removed from the blacklist.

It would be better to uninstall the extension found to be the culprit, because obviously it is not smart enough to detect correctly the source IP address from where the hack attempt or invalid login comes from.

[toivo]

It is also possible that the reverse proxy server or load balancer of your host produces incorrect request headers, which are then inspected by the security plugins.

You had already tried to disable those plugins but that did not seem to remove the block. Therefore you should talk to your host and find out about their reverse proxy server if it does some filtering and blocking.

[Slackervaara]

It might be BfStop that locked your out:
What can I do in case I have locked myself out?
Read this:
https://github.com/codeling/bfstop/wiki/FAQ

[JAVesey]

It might be BfStop that locked your out:
What can I do in case I have locked myself out?
Read this:
https://github.com/codeling/bfstop/wiki/FAQ

Good call - that message is from BruteForceStop.

Curious as to how the OP has ended up in this situation though; can only be that it's self-inflicted if it is BFStop. If gives you a countdown of attempts left then blocks the IP which must, by definition, be the Op's own IP.

One way round it would be to login via another device, e.g. a mobile phone over 4G, if the original attempts were via a device connected via wifi/local router, i.e. use a device with a different i.p. address.

[Webdongle]

Reboot your router and see if your ISP sets a different IP address. That should get you in. Also please viewtopic.php?f=806&t=969442

[Wizard_TPG]

It is also possible that the reverse proxy server or load balancer of your host produces incorrect request headers, which are then inspected by the security plugins.

I had a good look at the bfstop access attempt logs and I would say that toivo is on the money with his post.
The log shows login attempts from several users that I know are valid users but all attempting to connect from the same ip address, which happens to be the same address as the web host.

To fix the issue I have put my webhosts ip in the bfstop whitelist and this seems to have fixed the issue.

My site has been using bfstop for well over 12 months without issue and this has happened out of the blue. Because of this I would highly recommend other bfstop users to whitelist their webhost ip, just in case.

[JAVesey]

To fix the issue I have put my webhosts ip in the bfstop whitelist and this seems to have fixed the issue.

Good news

My site has been using bfstop for well over 12 months without issue and this has happened out of the blue. Because of this I would highly recommend other bfstop users to whitelist their webhost ip, just in case.

I've been using BFStop for about 6 years and not seen this before. You advice is sound