-
Notifications
You must be signed in to change notification settings - Fork 21
Feature Descriptions
BFStop's features and the respective configuration options are documented here. Note that you can also get information on each setting by hovering over its label with the mouse in the plugin configuration (Joomla 3); or they are shown below the respective input fields after pressing the "Toggle Inline Help" button (Joomla > 4).
See also the Configuration page.
BFStop blocks an IP address if it sees too many failed login attempts from that address. This process can be completely configured.
- The Block Duration setting determines how long a typical block will take; if any option other than "unlimited" is chosen, the block will be lifted after the specified period. See also the Permanent after option for a special case of blocks which are permanent even if something else is specified here. The default is to block for 24 hours.
- The Block threshold setting determines how many unsuccessful login attempts lead to a block; the interval checked for such attempts can be configured via the Check interval setting, see below. The default is to block after 10 attempts.
Advanced blocking options:
- Active for: In case you only want to use BFStop for logging and/or blocking either Frontend or Backend, you can configure this here. By default, BFStop will protect the Backend as well as the Frontend from Brute Force attacks.
- Enable Blocking: In case you only want to use BFStop for logging the failed login attempts, you can disable blocking with this setting. By default, blocking is enabled.
- Permanent after determines after how many temporary blocks (for the duration specified via Block Duration, see above), an IP address is blocked permanently.
- Check interval: The interval for which failed attempts from the same IP address are considered for blocking. If this is set to one day, a user could try the number of attempts specifwhenied under Block threshold in a single day before getting blocked. The default is "unlimited" (this setting was introduced with BFStop 1.5.0; previously the Block Duration was also used for this purpose).
-
Blocked message: A custom message to be shown once a block is in place. The default message is "Your IP address has been blocked because there were too many unsuccessful login attempts in a short time.".
- Show IP: if enabled, the client's IP as perceived by the server is shown in the blocked message. By default, this is disabled
- Use HTTP Error: When enabled, BFStop will send a 403 (Forbidden) HTTP status code when a blocked client tries to access Joomla!. Otherwise, the status code will be 200. By default, this setting is enabled.
These settings can be configured via the BFStop page in the Plugin section (on the "Plugin" and "Advanced" tabs), or, starting with BFStop 1.5.0, also via the BFStop component page.
when
BFStop can be configured to use an .htaccess file for blocking for better performance (since then the block is already happening at the webserver level without invoking Joomla!). These are the options affecting this feature:
- Use .htaccess: when this is enabled and BFStop blocks an IP, it will try to enter it into a .htaccess file. For the path to the .htaccess file, see the ".htaccess path" option below. By default, this option is disabled.
- .htaccess path specifies the path to the .htaccess file used for blocking (in case "Use .htaccess" is enabled). If empty, the root of the Joomla! installation will be used. Specify the full path to the desired .htaccess file here as a local file path. For the blocking to take effect, you have to make sure yourself that the .htaccess file resides in the Joomla! directory or in some directory above it. Note: Enabling blocking via .htaccess prevents unblock links sent out to users via the User Block Message option (see below) from working! when
To support legitimate users, BFStop can show additional hints. There are three options for this:
- Remaining attempts (on "Advanced" page) shows a message about the number of attempts a user has before he will get blocked. Note that this might also help attackers better plan their attempts. By default, this is disabled.
- Passwort reset reminder (on "Advanced" page): Users can be shown a message to rather use the reset password feature than risk getting blocked. This can be configured here to be shown either never, always, or when 1 or 2 attempts are left. The default is to not show this message.
- User Block Message (on "Notification" page): Sends an email to the registered email if an IP address was blocked using an existing user name. This email provides an unblock link (clicking on this link in the mail leads to the block being lifted). Note: Unblocking does not work if blocking via .htaccess is enabled (see above), as this prevents also the unblock link from getting through to Joomla.
This feature is intended to be a measure against distributed attacks, it is accessible through the "Delay" configuration page.
If enabled, then the more failed logins there are per hour (in general, not necessarily from a single IP), the longer the delay that's used before a failed login response is shown. Every failed login response message is per default delayed for the standard Delay time (if a value other than 0 is specified there). As soon as the attacks per hour go over the Minimum threshold, the adaptive threshold linearly increases, and reaches the maximum of Maximum delay seconds when Maximum threshold is reached.
When Adaptive delay is set to disabled (as it is by default), all settings below don't have any effect, only the Delay is also used by itself for delaying the response to each failed login attempt.
This adaptive delay procedure is also described in the mouse-over-hint for Adaptive delay. A short discussion of each parameter is given in the mouse-over hints.
The unit of all delays (Delay, Maximum delay) is seconds.
The unit of Minimum threshold and Maximum threshold is attacks per hour.
For upcoming versions there are plans to improve the defence against distributed attachs through adaptive failed login allowances (which are probably more effective than delaying response), see here: #76
Over time, BFStop's log of failed login attempts can grow quite large. Therefore, it has built-in capabilities to prune old entries. Use the following setting to enable pruning:
- Prune old attempts determines the number of weeks that entries are kept for. Pruning will delete all entries that are older than the given amount of weeks. If set to 0, pruning is disabled (this is the default).