I have some questions about the blacklist:

How do I see why an ip address was blacklisted?

How is RSFirewall blocking an ip address?

My experience so far is that there is no automated adding of IP's to the Blacklist. You need to enter the RS Firewall control panel and manually add IP's if you wanted them blocked(Blackisted) or unblockable(Whitelisted).

Actually there's an option in RSFirewall! (go to Firewall Configuration > Active Scanner and enable "Automatic blacklisting").

I am running RSFirewall 1.4.0 Rev 46 on a Joomla 2.5.8 installation. I have automatic blacklisting on for /administrator, and it has not automatically blacklisted an attacker that has been at it for two days now. I also added the IP to the blacklist manually. It saves the IP to the blacklist, but still doesn't block the attacker. I continue to receive e-mails that the IP is attempting to log in roughly every 2 minutes. In past versions, when I blacklisted an IP, I no longer received the e-mail notifications. I assumed this was because once blacklisted the IP couldn't even get to the administrator directory and attempt a log in. Has something changed. Getting tired of the e-mail notifications.

If you have CAPTCHA enabled for the /administrator login you'll have to disable that - they don't work together. If you have CAPTCHA, blacklisting will not work, instead a CAPTCHA image will show up after the set number of failed logins.

That seemed to be the problem, thanks for the quick response.