Drupal 7 security improvement modules
Anton Ivanov
Roadmap
● Spam protection
● Site content access
● Encryption
● Permission and Registration
● Login and Session
● Useful modules
Spam protection
CAPTCHA
● CAPTCHA
● Draggable Captcha
● KeyCAPTCHA
● reCAPTCHA
Mollom
● Text analytics
● CAPTCHA service
Useful modules
● Honeypot
– Hidden decoy field
– Form fill time must be > 5 s
● SpamSpan filter
– Obfuscates addresses, e.g. mymail [at] example [dot] com
● Block anonymous links
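The two Honeypot checks listed above, as an added Drupal 7 illustration (my own sketch, not the Honeypot module's code); the module name mysec, the protected form IDs and the decoy field name are assumptions.

```php
<?php
// Added example, not the Honeypot project's code. Module name "mysec",
// the list of form IDs and the decoy field name are assumptions.

define('MYSEC_MIN_FILL_SECONDS', 5);

/**
 * Implements hook_form_alter().
 */
function mysec_form_alter(&$form, &$form_state, $form_id) {
  // Only guard forms that anonymous visitors can submit (assumed IDs).
  $guarded = array('contact_site_form', 'user_register_form', 'comment_node_article_form');
  if (!in_array($form_id, $guarded)) {
    return;
  }
  // Decoy field: hidden from humans by CSS; a bot that fills every input sets it.
  $form['homepage_url'] = array(
    '#type' => 'textfield',
    '#title' => t('Leave this field blank'),
    '#default_value' => '',
    '#attributes' => array('style' => 'display:none;', 'autocomplete' => 'off'),
  );
  // Build timestamp, HMAC-signed with site secrets so a client cannot backdate it.
  $time = REQUEST_TIME;
  $sig = drupal_hmac_base64($time, drupal_get_private_key() . drupal_get_hash_salt());
  $form['mysec_time'] = array(
    '#type' => 'hidden',
    '#default_value' => $time . '|' . $sig,
  );
  $form['#validate'][] = 'mysec_form_validate';
}

/**
 * Rejects submissions that filled the decoy or came back too fast.
 */
function mysec_form_validate($form, &$form_state) {
  if (!empty($form_state['values']['homepage_url'])) {
    form_set_error('homepage_url', t('Submission rejected.'));
    return;
  }
  $raw = isset($form_state['values']['mysec_time']) ? $form_state['values']['mysec_time'] : '';
  list($time, $sig) = explode('|', $raw, 2) + array('', '');
  $expected = drupal_hmac_base64($time, drupal_get_private_key() . drupal_get_hash_salt());
  // Verify the signature first so a forged timestamp cannot bypass the delay.
  if ($sig !== $expected || REQUEST_TIME - (int) $time < MYSEC_MIN_FILL_SECONDS) {
    form_set_error('', t('The form was submitted too quickly. Please wait and try again.'));
  }
}
```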
Site content access
Node page view
● Restrict node page view
– Nodes
● Rabbit Hole
– Nodes, Users, Taxonomy terms
– 403, 404, Redirect, Display entity
Ban users
● IP Ranges
– Black list
– White list
● GoAway
– Redirect banned users to a chosen page
– Permissions: Ban, Un-ban, Settings change
HTTPS
● Secure Login
– Login form or any other form
● Secure Pages
– node/*
– user/*
– admin/*
– Or any other path
Global content access
● Content Access
– Node/Type CRUD, Role/Author based
● ACL
– Node/Type CRUD, any User based
Substitution for protection
● 403 to 404
● User One
Encryption
Encryption
● Field Encryption
– FIELD_ENCRYPT_CHANGEABLE = FALSE
● Encrypted Files
– Upload destination: “Encrypted files”
● Webform Encrypt
– Setup for every component
Encryption
● DataBase Email Encryption
– Email Registration compatible
– Logintoboggan compatible
● Encrypt
– encrypt()
– decrypt()
Permission and Registration
Registration
● Password policy
– Many different restrictions
● Registration codes
– Import & Export
– Send to Email
Expiration
● User Expire
● Node expire
– Legacy mode
– Trigger “Content Expired” event
Protection
● Administer Users by Role
– Role based user administration
● Username Enumeration Prevention
– Prevents username brute force / discovery
● Permission watchdog
– Logs any permission change for any role
Login and Session
Login
● Flood control
– Login attempts per IP restriction
– How long login per IP is disabled
● Login Security
– Attempt limit for account blocking
– Ban login by IP
– Email when a brute force attack is detected
Login
● Login Notify
– Disable the ability to log in from certain browsers
– Email message with login details
● Login Activity
– Successful login logging
– UID, User agent, IP, Date
● Restrict Login or Role Access by IP
– User, Role, All users
Sessions
● Session Limit
– Restrict the number of sessions per user
– Several possible actions when the limit is reached
● Automated Logout
– Different restrictions for roles
– Users can set up their own timeout
Useful modules
Review and Detect
● Hacked!
– Detect hacked contrib modules & themes
● Security Review
– Site security settings test
– “Run checklist” for test
Protection
● Security Kit
– Cross-site Scripting protection
– Cross-site Request Forgery protection
– Clickjacking protection
– HTTP Strict Transport Security (HSTS)
● Paranoia
– Disable PHP execution via UI
Logging and alerts
● Email logging and alerts
– Send Email to admin on error
● Web server logging
– watchdog() message to error.log
● Watchdog triggers
● Watchdog rules
Tips and Tricks
● Don't use the usernames administrator, admin or root
● Disable user 1 (uid=1) if not used
● No devel on Live
● Disable registration if not needed
Thank You! Questions?
Anton Ivanov