Drupal 7 security improvement modules

Anton Ivanov

Roadmap● Spam protection● Site content access● Encryption● Permission and Registration● Login and Session● Useful modules

Spam protection

CAPTCHA● CAPTCHA ● Draggable Captcha

● KeyCAPTCHA● reCAPTCHA

Mollom● Text analytics● CAPTCHA service

Useful modules● Honeypot

– Hidden field

– Form fill time > 5s

● SpamSpan filter– mymail [at] example [dot] com

● Block anonymous links

Site content access

Node page view● Restrict node page view

– Nodes

● Rabbit Hole– Nodes, Users, Taxonomy terms

– 403, 404, Redirect, Display entity

Ban users● IP Ranges

– Black list

– White list

● GoAway– Redirect banned users to some page

– Permissions: Ban, Un-ban, Settings change

HTTPS● Secure Login

– Login or Any another form

● Secure Pages– node/*

– user/*

– admin/*

– Or any another path

Global content access● Content Access

– Node/Type CRUD Role/Author based

● ACL– Node/Type CRUD any User based

Substitution for protection● 403 to 404● User One

Encryption

Encryption● Field Encryption

– FIELD_ENCRYPT_CHANGEABLE = FALSE

● Encrypted Files– Upload destination: “Encrypted files”

● Webform Encrypt– Setup for every component

Encryption● DataBase Email Encryption

– Email Registration compatible

– Logintoboggan compatible

● Encrypt– encrypt()

– decrypt()

Permission and Registration

Registration● Password policy

– Many-many restrictions

● Registration codes– Import & Export

– Send to Email

Expiration● User Expire● Node expire

– Legacy mode

– Trigger “Content Expired” event

Protection● Administer Users by Role

– Role based user administration

● Username Enumeration Prevention– Username brute force / definition

● Permission watchdog– Logging any role any permission change

Login and Session

Login● Flood control

– Login attempts per IP restriction

– How long login per IP disabled

● Login Security– Attempts limit for account blocking

– Ban Login by IP

– Brute force attack detected Email

Login● Login Notify

– Disable ability login from some browser

– Email message with login details

● Login Activity– Successful login logging

– UID, User agent, IP, Date

● Restrict Login or Role Access by IP– User, Role, All users

Sessions● Session Limit

– Restrict user sessions qty

– Many-many actions on restrict

● Automated Logout– Different restrictions for roles

– Users can setup own timeout

Useful modules

Review and Detect● Hacked!

– Detect hacked contrib modules & themes

● Security Review– Site security settings test

– “Run checklist” for test

Protection● Security Kit

– Cross-site Scripting protection

– Cross-site Request Forgery protection

– Clickjacking protection

– HTTP Strict Transport Security (HSTS)

● Paranoia– Disable PHP execution via UI

Logging and alerts● Email logging and alerts

– Send Email to admin on error

● Web server logging– watchdog() message to error.log

● Watchdog triggers● Watchdog rules

Tips and Tricks● Username: administrator, admin, root● Disable (uid=1) if not used● No devel on Live● Disable registration if not needed

Thank You! Questions?

Anton Ivanov