Our tech blog is English, so the whole world can enjoy the drill :)
We’ve all heard or been given advice about security on Drupal sites: build safe queries and filter whatever input your environment receives. There are many contributed modules that help make sure your site is secure, and many of them stay hidden from “normal” Drupal users. That’s why I decided to write a blog post about these modules: what they do and when you should use them.
Depending on the site you’re building you might have to implement a user sign-in / registration page. This could be the Drupal default or a custom form. There are a few aspects to consider for forms like these:
- Secure connections (SSL)
- Password strength
- Flood control
- XFS (cross frame scripting)
#0) Secure connections (SSL)
The first problem can be countered by forcing SSL for the whole site or by using the Secure Pages module. The first option is the easiest to implement and requires no module: a slight tweak to your .htaccess file is usually enough. One caveat: if TLS terminates at a load balancer or reverse proxy, Apache never sees %{HTTPS} as "on", so the rule below would loop; in that setup test the X-Forwarded-Proto header the proxy sets instead.
# Goes inside the existing <IfModule mod_rewrite.c> block of Drupal's .htaccess,
# after "RewriteEngine on": send every plain-HTTP request to the same path over HTTPS.
# Use R=302 while testing; browsers cache a 301 permanently.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
The Secure Pages module lets an administrator enforce SSL on specific pages, forms or user roles instead of the whole site. Mixing HTTP and HTTPS pages only helps if the authenticated session cookie is never sent over plain HTTP, otherwise it can be sniffed just like the password; Drupal's mixed-mode session handling uses a separate secure cookie for this purpose.
https://www.drupal.org/project/securepages
#1) Password strength
The second problem concerns the “normal” users. They tend to choose an easy password because it is easy to remember, which also makes it easy to crack. To counter this you can use the Password Policy module. It lets an administrator define policies for passwords, which can contain the following settings:
- Expiration time: how long a password remains valid.
- Constraints: the requirements for a password, such as the number of characters and digits, a history of previous passwords that may not be reused, and whether or not the password may contain the username.
- Whether or not a user is blocked after his or her password has expired.
https://www.drupal.org/project/password_policy
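As an added illustration (this is not code from the Password Policy module), here is a minimal policy checker in Python that enforces the kinds of rules listed above: minimum length, digit and uppercase counts, no username inside the password, a history check against salted hashes of the user's previous passwords, and an expiry test. The thresholds, the 90-day lifetime and the low PBKDF2 round count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for this example; configure your own in the module's UI.
MIN_LENGTH = 10
MIN_DIGITS = 1
MIN_UPPER = 1
HISTORY_SIZE = 5                 # how many previous passwords may not be reused
MAX_AGE_SECONDS = 90 * 86400     # expiration time
PBKDF2_ROUNDS = 20_000           # deliberately low for the example; use far more in production
SALT_LEN = 16


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. History entries are stored in this form, so the
    'not one of your last N passwords' rule never needs the cleartext."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches_hash(password, stored):
    """Re-hash with the stored salt and compare in constant time."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


def check_password(password, username, history):
    """Return the list of violated rules; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if sum(ch.isdigit() for ch in password) < MIN_DIGITS:
        failures.append(f"at least {MIN_DIGITS} digit(s)")
    if sum(ch.isupper() for ch in password) < MIN_UPPER:
        failures.append(f"at least {MIN_UPPER} uppercase letter(s)")
    if username and username.lower() in password.lower():
        failures.append("must not contain the username")
    if any(matches_hash(password, old) for old in history[-HISTORY_SIZE:]):
        failures.append(f"must differ from the last {HISTORY_SIZE} passwords")
    return failures


def record_password(password, history):
    """Append the hash of a newly set password to the user's history (oldest first)."""
    history.append(hash_password(password))
    return history


def password_expired(changed_at, now=None):
    """Expiration rule: True once the password is older than MAX_AGE_SECONDS.
    Both arguments are Unix timestamps."""
    now = time.time() if now is None else now
    return now - changed_at > MAX_AGE_SECONDS


if __name__ == "__main__":
    history = record_password("Winter2015!", [])          # constructed previous password
    print(check_password("Winter2015!", "alice", history))  # reused -> rejected
    print(check_password("Alice12345!", "alice", history))  # contains username -> rejected
    print(check_password("Summer2014", "alice", history))   # accepted -> []
    print(password_expired(0, 91 * 86400))                  # True
```

Only hashes ever go into the history list; keeping old passwords in cleartext to implement a reuse rule would turn the policy itself into a liability.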
#2) Flood control
Even a strong password can in principle be cracked by brute force, trying combination after combination against the login form; in practice the method is used to find weak passwords. Flood control counters this. By default Drupal 7 allows 50 failed logins per IP address per hour and 5 failed logins per account per 6 hours, the latter counted per account and IP address pair, and refuses further attempts for the rest of the window. An attacker who keeps changing IP address therefore resets both counters. The Flood Control module lets an administrator change these defaults. It has the following options:
- Limit failed logins per IP address
- Limit failed logins per username
- Limit the number of e-mails sent (contact form)
For each option both the limit and the time window can be set.
https://www.drupal.org/project/flood_control
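To make the two counters concrete, here is an added Python example (not core's or the module's code) of the same sliding-window mechanism: failures are stored with an expiry time and only unexpired entries count, as in Drupal's flood table. Unlike core, the per-account counter below is keyed on the username alone, so an attacker rotating IP addresses does not get a fresh budget of guesses; the trade-off is that anyone can lock an account out for the length of the window, which is exactly why core keys it on account plus IP by default. The limits, the clock and the plaintext test account are assumptions for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed limits for this example. Drupal 7 core's defaults are 50 failures
# per IP per hour and 5 per account per 6 hours (the latter keyed on account + IP).
IP_LIMIT, IP_WINDOW = 50, 3600
USER_LIMIT, USER_WINDOW = 5, 6 * 3600


class FloodControl:
    """In-memory stand-in for Drupal's flood table: every failure is stored with an
    expiry time, and a check counts only the entries that have not expired yet."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so the windows can be tested
        self.events = defaultdict(list)     # (name, identifier) -> [expiry timestamps]

    def register(self, name, identifier, window):
        self.events[(name, identifier)].append(self.now() + window)

    def is_allowed(self, name, identifier, threshold):
        now = self.now()
        live = [exp for exp in self.events[(name, identifier)] if exp > now]
        self.events[(name, identifier)] = live     # drop expired entries while we are here
        return len(live) < threshold

    def clear(self, name, identifier):
        self.events.pop((name, identifier), None)


def attempt_login(flood, ip, username, password, credentials):
    """Gate a login attempt: IP budget first, then the account budget, then the
    credential check. Returns 'ok', 'denied', 'blocked-ip' or 'blocked-user'."""
    if not flood.is_allowed("failed_login_ip", ip, IP_LIMIT):
        return "blocked-ip"
    if not flood.is_allowed("failed_login_user", username, USER_LIMIT):
        return "blocked-user"
    # credentials is a constructed {username: password} dict for the example;
    # a real site compares against a salted hash, never a stored cleartext.
    if username in credentials and hmac.compare_digest(
        credentials[username].encode("utf-8"), password.encode("utf-8")
    ):
        flood.clear("failed_login_user", username)  # success resets the account counter
        return "ok"
    flood.register("failed_login_ip", ip, IP_WINDOW)
    flood.register("failed_login_user", username, USER_WINDOW)
    return "denied"


if __name__ == "__main__":
    flood = FloodControl()
    users = {"alice": "correct horse battery staple"}      # constructed test account
    for i in range(6):
        # the attacker rotates the source address on every guess; the sixth attempt
        # is still refused because the account counter ignores the IP
        print(attempt_login(flood, f"203.0.113.{i}", "alice", f"guess{i}", users))
```

The check order matters: testing the flood counters before the password means a blocked attacker learns nothing about whether the guess was right, and the successful-login reset keeps a legitimate user who mistyped a few times from being penalised for the whole window.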
#3) XFS (cross frame scripting)
The last security issue for user data is a bit trickier. A malicious site may load your login page inside an iframe. The user thinks he or she is visiting your site and logs in through the iframe; the attacker's page can lay invisible controls over the frame (clickjacking) or, in browsers with cross-frame scripting bugs, observe what is typed into it, which is enough to obtain the username and password. To stop other sites from framing yours you can install the Security Kit (SecKit) module. It sets the response headers that close a number of these holes:
- Cross-site scripting: Content Security Policy and the X-XSS-Protection header
- MIME sniffing: X-Content-Type-Options: nosniff, http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-i...
- Cross-site request forgery: requests are checked against the Origin header, http://en.wikipedia.org/wiki/Cross-site_request_forgery
- Clickjacking: X-Frame-Options plus a JavaScript/CSS fallback, http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clic...
- SSL/TLS: HTTP Strict Transport Security
After enabling the module, confirm the headers actually reach the browser (for instance with your browser's developer tools); a caching proxy or CDN in front of the site can strip or override them.
https://www.drupal.org/project/seckit
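As an added example (not SecKit's own code), the following Python function audits a set of response headers for the protections SecKit configures: a CSP frame-ancestors / X-Frame-Options check for clickjacking, a Content-Security-Policy script-src check, X-Content-Type-Options: nosniff, and a Strict-Transport-Security max-age. The two header sets are constructed for the example, one approximating a stock Drupal page and one approximating what SecKit emits once configured; the 180-day HSTS threshold is an assumption.

```python
HSTS_MIN_AGE = 180 * 24 * 3600   # assumed minimum max-age we are willing to accept


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security header; 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_headers(headers):
    """Return a list of (issue, explanation) tuples; an empty list means every
    protection this audit knows about is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("clickjacking", "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"))
    elif ancestors is not None and "*" in ancestors:
        findings.append(("clickjacking", "CSP frame-ancestors allows any origin"))

    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        findings.append(("xss", "no Content-Security-Policy restricting script sources"))
    elif "'unsafe-inline'" in script_sources:
        findings.append(("xss", "script-src permits inline scripts, which defeats most of CSP"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("mime-sniffing", "X-Content-Type-Options: nosniff missing"))

    if hsts_max_age(h.get("strict-transport-security", "")) < HSTS_MIN_AGE:
        findings.append(("tls", "Strict-Transport-Security absent or max-age shorter than 180 days"))
    return findings


# Constructed samples for the example.
DEFAULT_HEADERS = {                       # roughly what a stock Drupal 7 page sends
    "Content-Type": "text/html; charset=utf-8",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
HARDENED_HEADERS = {                      # roughly what SecKit emits once configured
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "no findings")
```

Feeding the function the headers of a live page (for example copied from a browser's network panel) turns the checklist above into something you can run after every configuration change; note that a CSP with frame-ancestors is honoured by current browsers in preference to X-Frame-Options, so setting both is the safe choice.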
#4) Idle Session Timeout
Security issues are not limited to user data; sometimes an account is compromised simply because the user never logged out. A passer-by or colleague can then use that account to do their dirty work. Logging the user out after a set period of inactivity prevents this. The Auto-logout module takes care of it: administrators set the idle time after which logout is enforced, and can even show users a warning right before their session expires.
https://www.drupal.org/project/autologout
#5) Concurrent Sessions
The same issue can occur within the auto-logout window when a user logs in from a different computer. To prevent multiple concurrent sessions you can add the Session Limit module. It can either refuse new sessions until the old one is closed, or close the previous session when the user creates a new one.
https://www.drupal.org/project/session_limit
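Added example, not the modules' own code: a small Python session store that applies both rules from the two sections above, an idle timeout as Auto-logout enforces it and a per-user session limit as Session Limit does, in either of its two modes (refuse the new login, or close the oldest session). The timeout and limit values are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle timeout and a concurrent-session limit.

    on_limit="reject"       -> refuse the new login until an old session is gone
    on_limit="close_oldest" -> drop the least recently used session and continue
    """

    def __init__(self, idle_timeout, max_sessions, on_limit="reject", now=time.time):
        if on_limit not in ("reject", "close_oldest"):
            raise ValueError("on_limit must be 'reject' or 'close_oldest'")
        self.idle_timeout = idle_timeout
        self.max_sessions = max_sessions
        self.on_limit = on_limit
        self.now = now                   # injectable clock (assumption for the example)
        self.sessions = {}               # sid -> {"uid": ..., "last_seen": ...}

    def _expire_idle(self):
        """Auto-logout rule: forget every session idle for longer than the timeout."""
        now = self.now()
        stale = [sid for sid, d in self.sessions.items() if now - d["last_seen"] > self.idle_timeout]
        for sid in stale:
            del self.sessions[sid]

    def active_sessions(self, uid):
        self._expire_idle()
        return [sid for sid, d in self.sessions.items() if d["uid"] == uid]

    def login(self, uid):
        """Session-limit rule, applied after expired sessions have been dropped."""
        active = self.active_sessions(uid)
        if len(active) >= self.max_sessions:
            if self.on_limit == "reject":
                raise PermissionError("already logged in elsewhere; log out there first")
            oldest = min(active, key=lambda sid: self.sessions[sid]["last_seen"])
            del self.sessions[oldest]
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = {"uid": uid, "last_seen": self.now()}
        return sid

    def touch(self, sid):
        """Call on every authenticated request. False means the session is gone (idle
        too long, or closed by a newer login) and the user must authenticate again."""
        self._expire_idle()
        if sid not in self.sessions:
            return False
        self.sessions[sid]["last_seen"] = self.now()
        return True

    def seconds_left(self, sid):
        """What an Auto-logout style warning dialog would count down from."""
        if sid not in self.sessions:
            return 0
        idle = self.now() - self.sessions[sid]["last_seen"]
        return max(0, int(self.idle_timeout - idle))

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900, max_sessions=1, on_limit="close_oldest")
    first = store.login(42)
    second = store.login(42)             # second computer: closes the first session
    print(store.touch(first), store.touch(second))   # False True
```

Closing the oldest session is the friendlier mode for users who forget to log out at home before logging in at work; rejecting the new login is the stricter one, since it also tells a legitimate user that some other session exists, which may itself be the first sign of a stolen password.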
#6) Nagios monitoring
The last module I’d like to mention is the Nagios module, which integrates a site into the Nagios monitoring system. The module reports to Nagios whether updates are available for core or contributed modules, whether the site's configuration is set up correctly, and a number of other security-related settings, so an outdated module shows up as an alert instead of waiting for someone to open the status report page.
The modules mentioned in this document are the following projects:
