Cracking Drupal - extra security en Contributed modules for Securing your Site <p>Among the thousands of modules on there are over 100 in the <a href="">security</a> category. Unfortunately, some of those are abandoned or inaccurately tagged. We've looked at every module and compiled this resource to help you understand the security-related community modules available. Not all modules provide security exactly; some are about hardening your site against weaknesses, and others are about monitoring and reporting abuses.</p> <p>This list will stay up-to-date as new modules are added and we will be expanding it for usefulness and to include our assessment of each module's capabilities.</p> <h2>Login and session</h2> <ul> <li><a href="">Persistent Login</a> <ul> <li>How long, how many, and on what pages login is remembered</li> </ul> </li> <li><a href="">Single Login</a> <ul> <li>Detect and prevent duplicate logins</li> </ul> </li> </ul> <h2>Password</h2> <ul> <li><a href="">Login Security</a> <ul> <li>Limit unsuccessful logins, ban by IP, notifications</li> </ul> </li> <li><a href="">Password change confirm</a> <ul> <li>Require existing password before changing password</li> </ul> </li> <li><a href="">Password Require</a> <ul> <li>Require a password for submitting any form</li> </ul> </li> <li><a href="">Password sentry</a> <ul> <li>Track logins</li> </ul> </li> <li><a href="">Password Strength</a> <ul> <li>Check and enforce password strength</li> </ul> </li> <li><a href="">Password Expire</a> <ul> <li>Passwords expire after a set time</li> </ul> </li> <li><a href="">Password Policy</a> <ul> <li>Enforce password strength</li> </ul> </li> <li><a href="">Salt</a> <ul> <li>Prepend a "salt" to passwords prior to storage (Not needed in Drupal 7)</li> </ul> </li> <li><a href="">Secure Password Hashes (phpass)</a> <ul> <li>Store password hashes using phpass instead of MD5 (Not needed in Drupal 7)</li> </ul> </li> </ul> <h2>Authentication</h2> <ul> <li><a href="">PassWindow</a> 
<ul> <li>Two-step authentication via visual decoding with physical card</li> </ul> </li> <li><a href="">OpenID</a> <ul> <li>Authentication via OpenID service (in core Drupal 6)</li> </ul> </li> <li><a href="">Swekey</a> <ul> <li>Two-step authentication using USB key</li> </ul> </li> <li><a href="">Windows Live ID</a> <ul> <li>Authentication via Windows Live</li> </ul> </li> <li><a href="">YubiKey</a> <ul> <li>Two-step authentication using USB key</li> </ul> </li> </ul> <h2>Analysis</h2> <ul> <li><a href="">BadBehavior</a> <ul> <li>Monitor traffic and block spambots or malicious requests</li> </ul> </li> <li><a href="">GoAway</a> <ul> <li>Lightweight ban by IP</li> </ul> </li> <li><a href="">HTTP Black List (http:BL)</a> <ul> <li>Implement the http:BL in Drupal, blocking requests from blacklisted IPs</li> </ul> </li> <li><a href="">MD5 Check</a> <ul> <li>Create MD5 checksum of all Drupal files and monitor for alterations</li> </ul> </li> <li><a href="">PHP Intrusion Detection System (PHPIDS)</a> <ul> <li>Implement the PHP Intrusion Detection System for monitoring and alerting for malicious visitors</li> </ul> </li> <li><a href="">Remote File Inclusion Report</a> <ul> <li>Record attempts to have remote files included in Drupal</li> </ul> </li> <li><a href="">Security Review</a> <ul> <li>Check for misconfiguration that leads to an insecure site</li> </ul> </li> <li><a href="">Security scanner component for SimpleTest</a> <ul> <li>Penetration test your site</li> </ul> </li> <li><a href="">Troll</a> <ul> <li>Track and ban IPs</li> </ul> </li> </ul> <h2>Secure communications</h2> <ul> <li><a href="">Client Side Encryption (cse)</a> <ul> <li>Encrypt data transfer between browser and server</li> </ul> </li> <li><a href="">OpenPGP</a> <ul> <li>Encrypt outgoing emails</li> </ul> </li> <li><a href="">Secure by role</a> <ul> <li>Force certain pages over SSL</li> </ul> </li> <li><a href="">Secure Pages</a> <ul> <li>Force certain pages over SSL</li> <li><a href="">Secure Pages 
Prevent Hijack</a> - Prevent hijacked sessions from accessing secure pages.</li> </ul> </li> </ul> <h2>Anti-spam and protection</h2> <ul> <li>Prevent spam submissions <ul> <li><a href="">CAPTCHA</a></li> <li><a href="">reCAPTCHA</a></li> <li><a href="">CAPTCHA Pack</a></li> <li><a href="">Egglue CAPTCHA</a></li> <li><a href="">Captcha Riddler</a></li> <li><a href="">Mollom</a></li> <li><a href="">Akismet</a></li> <li><a href="">Spam</a></li> <li><a href="">Block anonymous links</a></li> <li><a href="">BlogSpam</a></li> <li><a href="">VidoopCAPTCHA</a></li> <li><a href="">Spamicide</a></li> </ul> </li> <li><a href="">Email2Image</a> <ul> <li>Obfuscate emails by displaying them as images</li> </ul> </li> <li><a href="">Secure Permissions</a> <ul> <li>Control access to the permissions setting page</li> </ul> </li> <li><a href="">Spamspan Filter</a> <ul> <li>Obfuscate emails</li> </ul> </li> <li><a href="">GTSpam</a> <ul> <li>Obfuscate emails</li> </ul> </li> <li><a href="">Paranoia</a> <ul> <li>Disable some of Drupal's features not necessary for all sites, like the PHP input filter.</li> </ul> </li> <li><a href="">Paranoid Form Validator</a> <ul> <li>Reject form submissions containing potentially dangerous input</li> </ul> </li> </ul> contributed modules extra security Tue, 06 Oct 2009 21:11:58 +0000 Ben Jeavons 32 at