Cracking Drupal - extra security http://crackingdrupal.com/taxonomy/term/18/0 en Contributed modules for Securing your Site http://crackingdrupal.com/security-modules <p>Among the thousands of modules on drupal.org there are over 100 in the <a href="http://drupal.org/taxonomy/term/69">security</a> category. Unfortunately, some of those are abandoned or inaccurately tagged. We've looked at every module and compiled this resource to help you understand the security-related community modules available. Not all of these modules provide security as such: some harden your site against weaknesses, and others monitor and report abuse.</p> <p>This list will stay up to date as new modules are added, and we will expand it to make it more useful and to include our assessment of each module's capabilities.</p> <h2>Login and session</h2> <ul> <li><a href="http://drupal.org/project/persistent_login">Persistent Login</a> <ul> <li>How long, how many, and on what pages login is remembered</li> </ul> </li> <li><a href="http://drupal.org/project/single_login">Single Login</a> <ul> <li>Detect and prevent duplicate logins</li> </ul> </li> </ul> <h2>Password</h2> <ul> <li><a href="http://drupal.org/project/login_security">Login Security</a> <ul> <li>Limit unsuccessful logins, ban by IP, notifications</li> </ul> </li> <li><a href="http://drupal.org/project/password_change">Password change confirm</a> <ul> <li>Require existing password before changing password</li> </ul> </li> <li><a href="http://drupal.org/project/password_require">Password Require</a> <ul> <li>Require a password for submitting any form</li> </ul> </li> <li><a href="http://drupal.org/project/password_sentry">Password sentry</a> <ul> <li>Track logins</li> </ul> </li> <li><a href="http://drupal.org/project/password_strength">Password Strength</a> <ul> <li>Check and enforce password strength</li> </ul> </li> <li><a href="http://drupal.org/project/password_expire">Password Expire</a> <ul> <li>Passwords expire
after a set time</li> </ul> </li> <li><a href="http://drupal.org/project/password_policy">Password Policy</a> <ul> <li>Enforce password strength</li> </ul> </li> <li><a href="http://drupal.org/project/salt">Salt</a> <ul> <li>Prepend a "salt" to passwords prior to storage (Not needed in Drupal 7)</li> </ul> </li> <li><a href="http://drupal.org/project/phpass">Secure Password Hashes (phpass)</a> <ul> <li>Store password hashes using phpass instead of MD5 (Not needed in Drupal 7)</li> </ul> </li> </ul> <h2>Authentication</h2> <ul> <li><a href="http://drupal.org/project/passwindow">PassWindow</a> <ul> <li>Two-step authentication via visual decoding with physical card</li> </ul> </li> <li><a href="http://drupal.org/project/openid">OpenID</a> <ul> <li>Authentication via OpenID service (in core Drupal 6)</li> </ul> </li> <li><a href="http://drupal.org/project/swekey">Swekey</a> <ul> <li>Two-step authentication using USB key</li> </ul> </li> <li><a href="http://drupal.org/project/winliveid">Windows Live ID</a> <ul> <li>Authentication via Windows Live</li> </ul> </li> <li><a href="http://drupal.org/project/yubikey">YubiKey</a> <ul> <li>Two-step authentication using USB key</li> </ul> </li> </ul> <h2>Analysis</h2> <ul> <li><a href="http://drupal.org/project/badbehavior">BadBehavior</a> <ul> <li>Monitor traffic and block spambots or malicious requests</li> </ul> </li> <li><a href="http://drupal.org/project/goaway">GoAway</a> <ul> <li>Light-weight ban by IP</li> </ul> </li> <li><a href="http://drupal.org/project/httpbl">HTTP Black List (http:BL)</a> <ul> <li>Implement the http:BL in Drupal, blocking requests from blacklisted IPs</li> </ul> </li> <li><a href="http://drupal.org/project/md5check">MD5 Check</a> <ul> <li>Create MD5 checksum of all Drupal files and monitor for alterations</li> </ul> </li> <li><a href="http://drupal.org/project/phpids">PHP Intrusion Detection System (PHPIDS)</a> <ul> <li>Implement the PHP Intrusion Detection System for monitoring and alerting for
malicious visitors</li> </ul> </li> <li><a href="http://drupal.org/project/rfireport">Remote File Inclusion Report</a> <ul> <li>Record attempts to have remote files included in Drupal</li> </ul> </li> <li><a href="http://drupal.org/project/security_review">Security Review</a> <ul> <li>Check for misconfiguration that leads to an insecure site</li> </ul> </li> <li><a href="http://drupal.org/project/security_scanner">Security scanner component for SimpleTest</a> <ul> <li>Penetration test your site</li> </ul> </li> <li><a href="http://drupal.org/project/troll">Troll</a> <ul> <li>Track and ban IPs</li> </ul> </li> </ul> <h2>Secure communications</h2> <ul> <li><a href="http://drupal.org/project/cse">Client Side Encryption (cse)</a> <ul> <li>Encrypt data transfer between browser and server</li> </ul> </li> <li><a href="http://drupal.org/project/openpgp">OpenPGP</a> <ul> <li>Encrypt outgoing emails</li> </ul> </li> <li><a href="http://drupal.org/project/secrole">Secure by role</a> <ul> <li>Force certain pages over SSL</li> </ul> </li> <li><a href="http://drupal.org/project/securepages">Secure Pages</a> <ul> <li>Force certain pages over SSL</li> <li><a href="http://drupal.org/project/securepages_prevent_hijack">Secure Pages Prevent Hijack</a> - Prevent hijacked sessions from accessing secure pages.</li> </ul> </li> </ul> <h2>Anti-spam and protection</h2> <ul> <li>Prevent spam submissions <ul> <li><a href="http://drupal.org/project/captcha">CAPTCHA</a></li> <li><a href="http://drupal.org/project/recaptcha">reCAPTCHA</a></li> <li><a href="http://drupal.org/project/captcha_pack">CAPTCHA Pack</a></li> <li><a href="http://drupal.org/project/egglue_captcha">Egglue CAPTCHA</a></li> <li><a href="http://drupal.org/project/riddler">Captcha Riddler</a></li> <li><a href="http://drupal.org/project/mollom">Mollom</a></li> <li><a href="http://drupal.org/project/akisment">Akismet</a></li> <li><a href="http://drupal.org/project/spam">Spam</a></li> <li><a 
href="http://drupal.org/project/blockanonymouslinks">Block anonymous links</a></li> <li><a href="http://drupal.org/project/blogspam">BlogSpam</a></li> <li><a href="http://drupal.org/project/vidoopcaptcha">VidoopCAPTCHA</a></li> <li><a href="http://drupal.org/project/spamicide">Spamicide</a></li> </ul> </li> <li><a href="http://drupal.org/project/email2image">Email2Image</a> <ul> <li>Obfuscate emails by displaying them as images</li> </ul> </li> <li><a href="http://drupal.org/project/secure_permissions">Secure Permissions</a> <ul> <li>Control access to the permissions setting page</li> </ul> </li> <li><a href="http://drupal.org/project/spamspan">Spamspan Filter</a> <ul> <li>Obfuscate emails</li> </ul> </li> <li><a href="http://drupal.org/project/gtspam">GTSpam</a> <ul> <li>Obfuscate emails</li> </ul> </li> <li><a href="http://drupal.org/project/paranoia">Paranoia</a> <ul> <li>Disable some of Drupal's features not necessary for all sites, like the PHP input filter.</li> </ul> </li> <li><a href="http://drupal.org/project/paranoidvalidator">Paranoid Form Validator</a> <ul> <li>Reject form submissions containing potentially-dangerous input</li> </ul> </li> </ul> http://crackingdrupal.com/security-modules#comments contributed modules extra security Tue, 06 Oct 2009 21:11:58 +0000 Ben Jeavons 32 at http://crackingdrupal.com