You are here

Home » API reference » Login Security 5

README.txt in Login Security 5

Same filename and directory in other branches
  1. 8 README.txt
  2. 6 README.txt
  3. 7 README.txt
  4. 2.x README.txt
Login Security
--------------

This module was developed to improve the security options in the login operation
of a drupal site. By default, drupal has only basic access control deniying IP
access to the full content of the site.

With Login security a site administrator may add two types of access control to
the login forms (default and block). These are the features included:

 Soft Protections:

 - Block login forms or requests, when the protection flag is enabled the form is
   never submited, and any request even with a valid form token ID will be dropped,
   but the host still can access the site.

 Hard Protections:
 - Block account: on a number of failed attempts, the account can be blocked.
 - Block IP: on a number of failed attempts, a host may be added to the access
   control list.

Notes:
 - soft block for hosts will expire in the ammount of hours configured.
 - hard blocked hosts will not be removed from list. It should be done by manually.
 - blocked accounts will not be removed from block list. It should be donde manually.

The session ID (php session neither drupal's session) is not taking in count for
the security operations, as automated bruteforce tool may request new sessions on
any attempt, ignoring the session fixation from the server.



Installation
------------

To install copy the login_security folder in your modules directory. Go to
Administer -> Site Building -> Modules and under the "Other" frame the
"Login Security" module Item will appear in the list. Enable the Checkbox
and save the configuration.



Configuration
-------------

Go to Administer -> User Management -> User Settings and new box will appear
close to the registering information with the following options. Any value
set to 0 will disable that option.

 - Track time: The time window where to check for security violiations. It's,
   the time in hours the login information is kept to compute the login attempts
   count. A common example could be 24 hours. After that time, the attempt is
   deleted from the list, so it will not count.

 - Soft block host on login fail: After that number of attempts to login from
   that IP address, no matter the username used, the host will not be allowed to
   submit the login form again, but the content of the site is still accesible
   for that IP address. The block will start to clear of counts after the
   "Track Time" time window.

 - Hard block host on login fail: As the soft block, but this time the IP address
   will be banned from the site, and included in the access list as a deny rule.
   To remove the IP from the list you will have to go to:
   Administer -> User Management -> Access Rules.

 - Block user on login fail: It's that easy, after N attempts of login as a user
   no matter the IP address attempting to, the user will be blocked. To remove
   the blocking of the user, you will have to go to:
   Administer -> User Management -> Users


 The flow will happend like described:

1st -  On any login, the pair host<->username is saved for security, and only
on a successfull login, the pair host-username is deleted from the security log.

2nd - For the soft blocking operation, any failed attempt from that host is
being count, and when the number of attempts exceeds, the host is not allowed
to submit the form.

3rd For the user blocking operation, any failed attempt is count, so no matter
what the source IP address is, when too many attempts appear the account is
blocked. A successful login, even if the user is blocked will remove any tracking
entry fron the database.

4th For the host blocking operation, only the host is taken in count. When too
many attempts appear, no matter the username being tested, the host IP address
is banned.

Note: The tracking entries in the database for any host <-> username pair are
      being deleted on: 'login', 'update' and 'delete' operations.



Notifications
-------------

Thanks to christefano, the module now accepts configurable notifications for the
actions. These are the available placeholders for the displayed messages:

    %date                  :  The (formated) date and time of the operation
    %ip                    :  The IP Address performing the operation
    %username              :  The username entered in the login form (sanitized)
    %email                 :  If the user exists, this will be it's name
    %uid                   :  ..and if exists, this will be it's uid
    %site                  :  The configured site's name
    %uri                   :  The base url of the drupal site
    %edit_uri              :  Direct link to the user (name entered) edit operations
    %hard_block_attempts   :  Configured login attempts before hard blocking the IP address
    %soft_block_attempts   :  Configured login attempts before soft blocking the IP address
    %user_block_attempts   :  Configured login attempts before blocking the user
    %user_ip_current_count :  The total attempts for the name entered by this IP address
    %ip_current_count      :  The total login attempts by this IP address
    %user_current_count    :  The total login attempts for this name (no matter the IP address)
    %tracking_time         :  The tracking time, it's maximun soft blocking time.


Also, the placeholders are propagated to the watchdog system for any customization
needed in the auditing properties, but this has to be modified in the module source code.

If you want your users to be informed when it's account has been blocked, you can use the
module "Extended user status notifications": http://www.drupal.org/project/user_status


Other modules interaction
-------------------------

Thanks to christefano, now the login_security fits well in any drupal installation allowing
without breaking other module operations. The only interaction being performed for just
blocks a user, so to switch the user status an update hook is launched. Other modules can
now react to that hook.

This module doesn't include the option to notify the user when it's account is blocked. You
can use the module: "Extended user status notifications" for that operation.


Future Roadmap
--------------

In a future a better bruteforce and control function is to be included, so
database is now ready for this future update. A fuzzy dataminner will be able
to detect bruteforce attacks no matter the time and scope.

Why is not password policy included in this module? Because of:

http://drupal.org/project/password_policy

There exists a module for that, may be you should encourage it's mantainer to
update the code for 5.x and 6.x branches of drupal.

Thanks to..
-----------

Christefano has done a great job helping with the code cleanup and the string
cleaning.. my english is not that good yet!. The module has more options
now! Thanks dude!


ilo [at] reversing.org
christefano can be located at http://parahuman.org/contact/

File

README.txt
View source 
  1. 

  2. Login Security

  3. --------------

  4. 

  5. This module was developed to improve the security options in the login operation

  6. of a drupal site. By default, drupal has only basic access control deniying IP

  7. access to the full content of the site.

  8. 

  9. With Login security a site administrator may add two types of access control to

  10. the login forms (default and block). These are the features included:

  11. 

  12.  Soft Protections:

  13. 

  14.  - Block login forms or requests, when the protection flag is enabled the form is

  15.    never submited, and any request even with a valid form token ID will be dropped,

  16.    but the host still can access the site.

  17. 

  18.  Hard Protections:

  19.  - Block account: on a number of failed attempts, the account can be blocked.

  20.  - Block IP: on a number of failed attempts, a host may be added to the access

  21.    control list.

  22. 

  23. Notes:

  24.  - soft block for hosts will expire in the ammount of hours configured.

  25.  - hard blocked hosts will not be removed from list. It should be done by manually.

  26.  - blocked accounts will not be removed from block list. It should be donde manually.

  27. 

  28. The session ID (php session neither drupal's session) is not taking in count for

  29. the security operations, as automated bruteforce tool may request new sessions on

  30. any attempt, ignoring the session fixation from the server.

  31. 

  32. 

  33. 

  34. Installation

  35. ------------

  36. 

  37. To install copy the login_security folder in your modules directory. Go to

  38. Administer -> Site Building -> Modules and under the "Other" frame the

  39. "Login Security" module Item will appear in the list. Enable the Checkbox

  40. and save the configuration.

  41. 

  42. 

  43. 

  44. Configuration

  45. -------------

  46. 

  47. Go to Administer -> User Management -> User Settings and new box will appear

  48. close to the registering information with the following options. Any value

  49. set to 0 will disable that option.

  50. 

  51.  - Track time: The time window where to check for security violiations. It's,

  52.    the time in hours the login information is kept to compute the login attempts

  53.    count. A common example could be 24 hours. After that time, the attempt is

  54.    deleted from the list, so it will not count.

  55. 

  56.  - Soft block host on login fail: After that number of attempts to login from

  57.    that IP address, no matter the username used, the host will not be allowed to

  58.    submit the login form again, but the content of the site is still accesible

  59.    for that IP address. The block will start to clear of counts after the

  60.    "Track Time" time window.

  61. 

  62.  - Hard block host on login fail: As the soft block, but this time the IP address

  63.    will be banned from the site, and included in the access list as a deny rule.

  64.    To remove the IP from the list you will have to go to:

  65.    Administer -> User Management -> Access Rules.

  66. 

  67.  - Block user on login fail: It's that easy, after N attempts of login as a user

  68.    no matter the IP address attempting to, the user will be blocked. To remove

  69.    the blocking of the user, you will have to go to:

  70.    Administer -> User Management -> Users

  71. 

  72. 

  73.  The flow will happend like described:

  74. 

  75. 1st -  On any login, the pair host<->username is saved for security, and only

  76. on a successfull login, the pair host-username is deleted from the security log.

  77. 

  78. 2nd - For the soft blocking operation, any failed attempt from that host is

  79. being count, and when the number of attempts exceeds, the host is not allowed

  80. to submit the form.

  81. 

  82. 3rd For the user blocking operation, any failed attempt is count, so no matter

  83. what the source IP address is, when too many attempts appear the account is

  84. blocked. A successful login, even if the user is blocked will remove any tracking

  85. entry fron the database.

  86. 

  87. 4th For the host blocking operation, only the host is taken in count. When too

  88. many attempts appear, no matter the username being tested, the host IP address

  89. is banned.

  90. 

  91. Note: The tracking entries in the database for any host <-> username pair are

  92.       being deleted on: 'login', 'update' and 'delete' operations.

  93. 

  94. 

  95. 

  96. Notifications

  97. -------------

  98. 

  99. Thanks to christefano, the module now accepts configurable notifications for the

  100. actions. These are the available placeholders for the displayed messages:

  101. 

  102.     %date                  :  The (formated) date and time of the operation

  103.     %ip                    :  The IP Address performing the operation

  104.     %username              :  The username entered in the login form (sanitized)

  105.     %email                 :  If the user exists, this will be it's name

  106.     %uid                   :  ..and if exists, this will be it's uid

  107.     %site                  :  The configured site's name

  108.     %uri                   :  The base url of the drupal site

  109.     %edit_uri              :  Direct link to the user (name entered) edit operations

  110.     %hard_block_attempts   :  Configured login attempts before hard blocking the IP address

  111.     %soft_block_attempts   :  Configured login attempts before soft blocking the IP address

  112.     %user_block_attempts   :  Configured login attempts before blocking the user

  113.     %user_ip_current_count :  The total attempts for the name entered by this IP address

  114.     %ip_current_count      :  The total login attempts by this IP address

  115.     %user_current_count    :  The total login attempts for this name (no matter the IP address)

  116.     %tracking_time         :  The tracking time, it's maximun soft blocking time.

  117. 

  118. 

  119. Also, the placeholders are propagated to the watchdog system for any customization

  120. needed in the auditing properties, but this has to be modified in the module source code.

  121. 

  122. If you want your users to be informed when it's account has been blocked, you can use the

  123. module "Extended user status notifications": http://www.drupal.org/project/user_status

  124. 

  125. 

  126. Other modules interaction

  127. -------------------------

  128. 

  129. Thanks to christefano, now the login_security fits well in any drupal installation allowing

  130. without breaking other module operations. The only interaction being performed for just

  131. blocks a user, so to switch the user status an update hook is launched. Other modules can

  132. now react to that hook.

  133. 

  134. This module doesn't include the option to notify the user when it's account is blocked. You

  135. can use the module: "Extended user status notifications" for that operation.

  136. 

  137. 

  138. Future Roadmap

  139. --------------

  140. 

  141. In a future a better bruteforce and control function is to be included, so

  142. database is now ready for this future update. A fuzzy dataminner will be able

  143. to detect bruteforce attacks no matter the time and scope.

  144. 

  145. Why is not password policy included in this module? Because of:

  146. 

  147. http://drupal.org/project/password_policy

  148. 

  149. There exists a module for that, may be you should encourage it's mantainer to

  150. update the code for 5.x and 6.x branches of drupal.

  151. 

  152. Thanks to..

  153. -----------

  154. 

  155. Christefano has done a great job helping with the code cleanup and the string

  156. cleaning.. my english is not that good yet!. The module has more options

  157. now! Thanks dude!

  158. 

  159. 

  160. ilo [at] reversing.org

  161. christefano can be located at http://parahuman.org/contact/