You are here

Home » API reference » Login Security 7

README.txt in Login Security 7

Same filename and directory in other branches
  1. 8 README.txt
  2. 5 README.txt
  3. 6 README.txt
  4. 2.x README.txt
Login Security
--------------
This module was developed to improve the security options in the login operation
of a Drupal site. By default, Drupal has only basic access control denying IP
access to the full content of the site.

With Login Security module, a site administrator may add any of the following
access control features to the login forms (default login form in /user and the
block login form).

These are the features included:

Ongoing attack detection
------------------------
System will detect if a password guessing or bruteforce attack is being performed
against the Drupal login form. Using a threshold value, you may instruct the
module to alert (using a watchdog message, and optionally send an email) the
admin user when the number of invalid login attempts reaches the threshold value.

Soft Protections
----------------
Soft protections don't disrupt site navigation, but alter the way a login
operation is performed.

Currently, the login form submission can be soft-protected with these two
options:

 - Invalidate login form submission: when the soft-block protection flag is
   enabled the login form is never submited, and any new login request will
   fail, but the host could still access the site.


Hard Protections
----------------
When there is evidence of hard account guessing operations, or when you need to
block users because of leak password guessing attempts, Hard protections may
help defeating the system.

 - Block account: it's common to block an account after a number of failed login
   attemps. Once this count is completed, the account can be blocked and user
   and admin are advised about this.

 - Block IP address: on a number of failed attempts, a host may be added to the
   access control list. This action will leave the host completely banned from
   the site.


Track time: Protection time window
----------------------------------
The time the protections operate is defined as the track time (or time window).
It's, the time that login events are being considered for the protections. For
example, we can say that an account will be blocked on the third login attempt,
but these three attempts should have happened in the protection time window.
If the time protection window is 1 hour, the three attemps should be in the
last 60 minutes. If one of this attempts was done earlier it's not considered.

The time protection window is not the time each protection is active. Blocked
accounts will remain blocked untill an administrator unblocks them, and banned
hosts need also administration interaction to be unbanned.


Duration of protections
-----------------------
The duration of the enabled protections depends of its type. Soft protections
are temporary, and will expire in the time defined by the 'track time' or
protection time window.

Hard protections are permanent, and an administrator should unblock or unban an
account or a host.

A blocked account could be unblocked through the administration section:
  /admin/user/user
A banned host could be un banned through the Access rules section:
  /admin/user/rules


Installation
------------
To install copy the login_security folder in your modules directory. Go to
Administer -> Site Building -> Modules and under the "Other" frame the
"Login Security" module Item will appear in the list. Enable the Checkbox
and save the configuration.


Configuration options
---------------------
You should have the 'administer site configuration' permission to configure the
Login Security module.

Go to Administer -> Site configuration -> Login Security (the url path is
admin/settings/login_security) and a form with the module options will be shown.
(Note: Any value set to 0 will disable that option.).

Basic options

 - Track time: The time window where to check for security violiations. It's,
   the time in hours the login information is kept to compute the login attempts
   count. A common example could be 24 hours. After that time, the attempt is
   deleted from the list, so it will not count.

 - Maximum number of login failures before blocking a user: It's that easy,
   after this number of attempts to login as an user no matter the IP address
   attempting to, the user will be blocked. To remove the blocking of the user,
   you will have to go to: Administer -> User Management -> Users

 - Maximum number of login failures before soft blocking a host: After that
   number of attempts to login from that IP address, no matter the username
   used, the host will not be allowed to submit the login form again, but the
   content of the site is still accesible for that IP address. Login attempts
   will start to clear of counts after the "Track Time" time window.

 - Maximum number of login failures before blocking a host: As the soft block
   protection does, but this time the IP address will be banned from the site,
   included in the access list as a deny rule. To remove the IP from this ban,
   you will have to go to:  Administer -> User Management -> Access Rules.

 - Maximum number of login failures to detect ongoing attack: This value is the
   threshold used to detect a password guess attack. The limit means that during
   the "track time" period, this number of invalid logins indicates a password
   guessing attack.

Notifications

 The module also provides some notifications for the users to understand what is
 happening.

 - Display last login timestamp: each time a user does success in login, this
   message will remember him when was the last time he logged in the site.

 - Display last access timestamp: each time a user does success in login, this
   message will remember him his last site access.

 - Notify the user about the number of remaining login attempts: It's also
   possible to advice the user about the attempts available prior to block the
   account.

 - Disable login failure error message: Selecting this option no error message
   will be shown at all, so user will not be aware of unsuccessful login
   attempt, or blocked account messages.

 - Send a notification email message to a site user of your choice, each time an
   account is blocked.

 - Send a notification email message to a site user of your choice about login
   suspicious activity (a determined value threshold of invalid login attemps
   is reached).

Notifications are configurable in the Login Security settings section, where
the strings could be personalized using the following placeholders:

    %date                  :  The (formatted) date and time of the operation
    %ip                    :  The IP Address performing the operation
    %username              :  The username entered in the login form (sanitized)
    %email                 :  If the user exists, this will be it's name
    %uid                   :  ..and if exists, this will be it's uid
    %site                  :  The configured site's name
    %uri                   :  The base url of the Drupal site
    %edit_uri              :  Direct link to the user (name entered) edit page
    %hard_block_attempts   :  Configured attempts before hard blocking the IP
    %soft_block_attempts   :  Configured attempts before soft blocking the IP
    %user_block_attempts   :  Configured login attempts before blocking the user
    %user_ip_current_count :  The total attempts for the name by this IP address
    %ip_current_count      :  The total login attempts by this IP address
    %user_current_count    :  The total login attempts for this name
    %tracking_time         :  The tracking time: in hours
    %tracking_current_count:  Total tracked events
    %activity_threshold    :  Value of attempts to detect ongoing attack.


Cleaning the event tracking information
---------------------------------------
If for any reaons, you are encoutering problems with specific users (because
they are restricted), or if you change settings and want to do a module
'restart', you may clean the event track in this settings page.
At the bottom you will find a "Clear event tracking information" button.
If you click this button, all tracked events will be deleted.


Understanding protections
-------------------------
Internally, protections could consider user name, ip address or both. This is a
list of what's now implemented and how login submissions affect the protections:

 1.- On any login, the pair host<->username is saved for security, and only on a
   successfull login or by track time expiration, the pair host-username is
   deleted from the security log.

 2.- For the soft blocking operation, any failed attempt from that host is being
   count, and when the number of attempts exceeds, the host is not allowed to
   submit the form.

   Note: (2nd and 3rd impose restrictions to the login form, and the time these
   restrictions are in rule is the time the information is being tracked: "Track
   Time").

 3.- For the user blocking operation, any failed attempt is count, so no matter
   what the source IP address is, when too many attempts appear the account is
   blocked. A successful login, even if the user is blocked will remove any
   tracking entry fron the database.

 4.- For the host blocking operation, only the host is taken in count. When too
   many attempts appear, no matter the username being tested, the host IP
   address is banned.

   Note: (4th and 5th operations are not being cancelled automatically).
   Note: The tracking entries in the database for any host <-> username pair are
        being deleted on: 'login', 'update' and 'delete' user operations.

 5.- For the onoing attack detection, all the tracked events are taken in count.
   The system detects an ongoing attack and notices the admin about that. It will
   remain in attack mode (no more notices will be sent) untill the attack is no
   longer detected. This will happen when the total number of tracked events is
   below 'maximum allowed to detect ongoing attack' / 3. Since then, once the
   threshold value is reached again, a new notification will be set in the log
   or sent by email.

   E.g Say you put 1 hour of track time and a maximum number of login failures
   to detect ongoing attack of 20. This means that if during the last hour there
   are more than 20 invalid login attemps an attack is detected. A log entry is
   created to notice the detected attack, and system switches to 'attack' status,
   where no more notices about the attack will be logged or sent. After sometime
   the attack stops. And once the number of invalid login attemps for this last
   hour is below 1/3 of this maximum: invalid attemps are below 6 (20 / 3 for
   the example) a normal status is recovered. If a new attack is detected, the
   module will alert again about it.

Most used configuration
-----------------------
The most common configuration options will look like this:

 Track time = 1 Hour
 Max number of logon failures before blocking a user  = 5
 Max number of logon failures before soft blocking a host  = 10
 Max number of logon failures before blocking a host  = 15

 - The user will be blocked after five attemps of account guessing within the
   last 60 minutes.
 - Any host trying 10 login attempts will be punished not being able to submit
   the form again within the 60 minutes track time.
 - If the number of attempts reaches 15, the host will be banned.


Other modules interaction
-------------------------
If you want your users to be informed when their accounts have been blocked,
you can use the module "Extended user status notifications":
 http://www.drupal.org/project/user_status


Important note
--------------

Currently, user uid 1 is never blocked even if the "user blocking operation" is
enabled. User uid 1 is widely exposed in too many sites (and probably the name
for that account is 'admin' in most of the cases) that deliberately was removed
from this protection because of the risk to be easily blocked. If you want to
protect your users, you may use a combination of features, and not only rely on
the user blocking operation.

More information: http://drupal.org/node/601846


Other notes
-----------
The session ID (PHP session neither Drupal's session) is not taking in count for
the security operations, as automated bruteforce tool may request new sessions
on any attempt, ignoring the session fixation from the server.


Thanks to..
-----------
Christefano and deekayen, both have done great contributions and help with this
module.

File

README.txt
View source 
  1. 

  2. Login Security

  3. --------------

  4. This module was developed to improve the security options in the login operation

  5. of a Drupal site. By default, Drupal has only basic access control denying IP

  6. access to the full content of the site.

  7. 

  8. With Login Security module, a site administrator may add any of the following

  9. access control features to the login forms (default login form in /user and the

  10. block login form).

  11. 

  12. These are the features included:

  13. 

  14. Ongoing attack detection

  15. ------------------------

  16. System will detect if a password guessing or bruteforce attack is being performed

  17. against the Drupal login form. Using a threshold value, you may instruct the

  18. module to alert (using a watchdog message, and optionally send an email) the

  19. admin user when the number of invalid login attempts reaches the threshold value.

  20. 

  21. Soft Protections

  22. ----------------

  23. Soft protections don't disrupt site navigation, but alter the way a login

  24. operation is performed.

  25. 

  26. Currently, the login form submission can be soft-protected with these two

  27. options:

  28. 

  29.  - Invalidate login form submission: when the soft-block protection flag is

  30.    enabled the login form is never submited, and any new login request will

  31.    fail, but the host could still access the site.

  32. 

  33. 

  34. Hard Protections

  35. ----------------

  36. When there is evidence of hard account guessing operations, or when you need to

  37. block users because of leak password guessing attempts, Hard protections may

  38. help defeating the system.

  39. 

  40.  - Block account: it's common to block an account after a number of failed login

  41.    attemps. Once this count is completed, the account can be blocked and user

  42.    and admin are advised about this.

  43. 

  44.  - Block IP address: on a number of failed attempts, a host may be added to the

  45.    access control list. This action will leave the host completely banned from

  46.    the site.

  47. 

  48. 

  49. Track time: Protection time window

  50. ----------------------------------

  51. The time the protections operate is defined as the track time (or time window).

  52. It's, the time that login events are being considered for the protections. For

  53. example, we can say that an account will be blocked on the third login attempt,

  54. but these three attempts should have happened in the protection time window.

  55. If the time protection window is 1 hour, the three attemps should be in the

  56. last 60 minutes. If one of this attempts was done earlier it's not considered.

  57. 

  58. The time protection window is not the time each protection is active. Blocked

  59. accounts will remain blocked untill an administrator unblocks them, and banned

  60. hosts need also administration interaction to be unbanned.

  61. 

  62. 

  63. Duration of protections

  64. -----------------------

  65. The duration of the enabled protections depends of its type. Soft protections

  66. are temporary, and will expire in the time defined by the 'track time' or

  67. protection time window.

  68. 

  69. Hard protections are permanent, and an administrator should unblock or unban an

  70. account or a host.

  71. 

  72. A blocked account could be unblocked through the administration section:

  73.   /admin/user/user

  74. A banned host could be un banned through the Access rules section:

  75.   /admin/user/rules

  76. 

  77. 

  78. Installation

  79. ------------

  80. To install copy the login_security folder in your modules directory. Go to

  81. Administer -> Site Building -> Modules and under the "Other" frame the

  82. "Login Security" module Item will appear in the list. Enable the Checkbox

  83. and save the configuration.

  84. 

  85. 

  86. Configuration options

  87. ---------------------

  88. You should have the 'administer site configuration' permission to configure the

  89. Login Security module.

  90. 

  91. Go to Administer -> Site configuration -> Login Security (the url path is

  92. admin/settings/login_security) and a form with the module options will be shown.

  93. (Note: Any value set to 0 will disable that option.).

  94. 

  95. Basic options

  96. 

  97.  - Track time: The time window where to check for security violiations. It's,

  98.    the time in hours the login information is kept to compute the login attempts

  99.    count. A common example could be 24 hours. After that time, the attempt is

  100.    deleted from the list, so it will not count.

  101. 

  102.  - Maximum number of login failures before blocking a user: It's that easy,

  103.    after this number of attempts to login as an user no matter the IP address

  104.    attempting to, the user will be blocked. To remove the blocking of the user,

  105.    you will have to go to: Administer -> User Management -> Users

  106. 

  107.  - Maximum number of login failures before soft blocking a host: After that

  108.    number of attempts to login from that IP address, no matter the username

  109.    used, the host will not be allowed to submit the login form again, but the

  110.    content of the site is still accesible for that IP address. Login attempts

  111.    will start to clear of counts after the "Track Time" time window.

  112. 

  113.  - Maximum number of login failures before blocking a host: As the soft block

  114.    protection does, but this time the IP address will be banned from the site,

  115.    included in the access list as a deny rule. To remove the IP from this ban,

  116.    you will have to go to:  Administer -> User Management -> Access Rules.

  117. 

  118.  - Maximum number of login failures to detect ongoing attack: This value is the

  119.    threshold used to detect a password guess attack. The limit means that during

  120.    the "track time" period, this number of invalid logins indicates a password

  121.    guessing attack.

  122. 

  123. Notifications

  124. 

  125.  The module also provides some notifications for the users to understand what is

  126.  happening.

  127. 

  128.  - Display last login timestamp: each time a user does success in login, this

  129.    message will remember him when was the last time he logged in the site.

  130. 

  131.  - Display last access timestamp: each time a user does success in login, this

  132.    message will remember him his last site access.

  133. 

  134.  - Notify the user about the number of remaining login attempts: It's also

  135.    possible to advice the user about the attempts available prior to block the

  136.    account.

  137. 

  138.  - Disable login failure error message: Selecting this option no error message

  139.    will be shown at all, so user will not be aware of unsuccessful login

  140.    attempt, or blocked account messages.

  141. 

  142.  - Send a notification email message to a site user of your choice, each time an

  143.    account is blocked.

  144. 

  145.  - Send a notification email message to a site user of your choice about login

  146.    suspicious activity (a determined value threshold of invalid login attemps

  147.    is reached).

  148. 

  149. Notifications are configurable in the Login Security settings section, where

  150. the strings could be personalized using the following placeholders:

  151. 

  152.     %date                  :  The (formatted) date and time of the operation

  153.     %ip                    :  The IP Address performing the operation

  154.     %username              :  The username entered in the login form (sanitized)

  155.     %email                 :  If the user exists, this will be it's name

  156.     %uid                   :  ..and if exists, this will be it's uid

  157.     %site                  :  The configured site's name

  158.     %uri                   :  The base url of the Drupal site

  159.     %edit_uri              :  Direct link to the user (name entered) edit page

  160.     %hard_block_attempts   :  Configured attempts before hard blocking the IP

  161.     %soft_block_attempts   :  Configured attempts before soft blocking the IP

  162.     %user_block_attempts   :  Configured login attempts before blocking the user

  163.     %user_ip_current_count :  The total attempts for the name by this IP address

  164.     %ip_current_count      :  The total login attempts by this IP address

  165.     %user_current_count    :  The total login attempts for this name

  166.     %tracking_time         :  The tracking time: in hours

  167.     %tracking_current_count:  Total tracked events

  168.     %activity_threshold    :  Value of attempts to detect ongoing attack.

  169. 

  170. 

  171. Cleaning the event tracking information

  172. ---------------------------------------

  173. If for any reaons, you are encoutering problems with specific users (because

  174. they are restricted), or if you change settings and want to do a module

  175. 'restart', you may clean the event track in this settings page.

  176. At the bottom you will find a "Clear event tracking information" button.

  177. If you click this button, all tracked events will be deleted.

  178. 

  179. 

  180. Understanding protections

  181. -------------------------

  182. Internally, protections could consider user name, ip address or both. This is a

  183. list of what's now implemented and how login submissions affect the protections:

  184. 

  185.  1.- On any login, the pair host<->username is saved for security, and only on a

  186.    successfull login or by track time expiration, the pair host-username is

  187.    deleted from the security log.

  188. 

  189.  2.- For the soft blocking operation, any failed attempt from that host is being

  190.    count, and when the number of attempts exceeds, the host is not allowed to

  191.    submit the form.

  192. 

  193.    Note: (2nd and 3rd impose restrictions to the login form, and the time these

  194.    restrictions are in rule is the time the information is being tracked: "Track

  195.    Time").

  196. 

  197.  3.- For the user blocking operation, any failed attempt is count, so no matter

  198.    what the source IP address is, when too many attempts appear the account is

  199.    blocked. A successful login, even if the user is blocked will remove any

  200.    tracking entry fron the database.

  201. 

  202.  4.- For the host blocking operation, only the host is taken in count. When too

  203.    many attempts appear, no matter the username being tested, the host IP

  204.    address is banned.

  205. 

  206.    Note: (4th and 5th operations are not being cancelled automatically).

  207.    Note: The tracking entries in the database for any host <-> username pair are

  208.         being deleted on: 'login', 'update' and 'delete' user operations.

  209. 

  210.  5.- For the onoing attack detection, all the tracked events are taken in count.

  211.    The system detects an ongoing attack and notices the admin about that. It will

  212.    remain in attack mode (no more notices will be sent) untill the attack is no

  213.    longer detected. This will happen when the total number of tracked events is

  214.    below 'maximum allowed to detect ongoing attack' / 3. Since then, once the

  215.    threshold value is reached again, a new notification will be set in the log

  216.    or sent by email.

  217. 

  218.    E.g Say you put 1 hour of track time and a maximum number of login failures

  219.    to detect ongoing attack of 20. This means that if during the last hour there

  220.    are more than 20 invalid login attemps an attack is detected. A log entry is

  221.    created to notice the detected attack, and system switches to 'attack' status,

  222.    where no more notices about the attack will be logged or sent. After sometime

  223.    the attack stops. And once the number of invalid login attemps for this last

  224.    hour is below 1/3 of this maximum: invalid attemps are below 6 (20 / 3 for

  225.    the example) a normal status is recovered. If a new attack is detected, the

  226.    module will alert again about it.

  227. 

  228. Most used configuration

  229. -----------------------

  230. The most common configuration options will look like this:

  231. 

  232.  Track time = 1 Hour

  233.  Max number of logon failures before blocking a user  = 5

  234.  Max number of logon failures before soft blocking a host  = 10

  235.  Max number of logon failures before blocking a host  = 15

  236. 

  237.  - The user will be blocked after five attemps of account guessing within the

  238.    last 60 minutes.

  239.  - Any host trying 10 login attempts will be punished not being able to submit

  240.    the form again within the 60 minutes track time.

  241.  - If the number of attempts reaches 15, the host will be banned.

  242. 

  243. 

  244. Other modules interaction

  245. -------------------------

  246. If you want your users to be informed when their accounts have been blocked,

  247. you can use the module "Extended user status notifications":

  248.  http://www.drupal.org/project/user_status

  249. 

  250. 

  251. Important note

  252. --------------

  253. 

  254. Currently, user uid 1 is never blocked even if the "user blocking operation" is

  255. enabled. User uid 1 is widely exposed in too many sites (and probably the name

  256. for that account is 'admin' in most of the cases) that deliberately was removed

  257. from this protection because of the risk to be easily blocked. If you want to

  258. protect your users, you may use a combination of features, and not only rely on

  259. the user blocking operation.

  260. 

  261. More information: http://drupal.org/node/601846

  262. 

  263. 

  264. Other notes

  265. -----------

  266. The session ID (PHP session neither Drupal's session) is not taking in count for

  267. the security operations, as automated bruteforce tool may request new sessions

  268. on any attempt, ignoring the session fixation from the server.

  269. 

  270. 

  271. Thanks to..

  272. -----------

  273. Christefano and deekayen, both have done great contributions and help with this

  274. module.