This document outlines Drupal security improvement modules and recommendations, including modules for spam protection like CAPTCHA and Mollom, restricting site content access, encrypting sensitive data with modules like Field Encryption, strengthening user permissions, login security with features such as login attempt limits, and monitoring the site with modules that detect hacking attempts, audit security settings, and log errors.

1. Drupal 7
security improvement modules
Anton Ivanov

2. Roadmap
● Spam protection
● Site content access
● Encryption
● Permission and Registration
● Login and Session
● Useful modules

3. Spam protection

4. CAPTCHA
● CAPTCHA ● Draggable Captcha
● KeyCAPTCHA● reCAPTCHA

5. Mollom
● Text analytics
● CAPTCHA service

6. Useful modules
● Honeypot
– Hidden field
– Form fill time > 5s
● SpamSpan filter
– mymail [at] example [dot] com
● Block anonymous links

7. Site content access

8. Node page view
● Restrict node page view
– Nodes
● Rabbit Hole
– Nodes, Users, Taxonomy terms
– 403, 404, Redirect, Display entity

9. Ban users
● IP Ranges
– Black list
– White list
● GoAway
– Redirect banned users to some page
– Permissions: Ban, Un-ban, Settings change

10. HTTPS
● Secure Login
– Login or Any another form
● Secure Pages
– node/*
– user/*
– admin/*
– Or any another path

11. Global content access
● Content Access
– Node/Type CRUD Role/Author based
● ACL
– Node/Type CRUD any User based

12. Substitution for protection
● 403 to 404
● User One

13. Encryption

14. Encryption
● Field Encryption
– FIELD_ENCRYPT_CHANGEABLE = FALSE
● Encrypted Files
– Upload destination: “Encrypted files”
● Webform Encrypt
– Setup for every component

15. Encryption
● DataBase Email Encryption
– Email Registration compatible
– Logintoboggan compatible
● Encrypt
– encrypt()
– decrypt()

16. Permission and Registration

17. Registration
● Password policy
– Many-many restrictions
● Registration codes
– Import & Export
– Send to Email

18. Expiration
● User Expire
● Node expire
– Legacy mode
– Trigger “Content Expired” event

19. Protection
● Administer Users by Role
– Role based user administration
● Username Enumeration Prevention
– Username brute force / definition
● Permission watchdog
– Logging any role any permission change

20. Login and Session

21. Login
● Flood control
– Login attempts per IP restriction
– How long login per IP disabled
● Login Security
– Attempts limit for account blocking
– Ban Login by IP
– Brute force attack detected Email

22. Login
● Login Notify
– Disable ability login from some browser
– Email message with login details
● Login Activity
– Successful login logging
– UID, User agent, IP, Date
● Restrict Login or Role Access by IP
– User, Role, All users

23. Sessions
● Session Limit
– Restrict user sessions qty
– Many-many actions on restrict
● Automated Logout
– Different restrictions for roles
– Users can setup own timeout

24. Useful modules

25. Review and Detect
● Hacked!
– Detect hacked contrib modules & themes
● Security Review
– Site security settings test
– “Run checklist” for test

26. Protection
● Security Kit
– Cross-site Scripting protection
– Cross-site Request Forgery protection
– Clickjacking protection
– HTTP Strict Transport Security (HSTS)
● Paranoia
– Disable PHP execution via UI

27. Logging and alerts
● Email logging and alerts
– Send Email to admin on error
● Web server logging
– watchdog() message to error.log
● Watchdog triggers
● Watchdog rules

28. Tips and Tricks
● Username: administrator, admin, root
● Disable (uid=1) if not used
● No devel on Live
● Disable registration if not needed

29. Thank You! Questions?
Anton Ivanov