This document outlines Drupal security improvement modules and recommendations, including modules for spam protection like CAPTCHA and Mollom, restricting site content access, encrypting sensitive data with modules like Field Encryption, strengthening user permissions, login security with features such as login attempt limits, and monitoring the site with modules that detect hacking attempts, audit security settings, and log errors.
19. Protection
● Administer Users by Role
– Role based user administration
● Username Enumeration Prevention
– Prevents username discovery / brute-force enumeration
● Permission watchdog
– Logs every role and permission change
21. Login
● Flood control
– Limits login attempts per IP
– Sets how long login from that IP stays blocked
● Login Security
– Failed-attempt limit before the account is blocked
– Ban login by IP
– Email alert when a brute-force attack is detected
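The two flood-control thresholds on this slide map directly to core settings; this is an added configuration example, not part of the original deck. It assumes Drupal 7 (`settings.php` `$conf` overrides) and shows the Drupal 8+ `user.flood` equivalent for comparison.

```php
<?php
// Drupal 7: override core flood-control defaults in sites/default/settings.php.
// Defaults are 50 failed attempts per IP per hour and 5 per account per 6 hours.

// Per-IP limit: how many failed logins one IP may make inside the window.
$conf['user_failed_login_ip_limit'] = 20;
// Per-IP window (seconds): how long that IP stays blocked once the limit is hit.
$conf['user_failed_login_ip_window'] = 3600;   // 1 hour

// Per-account limit: protects a single username from a distributed guess.
$conf['user_failed_login_user_limit'] = 5;
// Per-account window (seconds): 6 hours before the counter resets.
$conf['user_failed_login_user_window'] = 21600;

// Drupal 8+ equivalent: the same four values live in the user.flood config
// object and can be pinned from settings.php so the UI cannot loosen them.
$config['user.flood']['ip_limit']    = 20;
$config['user.flood']['ip_window']   = 3600;
$config['user.flood']['user_limit']  = 5;
$config['user.flood']['user_window'] = 21600;
// Count per-account failures by uid only, so attempts from many IPs
// against one account still trip the account limit.
$config['user.flood']['uid_only']    = TRUE;
```

Tighten the per-IP limit more aggressively than the per-account one: the IP limit stops a single noisy source, while the account limit is what catches a slow, distributed guess against one login.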
22. Login
● Login Notify
– Can disable login from certain browsers
– Sends an email with the login details
● Login Activity
– Logs successful logins
– Records UID, user agent, IP and date
● Restrict Login or Role Access by IP
– Applies per user, per role, or to all users
23. Sessions
● Session Limit
– Restricts the number of concurrent sessions per user
– Configurable action when the limit is reached
● Automated Logout
– Different timeouts per role
– Users can set their own timeout
27. Logging and alerts
● Email logging and alerts
– Sends an email to the admin on error
● Web server logging
– Writes watchdog() messages to the web server error.log
● Watchdog triggers
● Watchdog rules
28. Tips and Tricks
● Avoid predictable usernames such as administrator, admin, root
● Disable user 1 (uid=1) if it is not used
● No Devel module on Live
● Disable open registration if it is not needed