security
120+ Security Based Modules? Really?
I have to admit, I'm overwhelmed by the number of Drupal modules created that deal with security. It seems many are for keeping specific module types from doing insecure things or providing holes in security. So, what about a basic install with Views, CCK, Pathauto, Forums, Blogs, and little else? What are the most useful security modules out there?
-overwhelmed by modules
Mary
Login Security for Drupal 6 1.0 release is out
It took some time, but finally the 6.x-1.0 version of the Login Security module is out. For a brief introduction to the module's features please go to the module documentation. The README file included in the module explains the different options for the module settings and gives a configuration example.
Hope you enjoy the module!
Login Security, closing last stint for 1.0 release
I'm happy to announce that Login Security module release 6.x-1.0 is about to be born. Currently, there is only one issue open. This issue deals with string consolidation and English grammar. I'm not a native English speaker, so there will probably be some words and corrections to be made. I would appreciate any help with this issue.
There is a new feature included for this 1.0 release: ongoing brute-force attack detection that could easily be expanded for more paranoid settings... probably in the 2.0 :)
You can check the current roadmap status and (I hope) participate in the English correction.
Protect your files directories
Be wary of what folks can upload into the "files" directories on your Drupal site. They may be able to upload a PHP file, then try to access that PHP file in their web browser, thus being able to execute arbitrary code. This is dangerous!
I believe Drupal's .htaccess files block this sort of thing for Apache users, but what about us Lighty users? Fortunately, it's not too tough to stop this from happening; just add something like this to Lighty's config file:
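The configuration snippet the post refers to is not reproduced on this page. As an added example, not the poster's snippet and not part of Drupal or lighttpd, here is one way to do what the post describes for a Drupal 6 layout served by lighttpd. It assumes public files live under sites/<site>/files (sites/default/files on a default install) and that PHP is served through mod_fastcgi (fastcgi.server); both are assumptions to check against your own setup.

```lighttpd
# Added example, not from the original post and not shipped with Drupal.
# Assumes the Drupal 6 default layout (public files under sites/*/files)
# and PHP handled by mod_fastcgi.

# Rule 1: deny any request inside a files directory whose path carries a
# script extension, whether the extension ends the path (/files/x.php) or
# is followed by PATH_INFO (/files/x.php/a.png). $HTTP["url"] is matched
# against the decoded request path, so %2e-style encoding does not help an
# attacker; (?i) makes the match case-insensitive for case-insensitive
# filesystems. An empty string in url.access-deny matches every URL that
# reaches this conditional, i.e. everything the regex selected.
$HTTP["url"] =~ "(?i)^/sites/[^/]+/files/.*\.(php|phtml|php[3-7]|phps|pl|py|cgi|sh)(/|$)" {
    url.access-deny = ( "" )
}

# Rule 2, belt and braces: inside the files tree do not hand anything to
# the PHP FastCGI backend at all, whatever the extension. A static file
# that merely looks like PHP is then served as bytes (or denied by rule 1),
# never executed.
$HTTP["url"] =~ "^/sites/[^/]+/files/" {
    fastcgi.server = ()
}
```

After reloading lighttpd, check it the way an attacker would: drop a file named test.php containing only a print statement into sites/default/files, request it, and confirm you get a 403 (or the raw source, never the printed output), then delete it. Note that rule 1 only protects paths under sites/*/files; if you have moved the files directory or use a private files path inside the web root, adjust the regex. On the Apache side, Drupal 6's file_check_directory() writes a .htaccess into each files directory containing `SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006` and `Options None`, which keeps Apache from passing uploads to the PHP handler; that file only takes effect when the vhost's AllowOverride permits it, so that is the setting to verify on Apache.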
Drupal for Online Enterprise
Hi Everyone:
So I know of some well-known organizations and companies who are using Drupal for their community child sites and/or primary sites. However, I am just curious to know of some particular enterprise sites that are 1) using Drupal and 2) may have a user population anywhere from 500 - 10,000+. I'm trying to compile a list to show that Drupal can be used to archive information securely for a large online and active audience.
Thanks.
Who should be involved in securing a Drupal Site?
A lot of attention is given to writing secure code for Drupal. But is securing a Drupal site only a matter of writing/using correct code, or are other roles just as responsible for securing a Drupal site?
Filtering User Generated CSS
There are several modules which allow for user/admin generated css to be injected into the page.
CSS can contain cross-site scripting attacks, and the use of url() helps make it a means to exploit CSRF. What can we do to filter user-generated CSS so that it is safe?
One strategy seems to be something like the way color module/garland work: users are limited to choosing specific colors which are inserted into specific pieces of the CSS. This is also what a lot of other sites do (twitter, bebo, etc.). That's great, but limiting.
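As an added example (my own code, not part of the original post, of Drupal core or of the color module), here are the two sides of the approach the post mentions in PHP: first the color-module style, where the user only chooses colour values that are validated and substituted into fixed CSS; then a generalisation of the same idea to a per-property whitelist of declarations, which goes beyond the post's one case. Neither ever copies user CSS to the page, so url(), expression(), @import, behavior and -moz-binding are rejected simply because no pattern admits them. All function names, the property list and the sample input are this example's own choices.

```php
<?php
// Added example, not from the original post or any Drupal module.
// Function names, the property whitelist and the sample input are assumptions.

// Return a normalised colour or NULL. Only #rgb, #rrggbb and a few names pass.
function css_safe_color($raw) {
  $named = array('black', 'white', 'red', 'green', 'blue', 'gray', 'transparent');
  $value = strtolower(trim($raw));
  if (preg_match('/^#([0-9a-f]{3}|[0-9a-f]{6})$/', $value)) {
    return $value;
  }
  return in_array($value, $named, TRUE) ? $value : NULL;
}

// Strategy 1 (color module / Garland style): a fixed stylesheet with
// {placeholders}; the user supplies colours only. Placeholder names come from
// the site's own code, never from the user, and an invalid value falls back
// to a constant rather than to the raw input.
function css_from_template($template, array $user_colors, $fallback = '#000000') {
  foreach ($user_colors as $name => $raw) {
    $safe = css_safe_color($raw);
    $template = str_replace('{' . $name . '}', $safe === NULL ? $fallback : $safe, $template);
  }
  return $template;
}

// Strategy 2: accept "property: value" declarations but keep only properties
// we know, with values matching a strict shape. Everything else is dropped.
function css_declaration_whitelist() {
  $color  = '(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})';
  $length = '(0|[0-9]{1,3}(px|pt|em|%))';
  return array(
    'color'            => '/^' . $color . '$/',
    'background-color' => '/^' . $color . '$/',
    'font-size'        => '/^[0-9]{1,2}(px|pt|em|%)$/',
    'font-weight'      => '/^(normal|bold|[1-9]00)$/',
    'font-style'       => '/^(normal|italic)$/',
    'text-align'       => '/^(left|right|center|justify)$/',
    'margin'           => '/^' . $length . '( ' . $length . '){0,3}$/',
    'padding'          => '/^' . $length . '( ' . $length . '){0,3}$/',
    'border'           => '/^[0-9]{1,2}px (solid|dashed|dotted|none)( ' . $color . ')?$/',
  );
}

function css_filter_declarations($css) {
  $allowed = css_declaration_whitelist();
  $kept = array();
  // Values admitted by the patterns never contain ';', ':', '<', '/', '{' or
  // '}', so a plain split is enough, a kept value cannot close a <style> tag
  // or a rule block, and CSS escapes (\3c) and comments (/* */) fail to match.
  foreach (explode(';', $css) as $declaration) {
    $parts = explode(':', $declaration, 2);
    if (count($parts) != 2) {
      continue;
    }
    $property = strtolower(trim($parts[0]));
    $value    = strtolower(trim($parts[1]));
    if (!isset($allowed[$property]) || !preg_match($allowed[$property], $value)) {
      continue;
    }
    $kept[] = $property . ': ' . $value;
  }
  return implode('; ', $kept);
}

// The surviving declarations are attached to a selector chosen by the site,
// not by the user, so they cannot restyle the login form or hide admin links
// elsewhere on the page.
function css_scoped_rule($selector, $user_css) {
  return $selector . ' { ' . css_filter_declarations($user_css) . ' }';
}

// Constructed sample input (not from the page): one harmless declaration mixed
// with a tracking URL (CSRF via url()), an IE expression(), an attempt to
// break out of <style>, and a second harmless declaration.
$hostile = 'color: red; background: url(http://evil.example/track?u=1); '
         . 'width: expression(alert(1)); color: #fff\3c/style>; margin: 4px 0';
print css_scoped_rule('#profile-42 .bio', $hostile) . "\n";

$theme = '#site-name a { color: {link}; } body { background-color: {bg}; }';
print css_from_template($theme, array('link' => '#0074bd', 'bg' => 'url(x)')) . "\n";
```

Run with `php example.php`. The url() and expression() declarations are dropped because `background` and `width` are not whitelisted properties, and the `#fff\3c/style>` value is dropped because it does not match the colour pattern, while the two plain declarations survive; in the template call, `url(x)` is replaced by the fallback colour. The price of the whitelist is exactly the limitation the post notes: anything not on the list, including legitimate but unlisted properties and units, is silently removed, so the list has to be grown deliberately, one property and one value shape at a time.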
"Login Security" module uses and roadmap for a 6.x stable release
Hi, I'm in the process of creating a stable release of the "login security" module, and would like to inform current users of this module about it, to recall their ideas and most-used features and remove (or not) the rest of them.
I don't know how to make a public call about it, and would not like to create a release to make this kind of notice, since everyone would then have to update their module version, so I've decided to create it here.
If you have any consideration or would like to know about this stable release, please go to:
LA Drupal management on groups.drupal.org
Tonight I went through the LA Drupal group's member list on groups.drupal.org and removed the administrator privileges from the accounts of several people who haven't been active recently or aren't directly involved in running the group. I'm announcing this because I'd like everyone to know that while our group has fewer admins now than before, the daily management of the group on groups.drupal.org remains the same and I hope this isn't seen as a consolidation of power.
On the contrary, our current admins (Chris Charlton, Mike Stewart and myself, Christefano) absolutely want to hear from anyone and everyone who's interested in helping out and fostering the development of LA Drupal. Just like how anyone in the Drupal community has a say about how they want to participate, everyone in the LA Drupal community is invited to foster the development of our group, both online and offline.
Drupal Site Building Security Training
What's the interest level in a Drupal security training session? I'm thinking of this as a practical session focused on building a secure Drupal site using selected modules and configurations. The format would probably be a day long training session, depending on the level of detail people want to get into. Most of the information we'd be teaching would be focused on real world security issues and how to solve or prevent them using existing tools of the trade.