security

WebmistressM's picture

120+ Security Based Modules? Really?

I have to admit, I'm overwhelmed by the number of Drupal modules created that deal with security. It seems many are for keeping specific module types from doing insecure things or providing holes in security. So, what about a basic install with Views, CCK, Pathauto, Forums, Blogs, and little else? What are the most useful security modules out there?

-overwhelmed by modules
Mary

16 comments

Login Security for Drupal 6 1.0 release is out

It took some time, but finally the 6.x-1.0 version of Login Security module is out. For a brief introduction to the module features please go to the module documentation. The README file included in the module explains the different options for the module settings and a configuration example.

Hope you enjoy the module!


Login Security, closing last stint for 1.0 release

I'm happy to announce that Login Security module release 6.x-1.0 is about to be born. Currently, there is only one issue open. This issue takes care of string consolidation and English grammar. I'm not a native English speaker, so there will probably be some words and corrections to be done. I would appreciate any help with this issue.

There is a new feature included for this 1.0 release: ongoing brute-force attack detection that could easily be expanded for more paranoid settings... probably in the 2.0 :)

You can check the current roadmap status and (I hope) participate in the English correction.


Protect your files directories

Be wary of what folks can upload into the "files" directories on your Drupal site. They may be able to upload a PHP file, then try to access that PHP file in their web browser, thus being able to execute arbitrary code. This is dangerous!

I believe Drupal's .htaccess files block this sort of thing for Apache users, but what about us Lighty users? Fortunately, it's not too tough to stop this from happening; just add something like this to Lighty's config file:


Drupal for Online Enterprise

Hi Everyone:

So I know of some well-known organizations and companies who are using Drupal for their community child sites and/or primary sites. However, I am just curious to know of some particular enterprise sites that are 1) using Drupal and 2) may have a user population anywhere from 500 - 10,000+. I'm trying to compile a list to show that Drupal can be used to archive information securely for a large online and active audience.

Thanks.

3 comments

Who should be involved in securing a Drupal Site?

VinceW - Thu, 2009-08-20 14:52

A lot of attention is given to writing secure code for Drupal. But is securing a Drupal site only a matter of writing/using correct code, or are other roles just as responsible for securing a Drupal site?


greggles's picture

Filtering User Generated CSS

There are several modules which allow for user/admin-generated CSS to be injected into the page.

CSS can contain cross-site scripting attacks and the use of url() helps make it a means to exploit CSRF. What can we do to filter user-generated CSS so that it is safe?

One strategy seems to be something like the way color module/garland work: users are limited to choosing specific colors which are inserted into specific pieces of the CSS. This is also what a lot of other sites do (twitter, bebo, etc.). That's great, but limiting.


"Login Security" module uses and roadmap for a 6.x stable release

Hi, I'm in the process of creating a stable release of the "login security" module, and would like to inform current users of this module about it to recall their ideas and most used features, and remove (or not) the rest of them.

Don't know how to make a public call about it, and would not like to create a release to make this kind of notice so everyone will have to update their module version, so I've decided to create it here.

If you have any consideration or would like to know about this stable release please go to:

http://drupal.org/node/397890

2 comments
christefano's picture

LA Drupal management on groups.drupal.org

Tonight I went through the LA Drupal group's member list on groups.drupal.org and removed the administrator privileges from the accounts of several people who haven't been active recently or aren't directly involved in running the group. I'm announcing this because I'd like everyone to know that while our group has fewer admins now than before, the daily management of the group on groups.drupal.org remains the same and I hope this isn't seen as a consolidation of power.

On the contrary, our current admins (Chris Charlton, Mike Stewart and myself, Christefano) absolutely want to hear from anyone and everyone who's interested in helping out and fostering the development of LA Drupal. Just like how anyone in the Drupal community has a say about how they want to participate, everyone in the LA Drupal community is invited to foster the development of our group, both online and offline.

mtapman's picture

Drupal Site Building Security Training

What's the interest level in a Drupal security training session? I'm thinking of this as a practical session focused on building a secure Drupal site using selected modules and configurations. The format would probably be a day-long training session, depending on the level of detail people want to get into. Most of the information we'd be teaching would be focused on real-world security issues and how to solve or prevent them using existing tools of the trade.

3 comments · Read more