Posted by manorius on October 13, 2011 at 9:53am
Any ideas of a good module that I can protect my site's login from brute force attacks?
Or maybe is there a way to disable the login altogether? By allowing the admin who has access to the server
to turn it on and off?
Thanks
Comments
What do you mean by brute
What do you mean by brute force....???
Anyway, you can always consider installing http://drupal.org/project/Captcha. That can help ensure the login attempt is performed by a human.
Kelvin Lee
Onion Creative
Twitter: @KelvinLeeHK | @OnionCreativeHK
Google+: +Kelvin Lee
I mean someone just trying
I mean someone just trying multiple passwords. But you are right, captcha should be enough...
Drupal 7 has good throttling
Drupal 7 has good throttling of the login form built-in.
http://api.drupal.org/api/drupal/modules--user--user.module/function/use...
This of course is not effective against distributed attacks.
Another technique is to use hook_menu_alter() to change the URL of the login page.
--
Dave Hansen-Lange
Director of Technical Strategy, Advomatic.com
Pronouns: he/him/his
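Added example, not part of the thread and not Drupal's code: a simplified Python model of the built-in throttling described in the comment above, showing why spreading guesses over many source addresses gets past it and what keying the account counter on the user alone changes. The limits and the `user_failed_login_identifier_uid_only` name follow Drupal 7 core's login flood-control variables; the class, function names and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

class LoginThrottle:
    """Simplified model of a per-IP plus per-account failed-login throttle."""

    def __init__(self, ip_limit=50, ip_window=3600,
                 user_limit=5, user_window=21600, uid_only=False):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.user_limit, self.user_window = user_limit, user_window
        self.uid_only = uid_only           # models user_failed_login_identifier_uid_only
        self.failures = defaultdict(list)  # counter key -> failure timestamps

    def _allowed(self, key, limit, window, now):
        recent = [t for t in self.failures[key] if t > now - window]
        self.failures[key] = recent
        return len(recent) < limit

    def attempt(self, uid, ip, password_ok, now):
        """Process one login attempt; return 'blocked', 'ok' or 'failed'."""
        ip_key = ("ip", ip)
        user_key = ("user", uid if self.uid_only else f"{uid}-{ip}")
        if not self._allowed(ip_key, self.ip_limit, self.ip_window, now):
            return "blocked"
        if not self._allowed(user_key, self.user_limit, self.user_window, now):
            return "blocked"
        if password_ok:
            self.failures.pop(user_key, None)  # success resets the account counter
            return "ok"
        self.failures[ip_key].append(now)
        self.failures[user_key].append(now)
        return "failed"

def guesses_tested(throttle, uid, source_ips, total_guesses):
    """Count wrong guesses that reach the password check, one guess per second."""
    tested = 0
    for second in range(total_guesses):
        ip = source_ips[second % len(source_ips)]
        if throttle.attempt(uid, ip, password_ok=False, now=second) == "failed":
            tested += 1
    return tested

# Constructed sample sources from the 198.51.100.0/24 documentation range.
ONE_IP = ["198.51.100.1"]
MANY_IPS = [f"198.51.100.{n}" for n in range(1, 201)]

if __name__ == "__main__":
    print("one source, default keying:", guesses_tested(LoginThrottle(), 1, ONE_IP, 1000))
    print("200 sources, default keying:", guesses_tested(LoginThrottle(), 1, MANY_IPS, 1000))
    print("200 sources, uid-only keying:",
          guesses_tested(LoginThrottle(uid_only=True), 1, MANY_IPS, 1000))
```

Keying on the user alone caps guessing regardless of source, at the cost that five failed attempts from anywhere lock the real user out for the window, so it is usually paired with monitoring of lockout events.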
Changing the login URL
Changing the login URL sounded like a good idea until I looked at all the places where login links are created (such as for comments when an anonymous user). I think you'd have to look through core and relevant contrib to see what would also have to be changed.