December 16, 2020

Learning Login Security in Drupal

By Caleb Rhodes

On the Drupal platform, the ‘Login Security’ module adds, and improves on, several security options for logging in to a Drupal site. In its default state, Drupal provides only basic access control: the core Ban module can deny specific IP addresses access to the site’s content altogether.

Users can also be shown the timestamp of their last access or last login, so they can notice a login that was not their own.

The easiest way into a Drupal site is often through misuse of the authentication system, that is, the application’s login form. A single successful attack of this kind can compromise many user accounts at once, with data leaks and financial losses among the consequences. A network firewall does not stop this on its own, because the attempts arrive through the same login form that legitimate users reach; the login path itself needs protection.

Several measures build up that protection: strong, unique login credentials, serving the site over HTTPS, two-factor authentication so that a guessed password alone is not enough, and limiting login attempts to blunt brute-force attacks.

With this module, the site administrator can restrict and protect access by adding further access-control features to the login forms (the default login form at /user/login and the ‘User login’ block). Once the module is enabled, the administrator can limit the number of failed login attempts an account may accumulate before the account is blocked (it stays blocked until an administrator unblocks it), and can deny access from specific IP addresses, either temporarily or permanently.

The administrator can also switch on email alerts, so as to stay on top of what is happening on the site’s login form, the good and the bad: password-guessing attempts and the accounts they target, brute-force login attempts, and any other suspicious or unexpected login behaviour.

The module can also disable Drupal core’s built-in login error messages, hiding the reason for each failed login attempt. An attacker then cannot tell a wrong password from a blocked account, and cannot even confirm that the account exists.

In Drupal core, the User module provides user account management: authentication, logging in and out, password management, roles and permissions, registration, and so on. Its flood control mechanism gives the site a baseline defence against brute-force password guessing. Flood control is specifically a defence against repeated login failures; it does nothing against code injection or cross-site scripting, which core addresses elsewhere.

Flood control records every failed attempt with the event type, an identifier, a timestamp, and the time at which the record expires. There are two event types: one keyed on the IP address and one keyed on the user account. With the default settings, an IP address is refused after 50 login failures within one hour, and a user account together with the host IP address the attempts came from is refused after 5 failed attempts within 6 hours. The refusal lasts until the recorded failures expire.

This comes with limitations of its own: core offers no user interface for setting the number of attempts or the blocking period, and no alert system that notifies the site administrator when an account is being attacked or other suspicious changes occur.

The ‘Login Security’ module is configured through a form at admin/config/people/login_security (Manage > Configuration > People > Login Security).

Options include:

  • ‘track time’ (the window, in hours, within which login failures are counted; the soft protections below reset when it expires)
  • ‘user’ (maximum number of login failures for one account before the account is blocked; 0 disables the check)
  • ‘soft host’ (maximum number of login failures from one IP address before that address is refused for the remainder of the track time)
  • ‘hard host’ (maximum number of login failures from one IP address before it is permanently banned through the core Ban module)
  • ‘attack detection’ (maximum number of login failures, from any host, before an ongoing attack is assumed and a warning is logged)
  • ‘disable login failure error message’ (suppress core’s login error messages)
  • notify the user of the login attempts remaining before blocking,
  • display the last login and last access timestamps, etc.

These options can be adjusted to your needs; press ‘Save configuration’ to apply the changes.
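The following is an added example, not code from this page, from Drupal core or from the Login Security module. It models the two layers described above as a small Python class: core flood control with the defaults quoted earlier (50 failures per IP address per hour, 5 failures per user-and-IP pair per 6 hours), and the Login Security thresholds from the list (track time, user, soft host, hard host, attack detection), plus the effect of the ‘disable login failure error message’ option on what the visitor sees. It then runs constructed login attempts (not real logs) through the model so the interaction of the thresholds can be observed. The core event names user.failed_login_ip and user.failed_login_user and the combined user-IP identifier follow Drupal core; the ls.* event names, the LoginGuard field names and the reason strings are this example’s own naming, not the module’s configuration keys. Timestamps are plain integers in seconds, and the order in which the checks run is an assumption of the example, not a reading of either project’s source.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Drupal core user.flood defaults quoted in the article.
CORE_IP_LIMIT, CORE_IP_WINDOW = 50, 3600          # per IP address, 1 hour
CORE_USER_LIMIT, CORE_USER_WINDOW = 5, 6 * 3600   # per user+IP pair, 6 hours

# One flood record, with the four fields the article lists.
FloodEvent = namedtuple("FloodEvent", "event identifier timestamp expiration")

@dataclass
class LoginGuard:
    # Login Security thresholds (0 = disabled); field names are this example's
    # own, not the module's configuration keys.
    track_time: int = 3600
    user_wrong_count: int = 0
    soft_host_wrong_count: int = 0
    hard_host_wrong_count: int = 0
    attack_threshold: int = 0
    flood: list = field(default_factory=list)
    blocked_users: set = field(default_factory=set)
    banned_hosts: set = field(default_factory=set)   # stands in for core Ban
    warnings: list = field(default_factory=list)

    def _count(self, event, identifier, now):
        # Sliding window: only records that have not yet expired are counted.
        return sum(1 for e in self.flood if e.event == event
                   and e.identifier == identifier and e.expiration > now)

    def _over(self, event, identifier, now, limit):
        return bool(limit) and self._count(event, identifier, now) >= limit

    def _register(self, event, identifier, now, window):
        self.flood.append(FloodEvent(event, identifier, now, now + window))

    def attempt(self, user, ip, password_ok, now):
        """Process one login attempt: 'ok' or the reason it was refused.
        Blocks and limits come before the password check, so a refusal
        tells the attacker nothing about the credentials."""
        pair = f"{user}-{ip}"   # core's combined user/host identifier
        if ip in self.banned_hosts:
            return "host-hard-banned"
        if user in self.blocked_users:
            return "user-blocked"
        if self._count("user.failed_login_ip", ip, now) >= CORE_IP_LIMIT:
            return "core-ip-flood"
        if self._count("user.failed_login_user", pair, now) >= CORE_USER_LIMIT:
            return "core-user-flood"
        if self._over("ls.host", ip, now, self.soft_host_wrong_count):
            return "host-soft-banned"
        if password_ok:
            # Core clears the user/host entry on success; the per-IP one stays.
            self.flood = [e for e in self.flood
                          if (e.event, e.identifier) != ("user.failed_login_user", pair)]
            return "ok"
        # Failure: record it under each event type, each with its own window.
        self._register("user.failed_login_ip", ip, now, CORE_IP_WINDOW)
        self._register("user.failed_login_user", pair, now, CORE_USER_WINDOW)
        for event, ident in (("ls.host", ip), ("ls.user", user), ("ls.site", "*")):
            self._register(event, ident, now, self.track_time)
        if self._over("ls.user", user, now, self.user_wrong_count):
            self.blocked_users.add(user)     # permanent: an admin must unblock
        if self._over("ls.host", ip, now, self.hard_host_wrong_count):
            self.banned_hosts.add(ip)        # permanent, like a core Ban entry
        if self._over("ls.site", "*", now, self.attack_threshold):
            self.warnings.append(f"attack detected at t={now}")
        return "bad-credentials"

def user_message(reason, disable_core_error):
    """With 'disable login failure error message' on, every refusal reads the same."""
    if reason == "ok":
        return "Login successful."
    return "Login failed." if disable_core_error else f"Login failed: {reason}."

def demo():
    """Constructed attempts (not real logs) that exercise each threshold."""
    # Core only: five failures lock the alice/10.0.0.1 pair for six hours;
    # alice from another host, or after the window, is unaffected.
    core = LoginGuard()
    for t in range(5):
        core.attempt("alice", "10.0.0.1", False, t)
    same_host = core.attempt("alice", "10.0.0.1", True, 5)
    other_host = core.attempt("alice", "10.0.0.2", True, 6)
    later = core.attempt("alice", "10.0.0.1", True, 7 * 3600)
    # Core only: 50 failures from one host, one per user, trip the per-IP limit.
    spray = LoginGuard()
    for t in range(50):
        spray.attempt(f"user{t}", "10.0.0.9", False, t)
    sprayed = spray.attempt("zed", "10.0.0.9", True, 50)
    # Login Security: rotating hosts evades the host limits, but the per-account
    # count still blocks bob, and the fifth site-wide failure raises a warning.
    ls = LoginGuard(user_wrong_count=4, soft_host_wrong_count=3,
                    hard_host_wrong_count=6, attack_threshold=5)
    for t in range(4):
        ls.attempt("bob", f"10.0.0.{11 + t}", False, t)
    bob_blocked = ls.attempt("bob", "10.0.0.20", True, 4)
    ls.attempt("carol", "10.0.0.16", False, 5)
    attack_warnings = len(ls.warnings)
    # Three failures soft-ban 10.0.0.30 for the track time; the next attempt
    # is refused even with the right password.
    for t in range(3):
        ls.attempt("dave", "10.0.0.30", False, 100 + t)
    soft = ls.attempt("dave", "10.0.0.30", True, 103)
    return dict(same_host=same_host, other_host=other_host, later=later,
                sprayed=sprayed, bob_blocked=bob_blocked,
                attack_warnings=attack_warnings, soft=soft)
```

Calling demo() returns the outcome of each scenario by name. Two points worth noting from the bob scenario: the per-account count is the only threshold an attacker cannot evade by rotating source addresses, but because the resulting block is permanent it also lets anyone who knows a username lock that user out until an administrator intervenes. Set ‘user’ generously or leave it at 0 and rely on the host limits together with core’s user-and-IP pair, which an attacker with many addresses cannot exhaust against a single victim.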

The Login Security module is therefore a valuable addition to a Drupal site when used wisely: it gives the administrator far more control over brute-force attacks than core alone. Security should not stop at configuring modules, though. The other measures listed at the start of this article, and the people who operate the site within the organisation, matter just as much.

Reference from: https://www.getastra.com/blog/drupal-security/drupal-security-guide/