The Login Security module improves the security options of the login operation on a Drupal site. By default, Drupal provides only basic access control: denying an IP address access to the full content of the site.

With the Login Security module, a site administrator can protect and restrict access by adding access control features to the login forms (the default login form at /user and the block called "login form block"). With this module enabled, a site administrator can limit the number of invalid login attempts before an account is blocked, or deny access by IP address, temporarily or permanently. The site administrator can also be notified about password and account guessing, brute-force login attempts, or other unexpected behaviour in the login operation.

Module feature list

Ongoing attack detection

The module can detect when a password-guessing or brute-force attack is being performed against the Drupal login form. Using a threshold value, you can instruct the module to alert the administrator user (with a watchdog message and, optionally, an email) when the number of invalid login attempts reaches that threshold, so that unexpected login attempts can be reacted to early.

Soft Protections

Soft protections don't disrupt site navigation, but may alter the way a login operation is performed. This kind of feature makes the system more flexible when suspicious behaviour appears in the login form. Currently, the login form submission can be soft-protected with these options:

  • Invalid login request time delay: on any failed login, the form submission is delayed by a base time, making a brute-force attack against the login form harder. Adding a time delay to each invalid submission reduces the number of login attempts a user or script can make. This protection is temporary: once the user or script stops submitting the form, the penalty delay is removed.
  • Increase invalid login delay: the base time delay can be extended so that it grows with the number of login attempts. This way, additional attempts to guess the password are punished with a longer delay on each submission.
  • Invalidate login form submission: when a user or script triggers this soft-block protection flag through a large number of attempts, the login form ceases to actually submit, and any new login request from this IP address will fail. However, the rest of the site remains completely accessible to that host as a regular anonymous user; it is only unable to log in temporarily.

Hard Protections

When there is evidence of hard account guessing, or when you need to block users because of password-guessing attempts, Hard Protections may help defend the system. These actions have permanent results and can only be revoked by the site administrator.

  • Block account: it is common to block an account after a number of failed login attempts. Once this count is reached, the account name used in the invalid login operations is blocked, and the user and the admin are notified. Note: the user with uid 1 cannot be blocked. (For this reason it is recommended not to use 'admin' or 'administrator' as the name for user 1.)
  • Block IP address: after a number of failed attempts, a host may be added to the access control list. This action leaves the host completely banned from the site.

Lacking features / other modules & integration

Please see: Is Secure Login still being maintained?

Notifications

The module also provides some notifications that help the administrator or regular users understand what is happening. All the messages can be customized with several placeholders provided by the module. This is the list of the notification options:

  • Display last login timestamp: Displays when a user last logged in at each successful login.
  • Display last access timestamp: Displays when a user last accessed the site at each successful login.
  • Notify the user about the number of remaining login attempts: Warns the user about the remaining attempts available before the account is blocked.
  • Disable login failure error message: with this option selected, no error message is shown at all, so the user will not be aware of an unsuccessful login attempt or of a blocked account (this includes Drupal's own "Invalid username or password" message).
  • Send an email message to the admin about blocked accounts: an email can also be sent to the administrator (uid 1) each time an account is locked.
  • Send an email message to the admin about suspicious login activity: an email can also be sent to the administrator (uid 1) whenever suspicious activity is detected in the login form submissions. The email is sent when a configured threshold of invalid login attempts is reached.
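The following is an added example, not code from the Login Security module, that simulates in plain PHP how the protections listed above (the attack-detection threshold, the growing soft delay, the soft block, the permanent account block and IP ban, and the "remaining attempts" notification) fit together. It keeps all counters in memory instead of Drupal's database and makes no Drupal API calls; the class name, option names, thresholds and the sample host and account values are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Stand-alone simulation of the login protections; not the module's own code.
final class LoginProtection
{
    private array $config;
    private array $hostFailures = [];     // failed attempts per source host
    private array $accountFailures = [];  // failed attempts per account name
    private array $softBlockedHosts = []; // "Invalidate login form submission" (temporary)
    private array $blockedAccounts = [];  // "Block account" (permanent until admin revokes)
    private array $bannedHosts = [];      // "Block IP address" (permanent until admin revokes)
    public array $notifications = [];     // stands in for watchdog() messages / admin emails

    public function __construct(array $overrides = [])
    {
        // Illustrative thresholds (assumed values); 0 disables a hard protection.
        $this->config = array_merge([
            'base_delay_seconds'      => 2,
            'increase_delay'          => true,
            'soft_block_threshold'    => 5,
            'attack_alert_threshold'  => 3,
            'account_block_threshold' => 4,
            'host_ban_threshold'      => 6,
            'uid1_account'            => 'siteowner', // uid 1 can never be blocked
        ], $overrides);
    }

    /** Returns ['allowed' => bool, 'delay' => int, 'reason' => string]. */
    public function attempt(string $host, string $account, bool $passwordOk): array
    {
        // Hard blocks are checked before the password is tested, so a banned host
        // or blocked account learns nothing from further guesses.
        if (isset($this->bannedHosts[$host])) {
            return ['allowed' => false, 'delay' => 0, 'reason' => 'host banned'];
        }
        if (isset($this->blockedAccounts[$account])) {
            return ['allowed' => false, 'delay' => 0, 'reason' => 'account blocked'];
        }
        // A soft-blocked host fails regardless of the password; the failure still counts.
        $softBlocked = isset($this->softBlockedHosts[$host]);
        if (!$softBlocked && $passwordOk) {
            unset($this->hostFailures[$host], $this->accountFailures[$account]);
            return ['allowed' => true, 'delay' => 0, 'reason' => 'ok'];
        }
        return $this->recordFailure($host, $account, $softBlocked);
    }

    private function recordFailure(string $host, string $account, bool $softBlocked): array
    {
        $hostCount = $this->hostFailures[$host] = ($this->hostFailures[$host] ?? 0) + 1;
        $accountCount = $this->accountFailures[$account] = ($this->accountFailures[$account] ?? 0) + 1;

        // Soft protection: base delay, growing with each further failure when enabled.
        $delay = $this->config['base_delay_seconds'];
        if ($this->config['increase_delay']) {
            $delay *= $hostCount;
        }
        $reason = $softBlocked ? 'submission invalidated (soft block)' : 'invalid credentials';
        if ($hostCount >= $this->config['soft_block_threshold']) {
            $this->softBlockedHosts[$host] = true;
            $reason = 'soft block engaged';
        }
        // Ongoing attack detection: one alert per host when the threshold is reached.
        if ($hostCount === $this->config['attack_alert_threshold']) {
            $this->notifications[] = "ALERT: $hostCount failed logins from $host";
        }
        // Hard protections: permanent, and uid 1 is exempt from the account block.
        $blockAt = $this->config['account_block_threshold'];
        if ($blockAt > 0 && $accountCount >= $blockAt && $account !== $this->config['uid1_account']) {
            $this->blockedAccounts[$account] = true;
            $this->notifications[] = "BLOCKED: account '$account' after $accountCount failures";
            $reason = 'account blocked';
        }
        $banAt = $this->config['host_ban_threshold'];
        if ($banAt > 0 && $hostCount >= $banAt) {
            $this->bannedHosts[$host] = true;
            $reason = 'host banned';
        }
        return ['allowed' => false, 'delay' => $delay, 'reason' => $reason];
    }

    /** "Notify the user about the number of remaining login attempts"; null when not applicable. */
    public function remainingAttempts(string $account): ?int
    {
        $blockAt = $this->config['account_block_threshold'];
        if ($blockAt === 0 || $account === $this->config['uid1_account']) {
            return null;
        }
        return max(0, $blockAt - ($this->accountFailures[$account] ?? 0));
    }
}

// Constructed scenario 1: a script guesses 'alice' from a documentation address (RFC 5737).
$guard = new LoginProtection();
for ($i = 1; $i <= 5; $i++) {
    $r = $guard->attempt('203.0.113.7', 'alice', false);
    printf("alice #%d: delay=%ds reason=%s remaining=%s\n", $i, $r['delay'], $r['reason'],
        var_export($guard->remainingAttempts('alice'), true));
}
$r = $guard->attempt('203.0.113.7', 'alice', true);
echo "alice, correct password after block: {$r['reason']}\n";

// Constructed scenario 2: the uid 1 account cannot be blocked, so the host itself gets banned.
for ($i = 1; $i <= 7; $i++) {
    $r = $guard->attempt('198.51.100.9', 'siteowner', false);
    printf("siteowner #%d: delay=%ds reason=%s\n", $i, $r['delay'], $r['reason']);
}
print_r($guard->notifications);
```

Run with `php login_protection.php`. In scenario 1 the delay grows 2, 4, 6, 8 seconds, the alert fires on the third failure, and the fourth failure blocks 'alice' permanently, so even the correct password is refused afterwards. In scenario 2 the account is exempt, the soft block engages on the fifth failure, and the sixth failure bans the host; the seventh request is rejected before any password is checked.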

Installation

Go to the Login Security module project page, then download and install it as you would any other Drupal module.

Configuration

To configure the Login Security module, read the README.txt file included in the package carefully. Once you understand the different options, go to "Administer" > "Site Configuration" > "Login Security" (/admin/settings/login_security) and configure your preferred settings.

Comments

Charles Belov

Set or leave failed attempts at 0 to not use a particular blocking or reporting feature.

Charles Belov
SFMTA Webmaster
http://www.sfmta.com/

usmanjutt84

As in the configuration, what's the purpose of "the attempt is deleted from the list after given hours"?
Modules should include an option (radio buttons to automatic/manually unblock users) in configuration page to unblock user(s) after the given hours. That really feels comfortable while configuring this module.