Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Can Login Security be used with Flood Control? Is there any reason to use both? Or are they redundant modules? It looks like Login Security does everything that Flood Control does?
Comments
Comment #1
jweirather CreditAttribution: jweirather commentedBumping this, hoping for some clarity.
After looking through the code for both, it appears the "Login Security" module uses its own table, "login_security_track" instead of the D7 "flood" table. Also, I don't find any mentions of "flood" in login_security.module or the admin inc file.
Can anyone confirm that Login Security takes precedence over (or otherwise extends) the D7 flood features, and/or that the settings of each won't interfere with the other?
Thanks!
Comment #2
deekayen CreditAttribution: deekayen commentedCore flood control takes precedence over login security. It'd probably be good to figure how to get Login Security to leverage core flood control instead of attempting to implement its own thing that would be secondary anyway.
Comment #3
jweirather CreditAttribution: jweirather commentedGreat. Thanks for the timely update(s)!
FWIW - It seems like some future version of this module might-could also include Username Enumeration Prevention. (since it sounds like it already basically does this). In my mind:
Module - Login Security Basic Settings (core flood control settings)
Submodule (tab) - Login Security Advanced Settings (all the cool stuff in this module)
Submodule (tab) - Username Enumeration Prevention (that module)
etc.
Maybe in the near future I'll have more time to work on contrib features. Would be happy to help, time permitting.
Thanks again!
Comment #4
deekayen CreditAttribution: deekayen commentedWhy include Username Enumeration Prevention when it's already a stable, independent, working module?
Comment #5
jweirather CreditAttribution: jweirather commentedOn Username Enumeration Prevention, combining it was just a passing notion, I'm new to both modules. My impression was there was some overlapping and closely related functionality (login_security.module line 239). I understand your point.
Also, and please forgive me if this is already accounted for or discussed, but does revealing the number of remaining flood-controlled login attempts defeat the purpose of obfuscating login error messages? In other words, if a username only has 4 tries left, then that username must(?) have an account.
Thanks!
Comment #6
deekayen CreditAttribution: deekayen commentedIf that's a concern in your situation, then don't show the "x tries left" message. It's optional iirc.
Comment #7
jweirather CreditAttribution: jweirather commentedYes, it does appear it's optional, thanks.
I guess my underlying question was whether that concern might be already accounted for by the module. As an off-the-cuff example, the module might disregard whether the username actually exists as an account, and show the same counter even for usernames that do not exist on real user accounts, or something similar.
I do understand the practical concerns with storing unknown usernames, etc.
Anyway, thanks for the prompt feedback. It is appreciated.
Comment #8
ElegantSolutions CreditAttribution: ElegantSolutions commentedWhy worry about the username - focus on the IP address. Repeated attempts from a single IP to one or many user names should be blocked.
Comment #9
deekayen CreditAttribution: deekayen commentedBecause right or wrong, standards like PCI focus on username, not IP.
Comment #10
jweirather CreditAttribution: jweirather commented#8, I see your point, but I'd have to imagine that a reasonable percentage of attackers would use a proxy, or switch devices/locations/ISPs.