Login Security

Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.

With Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (default login form in /user and the block called "login form block"). Enabling this module, a site administrator may

• limit the number of invalid login attempts before blocking accounts,
• or deny access by IP address, temporarily or permanently.

A set of notifications by email or Nagios may help the site administrator to know when something is happening with the login form of their site:

• password and account guessing,
• bruteforce login attempts or just unexpected behaviour with the login operation.

For alternative controls, Login Security can disable Drupal core's login error messages, obfuscating the reason for the login failure. This could make it harder for an attacker to discover whether the account even exists.

On login, users can optionally see their last login or access timestamp.

For a lighter alternative, check out Flood control.