Modules: Security

Advanced User

Details

The advanced user module allows the filtering of users based on the user.module fields and optionally the profile.module fields. The fields available for filtering can be configured using the module settings. Eg. Site admin may search through 1000s of users to display all users who have not accessed their account.

Once the group of users with selected common denominators are filtered, the module can be used to perform functions that email, block, unblock, add or remove roles, or delete. Another nice feature is the ability to notify administrators or other roles, by email, of user account creation or profile changes.

Version	Date	Links	Status
5.x-2.x-dev	2008-May-16	Download · Release notes	Development snapshot

AntiSpam PWF Captcha

AntiSpam Protect Web Form Captcha Plug-in for Drupal
supports English, German, French, Spanish, Russian localization.
Customize your CAPTCHA with desired colors and fonts. Chose among many image types.
Add reload button and audio support.

Version	Date	Links	Status
5.x-1.3	2007-Dec-14	Download · Release notes	Recommended for 5.x

Block anonymous links

BlockAnonymousLinks is a simple module which blocks comments from anonymous users that contain links.

It relies on the fact that most spam messages contain hyperlinks and also on the fact that (for now) (most) spambots don't register on the sites they want to spam. It tries to block comment-spam at an early stage.

Version	Date	Links	Status
6.x-1.0	2008-Mar-14	Download · Release notes	Recommended for 6.x
5.x-1.1	2008-Mar-14	Download · Release notes	Recommended for 5.x

CAPTCHA

A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions from spambots – automated scripts that harvest email address from publicly available web forms.

Version	Date	Links	Status
6.x-1.0-rc2	2008-Apr-11	Download · Release notes	Recommended for 6.x
5.x-3.1	2007-Dec-03	Download · Release notes	Recommended for 5.x
4.7.x-1.2	2007-Jan-30	Download · Release notes	Recommended for 4.7.x

Comment Mail

The Comment Mail module allows an email to be sent to the site administrator(s) when new comments are posted. A link in the email allows quick approval, editing, deletion, and/or banning of the poster's IP address.

Version	Date	Links	Status
5.x-0.1	2007-Jul-25	Download · Release notes	Recommended for 5.x
4.7.x-1.x-dev	2006-Nov-13	Download · Release notes	Development snapshot

Form single

Announcement: There is no good server-side solution for this problem in Drupal 5 or Drupal 6. Your best option is Ted Serbinski's JS solution: http://tedserbinski.com/2007/01/11/how_to_prevent_duplicate_posts

This module is seeking a maintainer. Contact me if interested.

http://drupal.org/files/issues/t_6.patch

Any efforts to backport this patch to 4.7 would be greatly appreciated. To read about the final soultion that was achieved, read here:

http://drupal.org/node/107358

The Formsingle module prevents forms in Drupal 4.7 from being submitted twice. Try this; with your Drupal 4.7 installation, create a new page, or submit a new comment. When it comes time to press the submit button, click it as many times as you can before the page reloads. Can you click it 50 times? 100 times? Does Drupal submit a new page or comment for every single click? You bet! This module fixes that.

As this is a new module and totally untested in the real world, I highly recommend NOT installing it on live sites. Please test this module, examine the code, provide feedback, and hopefully soon we'll have a solid tool to provide this (critical) feature.

See the Roadmap issue in the issue tracker for an overview of tasks and future directions for this module.

Version	Date	Links	Status
5.x-1.x-dev	2007-Jan-29	Download · Release notes	Development snapshot
4.7.x-1.x-dev	2006-Nov-30	Download · Release notes	Development snapshot

Google Proxy Hacking Protector

In Dan Thies' great post about the method "Google Proxy Hacking" at

http://www.seofaststart.com/blog/google-proxy-hacking

he illustrates how an (evil) third party can remove your site from the Google
search results.

One actual example of the application of this black hat SEO tactic
for Google bowling my own company site out the results is illustrated here

http://www.marketingfan.com/search-engines/google-proxy-bowling

Obivously this screams for a solution and Dan and Jamie already presented some methods
for doing that.

The project "antiproxyhack" implements these as a convenient drupal module
for all drupal users of version 5.x and upwards (we are considering a backport to 4.7 too, but want to get new sites updated first!)

Please use the CVS or dev version until v1.2! Thanks!

Version	Date	Links	Status
5.x-1.2	2007-Oct-29	Download · Release notes	Recommended for 5.x

Gotcha - Contact Spam Catcher

Gotcha is sort of a take off on "captcha." The idea was first mentioned on http://drupal.org/node/166921 as a possible way to trick spam bots who try to use the Drupal contact form. I don't particulary like the extra step humans are required to perform in these "verification" methods, and some just don't work.

The idea is simple: Basically you place a bogus input field on a contact form, and use CSS to not display it. On submission you check for a value. If there is a value entered, then that means a non-human has been blanketing form fields, and the form post can be ignored as spam. The spam bot will probably never know.

Gotcha adds a field labeled "Subject" at the top of the contact form. It uses a "div" tag to render the field as "display: none" so human users shouldn't see it, and won't enter any data there. Hopefully, the suspected spam bot will see "Subject" and be enticed to enter something there. There is descriptive text to encourage a human (whose browser might be set to display it anyway) to ignore this field.

Gotcha intercepts the contact form submission and checks the hidden field. If something is there, Gotcha simply returns to the front page and ignores the message. The attempt is logged, along with the submitter's IP address, and the suspect message is saved in the database. If the field is empty, then the message is passed on through to the contact module for normal processing.

Unfortunately, most of the spam was still getting through. And most of that was a bunch of links to drugs or porn. From exerience, I knew that the Spam module was already good at dealing with this in comments. After browsing that module, I found that I could "hook" into its filters and use them to identify spam.

All of my spam emails stopped immediately!

Version	Date	Links	Status
5.x-1.0	2007-Nov-17	Download · Release notes	Recommended for 5.x

Hashcash

Hashcash is a module which implements the Hashcash algorithm to help protect sites from spam. This module is similar to the popular wordpress plugin wp-hashcash.

Administrators are able to specify which roles need to pass a Hashcash check, and also which forms should have the hashcash check inserted into them

This is the first release of Hashcash, so any feedback would be greatly appreciated

The development of this module has been funded in part by the EDIT project

sdrycroft

Version	Date	Links	Status
5.x-1.2	2008-Apr-23	Download · Release notes	Recommended for 5.x

http:BL

Implementation of http:BL for Drupal. It provides IP-based blacklisting through http:BL and allows linking to a honeypot. http:BL allows blocking of email harvesters and comment spammers through a centralized DNS blacklist. See http://www.projecthoneypot.org/httpbl.php for more information.

Version	Date	Links	Status
5.x-2.1	2008-Apr-29	Download · Release notes	Recommended for 5.x

Login Security

With Login security a site administrator may add two types of access control to the login forms (default and block) within a defined time window.

Version	Date	Links	Status
6.x-1.x-dev	2008-Jan-21	Download · Release notes	Development snapshot
5.x-1.1	2008-Jan-24	Download · Release notes	Recommended for 5.x

Organic Groups Sites

Together, og_sites_hub and og_sites provide multisite functionality in which a central 'hub' site has a set of associated sites leveraging Organic Groups functionality to selectively share data (nodes and users), such that the hub site has access to all data while associated sites see and edit only their own data plus that specifically shared by the hub site.

Version	Date	Links	Status
5.x-1.x-dev	2007-Jun-19	Download · Release notes	Development snapshot

Password policy

This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy.

Version	Date	Links	Status
6.x-1.x-dev	2008-Feb-13	Download · Release notes	Development snapshot
4.7.x-1.x-dev	2007-Jan-03	Download · Release notes	Development snapshot

Password Strength

This module provides a backport of Drupal 6's jQuery password strength checking to Drupal 5. It also adds PHP-based password strength checking and validation routines that mirror the jQuery routines, so that administrators can restrict passwords to only be, for example, "high" strength. The module simply modifies existing password confirm fields (where two passwords are entered, like the user edit form), so no other setup is required beyond configuring the desired enforcement rules.

Version	Date	Links	Status
5.x-1.2	2008-Apr-06	Download · Release notes	Recommended for 5.x