security

Node Page Disable

module_name
node_page_disable
Description

Adds an checkbox labelled 'Retain /node as an active url?' to /admin/config/system/site-information

This lets you disable the /node page which would otherwise list all published content.

Note it doesn't let you individual disable /node/xxx access by content type - see restrict_node_page_view or rabbit_hole for that.

This is for D7 only - in D8 you go to /admin/structure/views and disable /node there.

Categories
Tested by me
Yes
Drupal 8 support
No
Essential
Yes
Avoid
No
Deprecated
No

Rabbit hole

module_name
rabbit_hole
Description

Lets you set display, access denied, redirect or programmatic accessing for direct access to nodes.

However, note that includes both /node/xxx and the node alias, i.e. you can't just use it to restrict numeric URLs, the human friendly ones will get blocked too - so restrict_node_page_view might be more appropriate.

There's a series of submodules (such as rh_node) and without enabling them you won't see any options in the UI.
(look for the Rabbit Hole tab when editing nodes, for example).

Categories
Tested by me
Yes
Drupal 8 support
Yes
Essential
No
Avoid
No
Deprecated
No

Mydropwizard

module_name
mydropwizard
Description

If you have a Drupal 6 site, this modifies your Available Updates page (/admin/reports/updates) with direct download and release note links to all the D6 LTS (Drupal 6 Long Term Support) releases. 

Categories
Tested by me
Yes
Drupal 8 support
No
Essential
Yes
Avoid
No
Deprecated
No

Google Authenticator login

module_name
ga_login
Description

Use in conjunction with tfa to support OATH based HOTP/TOTP systems.

Nov 2022: No longer needed (i.e. uninstall it) when you upgrade to tfa 2.x for Drupal 9 and 10.

Categories
Tested by me
Yes
Drupal 8 support
Yes
Essential
Yes
Avoid
No
Deprecated
No

Entity Access Audit

module_name
entity_access_audit
Description

This is a way of visualising - via grids of ticks and crosses - which roles have access to different operations on different entities.

Introductory blog post

Categories
Tested by me
No
Drupal 8 support
Yes
Essential
No
Avoid
No

Nagios

module_name
nagios
Description

Generate customisable Nagios reports for things like module updates, cron not running etc.  

The D8 version is now compatible with NRPE because there's a Drush command to generate the Nagios string. 

Categories
Tested by me
Yes
Drupal 8 support
Yes
Essential
No
Avoid
No

Role Watchdog

module_name
role_watchdog
Description

Logs every time a role is changed. Users get a Role History tab and there's a notification feature. 

Should now work fine on D8, not personally tested it (earlier: 15 Sep 2018 - there's a dev branch, but when you install it complains about missing role entity, and drush updb does nothing) 

Categories
Tested by me
Yes
Drupal 8 support
Yes
Essential
Yes
Avoid
No
Deprecated
No

Two Factor Authentication

module_name
tfa
Description

install tfa and ga_login (TFA is just a framework, it doesn't come with it's own login plugins.)

Use this patch I wrote - it adds display of validation skip times and an admin reset button for users who are got locked out.

My installation instructions:

Next you need to generate an encryption profile.
First you need to generate a key - key type needs to be Encryption (not Authentication).
A 128bit key = 128/8 bytes = 16 characters - so generate a random 16 character string.

Set key provider to File rather than Configuration, this means the key won't end up in your version control.

Tick the 'strip trailing line breaks' box to avoid the "The selected key size does not match the actual size of the key." error

Key path should be relative to Drupal so the config will work on multiple sites
e.g. if you have created a file called /app/tfa.key on a lando container, set the key path to ../tfa.key
I'm actually creating mine in a keys directory.

Remember to save the key somewhere in your password manager, or your ansible variables, in case you lose the files later.
Remember to add /keys to your .gitignore file, so it won't get stored in version control.
Remember to copy it manually onto your production server.

In the TFA settings (/admin/config/people/tfa) you probably want to increase the number of times a user can skip validation.

Note that TFA has a separate 'Tfa user login' block (replacing the ordinary 'User login') 

Categories
Tested by me
Yes
Drupal 8 support
Yes
Essential
Yes
Avoid
No

Flood Control

module_name
flood_control
Description

Protect against brute-force login attacks. Unclear what's happening with porting of this.

Categories
Tested by me
No
Drupal 8 support
No
Essential
No