I have removed the login block from a website, using the following method : Home » Administration » Structure » Blocks Select "Show block on specific pages" -> "Only the listed pages" And as per documentation entered "user". Works great, but someone could still tamper with my website by an easy guess (especially if they were familiar with drupal) and try to hack their way in.
I created a page with a path alias of "hubris". The page shows when I am logged in as admin, but if I log out and request the page I get a "Page Not Found Error" but I do get the login block. Could anyone tell me why I'm getting the error message.
thanks
* Tim Johnson tim@akwebsoft.com [130128 12:00]:
I have removed the login block from a website, using the following method : Home » Administration » Structure » Blocks Select "Show block on specific pages" -> "Only the listed pages" And as per documentation entered "user". Works great, but someone could still tamper with my website by an easy guess (especially if they were familiar with drupal) and try to hack their way in.
I created a page with a path alias of "hubris". The page shows when I am logged in as admin, but if I log out and request the page I get a "Page Not Found Error" but I do get the login block. Could anyone tell me why I'm getting the error message.
What's more : I would like to _not_ show the user page at all.
IOWS if a visitor pointed their browser at http://mydrupalsite.com/user, they would get a "page not found" error.
As far as I know with D7...
Yes, you can remove the login block. But if they type yoursitename.whatever/user/login, they will be presented with a login page.
Bob
-----Original Message----- From: Tim Johnson Sent: Monday, January 28, 2013 4:00 PM To: Drupal Support ML Subject: [support] Understanding the 'user' node
I have removed the login block from a website, using the following method : Home » Administration » Structure » Blocks Select "Show block on specific pages" -> "Only the listed pages" And as per documentation entered "user". Works great, but someone could still tamper with my website by an easy guess (especially if they were familiar with drupal) and try to hack their way in.
I created a page with a path alias of "hubris". The page shows when I am logged in as admin, but if I log out and request the page I get a "Page Not Found Error" but I do get the login block. Could anyone tell me why I'm getting the error message.
thanks
* Bob@TurnerPCC.com Bob@TurnerPCC.com [130128 13:57]:
As far as I know with D7...
Yes, you can remove the login block. But if they type yoursitename.whatever/user/login, they will be presented with a login page.
Bob
Hi Bob:
Actually on my site it's 'user' not login. ('login' gives me "Page Not Found") As it is now, I can create a page with the login block that could be a secret name. But 'user' persists. I would really like to disable the 'user' node, which is (I guess) kind of a 'builtin' node. I wonder if it could be disabled from the database. What do you think?
Thanks for the reply
Tim,
You are past my understanding of Drupal, either that or you are off base. Hopefully others will comment. I will listen.
Bob
-----Original Message----- From: Tim Johnson Sent: Monday, January 28, 2013 6:18 PM To: support@drupal.org Subject: Re: [support] Understanding the 'user' node
* Bob@TurnerPCC.com Bob@TurnerPCC.com [130128 13:57]:
As far as I know with D7...
Yes, you can remove the login block. But if they type yoursitename.whatever/user/login, they will be presented with a login page.
Bob
Hi Bob:
Actually on my site it's 'user' not login. ('login' gives me "Page Not Found") As it is now, I can create a page with the login block that could be a secret name. But 'user' persists. I would really like to disable the 'user' node, which is (I guess) kind of a 'builtin' node. I wonder if it could be disabled from the database. What do you think?
Thanks for the reply
* Bob@TurnerPCC.com Bob@TurnerPCC.com [130128 15:05]:
Tim,
You are past my understanding of Drupal, either that or you are off base. Hopefully others will comment. I will listen.
I'm new to drupal. I could very well be off base. Furthermore, when one is new to a system one may ask questions in a syntax that is perhaps not appropriate to the system.
The 'bottom line' is that 1)I want a 'secret' node with which to log in as admin 2)I want the 'user' node to become inactive, or 'access denied'. (If it can be done). thank you for your help.
On Mon, Jan 28, 2013 at 7:19 PM, Tim Johnson tim@akwebsoft.com wrote:
The 'bottom line' is that 1)I want a 'secret' node with which to log in as admin 2)I want the 'user' node to become inactive, or 'access denied'. (If it can be done). thank you for your help.
I don't understand what the problem is. If they don't have a username and password they can't log in. Just like every other site in the universe.
Then again, just like most things in Drupal, there is a module for this: http://drupal.org/project/rename_admin_paths
No idea if it works.
And you can prevent them from ever getting a username and password by setting People - Account Settings to Admin only. So they have to apply to you to get an ID on the system. Then when they go to /user there is no register tab so they can't even spam you unless they guess the email address of the U=1 user.
On Mon, Jan 28, 2013 at 9:44 PM, Al Sessions fultonchain@gmail.com wrote:
On Mon, Jan 28, 2013 at 7:19 PM, Tim Johnson tim@akwebsoft.com wrote:
The 'bottom line' is that 1)I want a 'secret' node with which to log in as admin 2)I want the 'user' node to become inactive, or 'access denied'. (If it can be done). thank you for your help.
I don't understand what the problem is. If they don't have a username and password they can't log in. Just like every other site in the universe.
Then again, just like most things in Drupal, there is a module for this: http://drupal.org/project/rename_admin_paths
No idea if it works.
-- Al Sessions http://valecemetery.org http://420summit.com http://ld-cards.com
-- [ Drupal support list | http://lists.drupal.org/ ]
From what I understand, in the WordPress world it is a fairly common thing to change the path of the user login page in order to harden the site because this helps prevent bots from finding the login page in the first place. The other thing that is commonly done is to change the preassigned admin username to something else.
I myself have wondered about how this might be done with Drupal, and have never found an answer. Although to be honest, I never looked that hard. So if you do find the answer, or if someone knows the answer to this, please post it back here.
All the Best, Steve
On Mon, Jan 28, 2013 at 10:28 PM, Walt Daniels wdlists@gmail.com wrote:
And you can prevent them from ever getting a username and password by setting People - Account Settings to Admin only. So they have to apply to you to get an ID on the system. Then when they go to /user there is no register tab so they can't even spam you unless they guess the email address of the U=1 user.
On Mon, Jan 28, 2013 at 9:44 PM, Al Sessions fultonchain@gmail.com wrote:
On Mon, Jan 28, 2013 at 7:19 PM, Tim Johnson tim@akwebsoft.com wrote:
The 'bottom line' is that 1)I want a 'secret' node with which to log in as admin 2)I want the 'user' node to become inactive, or 'access denied'. (If it can be done). thank you for your help.
I don't understand what the problem is. If they don't have a username and password they can't log in. Just like every other site in the universe.
Then again, just like most things in Drupal, there is a module for this: http://drupal.org/project/rename_admin_paths
No idea if it works.
-- Al Sessions http://valecemetery.org http://420summit.com http://ld-cards.com
On Mon, Jan 28, 2013 at 10:41 PM, Steve Wickham steve@wickwoodonline.com wrote:
From what I understand, in the WordPress world it is a fairly common thing to change the path of the user login page in order to harden the site because this helps prevent bots from finding the login page in the first place. The other thing that is commonly done is to change the preassigned admin username to something else.
I myself have wondered about how this might be done with Drupal, and have never found an answer. Although to be honest, I never looked that hard. So if you do find the answer, or if someone knows the answer to this, please post it back here.
It can be done but you have to study the hooks system of the API. But setting user registration to admin only and removing the login block should be sufficient. Changing /user is a bit on the paranoid side.
I think if you are working in the WordPress world it helps to be paranoid. ;-) That's why I'm working with Drupal and gave up searching for an answer to this question myself.
Steve
On Tue, Jan 29, 2013 at 8:19 AM, Earnie Boyd earnie@users.sourceforge.net wrote:
On Mon, Jan 28, 2013 at 10:41 PM, Steve Wickham steve@wickwoodonline.com wrote:
From what I understand, in the WordPress world it is a fairly common thing to change the path of the user login page in order to harden the site because this helps prevent bots from finding the login page in the first place. The other thing that is commonly done is to change the preassigned admin username to something else.
I myself have wondered about how this might be done with Drupal, and have never found an answer. Although to be honest, I never looked that hard. So if you do find the answer, or if someone knows the answer to this, please post it back here.
It can be done but you have to study the hooks system of the API. But setting user registration to admin only and removing the login block should be sufficient. Changing /user is a bit on the paranoid side.
-- Earnie
-- https://sites.google.com/site/earnieboyd
It can be done using menu_alter, but I do agree it is on the paranoid side and really won't provide extra security. Instead it's much better to do something like add CAPTCHA on the login form. Even better:
https://drupal.org/project/flood_control
You can limit the number of failed logins per IP and username.
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 1/29/2013 8:19 AM, Earnie Boyd wrote:
On Mon, Jan 28, 2013 at 10:41 PM, Steve Wickham steve@wickwoodonline.com wrote:
From what I understand, in the WordPress world it is a fairly common thing to change the path of the user login page in order to harden the site because this helps prevent bots from finding the login page in the first place. The other thing that is commonly done is to change the preassigned admin username to something else.
I myself have wondered about how this might be done with Drupal, and have never found an answer. Although to be honest, I never looked that hard. So if you do find the answer, or if someone knows the answer to this, please post it back here.
It can be done but you have to study the hooks system of the API. But setting user registration to admin only and removing the login block should be sufficient. Changing /user is a bit on the paranoid side.
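The per-IP and per-username limiting of failed logins mentioned in the message above, as an added example that is not part of the thread and not the Flood Control module's code. The thresholds, class and function names, and the sample attempts (documentation-range addresses) are all constructed for illustration.

```python
from collections import defaultdict, deque

# Example thresholds (assumptions for this illustration, not values from the thread).
IP_LIMIT, IP_WINDOW = 5, 3600        # failed logins allowed per source IP per hour
USER_LIMIT, USER_WINDOW = 3, 21600   # failed logins allowed per username per 6 hours


class FloodLimiter:
    """Sliding-window count of failed logins, keyed by IP and by username."""

    def __init__(self):
        self._events = defaultdict(deque)   # key -> timestamps of failures

    def _count(self, key, now, window):
        q = self._events[key]
        while q and q[0] <= now - window:   # forget failures older than the window
            q.popleft()
        return len(q)

    def is_allowed(self, ip, username, now):
        return (self._count(("ip", ip), now, IP_WINDOW) < IP_LIMIT
                and self._count(("user", username), now, USER_WINDOW) < USER_LIMIT)

    def register_failure(self, ip, username, now):
        self._events[("ip", ip)].append(now)
        self._events[("user", username)].append(now)


def replay(attempts):
    """Replay (time, ip, username, password_ok) tuples and return each outcome."""
    limiter, outcomes = FloodLimiter(), []
    for now, ip, user, password_ok in attempts:
        if not limiter.is_allowed(ip, user, now):
            outcomes.append("blocked")      # rejected before the password is checked
        elif password_ok:
            outcomes.append("ok")
        else:
            limiter.register_failure(ip, user, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample: guesses against one username arriving from different IPs.
# The per-IP counter never trips; the per-username counter does, and it also
# locks out the real owner until the window has passed.
DISTRIBUTED = [(0, "203.0.113.1", "admin", False), (10, "203.0.113.2", "admin", False),
               (20, "203.0.113.3", "admin", False), (30, "203.0.113.4", "admin", False),
               (40, "198.51.100.7", "admin", True), (21700, "198.51.100.7", "admin", True)]

# Constructed sample: one IP trying many usernames; only the per-IP counter trips.
SPRAY = [(100 + i, "192.0.2.9", f"user{i}", False) for i in range(6)]

if __name__ == "__main__":
    print(replay(DISTRIBUTED))
    print(replay(SPRAY))
```

Neither counter depends on where the login form lives, so the limit applies whether or not the /user path has been renamed.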
On Mon, Jan 28, 2013 at 10:41 PM, Steve Wickham steve@wickwoodonline.com wrote:
From what I understand, in the WordPress world it is a fairly common thing to change the path of the user login page in order to harden the site because this helps prevent bots from finding the login page in the first place. The other thing that is commonly done is to change the preassigned admin username to something else.
I myself have wondered about how this might be done with Drupal, and have never found an answer. Although to be honest, I never looked that hard. So if you do find the answer, or if someone knows the answer to this, please post it back here.
http://drupal.org/project/rename_admin_paths
This module allows you to:
- rename path like '/admin/...' to '/something/...'
- rename path like '/user/..' to '/something else/..'
It can be effective against registration spam bots or malicious people.
This small module just implements hook_outbound_alter and hook_inbound_alter to rename paths. A settings form allows to choose replacement term for "admin" and "user".
* Al Sessions fultonchain@gmail.com [130129 10:37]:
http://drupal.org/project/rename_admin_paths
This module allows you to:
- rename path like '/admin/...' to '/something/...'
- rename path like '/user/..' to '/something else/..'
It can be effective against registration spam bots or malicious people.
This small module just implements hook_outbound_alter and hook_inbound_alter to rename paths. A settings form allows to choose replacement term for "admin" and "user".
I have just implemented this. It works as advertised!
FYI: I have clients and potential clients that are 1)Paranoid - citing good reason 2)Extremely security conscious - citing good reason 3)Suspicious of PHP - http://en.wikiquote.org/wiki/Rasmus_Lerdorf doesn't help things. 4)Suspicious of CMS systems.
(drupal, however - regardless of the core language is well spoken of by members of the same community, one of the reasons I chose to learn it)
This module is going to help me overcome much of the above. Furthermore it is illustrative of drupal's rich store of resources.
I included the enumerated items not to encourage controversy but to point out the push back that I am working to overcome. :) I'm not as paranoid as they are....
Thanks again for the support. You all keep up the good work. cheers
There is no such thing as a user 'node' (well, unless you use one of those modules). Users are just users.
If you get rid of /user, how are you ever going to get in to administer the site?
I have a bunch of sites where the login block has been disabled entirely. On those sites, one must use the /user path. I don't see what the harm of leaving that in place could be. Without an ID and password, the user is going nowhere.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
From: Tim Johnson
Actually on my site it's 'user' not login. ('login' gives me "Page Not Found") As it is now, I can create a page with the login block that could be a secret name. But 'user' persists. I would really like to disable the 'user' node, which is (I guess) kind of a 'builtin' node. I wonder if it could be disabled from the database. What do you think?
* Ms. Nancy Wichmann nan_wich@bellsouth.net [130128 15:17]:
There is no such thing as a user 'node' (well, unless you use one of those modules). Users are just users.
Then I am using the term 'user' improperly. I apologize.
If you get rid of /user, how are you ever going to get in to administer the site?
I would (and have) created a new page with a secret name. As of now it is called 'hubris' (see my OP)
I have a bunch of sites where the login block has been disabled entirely. On those sites, one must use the /user path. I don't see what the harm of leaving that in place could be. Without an ID and password, the user is going nowhere.
Yes, it may be unnecessary to do this. But in the meantime, I am still learning things. I probably should go with your opinion.
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
<Amen>
* Tim Johnson tim@akwebsoft.com [130128 12:00]:
Home » Administration » Structure » Blocks Select "Show block on specific pages" -> "Only the listed pages" And as per documentation entered "user". Works great, but someone could still tamper with my website by an easy guess (especially if they were familiar with drupal) and try to hack their way in.
Thanks for all of the suggestions. I have enough input to get me started. FYI: 1)I'm not paranoid 2)Some of my potential clients are and they are paid to be. Nuff said.... 3)I'm glad I'm using drupal and not the ..um.. other one. 4)Regardless of the need, this is a good learning exercise for me. cheers