Moodle Security
Dilum Bandara, PhD
Dept. of Computer Science & Engineering, University of Moratuwa
Dilum.Bandara@uom.lk
http://Dilum.Bandara.lk
Security & Privacy in LMSs
- Used by many trainers & trainees
  - Most of them aren't technically savvy
- Can be accessed from anywhere, at any time, on many devices
- Lots of features
  - Chat, forums, polls, quizzes, etc.
- Many internal threats
  - Motivation to alter grades
  - Motivation to know others' grades
Outline
- Security review
- Securing Moodle
  - Moodle server security
  - Moodle site security
- Best practices
Computer Security
- Objective
  - To protect the resources of your computer system
- Resources
  - Physical assets
  - Data & software
  - Personnel
  - Trust
- A computer system is secure if you can depend upon it to behave as you expect
Image source – http://smallbusinessindia.intuit.in
Sources of Threats
- Outsiders
  - Hackers/crackers
  - Associates (customers, contractors)
  - Former employees
- Insiders
  - Users: trainers & trainees
  - System administrators
  - Programmers
- Most incidents are due to insiders
Image source – aztechnews.com
How to Attack a System?
- By impersonating a valid user
  - A student impersonating another student
  - Simple (username, password) pairs
  - Clear-text passwords
  - Wiretapping
  - Human engineering (social engineering)
  - Searching
- By exploiting bugs/weaknesses in systems
  - Default, test, & misconfigurations
  - Unencrypted pages
  - Targeted attacks
    - Buffer overflows, SQL injection attacks
Possible Attacks on Moodle
- Tampering with grades
- Tampering with assignment submission times
- Accessing quizzes
  - Answers, or access before the allowed time
- Logging in as other users
- Denial of Service (DoS) attacks
- Session hijacking
- SQL injection attacks
- Cross-site scripting
Goals in Security – CIA
- Key aspects of a computer-related security system
  - Confidentiality
  - Integrity
  - Availability
Achieving CIA
- To achieve confidentiality, integrity, & availability, computer systems should provide
  - Identification
  - Authentication
  - Access control
  - Accounting/Auditing
  - Assurance
Achieving Security, Privacy, & Trust
- Access control
  - Strong passwords & secure logins
  - Minimum access
  - Policies that address what, by whom, when
- File & data control
  - Integrity & confidentiality
  - Separation
  - Backups & policies
- System protection
  - Firewalls, antivirus, intrusion detection systems
  - Frequent updates
  - Minimal services – hardened servers
Securing Moodle
- Securing the Moodle server
  - Server-level security (like any server on the Internet)
- Securing the Moodle site
  - Application-level security
Image sources – http://www.altfire.ie/automaticserver-scans-with-security-reports/ and http://ifreecode.com/java/javatutorials/web-application-security
Securing Moodle Server
- Operating System
  - Linux or Windows
  - Remove unwanted services
  - Access rights
  - Regular security updates
  - Antivirus
- Secure Network
  - Firewall
  - Intrusion detection system
Securing Moodle Server (Cont.)
- Web Server
  - Enable https
  - Load only required modules
  - Access control
    - Moodle folder 700 (rwx------), files 600 (rw-------)
    - Moodle data folder 750 (rwxr-x---), files 640 (rw-r-----)
    - Don't place the Moodle data folder in the web root (e.g., not in the www directory)
  - Regular security updates
  - Application-level firewalls
    - Block SQL injection attacks & cross-site scripting
    - ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
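An added example (not part of the slides or of Moodle itself) that audits an install against the access-control points above: it flags any entry under the code or data folder whose mode grants more than 700/600 or 750/640 respectively, and checks that the data folder is not inside the web root. The paths in the `__main__` block are assumptions for the demo.

```python
"""Audit a Moodle install against the modes listed above: moodle/ 700 & 600,
moodledata/ 750 & 640, and moodledata outside the web root.
Added example, not part of the slides or of Moodle itself."""
import os
import stat
from pathlib import PurePosixPath

CODE_MODES = (0o700, 0o600)   # moodle/: dirs rwx------, files rw-------
DATA_MODES = (0o750, 0o640)   # moodledata/: dirs rwxr-x---, files rw-r-----


def walk_modes(root):
    """Yield (path, is_dir, permission_bits) for every entry under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield full, stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode)


def find_loose_permissions(entries, expected):
    """Return (path, mode, extra_bits) for entries that grant more than
    expected = (dir_mode, file_mode). Tighter modes pass (0o600 under a
    0o640 rule is fine); any bit outside the rule, e.g. world-read, is flagged."""
    dir_mode, file_mode = expected
    findings = []
    for path, is_dir, mode in entries:
        extra = mode & ~(dir_mode if is_dir else file_mode)
        if extra:
            findings.append((path, oct(mode), oct(extra)))
    return findings


def data_dir_inside_web_root(data_dir, web_root):
    """True when moodledata sits under the web root (e.g. inside www/), so
    the web server could serve uploaded files directly."""
    data, root = PurePosixPath(data_dir), PurePosixPath(web_root)
    return data == root or root in data.parents


if __name__ == "__main__":
    # Paths below are assumptions for the demo; point them at the real install.
    checks = (("moodle", "/var/www/moodle", CODE_MODES),
              ("moodledata", "/var/moodledata", DATA_MODES))
    for label, root, expected in checks:
        for path, mode, extra in find_loose_permissions(walk_modes(root), expected):
            print(f"{label}: {path} is {mode}, extra bits {extra}")
    if data_dir_inside_web_root("/var/moodledata", "/var/www"):
        print("moodledata is inside the web root; move it out")
```

Run it as the web server's user on the real paths; an empty report means every entry is at least as tight as the slide recommends.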
Securing Moodle Server (Cont.)
- PHP & MySQL
  - Regular updates
  - phpMyAdmin (www.phpmyadmin.net)
    - No default password
    - Block access from outside the local network
  - MySQL
    - Set a password for the root user
    - Turn off network access if the database is on the same server as Moodle
Securing Moodle Site
- Force users to log in
  - Disable guest access
  - If really needed, use guest access with a key
  - Enable Captcha
- Turn off user self-registration
  - Use registration with a key if it's the only option
- Minimum access
  - Some may be a student/instructor/administrator at the same time
- Strong passwords
  - 8+ characters, lower/upper case, numbers, symbols
  - Update frequently
Securing Moodle Site (Cont.)
- Load only required services/plug-ins
  - Disable opentogoogle if not essential
  - Public trainer/trainee profiles
- Regular updates
  - Update via Git
- Backup at all levels
  - Data backup
    - Course backups
    - Moodle data folder
    - SQL data
  - Server backup
  - Moodle software & configuration backup
Monitoring, Accounting, & Auditing
- Moodle
  - Moodle log
    - My courses > Course Name > Reports > Logs, Activity, Participant report
  - Moodle statistics
- Web server
  - Server log
    - /usr/local/apache/logs, /var/log/apache or /var/log/httpd
  - Server statistics
  - PHP log
- Operating system log
  - /var/log/syslog, /var/log/messages
- Firewall & intrusion detection system log
- Use log analysis tools
Image source – http://binarymuse.github.io/moodle-tools/
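An added example of the kind of check a log analysis tool automates over the web server log listed above (not code from the slides or from Moodle): it parses Apache combined-format lines and reports source addresses that POST to Moodle's login page repeatedly inside a short window, the signature of someone trying simple (username, password) pairs. The log lines are constructed for the demo; the login path is Moodle's standard `/login/index.php`.

```python
"""Find password-guessing bursts against Moodle's login page in an Apache
access log, the kind of check a log analysis tool should automate.
Added example, not from the slides; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '   # Apache combined
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login/index.php"   # Moodle's login form handler

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:00:01 +0530] "POST /login/index.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2014:09:00:05 +0530] "POST /login/index.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2014:09:00:09 +0530] "POST /login/index.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2014:09:00:14 +0530] "POST /login/index.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2014:09:00:20 +0530] "POST /login/index.php HTTP/1.1" 200 4120
198.51.100.4 - - [10/Mar/2014:09:01:30 +0530] "POST /login/index.php?x=1 HTTP/1.1" 303 -
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"].split("?")[0], int(m["status"]))


def login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total login POSTs} for IPs with at least `threshold` POSTs
    to the login page inside any sliding `window`; status codes are ignored."""
    posts = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0                       # oldest POST still inside the window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG.splitlines()` and cross-check any flagged address against the Moodle log's own login entries before acting.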
Best Practices
- Security first
- Minimum access
- Enforce login
- Use https
- Don't use any module just because it's available
- Use mailing lists to stay updated
- Use forums to find out about modules
Resources
- Mailing lists
  - Moodle – https://moodle.org/security/
  - PHP – http://php.net/mailing-lists.php
  - MySQL – http://lists.mysql.com/
  - Apache – http://httpd.apache.org/lists.html
- Forums & web sites
  - https://moodle.org/mod/forum/
  - http://www.moodlenews.com/tag/security/
  - http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
  - http://krypted.com/mac-security/moodle-security/
- Other
  - http://www.inmotionhosting.com/support/edu/moodle
  - http://www.slideshare.net/moorejon/securing-your-moodle
  - "Moodle Security" by Darko Miletić