Securing Your Moodle Installation
Jonathan Moore, Vice President, Remote Learner
Simple Security Measures
● Have a safety net.
  – Backup!
  – Backup!
  – Backup!
● Load only software or services you will use
● Perform regular updates
● Model your security after the layers of clothing you wear on a cold winter day
Run Regular Updates
● Use auto update systems
  – Linux: up2date, yum, apt-get
  – Windows Update
  – Mac OSX update system
● Consider automating updates with a script scheduled via cron
● Stay current with PHP, Apache, and Moodle
Use Mailing Lists to Stay Updated
● CERT
  – http://www.us-cert.gov/cas/signup.html
● PHP
  – http://www.php.net/mailing-lists.php
  – Sign up for the Announcements list
● MySQL
  – http://lists.mysql.com
  – Sign up for MySQL Announcements
Firewalls
● Security experts recommend a dual firewall
  – Differing hardware/software combinations
● Disabling unused services is often as effective as a firewall
  – Use netstat -a to review open network ports
  – Not a guarantee of protection
● Allow ports
  – 80, 443 (SSL), and 9111 (for chat)
Misc Tools
● Hardened-PHP Project/Suhosin
● Server load monitoring
● Intrusion detection systems
● mod_sec
● mod_dos
Web Application Firewall
● Application layer firewall
● Goes beyond port based security
● SQL injection and cross site scripting protection
● Apache
  – mod_sec – URL pattern based protection
  – mod_dos – denial of service protection
Be Prepared for the Worst
● Have backups ready
● Practice recovery procedures ahead of time
● Use a rootkit detector on a regular basis
  – Linux/MacOSX: http://www.chkrootkit.org/
  – Windows: http://www.sysinternals.com/Utilities/RootkitRevealer.html
Moodle Security Alerts
● Register your site with Moodle.org
  – Registered users receive email alerts
● Security alerts are also posted online
  – Web: http://security.moodle.org/
  – RSS feed: http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml
Site Administration -> Security
● Site Policies
  – Force users to login
  – Force login for profiles
  – Cron settings
● HTTPS Logins
● Notifications
● Anti-virus
Miscellaneous Considerations
● Turn off user self registration
● Keep off opentogoogle, especially for K12 sites
● Use SSL, httpslogins=yes
● Disable guest access
● Place enrollment keys on all courses
● Use good passwords
● Set the mysql root user password
● Turn off mysql network access
Most Secure/Paranoid File Permissions
● The Moodle folder
  – Owner: apache user
  – Group: apache group
  – Permissions: 700 directories, 600 files
● The moodledata folder
  – Should be placed outside the webroot, or restricted via .htaccess file
  – Owner: root
  – Group: apache group
  – Permissions: 750 directories, 640 files
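As an added example (not from the slides), a small POSIX shell script that audits a Moodle code tree and a moodledata tree against the modes above and can apply them; the tree paths, the `audit.sh` name and the `apache` owner/group names are assumptions, and ownership changes are left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit (and optionally apply)
# the "paranoid" modes from the slide above.
#   Moodle code tree : 700 directories, 600 files
#   moodledata tree  : 750 directories, 640 files
# Owner/group (apache user, apache group, root) need root and chown(1);
# they are deliberately left to the administrator and not changed here.

# audit_tree TREE DIRMODE FILEMODE
# Prints every directory/file under TREE whose mode is not exactly DIRMODE /
# FILEMODE (octal, as find(1) -perm reads a numeric argument).
# Returns 0 if the tree is clean, 1 if any deviation was printed.
audit_tree() {
    tree=$1 dirmode=$2 filemode=$3
    found=$(
        find "$tree" -type d ! -perm "$dirmode"
        find "$tree" -type f ! -perm "$filemode"
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# count_deviations TREE DIRMODE FILEMODE -> number of offending paths
count_deviations() {
    audit_tree "$1" "$2" "$3" | wc -l | tr -d ' '
}

# apply_modes TREE DIRMODE FILEMODE
# Remediation: force every directory/file under TREE to the given modes.
apply_modes() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Usage when run directly, e.g.:  sh audit.sh /path/to/moodledata 750 640
if [ "$#" -eq 3 ]; then
    audit_tree "$1" "$2" "$3" && echo "OK: $1 matches $2/$3"
fi
```

Run it against both trees (700/600 for the Moodle code, 750/640 for moodledata) from cron alongside the update script so a stray world-readable config.php is reported rather than discovered later.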
Questions?