securing your moodle
If you can't read please download the document
DESCRIPTION
Securing Your Moodle and the underlying server, network, and software.TRANSCRIPT
- 1. Securing Your Moodle Installation
-
- Jonathan Moore
-
-
- Vice President
-
- Remote Learner
2. Simple Security Measures
- Have a safety net.
-
- Backup!
-
- Backup!
-
- Backup!
- Load only software or services you will use
- Perform regular updates
- Model your security after the layers of clothing you wear on a cold winter day
3. Run Regular Updates
- Use auto update systems
-
- Linux: up2date, yum, apt-get
-
-
- Consider automating updates with a script scheduled via cron
-
-
- Windows Update
-
- Mac OSX update system
- Stay current with PHP, Apache, and Moodle
4.
- Use Mailing Lists toStay Updated
-
- CERT
-
-
- http://www.us-cert.gov/cas/signup.html
-
-
- PHP
-
-
- http://www.php.net/mailing-lists.php
-
-
-
- Sign up for Announcements list
-
-
- MySQL
-
-
- http://lists.mysql.com
-
-
-
- Sign up for MySQL Announcements
-
5. Firewalls
- Security experts recommend a dual firewall
-
- Differing hardware/software combinations
- Disabling unused services is often as effective as a firewall
-
- Use netstat -a to review open network ports
- Not a guarantee of protection
- Allow ports
-
- 80, 443(ssl), and 9111 (for chat),
-
- Remote admin: ssh 22, or rpd 3389
6.
- Misc Tools
- Hardened-PHP Project/Suhosin
- Server load monitoring
- Intrusion detection systems
- mod_sec
- mod_dos
7.
- Web Application Firewall
- Application Layer Firewall
- Goes beyond port based security
- SQL Injections and Cross Site Scripting Protection
- Apache
-
- mod_sec url pattern based protection
-
- mod_dos denial of service protection
8. Be Prepared for the Worst
- Have backups ready
- Practice recovery procedures ahead of time
- Use a rootkit detector on a regular basis
-
- Linux/MacOSX:
-
-
- http://www.chkrootkit.org/
-
-
- Windows:
-
-
- http://www.sysinternals.com/Utilities/RootkitRevealer.html
-
9. Moodle Security Alerts
- Register your site with Moodle.org
-
- Registered users receive email alerts
- Security alerts also posted online
-
- Web
-
-
- http://security.moodle.org/
-
-
- RSS feed
-
-
- http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml
-
10.
- Site Administration -> Security
- Site Policies
-
- Force users to login
-
- Force login for profiles
-
- Cron settings
- HTTPS Logins
- Notifications
- Anti-virus
11. Miscellaneous Considerations
- Turn off user self registration
- Keep off opentogoogle, esp for K12 sites
- Use SSL, httpslogins=yes
- Disable guest access
- Place enrollment keys on all courses
- Use good passwords
- Set the mysql root user password
- Turn off mysql network access
12. Most Secure/Paranoid File Permissions
- The Moodle folder
-
- Owner apache user
-
- Group apache group
-
- Permissions 700 directories, 600 files
- The moodledata folder
-
- Should be placed outside the webroot, or restricted via .htaccess file
-
- Owner root
-
- Group apache group
-
- Permissions 750 directories, 640 files
- http://moodle.org/forum/discuss.php?d=36185
13.
- Questions?