1. Securing Your Moodle Installation

• • Jonathan Moore

• Vice President

• Remote Learner

2. Simple Security Measures

Have a safety net.

• Backup!

• Backup!

• Backup!

Load only software or services you will use

Perform regular updates

Model your security after the layers of clothing you wear on a cold winter day

3. Run Regular Updates

Use auto update systems

• Linux: up2date, yum, apt-get

• • Consider automating updates with a script scheduled via cron

• Windows Update

• Mac OSX update system

Stay current with PHP, Apache, and Moodle

4.

Use Mailing Lists toStay Updated

• CERT

• • http://www.us-cert.gov/cas/signup.html

• PHP

• • http://www.php.net/mailing-lists.php

• • Sign up for Announcements list

• MySQL

• • http://lists.mysql.com

• • Sign up for MySQL Announcements

5. Firewalls

Security experts recommend a dual firewall

• Differing hardware/software combinations

Disabling unused services is often as effective as a firewall

• Use netstat -a to review open network ports

Not a guarantee of protection

Allow ports

• 80, 443(ssl), and 9111 (for chat),

• Remote admin: ssh 22, or rpd 3389

6.

Misc Tools

Hardened-PHP Project/Suhosin

Server load monitoring

Intrusion detection systems

mod_sec

mod_dos

7.

Web Application Firewall

Application Layer Firewall

Goes beyond port based security

SQL Injections and Cross Site Scripting Protection

Apache

• mod_sec url pattern based protection

• mod_dos denial of service protection

8. Be Prepared for the Worst

Have backups ready

Practice recovery procedures ahead of time

Use a rootkit detector on a regular basis

• Linux/MacOSX:

• • http://www.chkrootkit.org/

• Windows:

• • http://www.sysinternals.com/Utilities/RootkitRevealer.html

9. Moodle Security Alerts

Register your site with Moodle.org

• Registered users receive email alerts

Security alerts also posted online

• Web

• • http://security.moodle.org/

• RSS feed

• • http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml

10.

Site Administration -> Security

Site Policies

• Force users to login

• Force login for profiles

• Cron settings

HTTPS Logins

Notifications

Anti-virus

11. Miscellaneous Considerations

Turn off user self registration

Keep off opentogoogle, esp for K12 sites

Use SSL, httpslogins=yes

Disable guest access

Place enrollment keys on all courses

Use good passwords

Set the mysql root user password

Turn off mysql network access

12. Most Secure/Paranoid File Permissions

The Moodle folder

• Owner apache user

• Group apache group

• Permissions 700 directories, 600 files

The moodledata folder

• Should be placed outside the webroot, or restricted via .htaccess file

• Owner root

• Group apache group

• Permissions 750 directories, 640 files

http://moodle.org/forum/discuss.php?d=36185

13.

Questions?