Moodle security

3,904 views
3,636 views

Published on

Tips & best practices on securing your Moodle LMS deployment

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,904
On SlideShare
0
From Embeds
0
Number of Embeds
1,265
Actions
Shares
0
Downloads
53
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Moodle security

  1. 1. Moodle Security Dilum Bandara, PhD Dept. of Computer Science & Engineering, University of Moratuwa Dilum.Bandara@uom.lk http://Dilum.Bandara.lk
  2. 2. Security & Privacy in LMSs  Used by many trainers & trainees  Most of them aren’t technically savvy Can be accessible from anywhere, at any time, on many devices  Lost of features    Chat, forums, pools, quizzes, etc. Many internal threats   Motivation to alter grades Motivation to know others grades 2
  3. 3. Outline Security review  Securing Moodle     Moodle server security Moodle site security Best practices 3
  4. 4. Computer Security  Objective   To protect resources of your computer system Resources      Source – http://smallbusinessindia.intuit.in Physical assets Data & software Personnel Trust A computer system is secure if you can depend upon it to behave as you expect 4
  5. 5. Sources of Threats  Outsiders     Hackers/crackers Associates (customers, contractors) Former employees Insiders  Users    Trainers & trainees System administrators Programmers Source – aztechnews.com Most incidents are due to insiders 5
  6. 6. How to Attack a System?  By impersonating a valid user  A student impersonating another student   Wiretapping   Clear passwords Searching   Human engineering Simple (username, password) pairs By exploiting bugs/weaknesses in systems    Default, test, & miss configurations Unencrypted pages Targeted attacks  Buffer overflows, SQL injection attacks 6
  7. 7. Possible Attacks on Moodle Tampering grades  Tampering assignment submission times  Accessing quizzes   Answers or access before allowed time Login as other users  Denial of Service (DoS) attacks  Session hijacking  SQL injection attacks  Cross-site scripting  7
  8. 8. Goals in Security – CIA  Key aspects of a computer related security system Confidentiality Integrity Availability 8
  9. 9. Achieving CIA  To achieve confidentiality, integrity, & availability, computer systems should provide      Identification Authentication Access control Accounting/Auditing Assurance 9
  10. 10. Achieving Security, Privacy, & Trust  Access control     File & data control     Strong passwords & secure logins Minimum access Policies that address what, by whom, when Integrity & confidentiality Separation Backups & policies System protection    Firewalls, antivirus, intruder detection systems Frequent updates Minimal services – hardened servers 10
  11. 11. Securing Moodle  Securing Moodle server   Server-level security (like any server on Internet) Securing Moodle site  Application-level security Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/ Source – http://ifreecode.com/java/javatutorials/web-application-security 11
  12. 12. Securing Moodle Server  Operating System       Linux or Windows Remove unwanted services Access rights Regular security updates Antivirus Secure Network   Firewall Intruder detection system 12
  13. 13. Securing Moodle Server (Cont.)  Web Server    Enable https Load only required modules Access control  Moodle folder 700 (rwx------)files 600 (rw-------) Moodle data folder 750 (rwxr-x---)files 640 (rw-r-----)  Don’t place Moodle data folder on Web Root   e.g., not in www directory   Regular security updates Application-level firewalls   Blocks SQL injection attacks & cross-site scripting ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX 13
  14. 14. Securing Moodle Server (Cont.)  PHP & MySQL   Regular updates phpMyAdmin (www.phpmyadmin.net)    No default password Block outside local network MySQL   Use root user password Turn off network access – if database in same server as Moodle 14
  15. 15. Securing Moodle Site  Force users to login     Turn off user self-registration   Use registration with a key if it’s the only option Minimum access   Disable guest access If really needed, use guest access with a key Enable Captcha Some may be a student/instructor/administrator at the same time Strong password   8+ characters, lower/upper case, numbers, symbols Frequently update 15
  16. 16. Securing Moodle Site (Cont.)  Load only required services/plug-ins  Disable opentogoogle if not essential  Public trainer/trainee profiles Regular updates  Update via Git  Backup at all levels   Data backup      Course backups Moodle data folder SQL data Server backup Moodle software & configuration backup 16
  17. 17. Monitoring, Accounting, & Auditing  Moodle  Moodle log      My courses  Course Name  Reports Logs, Activity, Participant report Moodle statistics PHP log Web server Source – http://binarymuse.g ithub.io/moodle-tools/  Server log Server statistics  /usr/local/apache/logs, /var/log/apache or /var/log/httpd   Operating system log    /var/log/syslog, /var/log/messages Firewall & intruder detection system log Use log analysis tools 17
  18. 18. Best Practices Security first  Minimum access  Enforce login  Use https  Don't use any module just because it's available  Use mailing lists to stay updated  Use forums to find out about modules  18
  19. 19. Resources  Mailing lists      Forums & web sites      Moodle – https://moodle.org/security/ PHP – http://php.net/mailing-lists.php MySQL – http://lists.mysql.com/ Apache – http://httpd.apache.org/lists.html https://moodle.org/mod/forum/ http://www.moodlenews.com/tag/security/ http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security http://krypted.com/mac-security/moodle-security/ Other    http://www.inmotionhosting.com/support/edu/moodle http://www.slideshare.net/moorejon/securing-your-moodle “Moodle Security” by Darko Miletić 19

×