SlideShare a Scribd company logo
1 of 19
Moodle Security
Dilum Bandara, PhD
Dept. of Computer Science & Engineering,
University of Moratuwa
Dilum.Bandara@uom.lk
http://Dilum.Bandara.lk
Security & Privacy in LMSs


Used by many trainers & trainees


Most of them aren’t technically savvy

Can be accessible from anywhere, at any time,
on many devices
 Lost of features






Chat, forums, pools, quizzes, etc.

Many internal threats




Motivation to alter grades
Motivation to know others grades

2
Outline
Security review
 Securing Moodle







Moodle server security
Moodle site security

Best practices

3
Computer Security


Objective




To protect resources of your computer system

Resources








Source – http://smallbusinessindia.intuit.in

Physical assets
Data & software
Personnel
Trust

A computer system is secure if you can depend
upon it to behave as you expect
4
Sources of Threats


Outsiders






Hackers/crackers
Associates (customers, contractors)
Former employees

Insiders


Users





Trainers & trainees

System administrators
Programmers
Source – aztechnews.com

Most incidents are due to insiders
5
How to Attack a System?


By impersonating a valid user


A student impersonating another student




Wiretapping




Clear passwords

Searching




Human engineering

Simple (username, password) pairs

By exploiting bugs/weaknesses in systems





Default, test, & miss configurations
Unencrypted pages
Targeted attacks


Buffer overflows, SQL injection attacks

6
Possible Attacks on Moodle
Tampering grades
 Tampering assignment submission times
 Accessing quizzes




Answers or access before allowed time

Login as other users
 Denial of Service (DoS) attacks
 Session hijacking
 SQL injection attacks
 Cross-site scripting


7
Goals in Security – CIA


Key aspects of a computer related security system
Confidentiality

Integrity

Availability
8
Achieving CIA


To achieve confidentiality, integrity, &
availability, computer systems should provide







Identification
Authentication
Access control
Accounting/Auditing
Assurance

9
Achieving Security, Privacy, & Trust


Access control






File & data control






Strong passwords & secure logins
Minimum access
Policies that address what, by whom, when
Integrity & confidentiality
Separation
Backups & policies

System protection




Firewalls, antivirus, intruder detection systems
Frequent updates
Minimal services – hardened servers

10
Securing Moodle


Securing Moodle server




Server-level security (like any server on Internet)

Securing Moodle site


Application-level security

Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/

Source – http://ifreecode.com/java/javatutorials/web-application-security
11
Securing Moodle Server


Operating System









Linux or Windows
Remove unwanted services
Access rights
Regular security updates
Antivirus

Secure Network



Firewall
Intruder detection system

12
Securing Moodle Server (Cont.)


Web Server




Enable https
Load only required modules
Access control


Moodle folder 700 (rwx------)files 600 (rw-------)
Moodle data folder 750 (rwxr-x---)files 640 (rw-r-----)



Don’t place Moodle data folder on Web Root



 e.g., not in www directory




Regular security updates
Application-level firewalls



Blocks SQL injection attacks & cross-site scripting
ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
13
Securing Moodle Server (Cont.)


PHP & MySQL



Regular updates
phpMyAdmin (www.phpmyadmin.net)





No default password
Block outside local network

MySQL



Use root user password
Turn off network access – if database in same server as
Moodle

14
Securing Moodle Site


Force users to login






Turn off user self-registration




Use registration with a key if it’s the only option

Minimum access




Disable guest access
If really needed, use guest access with a key
Enable Captcha

Some may be a student/instructor/administrator at the
same time

Strong password



8+ characters, lower/upper case, numbers, symbols
Frequently update

15
Securing Moodle Site (Cont.)


Load only required services/plug-ins


Disable opentogoogle if not essential



Public trainer/trainee profiles
Regular updates
 Update via Git



Backup at all levels





Data backup







Course backups
Moodle data folder
SQL data

Server backup
Moodle software & configuration backup

16
Monitoring, Accounting, & Auditing


Moodle


Moodle log








My courses  Course Name  Reports
Logs, Activity, Participant report

Moodle statistics
PHP log

Web server
Source – http://binarymuse.g
ithub.io/moodle-tools/



Server log
Server statistics



/usr/local/apache/logs, /var/log/apache or /var/log/httpd





Operating system log





/var/log/syslog, /var/log/messages

Firewall & intruder detection system log
Use log analysis tools

17
Best Practices
Security first
 Minimum access
 Enforce login
 Use https
 Don't use any module just because it's available
 Use mailing lists to stay updated
 Use forums to find out about modules


18
Resources


Mailing lists








Forums & web sites







Moodle – https://moodle.org/security/
PHP – http://php.net/mailing-lists.php
MySQL – http://lists.mysql.com/
Apache – http://httpd.apache.org/lists.html
https://moodle.org/mod/forum/
http://www.moodlenews.com/tag/security/
http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
http://krypted.com/mac-security/moodle-security/

Other




http://www.inmotionhosting.com/support/edu/moodle
http://www.slideshare.net/moorejon/securing-your-moodle
“Moodle Security” by Darko Miletić
19

More Related Content

What's hot

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Cloudstack vs Openstack
Cloudstack vs OpenstackCloudstack vs Openstack
Cloudstack vs OpenstackHuzefa Husain
 
Apache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel QuarkusApache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel QuarkusClaus Ibsen
 
Using portainer at open suse leap 15.1
Using portainer at open suse leap 15.1Using portainer at open suse leap 15.1
Using portainer at open suse leap 15.1Darian Rizaludin
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configurationAlberto Rivai
 
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)Kai Wähner
 
Building flexible ETL pipelines with Apache Camel on Quarkus
Building flexible ETL pipelines with Apache Camel on QuarkusBuilding flexible ETL pipelines with Apache Camel on Quarkus
Building flexible ETL pipelines with Apache Camel on QuarkusIvelin Yanev
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansiblesriram_rajan
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hackingbegmohsin
 
Camel Day Italy 2021 - What's new in Camel 3
Camel Day Italy 2021 - What's new in Camel 3Camel Day Italy 2021 - What's new in Camel 3
Camel Day Italy 2021 - What's new in Camel 3Claus Ibsen
 
KSQL Deep Dive - The Open Source Streaming Engine for Apache Kafka
KSQL Deep Dive - The Open Source Streaming Engine for Apache KafkaKSQL Deep Dive - The Open Source Streaming Engine for Apache Kafka
KSQL Deep Dive - The Open Source Streaming Engine for Apache KafkaKai Wähner
 
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...TomBarron
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
Processing IoT Data from End to End with MQTT and Apache Kafka
Processing IoT Data from End to End with MQTT and Apache Kafka Processing IoT Data from End to End with MQTT and Apache Kafka
Processing IoT Data from End to End with MQTT and Apache Kafka confluent
 
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsRunning Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsLightbend
 

What's hot (20)

Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Cloudstack vs Openstack
Cloudstack vs OpenstackCloudstack vs Openstack
Cloudstack vs Openstack
 
Tools kali
Tools kaliTools kali
Tools kali
 
Apache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel QuarkusApache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel Quarkus
 
Using portainer at open suse leap 15.1
Using portainer at open suse leap 15.1Using portainer at open suse leap 15.1
Using portainer at open suse leap 15.1
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configuration
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)
Apache Kafka vs. Integration Middleware (MQ, ETL, ESB)
 
Building flexible ETL pipelines with Apache Camel on Quarkus
Building flexible ETL pipelines with Apache Camel on QuarkusBuilding flexible ETL pipelines with Apache Camel on Quarkus
Building flexible ETL pipelines with Apache Camel on Quarkus
 
Ansible - Hands on Training
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on Training
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansible
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
 
Camel Day Italy 2021 - What's new in Camel 3
Camel Day Italy 2021 - What's new in Camel 3Camel Day Italy 2021 - What's new in Camel 3
Camel Day Italy 2021 - What's new in Camel 3
 
KSQL Deep Dive - The Open Source Streaming Engine for Apache Kafka
KSQL Deep Dive - The Open Source Streaming Engine for Apache KafkaKSQL Deep Dive - The Open Source Streaming Engine for Apache Kafka
KSQL Deep Dive - The Open Source Streaming Engine for Apache Kafka
 
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Nagios intro
Nagios intro Nagios intro
Nagios intro
 
Processing IoT Data from End to End with MQTT and Apache Kafka
Processing IoT Data from End to End with MQTT and Apache Kafka Processing IoT Data from End to End with MQTT and Apache Kafka
Processing IoT Data from End to End with MQTT and Apache Kafka
 
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsRunning Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
 

Viewers also liked

VaticHub - Vehicular Data Analytics
VaticHub - Vehicular Data AnalyticsVaticHub - Vehicular Data Analytics
VaticHub - Vehicular Data AnalyticsVaticHub
 
Information System Security
Information System Security Information System Security
Information System Security Syed Asif Sherazi
 
1 security goals
1   security goals1   security goals
1 security goalsdrewz lin
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & CryptographyArun ACE
 
Sequential Logic Circuits
Sequential Logic CircuitsSequential Logic Circuits
Sequential Logic CircuitsDilum Bandara
 
Junli Gu at AI Frontiers: Autonomous Driving Revolution
Junli Gu at AI Frontiers: Autonomous Driving RevolutionJunli Gu at AI Frontiers: Autonomous Driving Revolution
Junli Gu at AI Frontiers: Autonomous Driving RevolutionAI Frontiers
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems Haitham Ahmed
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer securityArzath Areeff
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
Autonomous Vehicles: Technologies, Economics, and Opportunities
Autonomous Vehicles: Technologies, Economics, and OpportunitiesAutonomous Vehicles: Technologies, Economics, and Opportunities
Autonomous Vehicles: Technologies, Economics, and OpportunitiesJeffrey Funk
 
Driving Disrupted: Driverless Cars Change Everything
Driving Disrupted: Driverless Cars Change EverythingDriving Disrupted: Driverless Cars Change Everything
Driving Disrupted: Driverless Cars Change Everythingsparks & honey
 
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...Yole Developpement
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 

Viewers also liked (20)

VaticHub - Vehicular Data Analytics
VaticHub - Vehicular Data AnalyticsVaticHub - Vehicular Data Analytics
VaticHub - Vehicular Data Analytics
 
Information System Security
Information System Security Information System Security
Information System Security
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
1 security goals
1   security goals1   security goals
1 security goals
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & Cryptography
 
Sequential Logic
Sequential LogicSequential Logic
Sequential Logic
 
Sequential Logic Circuits
Sequential Logic CircuitsSequential Logic Circuits
Sequential Logic Circuits
 
Junli Gu at AI Frontiers: Autonomous Driving Revolution
Junli Gu at AI Frontiers: Autonomous Driving RevolutionJunli Gu at AI Frontiers: Autonomous Driving Revolution
Junli Gu at AI Frontiers: Autonomous Driving Revolution
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems
 
Security
SecuritySecurity
Security
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
 
Security threats
Security threatsSecurity threats
Security threats
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Autonomous Vehicles: Technologies, Economics, and Opportunities
Autonomous Vehicles: Technologies, Economics, and OpportunitiesAutonomous Vehicles: Technologies, Economics, and Opportunities
Autonomous Vehicles: Technologies, Economics, and Opportunities
 
Driving Disrupted: Driverless Cars Change Everything
Driving Disrupted: Driverless Cars Change EverythingDriving Disrupted: Driverless Cars Change Everything
Driving Disrupted: Driverless Cars Change Everything
 
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...
Sensors and Data Management for Autonomous Vehicles report 2015 by Yole Devel...
 
Network security
Network securityNetwork security
Network security
 
Computer Security Threats
Computer Security ThreatsComputer Security Threats
Computer Security Threats
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Similar to Moodle security

Securing Your Moodle
Securing Your MoodleSecuring Your Moodle
Securing Your Moodlemoorejon
 
3 secure design principles
3   secure design principles3   secure design principles
3 secure design principlesdrewz lin
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesBrian Huff
 
Internet Security
Internet SecurityInternet Security
Internet SecurityAnne Adrian
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemEditor IJCATR
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practicesphanleson
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating systemabdullah roomi
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Securityamiable_indian
 
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docxSecurity ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docxbagotjesusa
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityFredReynolds2
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerablePrecisely
 
Primend praktiline konverents - Office 365 turvalisus
Primend praktiline konverents - Office 365 turvalisusPrimend praktiline konverents - Office 365 turvalisus
Primend praktiline konverents - Office 365 turvalisusPrimend
 

Similar to Moodle security (20)

Securing Your Moodle
Securing Your MoodleSecuring Your Moodle
Securing Your Moodle
 
3 secure design principles
3   secure design principles3   secure design principles
3 secure design principles
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
 
Joomla Security
Joomla  SecurityJoomla  Security
Joomla Security
 
Joomla Security
Joomla SecurityJoomla Security
Joomla Security
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating system
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
 
WordPress Security 2018
WordPress Security 2018WordPress Security 2018
WordPress Security 2018
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docxSecurity ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
 
How You Can Keep Your Organization Secure
How You Can Keep Your Organization Secure How You Can Keep Your Organization Secure
How You Can Keep Your Organization Secure
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database Security
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i Vulnerable
 
Primend praktiline konverents - Office 365 turvalisus
Primend praktiline konverents - Office 365 turvalisusPrimend praktiline konverents - Office 365 turvalisus
Primend praktiline konverents - Office 365 turvalisus
 

More from Dilum Bandara

Introduction to Machine Learning
Introduction to Machine LearningIntroduction to Machine Learning
Introduction to Machine LearningDilum Bandara
 
Time Series Analysis and Forecasting in Practice
Time Series Analysis and Forecasting in PracticeTime Series Analysis and Forecasting in Practice
Time Series Analysis and Forecasting in PracticeDilum Bandara
 
Introduction to Dimension Reduction with PCA
Introduction to Dimension Reduction with PCAIntroduction to Dimension Reduction with PCA
Introduction to Dimension Reduction with PCADilum Bandara
 
Introduction to Descriptive & Predictive Analytics
Introduction to Descriptive & Predictive AnalyticsIntroduction to Descriptive & Predictive Analytics
Introduction to Descriptive & Predictive AnalyticsDilum Bandara
 
Introduction to Concurrent Data Structures
Introduction to Concurrent Data StructuresIntroduction to Concurrent Data Structures
Introduction to Concurrent Data StructuresDilum Bandara
 
Hard to Paralelize Problems: Matrix-Vector and Matrix-Matrix
Hard to Paralelize Problems: Matrix-Vector and Matrix-MatrixHard to Paralelize Problems: Matrix-Vector and Matrix-Matrix
Hard to Paralelize Problems: Matrix-Vector and Matrix-MatrixDilum Bandara
 
Introduction to Map-Reduce Programming with Hadoop
Introduction to Map-Reduce Programming with HadoopIntroduction to Map-Reduce Programming with Hadoop
Introduction to Map-Reduce Programming with HadoopDilum Bandara
 
Embarrassingly/Delightfully Parallel Problems
Embarrassingly/Delightfully Parallel ProblemsEmbarrassingly/Delightfully Parallel Problems
Embarrassingly/Delightfully Parallel ProblemsDilum Bandara
 
Introduction to Warehouse-Scale Computers
Introduction to Warehouse-Scale ComputersIntroduction to Warehouse-Scale Computers
Introduction to Warehouse-Scale ComputersDilum Bandara
 
Introduction to Thread Level Parallelism
Introduction to Thread Level ParallelismIntroduction to Thread Level Parallelism
Introduction to Thread Level ParallelismDilum Bandara
 
CPU Memory Hierarchy and Caching Techniques
CPU Memory Hierarchy and Caching TechniquesCPU Memory Hierarchy and Caching Techniques
CPU Memory Hierarchy and Caching TechniquesDilum Bandara
 
Data-Level Parallelism in Microprocessors
Data-Level Parallelism in MicroprocessorsData-Level Parallelism in Microprocessors
Data-Level Parallelism in MicroprocessorsDilum Bandara
 
Instruction Level Parallelism – Hardware Techniques
Instruction Level Parallelism – Hardware TechniquesInstruction Level Parallelism – Hardware Techniques
Instruction Level Parallelism – Hardware TechniquesDilum Bandara
 
Instruction Level Parallelism – Compiler Techniques
Instruction Level Parallelism – Compiler TechniquesInstruction Level Parallelism – Compiler Techniques
Instruction Level Parallelism – Compiler TechniquesDilum Bandara
 
CPU Pipelining and Hazards - An Introduction
CPU Pipelining and Hazards - An IntroductionCPU Pipelining and Hazards - An Introduction
CPU Pipelining and Hazards - An IntroductionDilum Bandara
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
High Performance Networking with Advanced TCP
High Performance Networking with Advanced TCPHigh Performance Networking with Advanced TCP
High Performance Networking with Advanced TCPDilum Bandara
 
Introduction to Content Delivery Networks
Introduction to Content Delivery NetworksIntroduction to Content Delivery Networks
Introduction to Content Delivery NetworksDilum Bandara
 
Peer-to-Peer Networking Systems and Streaming
Peer-to-Peer Networking Systems and StreamingPeer-to-Peer Networking Systems and Streaming
Peer-to-Peer Networking Systems and StreamingDilum Bandara
 

More from Dilum Bandara (20)

Introduction to Machine Learning
Introduction to Machine LearningIntroduction to Machine Learning
Introduction to Machine Learning
 
Time Series Analysis and Forecasting in Practice
Time Series Analysis and Forecasting in PracticeTime Series Analysis and Forecasting in Practice
Time Series Analysis and Forecasting in Practice
 
Introduction to Dimension Reduction with PCA
Introduction to Dimension Reduction with PCAIntroduction to Dimension Reduction with PCA
Introduction to Dimension Reduction with PCA
 
Introduction to Descriptive & Predictive Analytics
Introduction to Descriptive & Predictive AnalyticsIntroduction to Descriptive & Predictive Analytics
Introduction to Descriptive & Predictive Analytics
 
Introduction to Concurrent Data Structures
Introduction to Concurrent Data StructuresIntroduction to Concurrent Data Structures
Introduction to Concurrent Data Structures
 
Hard to Paralelize Problems: Matrix-Vector and Matrix-Matrix
Hard to Paralelize Problems: Matrix-Vector and Matrix-MatrixHard to Paralelize Problems: Matrix-Vector and Matrix-Matrix
Hard to Paralelize Problems: Matrix-Vector and Matrix-Matrix
 
Introduction to Map-Reduce Programming with Hadoop
Introduction to Map-Reduce Programming with HadoopIntroduction to Map-Reduce Programming with Hadoop
Introduction to Map-Reduce Programming with Hadoop
 
Embarrassingly/Delightfully Parallel Problems
Embarrassingly/Delightfully Parallel ProblemsEmbarrassingly/Delightfully Parallel Problems
Embarrassingly/Delightfully Parallel Problems
 
Introduction to Warehouse-Scale Computers
Introduction to Warehouse-Scale ComputersIntroduction to Warehouse-Scale Computers
Introduction to Warehouse-Scale Computers
 
Introduction to Thread Level Parallelism
Introduction to Thread Level ParallelismIntroduction to Thread Level Parallelism
Introduction to Thread Level Parallelism
 
CPU Memory Hierarchy and Caching Techniques
CPU Memory Hierarchy and Caching TechniquesCPU Memory Hierarchy and Caching Techniques
CPU Memory Hierarchy and Caching Techniques
 
Data-Level Parallelism in Microprocessors
Data-Level Parallelism in MicroprocessorsData-Level Parallelism in Microprocessors
Data-Level Parallelism in Microprocessors
 
Instruction Level Parallelism – Hardware Techniques
Instruction Level Parallelism – Hardware TechniquesInstruction Level Parallelism – Hardware Techniques
Instruction Level Parallelism – Hardware Techniques
 
Instruction Level Parallelism – Compiler Techniques
Instruction Level Parallelism – Compiler TechniquesInstruction Level Parallelism – Compiler Techniques
Instruction Level Parallelism – Compiler Techniques
 
CPU Pipelining and Hazards - An Introduction
CPU Pipelining and Hazards - An IntroductionCPU Pipelining and Hazards - An Introduction
CPU Pipelining and Hazards - An Introduction
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
High Performance Networking with Advanced TCP
High Performance Networking with Advanced TCPHigh Performance Networking with Advanced TCP
High Performance Networking with Advanced TCP
 
Introduction to Content Delivery Networks
Introduction to Content Delivery NetworksIntroduction to Content Delivery Networks
Introduction to Content Delivery Networks
 
Peer-to-Peer Networking Systems and Streaming
Peer-to-Peer Networking Systems and StreamingPeer-to-Peer Networking Systems and Streaming
Peer-to-Peer Networking Systems and Streaming
 
Mobile Services
Mobile ServicesMobile Services
Mobile Services
 

Recently uploaded

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Moodle security

  • 1. Moodle Security Dilum Bandara, PhD Dept. of Computer Science & Engineering, University of Moratuwa Dilum.Bandara@uom.lk http://Dilum.Bandara.lk
  • 2. Security & Privacy in LMSs  Used by many trainers & trainees  Most of them aren’t technically savvy Can be accessible from anywhere, at any time, on many devices  Lost of features    Chat, forums, pools, quizzes, etc. Many internal threats   Motivation to alter grades Motivation to know others grades 2
  • 3. Outline Security review  Securing Moodle     Moodle server security Moodle site security Best practices 3
  • 4. Computer Security  Objective   To protect resources of your computer system Resources      Source – http://smallbusinessindia.intuit.in Physical assets Data & software Personnel Trust A computer system is secure if you can depend upon it to behave as you expect 4
  • 5. Sources of Threats  Outsiders     Hackers/crackers Associates (customers, contractors) Former employees Insiders  Users    Trainers & trainees System administrators Programmers Source – aztechnews.com Most incidents are due to insiders 5
  • 6. How to Attack a System?  By impersonating a valid user  A student impersonating another student   Wiretapping   Clear passwords Searching   Human engineering Simple (username, password) pairs By exploiting bugs/weaknesses in systems    Default, test, & miss configurations Unencrypted pages Targeted attacks  Buffer overflows, SQL injection attacks 6
  • 7. Possible Attacks on Moodle Tampering grades  Tampering assignment submission times  Accessing quizzes   Answers or access before allowed time Login as other users  Denial of Service (DoS) attacks  Session hijacking  SQL injection attacks  Cross-site scripting  7
  • 8. Goals in Security – CIA  Key aspects of a computer related security system Confidentiality Integrity Availability 8
  • 9. Achieving CIA  To achieve confidentiality, integrity, & availability, computer systems should provide      Identification Authentication Access control Accounting/Auditing Assurance 9
  • 10. Achieving Security, Privacy, & Trust  Access control     File & data control     Strong passwords & secure logins Minimum access Policies that address what, by whom, when Integrity & confidentiality Separation Backups & policies System protection    Firewalls, antivirus, intruder detection systems Frequent updates Minimal services – hardened servers 10
  • 11. Securing Moodle  Securing Moodle server   Server-level security (like any server on Internet) Securing Moodle site  Application-level security Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/ Source – http://ifreecode.com/java/javatutorials/web-application-security 11
  • 12. Securing Moodle Server  Operating System       Linux or Windows Remove unwanted services Access rights Regular security updates Antivirus Secure Network   Firewall Intruder detection system 12
  • 13. Securing Moodle Server (Cont.)  Web Server    Enable https Load only required modules Access control  Moodle folder 700 (rwx------)files 600 (rw-------) Moodle data folder 750 (rwxr-x---)files 640 (rw-r-----)  Don’t place Moodle data folder on Web Root   e.g., not in www directory   Regular security updates Application-level firewalls   Blocks SQL injection attacks & cross-site scripting ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX 13
  • 14. Securing Moodle Server (Cont.)  PHP & MySQL   Regular updates phpMyAdmin (www.phpmyadmin.net)    No default password Block outside local network MySQL   Use root user password Turn off network access – if database in same server as Moodle 14
  • 15. Securing Moodle Site  Force users to login     Turn off user self-registration   Use registration with a key if it’s the only option Minimum access   Disable guest access If really needed, use guest access with a key Enable Captcha Some may be a student/instructor/administrator at the same time Strong password   8+ characters, lower/upper case, numbers, symbols Frequently update 15
  • 16. Securing Moodle Site (Cont.)  Load only required services/plug-ins  Disable opentogoogle if not essential  Public trainer/trainee profiles Regular updates  Update via Git  Backup at all levels   Data backup      Course backups Moodle data folder SQL data Server backup Moodle software & configuration backup 16
  • 17. Monitoring, Accounting, & Auditing  Moodle  Moodle log      My courses  Course Name  Reports Logs, Activity, Participant report Moodle statistics PHP log Web server Source – http://binarymuse.g ithub.io/moodle-tools/  Server log Server statistics  /usr/local/apache/logs, /var/log/apache or /var/log/httpd   Operating system log    /var/log/syslog, /var/log/messages Firewall & intruder detection system log Use log analysis tools 17
  • 18. Best Practices Security first  Minimum access  Enforce login  Use https  Don't use any module just because it's available  Use mailing lists to stay updated  Use forums to find out about modules  18
  • 19. Resources  Mailing lists      Forums & web sites      Moodle – https://moodle.org/security/ PHP – http://php.net/mailing-lists.php MySQL – http://lists.mysql.com/ Apache – http://httpd.apache.org/lists.html https://moodle.org/mod/forum/ http://www.moodlenews.com/tag/security/ http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security http://krypted.com/mac-security/moodle-security/ Other    http://www.inmotionhosting.com/support/edu/moodle http://www.slideshare.net/moorejon/securing-your-moodle “Moodle Security” by Darko Miletić 19