Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Moodle security

4,841 views

Published on

Tips & best practices on securing your Moodle LMS deployment

Published in: Technology
  • Be the first to comment

Moodle security

  1. 1. Moodle Security Dilum Bandara, PhD Dept. of Computer Science & Engineering, University of Moratuwa Dilum.Bandara@uom.lk http://Dilum.Bandara.lk
  2. 2. Security & Privacy in LMSs  Used by many trainers & trainees  Most of them aren’t technically savvy Can be accessible from anywhere, at any time, on many devices  Lost of features    Chat, forums, pools, quizzes, etc. Many internal threats   Motivation to alter grades Motivation to know others grades 2
  3. 3. Outline Security review  Securing Moodle     Moodle server security Moodle site security Best practices 3
  4. 4. Computer Security  Objective   To protect resources of your computer system Resources      Source – http://smallbusinessindia.intuit.in Physical assets Data & software Personnel Trust A computer system is secure if you can depend upon it to behave as you expect 4
  5. 5. Sources of Threats  Outsiders     Hackers/crackers Associates (customers, contractors) Former employees Insiders  Users    Trainers & trainees System administrators Programmers Source – aztechnews.com Most incidents are due to insiders 5
  6. 6. How to Attack a System?  By impersonating a valid user  A student impersonating another student   Wiretapping   Clear passwords Searching   Human engineering Simple (username, password) pairs By exploiting bugs/weaknesses in systems    Default, test, & miss configurations Unencrypted pages Targeted attacks  Buffer overflows, SQL injection attacks 6
  7. 7. Possible Attacks on Moodle Tampering grades  Tampering assignment submission times  Accessing quizzes   Answers or access before allowed time Login as other users  Denial of Service (DoS) attacks  Session hijacking  SQL injection attacks  Cross-site scripting  7
  8. 8. Goals in Security – CIA  Key aspects of a computer related security system Confidentiality Integrity Availability 8
  9. 9. Achieving CIA  To achieve confidentiality, integrity, & availability, computer systems should provide      Identification Authentication Access control Accounting/Auditing Assurance 9
  10. 10. Achieving Security, Privacy, & Trust  Access control     File & data control     Strong passwords & secure logins Minimum access Policies that address what, by whom, when Integrity & confidentiality Separation Backups & policies System protection    Firewalls, antivirus, intruder detection systems Frequent updates Minimal services – hardened servers 10
  11. 11. Securing Moodle  Securing Moodle server   Server-level security (like any server on Internet) Securing Moodle site  Application-level security Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/ Source – http://ifreecode.com/java/javatutorials/web-application-security 11
  12. 12. Securing Moodle Server  Operating System       Linux or Windows Remove unwanted services Access rights Regular security updates Antivirus Secure Network   Firewall Intruder detection system 12
  13. 13. Securing Moodle Server (Cont.)  Web Server    Enable https Load only required modules Access control  Moodle folder 700 (rwx------)files 600 (rw-------) Moodle data folder 750 (rwxr-x---)files 640 (rw-r-----)  Don’t place Moodle data folder on Web Root   e.g., not in www directory   Regular security updates Application-level firewalls   Blocks SQL injection attacks & cross-site scripting ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX 13
  14. 14. Securing Moodle Server (Cont.)  PHP & MySQL   Regular updates phpMyAdmin (www.phpmyadmin.net)    No default password Block outside local network MySQL   Use root user password Turn off network access – if database in same server as Moodle 14
  15. 15. Securing Moodle Site  Force users to login     Turn off user self-registration   Use registration with a key if it’s the only option Minimum access   Disable guest access If really needed, use guest access with a key Enable Captcha Some may be a student/instructor/administrator at the same time Strong password   8+ characters, lower/upper case, numbers, symbols Frequently update 15
  16. 16. Securing Moodle Site (Cont.)  Load only required services/plug-ins  Disable opentogoogle if not essential  Public trainer/trainee profiles Regular updates  Update via Git  Backup at all levels   Data backup      Course backups Moodle data folder SQL data Server backup Moodle software & configuration backup 16
  17. 17. Monitoring, Accounting, & Auditing  Moodle  Moodle log      My courses  Course Name  Reports Logs, Activity, Participant report Moodle statistics PHP log Web server Source – http://binarymuse.g ithub.io/moodle-tools/  Server log Server statistics  /usr/local/apache/logs, /var/log/apache or /var/log/httpd   Operating system log    /var/log/syslog, /var/log/messages Firewall & intruder detection system log Use log analysis tools 17
  18. 18. Best Practices Security first  Minimum access  Enforce login  Use https  Don't use any module just because it's available  Use mailing lists to stay updated  Use forums to find out about modules  18
  19. 19. Resources  Mailing lists      Forums & web sites      Moodle – https://moodle.org/security/ PHP – http://php.net/mailing-lists.php MySQL – http://lists.mysql.com/ Apache – http://httpd.apache.org/lists.html https://moodle.org/mod/forum/ http://www.moodlenews.com/tag/security/ http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security http://krypted.com/mac-security/moodle-security/ Other    http://www.inmotionhosting.com/support/edu/moodle http://www.slideshare.net/moorejon/securing-your-moodle “Moodle Security” by Darko Miletić 19

×