Securing Your Moodle

6,383 views

Published on

Securing Your Moodle and the underlying server, network, and software.

Published in: Technology


  1. Securing Your Moodle Installation
       • Jonathan Moore
       • Vice President
       • Remote Learner
  2. Simple Security Measures
       • Have a safety net.
           • Backup!
           • Backup!
           • Backup!
       • Load only software or services you will use
       • Perform regular updates
       • Model your security after the layers of clothing you wear on a cold winter day
  3. Run Regular Updates
       • Use auto update systems
           • Linux: up2date, yum, apt-get
               • Consider automating updates with a script scheduled via cron
           • Windows Update
           • Mac OS X update system
       • Stay current with PHP, Apache, and Moodle
  4. Use Mailing Lists to Stay Updated
       • CERT
           • http://www.us-cert.gov/cas/signup.html
       • PHP
           • http://www.php.net/mailing-lists.php
           • Sign up for the Announcements list
       • MySQL
           • http://lists.mysql.com
           • Sign up for MySQL Announcements
  5. Firewalls
       • Security experts recommend a dual firewall
           • Differing hardware/software combinations
       • Disabling unused services is often as effective as a firewall
           • Use netstat -a to review open network ports
       • Not a guarantee of protection
       • Allow ports
           • 80, 443 (SSL), and 9111 (for chat)
           • Remote admin: ssh 22, or rdp 3389
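Slide 5 says to review open ports with netstat and to allow only 80, 443, 9111 and the remote-admin port. The script below is an added example, not part of the deck: it compares LISTEN sockets against that allowlist and reports the rest, skipping sockets bound to loopback because they are not reachable from the network anyway. It assumes the column layout of Linux `netstat -tln` output (local address in column 4, state in the last column); the netstat text embedded here is constructed so the script runs offline, and it deliberately includes a MySQL listener on 0.0.0.0:3306, which is what "turn off MySQL network access" on slide 11 is about.

```shell
#!/bin/sh
# Added example (not from the slides): audit listening TCP sockets against the
# port allowlist from the "Firewalls" slide. Assumes Linux `netstat -tln` layout.

# Constructed sample of `netstat -tln` output. On a live host replace it with the
# real command: netstat -tln   (ss -tln prints different columns).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9111            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Ports the slide allows: web, SSL, Moodle chat daemon, ssh for remote admin.
ALLOWED_PORTS="80 443 9111 22"

# Read netstat output on stdin; print "<port> <local address>" for every LISTEN
# socket that is reachable from the network (not loopback) and whose port is not
# in the space-separated allowlist passed as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            if ($4 ~ /^127\./ || $4 ~ /^::1:/) next   # loopback only: not exposed
            port = $4; sub(/.*:/, "", port)           # strip "addr:" (also handles :::80)
            if (!(port in ok)) print port, $4
        }'
}

# Same input; list sockets bound to a loopback address, for information only.
loopback_listeners() {
    awk '$NF == "LISTEN" && ($4 ~ /^127\./ || $4 ~ /^::1:/) { print $4 }'
}

# Wrapper with a non-zero exit status when anything unexpected listens, so it
# can be scheduled from cron alongside the update script the deck suggests.
check_listeners() {
    found=$(unexpected_listeners "$ALLOWED_PORTS")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/unexpected listener: /'
    return 1
}

# Demo on the constructed sample: reports 3306 and 111, exit status 1.
printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners || true
```

Everything reported either needs a firewall rule and a reason to exist, or should be stopped or bound to loopback; for MySQL on a single-server Moodle that means `bind-address = 127.0.0.1` or `skip-networking` in my.cnf, after which 3306 drops out of the report. Port 111 (portmapper) is the kind of unused service slide 5 says to disable rather than firewall.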
  6. Misc Tools
       • Hardened-PHP Project/Suhosin
       • Server load monitoring
       • Intrusion detection systems
       • mod_sec
       • mod_dos
  7. Web Application Firewall
       • Application Layer Firewall
       • Goes beyond port-based security
       • SQL Injection and Cross Site Scripting protection
       • Apache
           • mod_sec – URL pattern based protection
           • mod_dos – denial of service protection
  8. Be Prepared for the Worst
       • Have backups ready
       • Practice recovery procedures ahead of time
       • Use a rootkit detector on a regular basis
           • Linux/Mac OS X:
               • http://www.chkrootkit.org/
           • Windows:
               • http://www.sysinternals.com/Utilities/RootkitRevealer.html
  9. Moodle Security Alerts
       • Register your site with Moodle.org
           • Registered users receive email alerts
       • Security alerts are also posted online
           • Web
               • http://security.moodle.org/
           • RSS feed
               • http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml
  10. Site Administration -> Security
       • Site Policies
           • Force users to login
           • Force login for profiles
           • Cron settings
       • HTTPS Logins
       • Notifications
       • Anti-virus
  11. Miscellaneous Considerations
       • Turn off user self registration
       • Keep opentogoogle off, especially for K-12 sites
       • Use SSL, httpslogins=yes
       • Disable guest access
       • Place enrollment keys on all courses
       • Use good passwords
       • Set the MySQL root user password
       • Turn off MySQL network access
  12. Most Secure/Paranoid File Permissions
       • The Moodle folder
           • Owner: apache user
           • Group: apache group
           • Permissions: 700 directories, 600 files
       • The moodledata folder
           • Should be placed outside the webroot, or restricted via an .htaccess file
           • Owner: root
           • Group: apache group
           • Permissions: 750 directories, 640 files
       • http://moodle.org/forum/discuss.php?d=36185
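Slide 12 gives exact owners and modes for the Moodle code tree and for moodledata but not how to apply or verify them. The script below is an added example, not from the deck or the linked forum thread: it sets the modes recursively, audits a tree for anything that drifted (a later upgrade or an editor saving a file 644 is the usual cause), and writes the .htaccess deny the slide mentions for a moodledata folder that has to stay under the webroot. It assumes POSIX `find`, `chmod` and `chown`; the owner and group are parameters because the web server account differs by distribution (apache, www-data, httpd), and the demo uses the current user's numeric ids on a throwaway directory so it runs without root.

```shell
#!/bin/sh
# Added example (not from the slides): apply and audit the "paranoid" layout
# from slide 12. Moodle code: owner web server user, 700 dirs / 600 files.
# moodledata: owner root, group web server group, 750 dirs / 640 files.

# Set owner:group recursively, then exact modes: $4 for directories, $5 for files.
set_tree_perms() {
    dir="$1" owner="$2" group="$3" dmode="$4" fmode="$5"
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod "$dmode" {} +
    find "$dir" -type f -exec chmod "$fmode" {} +
}

# Print every path whose mode is not exactly the expected one. `-perm 700` with
# no leading - or / is an exact match in POSIX find. Returns 1 if anything drifted.
audit_tree_modes() {
    dir="$1" dmode="$2" fmode="$3"
    bad=$(find "$dir" -type d ! -perm "$dmode"; find "$dir" -type f ! -perm "$fmode")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# For a moodledata folder that cannot leave the webroot: deny all HTTP access.
# Apache 2.2 syntax, matching the era of the deck; Apache 2.4 uses "Require all denied".
# Only effective if AllowOverride permits .htaccess in that directory.
deny_web_access() {
    printf 'Order deny,allow\nDeny from all\n' > "$1/.htaccess"
}

# Demo on a throwaway tree with the current user's ids. On a real server the
# calls would be e.g.:  set_tree_perms /var/www/moodle apache apache 700 600
#                       set_tree_perms /var/moodledata root apache 750 640
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/moodle/lib" "$tmp/moodledata/filedir"
    printf '<?php // constructed placeholder\n' > "$tmp/moodle/config.php"
    printf 'constructed file content\n' > "$tmp/moodledata/filedir/f1"
    deny_web_access "$tmp/moodledata"
    set_tree_perms "$tmp/moodle" "$(id -u)" "$(id -g)" 700 600
    set_tree_perms "$tmp/moodledata" "$(id -u)" "$(id -g)" 750 640
    if audit_tree_modes "$tmp/moodle" 700 600 && audit_tree_modes "$tmp/moodledata" 750 640; then
        echo "permissions as expected under $tmp"
    fi
    rm -rf "$tmp"
}
demo
```

Run `audit_tree_modes` from cron after every Moodle or package update; with 600 on the code tree, note that the web server user is the owner, so a compromised PHP process could still rewrite the code, which is why the deck calls this layout "paranoid" rather than complete, and why moodledata is owned by root with only group access for the server.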
  13. Questions?
