Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: Security recommendations.

Security recommendations

From MoodleDocs

Revision as of 21:50, 10 February 2006 by Jonathan Moore (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to:navigation, search

Simple Security Measures

The best security strategy is a good backup!
Load only software or services you will use
Perform regular updates
Model your security after the layers of clothing you wear on a cold winter day

Run Regular Updates

Use auto update systems
Windows Update
Linux: up2date, yum, apt-get
- Consider automating updates with a script scheduled via cron
Mac OSX update system
Stay current with php, apache, and moodle

Use Mailing Lists to Stay Updated

CERT
- http://www.us-cert.gov/cas/signup.html
PHP
- http://www.php.net/mailing-lists.php
- Sign up for Announcements list
MySQL
- http://lists.mysql.com
- Sign up for MySQL Announcements

Firewalls

Security experts recommend a dual firewall
- Differing hardware/software combinations
Disabling unused services is often as effective as a firewall
- Use netstat -a to review open network ports
Not a guarantee of protection
Allow ports
- 80, 443(ssl), and 9111 (for chat),
- Remote admin: ssh 22, or rpd 3389

Be Prepared for the Worst

Have backups ready
Practice recovery procedures ahead of time
Use a rootkit detector on a regular basis
- Linux/MacOSX:
  - http://www.chkrootkit.org/
- Windows:
  - http://www.sysinternals.com/Utilities/RootkitRevealer.html

Moodle Security Alerts

Register your site with Moodle.org
- Registered users receive email alerts
Security alerts also posted online
Web
- http://security.moodle.org/
RSS feed
- http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml

Miscellaneous Considerations

These are all things you might consider that impact your overall security
Turn off opentogoogle, esp for K12 sites
Use SSL, httpslogins=yes
Disable guest access
Place enrollment keys on all courses
Use good passwords
Use the secure forms setting
Set the mysql root user password
Turn off mysql network access

Most Secure/Paranoid File Permissions

The moodle folder
- Owner apache user
- Group apache group
- Permissions 700 directories, 600 files
The moodledata folder
- Should be placed outside the webroot, or restricted via .htaccess file
- Owner root
- Group apache group
- Permissions 750 directories, 640 files
Reference forum thread http://moodle.org/forum/discuss.php?d=36185

Retrieved from "https://docs.moodle.org/24/en/index.php?title=Security_recommendations&oldid=5131"