Security recommendations
From MoodleDocs

Simple security measures
- The best security strategy is a good backup!
- Load only software or services you will use
- Perform regular updates
- Model your security after the layers of clothing you wear on a cold winter day

Run regular updates
- Use auto update systems
  - Windows Update
  - Linux: up2date, yum, apt-get
    - Consider automating updates with a script scheduled via cron
  - Mac OSX update system
- Stay current with php, apache, and moodle

Use mailing lists to stay updated
- CERT
- PHP
  - http://www.php.net/mailing-lists.php
  - Sign up for the Announcements list
- MySQL
  - http://lists.mysql.com
  - Sign up for MySQL Announcements

Firewalls
- Security experts recommend a dual firewall
  - Differing hardware/software combinations
- Disabling unused services is often as effective as a firewall
  - Use netstat -a to review open network ports
  - Not a guarantee of protection
- Allow ports
  - 80, 443 (SSL), and 9111 (for chat)
  - Remote admin: ssh 22, or rdp 3389

Be prepared for the worst
- Have backups ready
- Practice recovery procedures ahead of time
- Use a rootkit detector on a regular basis
  - Linux/MacOSX:
  - Windows:

Moodle security alerts
- Register your site with Moodle.org
  - Registered users receive email alerts
- Security alerts are also posted online
  - Web
  - RSS feed

Miscellaneous considerations
- These are all settings you might consider that affect your overall security
- Turn off opentogoogle, especially for K12 sites
- Use SSL, httpslogins=yes
- Disable guest access
- Place enrollment keys on all courses
- Use good passwords
- Use the secure forms setting
- Set the mysql root user password
- Turn off mysql network access

Most secure/paranoid file permissions
- The moodle folder
  - Owner: apache user
  - Group: apache group
  - Permissions: 700 directories, 600 files
- The moodledata folder
  - Should be placed outside the webroot, or restricted via .htaccess file
  - Owner: root
  - Group: apache group
  - Permissions: 750 directories, 640 files
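The following POSIX shell script is an added example, not part of MoodleDocs, that applies the owner/group/mode policy listed above to both trees and then counts every entry that still deviates from it, so the same functions double as a drift audit for a cron job. The paths (/var/www/html/moodle, /var/moodledata) and the www-data user and group are assumptions; set them for your host before running it.

```shell
#!/bin/sh
# Added example, not from MoodleDocs: apply and audit the "paranoid" layout above.
# Paths and account names below are assumptions; set them for your host first.
MOODLE_DIR="${MOODLE_DIR:-/var/www/html/moodle}"    # code tree, inside the webroot
MOODLEDATA_DIR="${MOODLEDATA_DIR:-/var/moodledata}"  # data tree, outside the webroot
WEB_USER="${WEB_USER:-www-data}"                     # the apache user on Debian-style hosts
WEB_GROUP="${WEB_GROUP:-www-data}"                   # the apache group

# set_modes DIR DIRMODE FILEMODE: chmod every directory, then every file, under DIR.
set_modes() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# set_owner DIR OWNER GROUP: recursive chown; needs root.
set_owner() {
    chown -R "$2:$3" "$1"
}

# count_mode_violations DIR DIRMODE FILEMODE: number of entries whose mode is
# not exactly the policy mode (0 means the tree matches the policy).
count_mode_violations() {
    find "$1" \( -type d ! -perm "$2" \) -o \( -type f ! -perm "$3" \) | wc -l | tr -d ' '
}

# count_owner_violations DIR OWNER GROUP: entries not owned by OWNER and GROUP.
count_owner_violations() {
    find "$1" ! -user "$2" -o ! -group "$3" | wc -l | tr -d ' '
}

# harden_moodle: apply both policies from the page, then report any drift.
harden_moodle() {
    set_owner "$MOODLE_DIR" "$WEB_USER" "$WEB_GROUP"
    set_modes "$MOODLE_DIR" 700 600
    set_owner "$MOODLEDATA_DIR" root "$WEB_GROUP"
    set_modes "$MOODLEDATA_DIR" 750 640
    echo "moodle: $(count_mode_violations "$MOODLE_DIR" 700 600) mode, $(count_owner_violations "$MOODLE_DIR" "$WEB_USER" "$WEB_GROUP") owner violations"
    echo "moodledata: $(count_mode_violations "$MOODLEDATA_DIR" 750 640) mode, $(count_owner_violations "$MOODLEDATA_DIR" root "$WEB_GROUP") owner violations"
}

# Nothing changes unless explicitly requested, e.g.  APPLY=1 sh harden-moodle.sh
if [ "${APPLY:-0}" = 1 ]; then
    harden_moodle
fi
```

Moodle writes uploads and caches into moodledata at runtime, so after applying the policy confirm that a test upload through the site still succeeds.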