MoodleDocs - User contributions [en]

Active Directory

2015-02-26T00:27:31Z

Moorejon: Updated information regarding PHP support for ldap page controls

{{Authentication}}
Microsoft's Active Directory (AD) provides a variety of network directory services including Lightweight Directory Access Protocol (LDAP) like functions. It is included in Windows 2000 Server and later versions of their operating system. The focus of this page will be with the [[LDAP authentication]] functions.

==Troubleshooting AD and LDAP authentication==
===Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.===
This usually means that the main ldap dll or one of the supporting dlls are missing.
Let's start with the main one itself.
Browse to <nowiki>http://(moodleserver)/admin/phpinfo.php</nowiki> and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used and open it with an editor. Find the line 'extension=php_ldap.dll' and take out the semi-colon if it is there. That semi-colon will stop it loading the module all together!
While you have that file open, search for 'extension_dir' and note which folder it is set to. Open that folder and ensure the php_ldap.dll file is in there. If it isn't then put it in there.
If that still hasn't fixed it you are missing a supporting dll, but you don't get told that. To see what dlls are missing open the Command Prompt and navigate to the php directory and execute the following line 'php -m'. You should get some error messages now. Ugly, but at least they give you information! Find the dlls listed and copy them to the php directory. You may now need to restart the apache/httpd service. Run 'php -m' again and you should be error free and the message in Moodle should be gone now.

===LDAP-module cannot connect any LDAP servers===
LDAP-module cannot connect any LDAP servers:
Server: 'ldap://my.ldap.server/'
Connection: 'Resource id #26' Bind result: ''
Getting this message when you are trying to log in is a result of incorrect details for the Bind user, or the user account having insufficient permissions in Active Directory. The best way to test and resolve this is use ldp.exe to test binding until it suceeds. There are instructions on installing ldp.exe below.
Open the program and Connect to AD, giving the server name, then from the Connection menu choose Bind. Enter the details you think are correct and you will probably find that an error is returned. Try adjusting the accounts priveleges or another account until you are returned an "Authenticated as" message.
Once you are sure your account can be used to bind to AD, check that the DN of that users name is correct. Expand the tree on the left until you find the user you used to bind. Right click on that item and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password and you can now feel safe your user is binding sucessfully.

===Getting correct CNs for Contexts and Creators===
For those not familiar with AD this could be very confusing, and not that easy for some who are familiar with it. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below.
Open it up and expand the tree on the left until you find the group or user you want to use and right click on it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators.

===Getting the right user_attribute===
By default, Moodle uses an accounts cn (full name) to verify against, but most networks don't use a full given name for logon as it's too easy to guess and you can easily have two people with the same name. If this is the case for you too you need to tell Moodle to look at another field for the logon id.
In ldp.exe navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and full-details will be loaded into the screen on the right. Look down the details until you find your logon id and note the item listed against it. For me, and a lot of people, it is sAMAccountName. Copy this name and paste it into the ldap_user_attribute on the Moodle User Authentication page.
There are instructions on installing ldp.exe below.

===Installing ldp.exe Server Tool===
ldp.exe comes as part of the Server Tools on most versions of Windows Server. Find your Windows Server installation disc and find a folder on it called Support\Tools. In there will be a SupTools.msi which will install the server tools if run. You should now have a folder under Program Files called Support Tools, in which will be ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en here]. Alternatively, a single download of ldp.exe is available [http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm here].

===Example Active Directory Configuration===
Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.

ldap_host_url = ldap://ads.example.com
ldap_version = 3
ldap_preventpassindb = yes
ldap_bind_dn = bind-user@example.com
ldap_bind_pw = bind-password
ldap_user_type = MS ActiveDirectory
ldap_contexts = ou=moodleusers,dc=example,dc=com
ldap_user_attribute = sAMAccountName

Note that the ldap_bind_dn value should work in either the CN=bin-user,CN=Users,DC=example,DC=com format as shown in the main instructions or the bind-user@example.com format shown in this example.

==Global Catalogs==
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

===Enabling the Global Catalog===

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

===Child Domains===
If your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes - see Microsoft [http://support.microsoft.com/kb/248717 KB248717] for more information.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

===MaxPageSize setting===
Modifying the number of Active Directory objects to search:

By default Active Directory only allows searches returning a limited number of objects per search. Since there is currently no Page control support in PHP 5.2.x which would enable smaller page searches you may need to modify your MaxPageSize setting to make sure LDAP Client searches can return enough user objects to support the number of authenticating users.

Note that starting with PHP version 5.4, PHP now supports page control. Newer versions of the LDAP configuration settings provide a value for page side. This value just needs to be set to a value less than the MaxPageSize of the Active Directory.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, follow the instructions [http://support.microsoft.com/kb/315071 here] to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.

==MS Active Directory + SSL ==

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

See [[LDAP_authentication#Enabling_LDAPS_on_the_client_side_.28Moodle_server.29|Enabling LDAPS on the client side (Moodle server)]] for details on the client side configuration.

==See also==
*[[LDAP authentication]] in Moodle
*[http://en.wikipedia.org/wiki/Directory_service Directory services] overview in Wikipedia
*[http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] in Wikipedia
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=17198 Using multiple LDAP servers - Our students are on separate domain] forum discussion
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=74279 How to use multiple LDAP servers with Moodle 1.8] forum discussion

[[ja:Active Directory]]

Development talk:Course completion

2008-06-21T02:30:39Z

Moorejon: view resources as completion requirement

Many of the users that ask about this also bring up wanting to be able to set resources viewed as a criteria for course completion. Can this be added as one of the features for course completion?

Upgrading

2006-05-03T18:06:41Z

Moorejon:

Moodle is designed to upgrade cleanly from any earlier version to any later version.

When upgrading a Moodle installation you should follow these steps:

== Backup important data ==

Although it is not strictly necessary, it is always a good idea to make a backup of any production system before a major upgrade, just in case you need to revert back to the older version for some reason. In fact, it's a good idea to automate your server to backup your Moodle installation daily, so that you can skip this step.

There are three areas that need backing up:

=== The Moodle software directory itself ===

Make a separate copy of these files before the upgrade, so that you can retrieve your config.php and any modules you have added like themes, languages etc

=== Your data directory ===

This is where uploaded content resides (such as course resources and student assignments) so it is very important to have a backup of these files anyway. Sometimes upgrades may move or rename directories within your data directory.

=== Your database ===

Most Moodle upgrades will alter the database tables, adding or changing fields. Each database has different ways to backup. One way of backing up a MySQL database is to 'dump' it to a single SQL file. The following example shows Unix commands to dump the database called "moodle":

mysqldump -u username -p -C -Q -e -a moodle > moodle-backup-2002-10-26.sql

Substitute your database user account for username. The -p flag will prompt you for the password for the username specified by -u.

You can also use the "Export" feature in Moodle's optional "MySQL Admin" web interface to do the same thing on all platforms. This interface can be downloaded from http://download.moodle.org/modules/integrations.php. It is an integration of PHPMyAdmin for the Moodle administration interface.

== Install the new Moodle software ==

=== Using a downloaded archive ===

Do not overwrite an old installation unless you know what you are doing ... sometimes old files can cause problems in new installations. The best way is to rename the current Moodle directory to something else, then unpack the new Moodle archive into the old location.

mv moodle moodle.backup
tar xvzf moodle-1.1.tgz

Next, copy across your config.php and any other plugins such as custom themes:

cp moodle.backup/config.php moodle
cp -pr moodle.backup/theme/mytheme moodle/theme/mytheme

=== Using CVS ===

You can use CVS for updating or upgrading your Moodle.
First you need to do a CVS checkout in your (empty) Moodle root directory.

''For Linux servers''

To do a CVS checkout of Moodle, you first have to logon to the Moodle CVS server.

<nowiki>cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/moodle login</nowiki>
No password for anonymous, so just hit the Enter button.

Go to the directory where you want the Moodle root to come and type

<nowiki>cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/moodle co -r MOODLE_15_STABLE moodle</nowiki>
(where MOODLE_15_STABLE is the desired version)

To update, just go into the Moodle root directory and update to the new files:

cvs update -dP

Make sure you use the "d" parameter to create new directories if necessary, and the "P" parameter to prune empty directories.

''For Windows servers''

You can use Tortoise CVS to do the initial checkout and the updates.

If you have been editing Moodle files, watch the messages very closely for possible conflicts. All your customised themes and non-standard plugins will be untouched.

Don't forget to visit the admin page after the CVS update proces has completed.

== Finishing the upgrade ==

The last step is to trigger the upgrade processes within Moodle.

To do this just visit the admin page of your installation - '''<nowiki>http://example.com/moodle/admin</nowiki>'''

It doesn't matter if you are logged in as admin or not.

Moodle will automatically detect the new version and perform all the database or filesystem upgrades that are necessary. If there is anything it can't do itself (very rare) then you will see messages telling you what you need to do.

Assuming all goes well (no error messages) then you can start using your new version of Moodle and enjoy the new features!

If you have trouble with the upgrade, visit [http://moodle.org/ moodle.org] and post on the [http://moodle.org/mod/forum/view.php?id=28 Installation Support Forum] in the Using Moodle course.

==See also==

*[[Upgrading to Moodle 1.6]]
*[[Installing Moodle]]
*[[Installation FAQ]]
*[[Installing Apache, MySQL and PHP]]
*[[Step by Step Installation Guide for Windows]]
*[[Step by Step Installation Guide for RedHat]]
*[[Step by Step Installation Guide for Debian GNU/Linux]]
*[http://moodle.org/mod/forum/discuss.php?d=26731&parent=125858 Using cvs] forum discussion

[[Category:Core]]
[[Category:Administrator]]
[[Category:Installation]]

[[es:Actualización de moodle]]
[[nl:Upgraden]]

Upgrading

2006-05-03T04:42:08Z

Moorejon:

Moodle is designed to upgrade cleanly from any earlier version to any later version.

When upgrading a Moodle installation you should follow these steps:

== Backup important data ==

Although it is not strictly necessary, it is always a good idea to make a backup of any production system before a major upgrade, just in case you need to revert back to the older version for some reason. In fact, it's a good idea to automate your server to backup your Moodle installation daily, so that you can skip this step.

There are three areas that need backing up:

=== The Moodle software directory itself ===

Make a separate copy of these files before the upgrade, so that you can retrieve your config.php and any modules you have added like themes, languages etc

=== Your data directory ===

This is where uploaded content resides (such as course resources and student assignments) so it is very important to have a backup of these files anyway. Sometimes upgrades may move or rename directories within your data directory.

=== Your database ===

Most Moodle upgrades will alter the database tables, adding or changing fields. Each database has different ways to backup. One way of backing up a MySQL database is to 'dump' it to a single SQL file. The following example shows Unix commands to dump the database called "moodle":

mysqldump moodle -u username -p -C -Q -e -a mysqldump > moodle-backup-2002-10-26.sql

Substitute your database user account for username. The -p flag will prompt you for the password for the username specified by -u.

You can also use the "Export" feature in Moodle's optional "MySQL Admin" web interface to do the same thing on all platforms. This interface can be downloaded from http://download.moodle.org/modules/integrations.php. It is an integration of PHPMyAdmin for the Moodle administration interface.

== Install the new Moodle software ==

=== Using a downloaded archive ===

Do not overwrite an old installation unless you know what you are doing ... sometimes old files can cause problems in new installations. The best way is to rename the current Moodle directory to something else, then unpack the new Moodle archive into the old location.

mv moodle moodle.backup
tar xvzf moodle-1.1.tgz

Next, copy across your config.php and any other plugins such as custom themes:

cp moodle.backup/config.php moodle
cp -pr moodle.backup/theme/mytheme moodle/theme/mytheme

=== Using CVS ===

You can use CVS for updating or upgrading your Moodle.
First you need to do a CVS checkout in your (empty) Moodle root directory.

''For Linux servers''

To do a CVS checkout of Moodle, you first have to logon to the Moodle CVS server.

<nowiki>cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/moodle login</nowiki>
No password for anonymous, so just hit the Enter button.

Go to the directory where you want the Moodle root to come and type

<nowiki>cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/moodle co -r MOODLE_15_STABLE moodle</nowiki>
(where MOODLE_15_STABLE is the desired version)

To update, just go into the Moodle root directory and update to the new files:

cvs update -dP

Make sure you use the "d" parameter to create new directories if necessary, and the "P" parameter to prune empty directories.

''For Windows servers''

You can use Tortoise CVS to do the initial checkout and the updates.

If you have been editing Moodle files, watch the messages very closely for possible conflicts. All your customised themes and non-standard plugins will be untouched.

Don't forget to visit the admin page after the CVS update proces has completed.

== Finishing the upgrade ==

The last step is to trigger the upgrade processes within Moodle.

To do this just visit the admin page of your installation - '''<nowiki>http://example.com/moodle/admin</nowiki>'''

It doesn't matter if you are logged in as admin or not.

Moodle will automatically detect the new version and perform all the database or filesystem upgrades that are necessary. If there is anything it can't do itself (very rare) then you will see messages telling you what you need to do.

Assuming all goes well (no error messages) then you can start using your new version of Moodle and enjoy the new features!

If you have trouble with the upgrade, visit [http://moodle.org/ moodle.org] and post on the [http://moodle.org/mod/forum/view.php?id=28 Installation Support Forum] in the Using Moodle course.

==See also==

*[[Upgrading to Moodle 1.6]]
*[[Installing Moodle]]
*[[Installation FAQ]]
*[[Installing Apache, MySQL and PHP]]
*[[Step by Step Installation Guide for Windows]]
*[[Step by Step Installation Guide for RedHat]]
*[[Step by Step Installation Guide for Debian GNU/Linux]]
*[http://moodle.org/mod/forum/discuss.php?d=26731&parent=125858 Using cvs] forum discussion

[[Category:Core]]
[[Category:Administrator]]
[[Category:Installation]]

[[es:Actualización de moodle]]
[[nl:Upgraden]]

Security recommendations

2006-02-14T16:32:45Z

Moorejon: /* Most secure/paranoid file permissions */

<p class="note">Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label in this page.</p>

All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some conbination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Before all==
*In this document, you will find important security measures for your Moodle installation.
*You should report security problems directly at http://security.moodle.org - because developers might overlook it elsewhere, and they must not be released to general public until they are solved (to prevent attacks).
*You should not post actual exploits in the bugtracker or forums, for exactly the same reasons.

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==
*Update Moodle regularly on each release
**Published security holes draw crackers attention after release. The older the version, the more vulnerabilities it is likely to contain.
*Disable register globals
**This will help prevent against possible XSS problems in third-party scripts.
*Use strong passwords for admin and teachers
**Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
*Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
**Teacher accounts have much freer permissions and it is easier to create situations where data can be abused or stolen.
*Separate your systems as much as possible
**Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
**Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT
**http://www.us-cert.gov/cas/signup.html
*PHP
**http://www.php.net/mailing-lists.php
**Sign up for Announcements list
*MySQL
**http://lists.mysql.com
**Sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
**Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
**Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
**80, 443(ssl), and 9111 (for chat),
**Remote admin: ssh 22, or rpd 3389

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX:
***http://www.chkrootkit.org/
**Windows:
***http://www.sysinternals.com/Utilities/RootkitRevealer.html

==Moodle security alerts==
*Register your site with Moodle.org
**Registered users receive email alerts
*Security alerts also posted online
*Web
**http://security.moodle.org/
*RSS feed
**http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml

==Miscellaneous considerations==
*These are all things you might consider that impact your overall security
*Turn off opentogoogle, esp for K12 sites
*Use SSL, httpslogins=yes
*Disable guest access
*Place enrollment keys on all courses
*Use good passwords
*Use the secure forms setting
*Set the mysql root user password
*Turn off mysql network access

==Most secure/paranoid file permissions==
Assuming you are running this on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1.- moodledata directory and all of its contents (and subdirs, includes sessions):
owner: apache user (apache, httpd, www-data, whatever).
group: apache group (apache, httpd, www-data, whatever)
perms: 700 on directories, 600 on files.

2.- moodle directory and all of its contents and subdirs (including config.php):
owner: root
group: root
perms: 755 on directories, 644 on files.

If you allow local logins, then 2.- should be:
owner: root
group: apache group
perms: 750 on directories, 640 on files

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

==See also==
*[http://moodle.org/mod/forum/discuss.php?d=39404 "Guide to Securing your Moodle Server" discussion] at [http://moodle.org http://moodle.org]

[[Category:Administrator]]

Security recommendations

2006-02-12T15:29:11Z

Moorejon:

==Simple security measures==
*The best security strategy is a good backup!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
**Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT
**http://www.us-cert.gov/cas/signup.html
*PHP
**http://www.php.net/mailing-lists.php
**Sign up for Announcements list
*MySQL
**http://lists.mysql.com
**Sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
**Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
**Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
**80, 443(ssl), and 9111 (for chat),
**Remote admin: ssh 22, or rpd 3389

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX:
***http://www.chkrootkit.org/
**Windows:
***http://www.sysinternals.com/Utilities/RootkitRevealer.html

==Moodle security alerts==
*Register your site with Moodle.org
**Registered users receive email alerts
*Security alerts also posted online
*Web
**http://security.moodle.org/
*RSS feed
**http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml

==Miscellaneous considerations==
*These are all things you might consider that impact your overall security
*Turn off opentogoogle, esp for K12 sites
*Use SSL, httpslogins=yes
*Disable guest access
*Place enrollment keys on all courses
*Use good passwords
*Use the secure forms setting
*Set the mysql root user password
*Turn off mysql network access

==Most secure/paranoid file permissions==
*The moodle directory
**Owner root
**Group root
**Permissions 755 directories, 644 files
*The moodledata directory
**Should be placed outside the webroot, or restricted via .htaccess file
**Owner root
**Group apache group
**Permissions 700 directories, 600 files

[[Category:Administrator]]

Security recommendations

2006-02-10T21:50:54Z

Moorejon:

=Simple Security Measures=
*The best security strategy is a good backup!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

=Run Regular Updates=
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
**Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

= Use Mailing Lists to Stay Updated =
*CERT
**http://www.us-cert.gov/cas/signup.html
*PHP
**http://www.php.net/mailing-lists.php
**Sign up for Announcements list
*MySQL
**http://lists.mysql.com
**Sign up for MySQL Announcements

=Firewalls=
*Security experts recommend a dual firewall
**Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
**Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
**80, 443(ssl), and 9111 (for chat),
**Remote admin: ssh 22, or rpd 3389
=Be Prepared for the Worst=
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX:
***http://www.chkrootkit.org/
**Windows:
***http://www.sysinternals.com/Utilities/RootkitRevealer.html
=Moodle Security Alerts=
*Register your site with Moodle.org
**Registered users receive email alerts
*Security alerts also posted online
*Web
**http://security.moodle.org/
*RSS feed
**http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml

=Miscellaneous Considerations=
*These are all things you might consider that impact your overall security
*Turn off opentogoogle, esp for K12 sites
*Use SSL, httpslogins=yes
*Disable guest access
*Place enrollment keys on all courses
*Use good passwords
*Use the secure forms setting
*Set the mysql root user password
*Turn off mysql network access
=Most Secure/Paranoid File Permissions=
*The moodle folder
**Owner apache user
**Group apache group
**Permissions 700 directories, 600 files
*The moodledata folder
**Should be placed outside the webroot, or restricted via .htaccess file
**Owner root
**Group apache group
**Permissions 750 directories, 640 files
*Reference forum thread http://moodle.org/forum/discuss.php?d=36185

Administrator documentation

2006-02-10T21:38:24Z

Moorejon:

<p class="note">'''Note for contributors:''' Design and/or style improvements to this page are welcome :-)</p>

== Site management ==

==== Installation ====

*[[Installing Moodle]]
*[[Windows installation]]
*[[Installation FAQ]]
*[[Installing AMP|Installing Apache, MySQL and PHP]]
*[[Upgrading|Upgrading Moodle]]

==== Configuration ====

*[[admin/config|Variables]]
*[[admin/site|Site settings]]
*[[Themes]]
*[[admin/lang|Language]]
*[[admin/modules|Modules]]
*[[admin/blocks|Blocks]]
*[[admin/filters|Filters]]
*[[admin/backup|Backup]]
*[[admin/editor|Editor settings]]
*[[admin/calendar|Calendar]]
*[[admin/maintenance|Maintenance mode]]

==== Performance ====

*Please see [[Performance]]
*[[Large installations|List of large Moodle installations (1000 or more users)]]

==== Security ====
*[[Security]]

==== See also ====

*[[Administration FAQ]]
*[[Backup FAQ]]
*[[Block layout]]
*[[CVS|CVS documentation]]
*[[Email processing]]
*[[Messaging]]
*[[Migration]]
*[[Search engine optimization]]
*[[Presentations]]
*[[Moodle manuals]]
*[[Using Moodle book]]

== Users ==

*[[User Authentication|Authentication]]
*[[admin/uploaduser|Upload users]]
*[[admin/enrol|Enrolments]]
*[[admin/admin|Assign admins]]

==Course management==

*[[Course Categories|Course categories]]
*[[Metacourses]]

[[Category: Administrator]]