Security recommendations: Difference between revisions
From MoodleDocs
No edit summary |
m (category added) |
||
| Line 1: | Line 1: | ||
=Simple | ==Simple security measures== | ||
*The best security strategy is a good backup! | *The best security strategy is a good backup! | ||
*Load only software or services you will use | *Load only software or services you will use | ||
| Line 5: | Line 5: | ||
*Model your security after the layers of clothing you wear on a cold winter day | *Model your security after the layers of clothing you wear on a cold winter day | ||
=Run | ==Run regular updates== | ||
*Use auto update systems | *Use auto update systems | ||
*Windows Update | *Windows Update | ||
| Line 13: | Line 13: | ||
*Stay current with php, apache, and moodle | *Stay current with php, apache, and moodle | ||
= Use | ==Use mailing lists to stay updated== | ||
*CERT | *CERT | ||
**http://www.us-cert.gov/cas/signup.html | **http://www.us-cert.gov/cas/signup.html | ||
| Line 23: | Line 23: | ||
**Sign up for MySQL Announcements | **Sign up for MySQL Announcements | ||
=Firewalls= | ==Firewalls== | ||
*Security experts recommend a dual firewall | *Security experts recommend a dual firewall | ||
**Differing hardware/software combinations | **Differing hardware/software combinations | ||
| Line 32: | Line 32: | ||
**80, 443(ssl), and 9111 (for chat), | **80, 443(ssl), and 9111 (for chat), | ||
**Remote admin: ssh 22, or rpd 3389 | **Remote admin: ssh 22, or rpd 3389 | ||
=Be | |||
==Be prepared for the worst== | |||
*Have backups ready | *Have backups ready | ||
*Practice recovery procedures ahead of time | *Practice recovery procedures ahead of time | ||
| Line 39: | Line 40: | ||
***http://www.chkrootkit.org/ | ***http://www.chkrootkit.org/ | ||
**Windows: | **Windows: | ||
***http://www.sysinternals.com/Utilities/RootkitRevealer.html | ***http://www.sysinternals.com/Utilities/RootkitRevealer.html | ||
=Moodle | |||
==Moodle security alerts== | |||
*Register your site with Moodle.org | *Register your site with Moodle.org | ||
**Registered users receive email alerts | **Registered users receive email alerts | ||
| Line 49: | Line 51: | ||
**http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml | **http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml | ||
=Miscellaneous | ==Miscellaneous considerations== | ||
*These are all things you might consider that impact your overall security | *These are all things you might consider that impact your overall security | ||
*Turn off opentogoogle, esp for K12 sites | *Turn off opentogoogle, esp for K12 sites | ||
| Line 59: | Line 61: | ||
*Set the mysql root user password | *Set the mysql root user password | ||
*Turn off mysql network access | *Turn off mysql network access | ||
=Most | |||
==Most secure/paranoid file permissions== | |||
*The moodle folder | *The moodle folder | ||
**Owner apache user | **Owner apache user | ||
| Line 69: | Line 72: | ||
**Group apache group | **Group apache group | ||
**Permissions 750 directories, 640 files | **Permissions 750 directories, 640 files | ||
[[Category:Administrator]] | |||
Revision as of 17:57, 11 February 2006
Simple security measures
- The best security strategy is a good backup!
- Load only software or services you will use
- Perform regular updates
- Model your security after the layers of clothing you wear on a cold winter day
Run regular updates
- Use auto update systems
- Windows Update
- Linux: up2date, yum, apt-get
- Consider automating updates with a script scheduled via cron
- Mac OSX update system
- Stay current with php, apache, and moodle
Use mailing lists to stay updated
- CERT
- PHP
- http://www.php.net/mailing-lists.php
- Sign up for Announcements list
- MySQL
- http://lists.mysql.com
- Sign up for MySQL Announcements
Firewalls
- Security experts recommend a dual firewall
- Differing hardware/software combinations
- Disabling unused services is often as effective as a firewall
- Use netstat -a to review open network ports
- Not a guarantee of protection
- Allow ports
- 80, 443(ssl), and 9111 (for chat),
- Remote admin: ssh 22, or rpd 3389
Be prepared for the worst
- Have backups ready
- Practice recovery procedures ahead of time
- Use a rootkit detector on a regular basis
- Linux/MacOSX:
- Windows:
Moodle security alerts
- Register your site with Moodle.org
- Registered users receive email alerts
- Security alerts also posted online
- Web
- RSS feed
Miscellaneous considerations
- These are all things you might consider that impact your overall security
- Turn off opentogoogle, esp for K12 sites
- Use SSL, httpslogins=yes
- Disable guest access
- Place enrollment keys on all courses
- Use good passwords
- Use the secure forms setting
- Set the mysql root user password
- Turn off mysql network access
Most secure/paranoid file permissions
- The moodle folder
- Owner apache user
- Group apache group
- Permissions 700 directories, 600 files
- The moodledata folder
- Should be placed outside the webroot, or restricted via .htaccess file
- Owner root
- Group apache group
- Permissions 750 directories, 640 files
