|
|
| (2人の利用者による、間の32版が非表示) |
| 1行目: |
1行目: |
| '''慎重に翻訳中です。''' [[利用者:Mitsuhiro Yoshida|Mitsuhiro Yoshida]] 2006年7月11日 (火) 19:05 (WST)
| | {{Moodleサイトの管理}} |
| | * [[セキュリティに関する推奨事項]]-サイトを安全に保つための最善の方法に関するアドバイス |
| | * [[セキュリティ概要レポート]]-構成で発生する可能性のあるあらゆる種類の潜在的なセキュリティ問題をチェックします |
| | * [[サイトのセキュリティ設定]]-サイトのセキュリティとプライバシーに影響を与える設定 |
| | * [[サイト通知]]-更新およびログイン失敗の通知に関する情報 |
| | * [[パスワードソルト]]-ハッシュが計算される前にランダムな文字列をパスワードに追加することでパスワードをより安全にする方法の詳細 |
| | * [[Moodleのプライバシーを高める]]-ユーザのプライバシーを高めるための設定変更の提案 |
| | * [[Moodleでスパムを減らす]]-サイトでのスパムのリスクを最小限に抑える方法に関するアドバイス |
|
| |
|
| すべてのウェブアプリケーションソフトウェアは、非常に複雑で、どのアップリケーションにも時々発見されるセキュリティの問題があります。通常、これらの問題は、プログラマが予期することのできない入力の組み合わせに関係しています。Moodleプロジェクトでは、セキュリティを重要な部分であると認識し、随時セキュリティホールに対応する等、継続した改善作業を行っています。
| | ==関連項目== |
|
| |
|
| ==Before all==
| | * [[セキュリティFAQ]] |
| *In this article, you will find important security measures for your Moodle installation. | | * [https://moodle.org/security/ moodle.orgのセキュリティニュース] |
| *You should report security problems directly at http://security.moodle.org - because developers might overlook it elsewhere, and they must not be released to general public until they are solved (to prevent attacks). | | * [[:dev:Moodle security procedures| Moodleセキュリティ手順]]は、セキュリティ問題を報告する方法に関する情報を含む開発ドキュメントにあります |
| *You should not post actual exploits in the bugtracker or forums, for exactly the same reasons. | |
|
| |
|
| ==Simple security measures==
| | [[カテゴリ:セキュリティ]] |
| *The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
| |
| *Load only software or services you will use
| |
| *Perform regular updates
| |
| *Model your security after the layers of clothing you wear on a cold winter day
| |
|
| |
|
| ==Basic recommendations==
| | [[en:Security]] |
| *Update Moodle regularly on each release
| | [[de:Sicherheit]] |
| :Published security holes draw crackers attention after release. The older the version, the more vulnerabilities it is likely to contain.
| | [[es:Seguridad]] |
| *Disable register globals
| | <!--[[it:Sicurezza]]--> |
| :This will help prevent against possible XSS problems in third-party scripts. | |
| *Use strong passwords for admin and teachers
| |
| :Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
| |
| *Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
| |
| :Teacher accounts have much freer permissions and it is easier to create situations where data can be abused or stolen.
| |
| *Separate your systems as much as possible
| |
| :Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.
| |
| | |
| ==Run regular updates==
| |
| *Use auto update systems
| |
| *Windows Update
| |
| *Linux: up2date, yum, apt-get
| |
| :Consider automating updates with a script scheduled via cron
| |
| *Mac OSX update system
| |
| *Stay current with php, apache, and moodle
| |
| | |
| ==Use mailing lists to stay updated==
| |
| *CERT - http://www.us-cert.gov/cas/signup.html
| |
| *PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
| |
| *MySQL - http://lists.mysql.com - sign up for MySQL Announcements
| |
| | |
| ==Firewalls==
| |
| *Security experts recommend a dual firewall
| |
| :Differing hardware/software combinations | |
| *Disabling unused services is often as effective as a firewall
| |
| :Use netstat -a to review open network ports | |
| *Not a guarantee of protection
| |
| *Allow ports
| |
| :80, 443(ssl), and 9111 (for chat),
| |
| :Remote admin: ssh 22, or rpd 3389
| |
| | |
| ==Be prepared for the worst==
| |
| *Have backups ready
| |
| *Practice recovery procedures ahead of time
| |
| *Use a rootkit detector on a regular basis
| |
| **Linux/MacOSX - http://www.chkrootkit.org/
| |
| **Windows - http://www.sysinternals.com/Utilities/RootkitRevealer.html
| |
| | |
| ==Moodle security alerts==
| |
| *Register your site with Moodle.org
| |
| :Registered users receive email alerts
| |
| *Security alerts also posted online
| |
| *Web - http://security.moodle.org/
| |
| *RSS feed - http://security.moodle.org/rss/file.php/1/1/forum/1/rss.xml
| |
| | |
| ==Miscellaneous considerations==
| |
| These are all things you might consider that impact your overall security:
| |
| *Turn off opentogoogle, esp for K12 sites
| |
| *Use SSL, httpslogins=yes
| |
| *Disable guest access
| |
| *Place enrollment keys on all courses
| |
| *Use good passwords
| |
| *Use the secure forms setting
| |
| *Set the mysql root user password
| |
| *Turn off mysql network access
| |
| | |
| ==Most secure/paranoid file permissions==
| |
| Assuming you are running this on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:
| |
| | |
| 1. moodledata directory and all of its contents (and subdirs, includes sessions):
| |
| owner: apache user (apache, httpd, www-data, whatever)
| |
| group: apache group (apache, httpd, www-data, whatever)
| |
| perms: 700 on directories, 600 on files
| |
| | |
| 2. moodle directory and all of its contents and subdirs (including config.php):
| |
| owner: root
| |
| group: root
| |
| perms: 755 on directories, 644 on files.
| |
| | |
| If you allow local logins, then 2. should be:
| |
| owner: root
| |
| group: apache group
| |
| perms: 750 on directories, 640 on files
| |
| | |
| Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).
| |
| | |
| ==See also==
| |
| *Using Moodle [http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server] forum discussion
| |
| | |
| [[Category:Administrator]] | |
