User:James Steerpike
Requirements
- A RedHat Minimal Install Linux server, RHEL, Alma or Rocky Linux 9.
- Sudo or root access
LAMP Installation
Update packages and enable repositories for PHP 8.1 and MariaDB 10.6
* sudo yum -y update
* sudo subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
* sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y
sudo dnf -y update
sudo dnf install epel-release -y
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y
dnf config-manager --set-enabled crb
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
dnf module switch-to php:remi-8.1
dnf module install php:remi-8.1
cat <<EOF > /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = https://rpm.mariadb.org/10.6/rhel/9/\$basearch
gpgkey=https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
dnf clean all
dnf makecache
Install LAMP and other packages
sudo dnf -y install httpd php-sodium php-mysqlnd php-curl php-gd php-intl ghostscript php-xml php-ldap php-zip php-soap php-mbstring MariaDB-server MariaDB-client unzip firewalld nano git graphviz aspell openssl clamav
sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl enable mariadb
sudo systemctl start mariadb
Moodle Installation
Use git to obtain Moodle Code
cd /var/www/html
sudo git clone https://github.com/moodle/moodle.git
cd moodle
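# Create a local branch tracking the stable branch; checking out origin/... directly leaves a detached HEAD, on which git pull fails
sudo git checkout -t origin/MOODLE_405_STABLE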
sudo git config pull.ff only
Set Permissions and ownership for Moodle Code
sudo chown -R apache:apache /var/www/html/moodle
sudo mkdir -p /var/www/moodledata
sudo chown -R apache:apache /var/www/moodledata
sudo chmod -R 2770 /var/www/moodledata
sudo find /var/www/moodledata -type d -exec chmod 700 {} \;
sudo find /var/www/moodledata -type f -exec chmod 600 {} \;
Configure php and set up Cron
PHP_INI_APACHE="/etc/php.ini"
sudo sed -i 's/^\s*;*\s*max_input_vars\s*=.*/max_input_vars = 5000/' $PHP_INI_APACHE
sudo sed -i 's/^\s*post_max_size\s*=.*/post_max_size = 256M/' $PHP_INI_APACHE
sudo sed -i 's/^\s*upload_max_filesize\s*=.*/upload_max_filesize = 256M/' $PHP_INI_APACHE
# Set up cron job for the Apache user (the 'apache' user on Red Hat)
(crontab -u apache -l 2>/dev/null; echo "* * * * * /usr/bin/php /var/www/html/moodle/admin/cli/cron.php >/dev/null") | crontab -u apache -
mkdir -p /root/.cache
chmod 700 /root/.cache
(crontab -u root -l 2>/dev/null; echo "0 3 * * * dnf -y update && echo \"Updated successfully on \$(date)\" >> /var/log/auto-update.log 2>&1") | crontab -u root -
(crontab -u root -l 2>/dev/null; echo "0 3 * * * cd /var/www/html/moodle && sudo -u apache php admin/cli/maintenance.php --enable && git pull && sudo -u apache php admin/cli/upgrade.php --non-interactive && sudo -u apache php admin/cli/maintenance.php --disable >> /var/log/moodle_update.log 2>&1") | crontab -u root -
Create database and user
MYSQL_MOODLEUSER_PASSWORD=$(openssl rand -base64 6)
sudo mysql -e "CREATE DATABASE moodle DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
sudo mysql -e "CREATE USER 'moodleuser'@'localhost' IDENTIFIED BY '$MYSQL_MOODLEUSER_PASSWORD';"
sudo mysql -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER ON moodle.* TO 'moodleuser'@'localhost';"
echo "Your Moodle user password is $MYSQL_MOODLEUSER_PASSWORD. Write this down as you will need it in a web browser install"
Configure SELinux
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/moodle(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/moodledata(/.*)?'
sudo restorecon -Rv /var/www/html/moodle
sudo restorecon -Rv /var/www/moodledata
sudo setsebool -P httpd_can_network_connect on
Obtain Moodle IP address or domain name
PROTOCOL="http://";
read -p "Enter the web address (without the http:// prefix, eg domain name mymoodle123.com or IP address 192.168.1.1.): " WEBSITE_ADDRESS
Install Moodle on webpage
MOODLE_ADMIN_PASSWORD=$(openssl rand -base64 6)
sudo chmod -R 0777 /var/www/html/moodle
sudo -u apache /usr/bin/php /var/www/html/moodle/admin/cli/install.php --non-interactive \
--lang=en \
--wwwroot="$PROTOCOL$WEBSITE_ADDRESS/moodle" \
--dataroot=/var/www/moodledata \
--dbtype=mariadb \
--dbhost=localhost \
--dbname=moodle \
--dbuser=moodleuser \
--dbpass="$MYSQL_MOODLEUSER_PASSWORD" \
--fullname="Moodle Docs Step by Step Guide" \
--shortname="SG" \
--adminuser=admin \
--summary="" \
--adminpass="$MOODLE_ADMIN_PASSWORD" \
--adminemail=joe@123.com \
--agree-license
echo "Moodle installation completed successfully. You can now log on to your new Moodle at $PROTOCOL$WEBSITE_ADDRESS/moodle as admin with $MOODLE_ADMIN_PASSWORD and complete your site registration"
sudo find /var/www/html/moodle -type d -exec chmod 755 {} \;
sudo find /var/www/html/moodle -type f -exec chmod 644 {} \;
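A check for the permission steps above, added here as an example and not part of the original guide: it lists anything in the code tree that is still world-writable after the temporary `chmod -R 0777`, and anything under the data root that group or other can access. The function names are illustrative; the two paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Code tree: the guide ends with dirs 755 / files 644, so nothing should keep
# the "other" write bit from the temporary chmod -R 0777.
code_violations() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Data root: the guide sets dirs 700 / files 600, so no group/other bit may be
# set. A setgid bit left on directories by the earlier 2770 is not flagged.
data_violations() {
    find "$1" \( -type d -o -type f \) \
        \( -perm -0040 -o -perm -0020 -o -perm -0010 \
           -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sort
}

# audit CODE_DIR DATA_DIR: prints offending paths, returns 1 if any were found.
audit() {
    bad_code=$(code_violations "$1")
    bad_data=$(data_violations "$2")
    [ -n "$bad_code" ] && printf 'world-writable in code tree:\n%s\n' "$bad_code"
    [ -n "$bad_data" ] && printf 'group/other access in data root:\n%s\n' "$bad_data"
    [ -z "$bad_code$bad_data" ]
}

# Audit the guide's paths only when called with "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    audit /var/www/html/moodle /var/www/moodledata
fi
```

Run it as root with the argument `run`, since the data root is readable only by the apache user. A non-zero exit status means the install step did not finish restoring permissions.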
Update this development server to a production server
This Moodle installation is not secure enough for teaching students. There are a number of steps to take to reduce the risk of data breaches, unauthorized access, service disruption, and full system compromise. You must make the changes described here before allowing student access to this Moodle.
Use HTTPS exclusively
Configure SSL/TLS certificates (e.g., via Let’s Encrypt) to secure all traffic, not just login pages, protecting user data and credentials.
For an Apache server
- Open the /etc/apache2/sites-available/000-default.conf file with a text editor
- Set the server name to your domain
- Set the server alias to www.(your domain)
- Call the certbot and enter the admin email, answer
- Restart Apache
sudo sed -i "/ServerName/c\ ServerName $WEBSITE_ADDRESS" /etc/apache2/sites-available/000-default.conf
sudo sed -i "/ServerAlias/c\ ServerAlias www.$WEBSITE_ADDRESS" /etc/apache2/sites-available/000-default.conf
sudo certbot --apache
sudo systemctl reload apache2
Keep the system and Moodle updated
Regularly apply OS updates and update Moodle and its plugins to patch vulnerabilities.
Configure a firewall
Allow only necessary ports (typically 80 and 443 for HTTP/HTTPS) and block others to reduce attack surface.
Change default SSH port and disable root login
Move SSH from port 22 to a non-standard port, disable root login, and use SSH keys for authentication to prevent brute-force attacks.
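A way to confirm the SSH changes took effect, added here as an example and not part of the original guide: it reads the effective settings that `sshd -T` prints and reports each recommendation that is not met. Treating "use SSH keys" as `passwordauthentication no` is an assumption, and the function names and the two constructed samples (including port 2222) are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Reads `sshd -T` style output (lowercase "keyword value" lines) on stdin.
# On this SELinux-enforcing host a new SSH port must also be labelled
# (semanage port -a -t ssh_port_t -p tcp PORT) and opened in firewalld.

# check_sshd: prints one FAIL line per unmet item, returns 0 only if all pass.
check_sshd() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "port"                   { ports = ports " " val; if (val == "22") on22 = 1 }
        key == "permitrootlogin"        { root = val }
        key == "pubkeyauthentication"   { pubkey = val }
        key == "passwordauthentication" { passwd = val }
        END {
            if (ports == "" || on22) { print "FAIL port:" (ports == "" ? " unknown" : ports); bad = 1 }
            if (root != "no")        { print "FAIL permitrootlogin: " root; bad = 1 }
            if (pubkey != "yes")     { print "FAIL pubkeyauthentication: " pubkey; bad = 1 }
            if (passwd != "no")      { print "FAIL passwordauthentication: " passwd; bad = 1 }
            exit bad + 0
        }'
}

# Constructed samples: a stock configuration and one with the guide's changes.
sample_default() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' \
        'pubkeyauthentication yes' 'passwordauthentication yes'
}
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication no'
}

# Check the live daemon only when called with "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    sshd -T | check_sshd
fi
```

Run it as root with the argument `run` after restarting sshd, and keep the current session open until a new login on the new port succeeds.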
Regular backups and monitoring
To secure Moodle on a Linux VPS, follow these essential steps:
- Keep the system and Moodle updated: Regularly apply OS updates (`yum update` or `apt-get update && apt-get upgrade`) and update Moodle and its plugins to patch vulnerabilities [1][3].
- Use HTTPS exclusively: Configure SSL/TLS certificates (e.g., via Let’s Encrypt) to secure all traffic, not just login pages, protecting user data and credentials [3][4].
- Configure a firewall: Allow only necessary ports (typically 80 and 443 for HTTP/HTTPS) and block others to reduce attack surface [2][4].
- Change default SSH port and disable root login: Move SSH from port 22 to a non-standard port, disable root login, and use SSH keys for authentication to prevent brute-force attacks [1][2][5][6].
- Enforce strong passwords and limit privileged accounts: Use complex passwords for all users, especially admins and teachers, and restrict teacher roles to trusted users only [3].
- Install malware scanning tools: Use Linux-compatible antivirus like ClamAV for periodic malware scans to detect infections early [2][6].
- Regular backups and monitoring: Maintain frequent backups and monitor logs for suspicious activity to enable quick recovery and detection of breaches [5][7].
- Restrict file access and permissions: Limit access to sensitive Moodle files and directories to prevent unauthorized modifications [4].
Implementing these layered security measures will significantly reduce risks and harden your Moodle installation on a Linux VPS.
- [1] https://www.vps-mart.com/blog/7-ways-to-secure-your-vps
- [2] https://moodle.org/mod/forum/discuss.php?d=462489&parent=1856902
- [3] https://docs.moodle.org/en/Security_recommendations
- [4] https://www.scalahosting.com/blog/a-guide-to-moodle-security/
- [5] https://www.inmotionhosting.com/support/product-guides/vps-hosting/ways-to-harden-your-vps-hosting/
- [6] https://www.scalahosting.com/blog/how-to-secure-your-cpanel-vps-actionable-tips/
- [7] https://moodle.org/mod/forum/discuss.php?d=39404
- [8] https://accuweb.cloud/blog/best-practices-for-moodle-developers