Seguridad en servidores locales conectados al internet

Saltar a: navegación, buscar

Nota: Pendiente de Traducir. ¡Anímese a traducir esta página!.     ( y otras páginas pendientes)


Windows

... falta de escribir ...

Mac

Servidor en su red local

In various workshops we used Moodle4Mac as a quick server installation for our local network. Make sure that you change the passwords for Moodle and MySQL before you allow access to this server ... otherwise, you'll be amazed how creative your user group can be. Please read the safety instructions of Moodle4Mac.

In this section you will see all required settings to use the server in the local network. Only three steps are required. The first step is to change one line in the config.php for Moodle. In the second step you need to adjust the base address in Moodle. And in your third step you open the firewall for httpd.

To get your Moodle to another computer in your local network your Mac must be clearly addressable. You may use a fixed IP address or a DNS name. In local networks usually ip addresses of the private sections 10.xxx , 172.xxx , or 192.168.xx are assigned. If your Moodle4Mac gets an ip address this address must never change. Please do not use any static ip address if you do not know exactly what you do ... in case of doubt ask the administrator of the local network.

You can't use Moodle4Mac as a local server which is intended to work on different networks.


Editar config.php

For the following your computer should be a Mac in a computer lab. For this example it has the the fixed ip address 192.168.0.200. You must edit now the configuration /Applications/MAMP/htdocs/moodle24/config.php and change the wwwroot from localhost to 192.168.0.200. You must use your own address for your own network!!

After your changes you should get your Moodle with the address http://192.168.0.200/moodle24/

<?php  /// Moodle Configuration File 

unset($CFG);

$CFG->dbtype    = 'mysql';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle24';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'moodle';
$CFG->dbpersist =  false;
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbsocket' => 1,
);

// Use the ip address of your computer instead of localhost
$CFG->wwwroot   = 'http://192.168.0.200:8888/moodle24';
// $CFG->wwwroot   = 'http://localhost:8888/moodle24';
$CFG->dataroot  = '/Applications/MAMP/data/moodle24';
$CFG->admin     = 'admin';

$CFG->passwordsaltmain = 'some_very_long_secret!#A12345678901234567890!';
$CFG->directorypermissions = 00777;  // try 02777 on a server in Safe Mode

require_once("$CFG->dirroot/lib/setup.php");

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!


Remplazar la dirección base

The original base address localhost is stored in many places within the database, your Moodle will not work properly with the modified base address. But images can not be displayed because they are accessible only from their correct address. From your local computer you might not see the problems but if you are outside on a computer getting access to the site.

Moodle has a tool that allows you to replace the database entries from http://localhost:8888/moodle24/ to http://192.168.0.200:8888/moodle24/ .

Moodle4Mac 6.png

You call this tool via the address http://192.168.0.200:8888/moodle24/admin/tool/replace/

No ... there is no menu option for it, probably because at thoughtless action with this tool also can shred the database ... in the first field enter http://localhost:8888/moodle24/, in the second field http://192.168.0.200:8888/moodle24/ (or the ip address that you have assigned in your installation). Use the correct spelling in both fields! With the hook you acknowledge that you know about the risk ...

Abrir el cortafuegos (firewall)

The firewall in OS X 10.6, 10.7 and 10.8 can be enabled and disabled the System Preferences > Security > Firewall. If the firewall is disabled, although Moodle4Mac works without further settings in the network, but your computer is vulnerable to all requests from the outside ... the latter you should not do!

Moodle4Mac Firewall1.png

The the system firewall of OS X is a packet filter that determines for each program if a data packet should be passed or blocked. If the firewall is enabled every program must be entered on a list to respond to requests from outside. Moodle4Mac (or MAMP) uses the httpd program to deliver the sites. You will find httpd in the MAMP folder ... the path is /Application/MAMP/Library/bin/httpd. To enter httpd into the whitelist of the firewall you must click forward on this path ... no idea if there would be a configuration file which you can edit.

You need to get this setting for the firewall only once. If httpd is approved then all computers in your local network can access to Moodle ... by the way it is not important which is used by httpd ... port 8888 or port 80.

Do not open the firewall for mysqld because Moodle itself gets a connection to mysql on the server but no user should communicate with mysql directly from the client.

Moodle4Mac Firewall2.png

Connect Moodle from your network ...

Your web server can be connected with the url http://192.168.0.200:8888/moodle24/ in your local network, where 192.168.0.200 is an example address which your Mac got from the local router on your LAN. Usually such numbers start with 10.x.x.x, 172.x.x.x, or 192.168.x.x. All users from any computer in your network can use your Moodle via this address.

This also works if your computer is connected to the internet directly. If you open the firewall in your internet router and if you forward the port 8888 to your computer then any user everywhere on the world would be able to work with your Moodle ... but please remember also that there are a lot of security risks if you do this ... it would be better if you don't do this!!

Moodle4Mac Network1.png

Moodle4Mac Network2.png

Moodle4Mac Network3.png

Some words about the security ...

MAMP is designed for local computers

MAMP can be used for testing and developing websites locally on their Apple computers. MAMP should not be used in a production environment because everybody knows all the settings and all the predefined passwords. It's prepared for an easy start and not for a public web server!! But with some careful modfications, you can sufficiently secure MAMP and Moodle4Mac to use them in public development environments.

¿ Cómo asegurar MAMP?

I found some ideas in the following document: How to secure MAMP?. It's really old and some of the instructions are not correct for the current version.

There is also a new package MAMP Pro that will let you do a lot of settings for a more secure web server. Please look to the web page for this product. You can find a describtion for MAMP Pro on the MAMP internet server. It's commertial and not free!

Paso a paso,cómo asegurar Moodle4Mac


 

Asegurar conexiones con HTTPS

The text is copied from webopius web site (excepted the last steps).

  1. stop MAMP
  2. backup your /Applications/MAMP/conf folder
  3. open a terminal
  4. enter: openssl genrsa -des3 -out server.key 1024. Enter a password twice.
  5. enter: openssl req -new -key server.key -out server.csr. Enter the previous password. You need to answer some questions. Common name expects your local name (for me it was jerome.moodle.local)
  6. enter: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  7. enter: cp server.key server.tmp
  8. enter: openssl rsa -in server.tmp -out server.key. Enter the previous password.
  9. enter: mkdir /Applications/MAMP/conf/ssl
  10. enter: cp server.crt /Applications/MAMP/conf/ssl
  11. enter: cp server.key /Applications/MAMP/conf/ssl
  12. Edit Applications/MAMP/conf/apache/ssl.conf:
    1. comment <IfDefine SSL> tag to closing tag (but not the content)
    2. SSLCertificateFile /Applications/MAMP/conf/ssl/server.crt
    3. SSLCertificateKeyFile /Applications/MAMP/conf/ssl/server.key
  13. Edit /Applications/MAMP/conf/apache/httpd.conf:
    1. Listen 80
    2. comment <IfDefine SSL> tag to closing tag (but not the content)
  14. Edit /Application/MAMP/conf/apache/ssl.conf, change the document root (DocumentRoot) for the one you have into /Application/MAMP/conf/apache/httpd.conf
  15. in a terminal enter: cd /Applications/MAMP/bin/apache2/bin
  16. enter: sudo ./apachectl startssl
  17. start MAMP

From now MAMP should start/stop with the SSL support activated. Note that these steps have only be tested with Apache port set to 80 into MAMP preferences.


Vea también