Moodle security

Moodle Security. Dilum Bandara, PhD, Dept. of Computer Science & Engineering, University of Moratuwa. [email protected], http://Dilum.Bandara.lk

Tips & best practices on securing your Moodle LMS deployment

Transcript of Moodle security

Page 1: Moodle security

Moodle Security

Dilum Bandara, PhD
Dept. of Computer Science & Engineering, University of Moratuwa
[email protected]
http://Dilum.Bandara.lk

Page 2: Moodle security

Security & Privacy in LMSs

- Used by many trainers & trainees
  - Most of them aren't technically savvy
- Can be accessed from anywhere, at any time, on many devices
- Lots of features
  - Chat, forums, polls, quizzes, etc.
- Many internal threats
  - Motivation to alter grades
  - Motivation to know others' grades

Page 3: Moodle security

Outline

- Security review
- Securing Moodle
  - Moodle server security
  - Moodle site security
- Best practices

Page 4: Moodle security

Computer Security

- Objective: to protect the resources of your computer system
- Resources
  - Physical assets
  - Data & software
  - Personnel
  - Trust
- A computer system is secure if you can depend upon it to behave as you expect

Source – http://smallbusinessindia.intuit.in

Page 5: Moodle security

Sources of Threats

- Outsiders
  - Hackers/crackers
  - Associates (customers, contractors)
  - Former employees
- Insiders
  - Users: trainers & trainees
  - System administrators
  - Programmers
- Most incidents are due to insiders

Source – aztechnews.com

Page 6: Moodle security

How to Attack a System?

- By impersonating a valid user
  - A student impersonating another student
  - Human engineering (social engineering)
  - Wiretapping: passwords sent in the clear
  - Searching: simple (username, password) pairs
- By exploiting bugs/weaknesses in systems
  - Default, test, & misconfigurations
  - Unencrypted pages
  - Targeted attacks: buffer overflows, SQL injection attacks

Page 7: Moodle security

Possible Attacks on Moodle

- Tampering with grades
- Tampering with assignment submission times
- Accessing quizzes: the answers, or access before the allowed time
- Logging in as other users
- Denial of Service (DoS) attacks
- Session hijacking
- SQL injection attacks
- Cross-site scripting

Page 8: Moodle security

Goals in Security – CIA

Key aspects of a computer-related security system:

- Confidentiality
- Integrity
- Availability

Page 9: Moodle security

Achieving CIA

To achieve confidentiality, integrity, & availability, computer systems should provide:

- Identification
- Authentication
- Access control
- Accounting/Auditing
- Assurance

Page 10: Moodle security

Achieving Security, Privacy, & Trust

- Access control
  - Strong passwords & secure logins
  - Minimum access
  - Policies that address what, by whom, when
- File & data control
  - Integrity & confidentiality
  - Separation
  - Backups & policies
- System protection
  - Firewalls, antivirus, intrusion detection systems
  - Frequent updates
  - Minimal services – hardened servers

Page 11: Moodle security

Securing Moodle

- Securing the Moodle server: server-level security (like any server on the Internet)
- Securing the Moodle site: application-level security

Source – http://ifreecode.com/java/java-tutorials/web-application-security

Source – http://www.altfire.ie/automatic-server-scans-with-security-reports/

Page 12: Moodle security

Securing Moodle Server

- Operating System (Linux or Windows)
  - Remove unwanted services
  - Access rights
  - Regular security updates
  - Antivirus
- Secure Network
  - Firewall
  - Intrusion detection system

Page 13: Moodle security

Securing Moodle Server (Cont.)

- Web Server
  - Enable HTTPS
  - Load only required modules
  - Access control
    - Moodle folder: 700 (rwx------); files: 600 (rw-------)
    - Moodle data folder: 750 (rwxr-x---); files: 640 (rw-r-----)
    - Don't place the Moodle data folder under the web root (e.g., not in the www directory)
  - Regular security updates
  - Application-level firewalls
    - Block SQL injection attacks & cross-site scripting
    - ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
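The permission scheme and the "data folder outside the web root" rule above, turned into a small apply-and-audit script. This is an added example, not part of the slides; the directory layout it builds under a temporary directory is constructed for the demo, and real Moodle paths will differ.

```shell
#!/bin/sh
# Added example (not from the slides): apply the permission scheme on this slide
# to a Moodle code directory and a Moodle data directory, then audit the result.
# The directory layout below is constructed for the demo; real paths will differ.

# Moodle code: directories 700, files 600. Moodle data: directories 750,
# files 640 (the web server's group needs read access to uploaded files).
harden_moodle_dirs() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
    find "$2" -type d -exec chmod 750 {} +
    find "$2" -type f -exec chmod 640 {} +
}

# Audit: print how many entries under $1 deviate from dir mode $2 / file mode $3.
count_bad_modes() {
    bad_dirs=$(find "$1" -type d ! -perm "$2" | wc -l)
    bad_files=$(find "$1" -type f ! -perm "$3" | wc -l)
    echo $((bad_dirs + bad_files))
}

# Returns 0 when the data directory ($1) lies outside the web root ($2), 1 when
# it sits inside it (and would be reachable through the web server).
data_dir_outside_webroot() {
    data_dir=$(cd "$1" && pwd -P)
    web_root=$(cd "$2" && pwd -P)
    case "$data_dir/" in
        "$web_root"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed layout: code under the web root, data beside it, one world-writable file.
demo_root=$(mktemp -d)
moodle_code="$demo_root/var/www/html/moodle"
moodle_data="$demo_root/var/moodledata"
mkdir -p "$moodle_code/lib" "$moodle_data/filedir"
touch "$moodle_code/config.php" "$moodle_code/lib/setup.php" "$moodle_data/filedir/blob"
chmod 777 "$moodle_data/filedir/blob"

harden_moodle_dirs "$moodle_code" "$moodle_data"
echo "code dir deviations: $(count_bad_modes "$moodle_code" 700 600)"
echo "data dir deviations: $(count_bad_modes "$moodle_data" 750 640)"
if data_dir_outside_webroot "$moodle_data" "$demo_root/var/www/html"; then
    echo "moodledata is outside the web root"
else
    echo "WARNING: moodledata is inside the web root"
fi
```

On a real host, run the audit functions first and only apply the chmod step as the account that owns the Moodle files, since the web server user then needs group membership to read the data folder.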

Page 14: Moodle security

Securing Moodle Server (Cont.)

- PHP & MySQL: regular updates
- phpMyAdmin (www.phpmyadmin.net)
  - No default password
  - Block access from outside the local network
- MySQL
  - Set a password for the root user
  - Turn off network access if the database is on the same server as Moodle

Page 15: Moodle security

Securing Moodle Site

- Force users to log in
- Disable guest access
  - If really needed, use guest access with a key
- Enable CAPTCHA
- Turn off user self-registration
  - Use registration with a key if it's the only option
- Minimum access
  - Some may be a student, instructor, and administrator at the same time
- Strong passwords
  - 8+ characters, lower/upper case, numbers, symbols
  - Change them frequently

Page 16: Moodle security

Securing Moodle Site (Cont.)

- Load only required services/plug-ins
- Disable opentogoogle if not essential (it makes trainer/trainee profiles public)
- Regular updates
  - Update via Git
- Backup at all levels
  - Data backup: course backups, Moodle data folder, SQL data
  - Server backup: Moodle software & configuration backup

Page 17: Moodle security

Monitoring, Accounting, & Auditing Moodle

- Moodle log: My courses > Course Name > Reports > Logs, Activity, Participant report
- Moodle statistics
- PHP log
- Web server: server log, server statistics
  - /usr/local/apache/logs, /var/log/apache or /var/log/httpd
- Operating system log: /var/log/syslog, /var/log/messages
- Firewall & intrusion detection system log
- Use log analysis tools

Source – http://binarymuse.github.io/moodle-tools/
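A minimal log-analysis pass of the kind the slide recommends, run over web server access-log lines to flag clients that post to Moodle's login page many times within one minute. This is an added example, not from the slides; the log lines are constructed for the demo, and the login path and threshold are assumptions rather than Moodle or Apache defaults.

```shell
#!/bin/sh
# Added example (not from the slides): a small log-analysis pass over web server
# access-log lines, flagging clients that POST to Moodle's login page far more
# often within one minute than a person would. The log lines are constructed for
# the demo; the path and threshold are assumptions, not Moodle or Apache defaults.

# Print "ip minute count" for every client/minute whose POSTs to $2 reach $3.
# Fields of a combined-format line: $1 client, $4 "[day/Mon/year:HH:MM:SS",
# $6 the method (with a leading quote), $7 the request path.
flag_login_bursts() {
    awk -v path="$2" -v limit="$3" '
        $6 == "\"POST" && index($7, path) == 1 {
            minute = substr($4, 2, 17)          # e.g. 10/Oct/2023:13:55
            hits[$1 " " minute]++
        }
        END { for (k in hits) if (hits[k] >= limit) print k, hits[k] }
    ' "$1" | sort
}

# Constructed sample: 12 login POSTs from one client in one minute, plus
# ordinary traffic from a second client (two logins, minutes apart).
build_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /login/index.php HTTP/1.1" 303 412 "-" "curl/7.88"\n' "$((i * 4))" >> "$1"
        i=$((i + 1))
    done
    printf '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"\n' >> "$1"
    printf '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "POST /login/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"\n' >> "$1"
    printf '198.51.100.4 - - [10/Oct/2023:14:02:45 +0000] "POST /login/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"\n' >> "$1"
}

sample_log=$(mktemp)
build_sample_log "$sample_log"
echo "clients with 10+ login POSTs in a minute:"
flag_login_bursts "$sample_log" /login/index.php 10
```

On a real host, point the first argument at the access log path listed on this slide; the access log shows only that login attempts were made, and the Moodle log (Reports > Logs) is where you see which of them failed.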

Page 18: Moodle security

Best Practices

- Security first
- Minimum access
- Enforce login
- Use HTTPS
- Don't use any module just because it's available
- Use mailing lists to stay updated
- Use forums to find out about modules

Page 19: Moodle security

Resources

- Mailing lists
  - Moodle – https://moodle.org/security/
  - PHP – http://php.net/mailing-lists.php
  - MySQL – http://lists.mysql.com/
  - Apache – http://httpd.apache.org/lists.html
- Forums & web sites
  - https://moodle.org/mod/forum/
  - http://www.moodlenews.com/tag/security/
  - http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
  - http://krypted.com/mac-security/moodle-security/
- Other
  - http://www.inmotionhosting.com/support/edu/moodle
  - http://www.slideshare.net/moorejon/securing-your-moodle
  - “Moodle Security” by Darko Miletić