Like anyone else responsible for a Moodle server and working with multiple Moodle instances, I find that maintaining a secure installation can be a daunting task. For one thing, while I’ve had the opportunity to work on multiple servers, I’m not a certified security expert. That’s why, when I received my evaluation copy of Moodle Security (Darko Miletic) via Packt Publishing (as an ebook, which is wonderful since it can be loaded on my Nook and other mobile devices), the anticipation of reading this book gave me a thrill. I hoped the book would:
- Present and suggest answers to questions I didn’t have a clue about regarding Moodle security.
- Be readable and easy to understand for a novice reader. I’ve found highly technical manuals written for experts unreadable; as a technical writer myself, I’m looking for easy-to-understand texts.
- Show how best to secure a GNU/Linux installation, which many are recognizing, or have recognized, as the best OS on which to set up Moodle. I’ve noticed Windows installations often fail because IIS can’t handle the pressure (share your story if you have a different one), but Mac and GNU/Linux can.
- Show how best to install PHP, MySQL, and Apache on a server, whatever your flavor (although this book focuses on GNU/Linux and Windows). I wish it had an addendum for Mac.
Have something to say yourself about Moodle Security? Contribute Your Video Thoughts via Intervue – intervue.me/i/301
Note: Another interview to possibly respond to is Moodle in the Classroom – http://intervue.me/i/243
Reflections on the Book
- The operating system, web server, PHP, database server and Moodle are all vulnerable points and must be secured.
- This book is oriented towards those running Apache on GNU/Linux or Internet Information Services (IIS) on Windows, with PHP 5.1.x and MySQL 5.0 or later.
- Nice details on setting up Moodle, including what to type at the command line.
- Provides a nice explanation of the Moodle Security Overview report and what each option should be set to. The explanations of “insecure dataroot” (moodledata placed inside the web root, where uploaded files can be fetched directly by URL, bypassing Moodle’s access checks) and “display errors” (PHP error output that leaks file paths and configuration details to visitors) are particularly helpful to newbies. The rest of the explanations, including “Password Salt”, are timely and well worth including in the book. Although I’ve discovered these components on my own now, I’m thrilled to find them in one place.
- “Securing Your Server-Linux” is Chapter 2, and I’m thrilled to be starting it:
- Discussion of firewall settings: a great piece to include since, if you’re a newbie, you don’t know what to set up on GNU/Linux! Examples focus on the CentOS distribution of GNU/Linux, which is a rebuild of Red Hat Enterprise Linux 5. Ken Task (in Texas) provides some excellent suggestions on setting this up, so this is some validation for his work.
- Recommendation to mark the SSH, WWW (HTTP), and Secure WWW (HTTPS) services as exposed in the firewall configuration, leaving everything else on the box unreachable from outside.
- A piece of advice: “An administrator should know exactly what is installed on his system because otherwise it could be difficult to secure everything available, and overall security will be lower than it should be. You should review the list of packages installed and remove unnecessary packages that do not comply with your security policy.” Great advice. This really highlights the need for a dedicated machine as a server, not one that doubles as a workstation for other stuff…a lesson I learned at home when playing around with a server setup. I installed one thing and it messed up my MySQL setup!
- Securing Apache: advice is shared on this, such as adding ServerTokens Prod and ServerSignature Off to httpd.conf so that the Server response header and Apache’s own error pages stop revealing the exact Apache version, operating system and loaded modules, details an attacker uses to pick exploits. Other specific suggestions are made that are worthwhile and detailed.
- In the MySQL configuration, a recommendation worth taking is how to set up MySQL to use InnoDB instead of MyISAM. Great advice given the coming of Moodle 2.0, and it means you don’t have to optimize your databases as much.
- In the PHP configuration, there is mention of Suhosin, a hardening extension and patch for PHP that adds protections against common memory-corruption bugs in the PHP engine and lets you restrict risky runtime behaviour.
- Mention is also made that CentOS 6 will probably address some issues discussed in the book. That release is due anytime now (April 2011), so this raises a question for me (see my questions below).
- Discussion of directory or folder permissions is great. Although you can find this info easily on the web, it’s nice that the author has compiled it and put it in one place for us with the goal of a Moodle Security book!
- Chapter 3 – Securing Your Server-Windows
- Wow, using Windows 2008 Server. Hmm…
- Use of IIS on Windows.
- Discussion of FastCGI and PHP addresses how IIS can be made to run PHP as fast as Apache does.
- Great discussion of FastCGI and PHP installation, configuring php.ini, etc.
- Very detailed–with screenshots–of what you should be seeing in Windows 2008 server configuration. I’ll have to try these steps out and see how that works. In the meantime, give it a shot!
- Chapter 4 – Moodle User Authentication is discussed, including the importance of avoiding simple passwords that are subject to dictionary attacks. Lots of good stuff here (e.g. CAPTCHA, allowed email domains) but nothing earth-shattering.
- Chapter 5 – Roles and Permissions: Nice discussion, especially about creating new roles for specific purposes that don’t necessarily fit into existing roles. For example, one neat tip is about backing up user data – “…through course backup a malicious user could easily obtain all user data together with passwords.”
- Chapter 6 – Protection Against Bots: This chapter has some great, specific advice about securing Moodle against search engines, bots, and more. My favorite resource in this chapter is the decision process table that outlines and describes what Moodle is doing depending on the options you’ve chosen. If your site is open to Google search bots, then you are exposed, because Moodle recognizes Googlebot by the User-Agent header it sends, and anyone can put that string in their own requests to get the guest access meant for the crawler. Impersonating Googlebot is quite simple.
- Some neat options mentioned about Messaging. That can be set to allow only admins or special roles to use it, rather than just allowing everyone to do so. I’ll have to spend more time studying this. Great!
- Chapter 7 – Securing User Files
- There are a few limits suggested by the author that are intriguing. For example, the glossary activity allows users to upload images, but you can use it to upload anything, including viruses or virus-infected files. The recommendation is to limit that. Another is to restrict use of the HTML editor. Of course, I disagree with that, but it’s nice to know where one’s Moodle is vulnerable. Here’s MY rationale: “We’re in K-12. I know who’s uploading and who isn’t. If someone does upload something, then we know who did it and consequences result.”
- Mention of SrvAny for Windows Server is a nice touch: srvany.exe (from the Windows Resource Kit) turns any executable into a service. Setting up ClamAV involves using regedit. Really, quick aside here, but the install seems easier on Linux!
- Chapter 8 – Securing Moodle Data
- Great discussion of password salting, backing up courses with user passwords in them, and more. Well worth reading.
- Chapter 9 – Monitoring User Activity
- Mentions the use of reports and logs in Moodle to see what’s happening.
- Discussion of cron jobs and how to set them up. Good to see this! No mention of tools to help you do cron via a GUI, which can be tough for newbies.
- Command line utilities on GNU/Linux (like top, although I’m more familiar with htop) are also covered.
- Chapter 10 – Backup
- Moodle Backup is discussed, but it’s pointed out that it’s not well implemented and why it’s being rewritten in Moodle 2.0. I prefer to back up the whole Moodle instance (database, PHP files, moodledata) rather than mess with individual course backups.
- This chapter is focused on command line stuff, but using an external tool like phpMyAdmin or SQLyog would be very helpful. I’m sure there’s a reason for it (if you’re on a server) but…why suffer unnecessarily?
- I wish this chapter had covered monitoring student messaging, etc.
- The author encourages the use of the MySQL console…why not show readers how to use phpMyAdmin, SQLyog, or Navicat Lite? I suppose it makes for a more streamlined tutorial (you don’t have to install anything, you can just get going), but it is easier for newbies to use an interface rather than just type stuff into the MySQL console.
- When CentOS 6 comes out in 2011, will the author publish an update to Chapter 2 on Securing Linux?
- Why use IIS on Windows when most folks will just install Apache? Can IIS handle the workload? In my experience, it can’t.
- Is it just me or is configuring Windows more involved than GNU/Linux?
- Why wasn’t the install of ClamAV (antivirus) for GNU/Linux and Windows covered in their respective chapters?
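The Chapter 2 items above (Apache’s ServerTokens and ServerSignature, permissions on the Moodle code tree and moodledata, and tables left on MyISAM) are all things you can check from a shell once the server is built. The script below is an added example written for this page; it is not code from the book, from the reviewer or from Moodle. The paths /etc/httpd/conf/httpd.conf, /var/www/html/moodle and /var/www/moodledata and the database name moodle in the usage line are CentOS-style assumptions, so change them for your host.

```shell
#!/bin/bash
# Added example (not from the book, the blog post, or Moodle itself): audit a
# CentOS/Apache Moodle host for the Chapter 2 items discussed above. Paths and
# the database name in the usage line are assumptions; change them.

# Effective value of an Apache directive in a config file. Apache honours the
# last uncommented occurrence, so the last match wins here too; prints an
# empty line if the directive is absent.
apache_directive() {
    # $1 = config file, $2 = directive name (case-insensitive, like Apache)
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Fail unless the config stops Apache from advertising version and modules.
# An absent ServerTokens means the default "Full", which is what we want to catch.
check_apache() {
    local conf="$1" tokens sig rc=0
    tokens=$(apache_directive "$conf" ServerTokens)
    sig=$(apache_directive "$conf" ServerSignature)
    case "$tokens" in
        Prod|ProductOnly) ;;
        *) echo "FAIL: ServerTokens is '${tokens:-unset}', want Prod"; rc=1 ;;
    esac
    if [ "$sig" != "Off" ]; then
        echo "FAIL: ServerSignature is '${sig:-unset}', want Off"; rc=1
    fi
    return $rc
}

# Number of entries under a directory that are world-writable (mode bit 002).
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of entries under a directory that "other" can read (mode bit 004).
other_readable_count() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# The Moodle code tree should be read-only for the web server and never
# world-writable; moodledata holds uploads and sessions and should be closed
# to anyone outside the web server's group.
check_perms() {
    local code="$1" data="$2" rc=0 n
    n=$(world_writable_count "$code")
    [ "$n" -eq 0 ] || { echo "FAIL: $n world-writable entries under $code"; rc=1; }
    n=$(other_readable_count "$data")
    [ "$n" -eq 0 ] || { echo "FAIL: $n entries under $data readable by other"; rc=1; }
    return $rc
}

# Tables still on MyISAM in the Moodle database; each can be converted with
# ALTER TABLE <name> ENGINE=InnoDB. Needs a live server, so it is skipped
# in the offline test.
myisam_tables() {
    # $1 = database name; credentials are taken from ~/.my.cnf
    mysql -N -e "SELECT table_name FROM information_schema.tables
                 WHERE table_schema='$1' AND engine='MyISAM';"
}

# Usage: $0 /etc/httpd/conf/httpd.conf /var/www/html/moodle /var/www/moodledata moodle
# Nothing runs when the file is sourced without arguments.
[ $# -eq 0 ] || {
    check_apache "$1"
    check_perms "$2" "$3"
    echo "MyISAM tables in $4:"; myisam_tables "$4"
}
```

Run it with the four arguments shown in the usage comment, or source it and call the functions one at a time. An unset ServerTokens is reported as a failure on purpose: Apache’s default is Full, the most talkative setting, so a config that merely omits the directive is not hardened.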
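Chapter 10, and the preference expressed above for backing up the whole instance (database, PHP files, moodledata) rather than individual courses: this is what that looks like as a script. It is an added example for this page, not the book’s or the reviewer’s code. It assumes a my.cnf-style credentials file so the database password never appears on the command line, a database named moodle, and the same CentOS-style paths as before; all of these are illustrative. Put the site into maintenance mode before running it so the dump and the files in moodledata are consistent with each other.

```shell
#!/bin/bash
# Added example (not the book's or the reviewer's code): back up a whole Moodle
# instance as described under Chapter 10: database dump + code tree + moodledata,
# then verify the archive. Paths, database name and the credentials file in the
# usage line are assumptions for this illustration.

# Dump the database. Credentials come from a my.cnf-style file via
# --defaults-extra-file (it must be the first option) so the password never
# shows up in `ps`. --single-transaction gives a consistent snapshot of InnoDB
# tables without locking them. Needs a live server, so not run in the test.
backup_db() {
    # $1 = destination dir, $2 = database name, $3 = credentials file
    local dest="$1" db="$2" creds="$3"
    mysqldump --defaults-extra-file="$creds" --single-transaction \
        --routines --triggers "$db" | gzip -c > "$dest/$db.sql.gz"
}

# Pack one or more directories into a timestamped tar.gz and print its path.
# Leading slashes are stripped and -C / is used so the archive holds relative
# paths and can be restored into a scratch directory before touching the live site.
backup_files() {
    # $1 = destination dir, $2 = archive label, $3.. = directories to include
    local dest="$1" label="$2" stamp archive
    shift 2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$label-$stamp.tar.gz"
    tar -czf "$archive" -C / "${@#/}"
    echo "$archive"
}

# Write a checksum beside the archive and make sure tar can read the whole
# thing back. Returns non-zero on a truncated or corrupt archive, which is
# the failure you want to learn about on backup day, not on restore day.
verify_archive() {
    local archive="$1"
    sha256sum "$archive" > "$archive.sha256" || return 1
    tar -tzf "$archive" > /dev/null
}

# One dated directory per run with the dump and the file archive in it.
# Moodle's own course backups cover one course at a time; this covers the site.
backup_instance() {
    # $1 = backup root, $2 = db name, $3 = creds file, $4 = code dir, $5 = moodledata
    local root="$1" dest archive
    dest="$root/$(date +%Y%m%d)"
    mkdir -p "$dest"
    backup_db "$dest" "$2" "$3"
    archive=$(backup_files "$dest" moodle-files "$4" "$5")
    verify_archive "$archive"
}

# Usage: $0 /var/backups/moodle moodle /root/.my.cnf /var/www/html/moodle /var/www/moodledata
# Nothing runs when the file is sourced without arguments.
[ $# -eq 0 ] || backup_instance "$@"
```

The --single-transaction option only gives a consistent dump for InnoDB tables, which is one more reason to take the InnoDB advice from Chapter 2; for MyISAM tables mysqldump has to fall back to locking them. Restore the archive into a scratch directory now and then: a backup that has never been restored is a hope, not a backup.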