1. Moodle Security
Dilum Bandara, PhD
Dept. of Computer Science & Engineering,
University of Moratuwa
Dilum.Bandara@uom.lk
http://Dilum.Bandara.lk
2. Security & Privacy in LMSs
Used by many trainers & trainees
Most of them aren’t technically savvy
Can be accessible from anywhere, at any time, on many devices
Lots of features
Chat, forums, polls, quizzes, etc.
Many internal threats
Motivation to alter grades
Motivation to know others' grades
4. Computer Security
Objective
To protect resources of your computer system
Resources
Source – http://smallbusinessindia.intuit.in
Physical assets
Data & software
Personnel
Trust
A computer system is secure if you can depend upon it to behave as you expect
6. How to Attack a System?
By impersonating a valid user
A student impersonating another student
Wiretapping
Cleartext passwords
Searching
Human (social) engineering
Simple (username, password) pairs
By exploiting bugs/weaknesses in systems
Default, test, & misconfigurations
Unencrypted pages
Targeted attacks
Buffer overflows, SQL injection attacks
7. Possible Attacks on Moodle
Tampering with grades
Tampering with assignment submission times
Accessing quizzes
Answers or access before the allowed time
Logging in as other users
Denial of Service (DoS) attacks
Session hijacking
SQL injection attacks
Cross-site scripting
8. Goals in Security – CIA
Key aspects of a computer related security system
Confidentiality
Integrity
Availability
9. Achieving CIA
To achieve confidentiality, integrity, & availability, computer systems should provide
Identification
Authentication
Access control
Accounting/Auditing
Assurance
10. Achieving Security, Privacy, & Trust
Access control
File & data control
Strong passwords & secure logins
Minimum access
Policies that address what, by whom, when
Integrity & confidentiality
Separation
Backups & policies
System protection
Firewalls, antivirus, intrusion detection systems
Frequent updates
Minimal services – hardened servers
11. Securing Moodle
Securing Moodle server
Server-level security (like any server on Internet)
Securing Moodle site
Application-level security
Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/
Source – http://ifreecode.com/java/javatutorials/web-application-security
12. Securing Moodle Server
Operating System
Linux or Windows
Remove unwanted services
Access rights
Regular security updates
Antivirus
Secure Network
Firewall
Intrusion detection system
13. Securing Moodle Server (Cont.)
Web Server
Enable HTTPS
Load only required modules
Access control
Moodle folder 700 (rwx------), files 600 (rw-------)
Moodle data folder 750 (rwxr-x---), files 640 (rw-r-----)
Don't place the Moodle data folder under the web root
e.g., not in the www directory
Regular security updates
Application-level firewalls
Block SQL injection attacks & cross-site scripting
ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
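As an added example (not part of the slides), a POSIX shell audit that checks an install against the modes listed on this slide (code 700/600, data 750/640) and confirms that the data folder is not under the web root. The directory layout it builds is a constructed fixture, and the helper names (count_bad, is_under, audit_moodle, make_fixture) are mine.

```shell
#!/bin/sh
# Added example: audit a Moodle install against the modes on this slide
# (code dirs 700 / files 600, moodledata dirs 750 / files 640) and check
# that moodledata does not live under the web root. Helper names are mine.

# count_bad DIR TYPE MODE -> number of entries of TYPE (d|f) whose mode != MODE
count_bad() {
    find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '
}

# is_under PATH PARENT -> success if PATH is PARENT or somewhere inside it
is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_moodle MOODLE_DIR DATA_DIR WEB_ROOT -> prints findings, 0 only if clean
audit_moodle() {
    rc=0
    n=$(count_bad "$1" d 700); [ "$n" -eq 0 ] || { echo "$n code dir(s) not 700"; rc=1; }
    n=$(count_bad "$1" f 600); [ "$n" -eq 0 ] || { echo "$n code file(s) not 600"; rc=1; }
    n=$(count_bad "$2" d 750); [ "$n" -eq 0 ] || { echo "$n data dir(s) not 750"; rc=1; }
    n=$(count_bad "$2" f 640); [ "$n" -eq 0 ] || { echo "$n data file(s) not 640"; rc=1; }
    if is_under "$2" "$3"; then
        echo "moodledata $2 is inside web root $3"; rc=1
    fi
    return $rc
}

# make_fixture -> path of a constructed install laid out as the slide prescribes
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/www/moodle/lib" "$base/moodledata/filedir"
    : > "$base/www/moodle/config.php"
    : > "$base/www/moodle/lib/setup.php"
    : > "$base/moodledata/filedir/blob"
    find "$base/www/moodle" -type d -exec chmod 700 {} +
    find "$base/www/moodle" -type f -exec chmod 600 {} +
    find "$base/moodledata" -type d -exec chmod 750 {} +
    find "$base/moodledata" -type f -exec chmod 640 {} +
    echo "$base"
}

base=$(make_fixture)
audit_moodle "$base/www/moodle" "$base/moodledata" "$base/www" && echo "OK: layout matches the slide"
```

On a real server, point audit_moodle at the actual Moodle directory, the $CFG->dataroot directory and the web server's document root; any non-zero exit lists what deviates from the slide.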
14. Securing Moodle Server (Cont.)
PHP & MySQL
Regular updates
phpMyAdmin (www.phpmyadmin.net)
Don't keep the default password
Block access from outside the local network
MySQL
Set a password for the root user
Turn off network access if the database is on the same server as Moodle
15. Securing Moodle Site
Force users to login
Turn off user self-registration
Use registration with a key if it’s the only option
Minimum access
Disable guest access
If really needed, use guest access with a key
Enable Captcha
Some may be a student, instructor, & administrator at the same time
Strong passwords
8+ characters, lower/upper case, numbers, symbols
Update frequently
16. Securing Moodle Site (Cont.)
Load only required services/plug-ins
Disable opentogoogle if not essential
Public trainer/trainee profiles
Regular updates
Update via Git
Backup at all levels
Data backup
Course backups
Moodle data folder
SQL data
Server backup
Moodle software & configuration backup
17. Monitoring, Accounting, & Auditing
Moodle
Moodle log
My courses > Course Name > Reports
Logs, Activity, Participant report
Moodle statistics
PHP log
Web server
Source – http://binarymuse.github.io/moodle-tools/
Server log
Server statistics
/usr/local/apache/logs, /var/log/apache or /var/log/httpd
Operating system log
/var/log/syslog, /var/log/messages
Firewall & intrusion detection system log
Use log analysis tools
18. Best Practices
Security first
Minimum access
Enforce login
Use HTTPS
Don't use any module just because it's available
Use mailing lists to stay updated
Use forums to find out about modules