Moodle Security
Dilum Bandara, PhD
Dept. of Computer Science & Engineering,
University of Moratuwa
Dilum.Bandara@uom.lk
http://Dilum.Bandara.lk
Security & Privacy in LMSs
- Used by many trainers & trainees
  - Most of them aren't technically savvy
- Can be accessible from anywhere, at any time, on many devices
- Lots of features
  - Chat, forums, polls, quizzes, etc.
- Many internal threats
  - Motivation to alter grades
  - Motivation to know others' grades
Outline
- Security review
- Securing Moodle
  - Moodle server security
  - Moodle site security
- Best practices
Computer Security
- Objective
  - To protect the resources of your computer system
- Resources
  - Physical assets
  - Data & software
  - Personnel
  - Trust
- A computer system is secure if you can depend upon it to behave as you expect
Source – http://smallbusinessindia.intuit.in
Sources of Threats
- Outsiders
  - Hackers/crackers
  - Associates (customers, contractors)
  - Former employees
- Insiders
  - Users
    - Trainers & trainees
  - System administrators
  - Programmers
- Most incidents are due to insiders
Source – aztechnews.com
How to Attack a System?
- By impersonating a valid user
  - A student impersonating another student
  - Wiretapping
    - Clear-text passwords
  - Searching
    - Simple (username, password) pairs
  - Human engineering
- By exploiting bugs/weaknesses in systems
  - Default, test, & misconfigurations
  - Unencrypted pages
  - Targeted attacks
    - Buffer overflows, SQL injection attacks
Possible Attacks on Moodle
- Tampering with grades
- Tampering with assignment submission times
- Accessing quizzes
  - Answers, or access before the allowed time
- Logging in as other users
- Denial of Service (DoS) attacks
- Session hijacking
- SQL injection attacks
- Cross-site scripting
Goals in Security – CIA
- Key aspects of a computer-related security system
  - Confidentiality
  - Integrity
  - Availability
Achieving CIA
- To achieve confidentiality, integrity, & availability, computer systems should provide
  - Identification
  - Authentication
  - Access control
  - Accounting/Auditing
  - Assurance
Achieving Security, Privacy, & Trust
- Access control
  - Strong passwords & secure logins
  - Minimum access
  - Policies that address what, by whom, when
- File & data control
  - Integrity & confidentiality
  - Separation
  - Backups & policies
- System protection
  - Firewalls, antivirus, intruder detection systems
  - Frequent updates
  - Minimal services – hardened servers
Securing Moodle
- Securing the Moodle server
  - Server-level security (like any server on the Internet)
- Securing the Moodle site
  - Application-level security
Source – http://www.altfire.ie/automaticserver-scans-with-security-reports/
Source – http://ifreecode.com/java/javatutorials/web-application-security
Securing Moodle Server
- Operating System
  - Linux or Windows
  - Remove unwanted services
  - Access rights
  - Regular security updates
  - Antivirus
- Secure Network
  - Firewall
  - Intruder detection system
Securing Moodle Server (Cont.)
- Web Server
  - Enable https
  - Load only required modules
  - Access control
    - Moodle folder 700 (rwx------), files 600 (rw-------)
    - Moodle data folder 750 (rwxr-x---), files 640 (rw-r-----)
  - Don't place the Moodle data folder under the web root
    - e.g., not in the www directory
  - Regular security updates
  - Application-level firewalls
    - Block SQL injection attacks & cross-site scripting
    - ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
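As an added example (not part of the slides), a POSIX shell script that applies the modes listed above to a Moodle code directory and a moodledata directory, audits them, and checks that moodledata is not inside the web root. The directory paths and the sandbox layout it builds at the end are assumptions for the demonstration, not a real install.

```shell
#!/bin/sh
# Added example, not from the slides. Applies and audits the file modes the
# slide recommends: Moodle code 700/600, moodledata 750/640, and moodledata
# kept outside the web root. All paths are arguments supplied by the caller.

# Apply the recommended modes to every directory and file under the two trees.
harden_moodle_perms() {
    code_dir=$1
    data_dir=$2
    find "$code_dir" -type d -exec chmod 700 {} +
    find "$code_dir" -type f -exec chmod 600 {} +
    find "$data_dir" -type d -exec chmod 750 {} +
    find "$data_dir" -type f -exec chmod 640 {} +
}

# Print how many entries of type $2 (d or f) under $1 do not have exactly mode $3.
count_bad_modes() {
    find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '
}

# Return 0 when every entry of type $2 under $1 has mode $3; else report and return 1.
check_modes() {
    n=$(count_bad_modes "$1" "$2" "$3")
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n entries of type $2 under $1 are not mode $3"
        return 1
    fi
    return 0
}

# Return 0 when the data directory ($1) is neither the web root ($2) nor inside it.
# Both paths are resolved with pwd -P so symlinks and trailing slashes cannot
# hide a data directory that the web server would actually serve.
data_dir_outside_webroot() {
    data=$(cd "$1" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    case "$data/" in
        "$root"/*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Full audit: code dir $1, data dir $2, web root $3. Prints findings, returns 0 if clean.
audit_moodle() {
    rc=0
    check_modes "$1" d 700 || rc=1
    check_modes "$1" f 600 || rc=1
    check_modes "$2" d 750 || rc=1
    check_modes "$2" f 640 || rc=1
    if ! data_dir_outside_webroot "$2" "$3"; then
        echo "FAIL: data directory $2 is inside web root $3"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 match the recommended modes"
    return "$rc"
}

# Demonstration on a constructed sandbox (assumed layout, not a real install):
# harden it, audit it (clean), then loosen one file and audit again (finding).
demo_in_sandbox() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/moodle/lib" "$t/moodledata/filedir" "$t/www"
    touch "$t/moodle/config.php" "$t/moodle/lib/setup.php" "$t/moodledata/filedir/a.bin"
    harden_moodle_perms "$t/moodle" "$t/moodledata"
    audit_moodle "$t/moodle" "$t/moodledata" "$t/www"
    chmod 644 "$t/moodle/config.php"
    audit_moodle "$t/moodle" "$t/moodledata" "$t/www" || true
    rm -rf "$t"
}

demo_in_sandbox
```

On a live server, run `audit_moodle` with the real code, data and web root paths from a cron job so that a permission drift after an update shows up in the logs rather than on an attacker's scan.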
Securing Moodle Server (Cont.)
- PHP & MySQL
  - Regular updates
  - phpMyAdmin (www.phpmyadmin.net)
    - No default password
    - Block access from outside the local network
  - MySQL
    - Set a root user password
    - Turn off network access – if the database is on the same server as Moodle
Securing Moodle Site
- Force users to log in
  - Turn off user self-registration
    - Use registration with a key if it's the only option
- Minimum access
  - Disable guest access
  - If really needed, use guest access with a key
  - Enable Captcha
  - Some may be a student/instructor/administrator at the same time
- Strong passwords
  - 8+ characters, lower/upper case, numbers, symbols
  - Update frequently
Securing Moodle Site (Cont.)
- Load only required services/plug-ins
  - Disable opentogoogle if not essential
  - Public trainer/trainee profiles
- Regular updates
  - Update via Git
- Backup at all levels
  - Data backup
    - Course backups
    - Moodle data folder
    - SQL data
  - Server backup
  - Moodle software & configuration backup
Monitoring, Accounting, & Auditing
- Moodle
  - Moodle log
    - My courses → Course Name → Reports → Logs, Activity, Participant report
  - Moodle statistics
  - PHP log
- Web server
  - Server log
    - /usr/local/apache/logs, /var/log/apache or /var/log/httpd
  - Server statistics
- Operating system log
  - /var/log/syslog, /var/log/messages
- Firewall & intruder detection system log
- Use log analysis tools
Source – http://binarymuse.github.io/moodle-tools/
Best Practices
- Security first
- Minimum access
- Enforce login
- Use https
- Don't use any module just because it's available
- Use mailing lists to stay updated
- Use forums to find out about modules
Resources
- Mailing lists
  - Moodle – https://moodle.org/security/
  - PHP – http://php.net/mailing-lists.php
  - MySQL – http://lists.mysql.com/
  - Apache – http://httpd.apache.org/lists.html
- Forums & web sites
  - https://moodle.org/mod/forum/
  - http://www.moodlenews.com/tag/security/
  - http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
  - http://krypted.com/mac-security/moodle-security/
- Other
  - http://www.inmotionhosting.com/support/edu/moodle
  - http://www.slideshare.net/moorejon/securing-your-moodle
  - "Moodle Security" by Darko Miletić
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 

Moodle security

  • 1. Moodle Security
    Dilum Bandara, PhD
    Dept. of Computer Science & Engineering, University of Moratuwa
    Dilum.Bandara@uom.lk
    http://Dilum.Bandara.lk

  • 2. Security & Privacy in LMSs
    - Used by many trainers & trainees; most of them aren't technically savvy
    - Can be accessed from anywhere, at any time, on many devices
    - Lots of features: chat, forums, polls, quizzes, etc.
    - Many internal threats: motivation to alter grades, motivation to see others' grades

  • 3. Outline
    - Security review
    - Securing Moodle
      - Moodle server security
      - Moodle site security
    - Best practices
  • 4. Computer Security
    Objective: to protect the resources of your computer system
    Resources:
      - Physical assets
      - Data & software
      - Personnel
      - Trust
    A computer system is secure if you can depend upon it to behave as you expect.
    (Image source – http://smallbusinessindia.intuit.in)

  • 5. Sources of Threats
    Outsiders:
      - Hackers/crackers
      - Associates (customers, contractors)
      - Former employees
    Insiders:
      - Users (trainers & trainees)
      - System administrators
      - Programmers
    Most incidents are due to insiders.
    (Image source – aztechnews.com)

  • 6. How to Attack a System?
    By impersonating a valid user:
      - A student impersonating another student
      - Wiretapping (clear-text passwords on unencrypted connections)
      - Searching for simple (username, password) pairs
      - Social engineering
    By exploiting bugs/weaknesses in systems:
      - Default, test, & misconfigurations
      - Unencrypted pages
      - Targeted attacks (buffer overflows, SQL injection attacks)

  • 7. Possible Attacks on Moodle
    - Tampering with grades
    - Tampering with assignment submission times
    - Accessing quizzes: answers, or access before the allowed time
    - Logging in as other users
    - Denial of Service (DoS) attacks
    - Session hijacking
    - SQL injection attacks
    - Cross-site scripting

  • 8. Goals in Security – CIA
    Key aspects of a computer-related security system:
      - Confidentiality
      - Integrity
      - Availability

  • 9. Achieving CIA
    To achieve confidentiality, integrity, & availability, computer systems should provide:
      - Identification
      - Authentication
      - Access control
      - Accounting/Auditing
      - Assurance
  • 10. Achieving Security, Privacy, & Trust
    Access control:
      - Strong passwords & secure logins
      - Minimum access
      - Policies that address what, by whom, when
    File & data control:
      - Integrity & confidentiality
      - Separation
      - Backups & policies
    System protection:
      - Firewalls, antivirus, intrusion detection systems
      - Frequent updates
      - Minimal services – hardened servers

  • 11. Securing Moodle
    - Securing the Moodle server: server-level security (like any server on the Internet)
    - Securing the Moodle site: application-level security
    (Image sources – http://www.altfire.ie/automaticserver-scans-with-security-reports/, http://ifreecode.com/java/javatutorials/web-application-security)

  • 12. Securing Moodle Server
    Operating system (Linux or Windows):
      - Remove unwanted services
      - Restrict access rights
      - Regular security updates
      - Antivirus
    Secure network:
      - Firewall
      - Intrusion detection system
  • 13. Securing Moodle Server (Cont.)
    Web server:
      - Enable https
      - Load only required modules
      - Access control (file permissions):
        - Moodle code folder 700 (rwx------), files 600 (rw-------)
        - Moodle data folder 750 (rwxr-x---), files 640 (rw-r-----)
        With these modes the web server user must own both trees, since nobody else can read the code or write the data.
      - Don't place the Moodle data folder under the web root (e.g., not in the www directory)
      - Regular security updates
      - Application-level firewall: blocks SQL injection attacks & cross-site scripting, e.g., ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX. A WAF filters known attack patterns; it does not replace patching.

  • 14. Securing Moodle Server (Cont.)
    PHP & MySQL:
      - Regular updates
      - phpMyAdmin (www.phpmyadmin.net): no default password; block access from outside the local network
      - MySQL: set a password for the root user; turn off network access (e.g., skip-networking or bind-address = 127.0.0.1) if the database is on the same server as Moodle
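The server-hardening steps of slides 12 to 14 can be scripted and re-checked after every update. The following is an added example (not part of the slides or of Moodle): it applies the permission scheme from slide 13, refuses a moodledata directory that sits under the web root, and checks that the MySQL configuration keeps the server off the network. The directory paths and the my.cnf location are hypothetical; adjust them to your host.

```shell
#!/bin/sh
# Added example: hardening helpers for a Moodle host (not from the slides).
# Assumptions: CODE_DIR is the Moodle code tree, DATA_DIR is moodledata,
# WEB_ROOT is the web server document root (e.g., /var/www) and MY_CNF is the
# MySQL/MariaDB option file. All paths are hypothetical.

# Return 0 if DATA_DIR is not the web root and not inside it.
# Both paths are resolved with pwd -P so symlinks cannot hide a bad placement.
data_dir_outside_webroot() {
    data=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    root=${root%/}                      # "/" becomes "", so "/*" matches everything
    case "$data/" in
        "$root"/*) return 1 ;;          # data dir is the web root or lives under it
        *)         return 0 ;;
    esac
}

# Apply slide 13's scheme: code 700/600, data 750/640.
# The code tree is never writable by anyone but its owner; moodledata keeps
# group read so a separate account can still read it for backups.
set_moodle_perms() {
    code_dir=$1; data_dir=$2
    find "$code_dir" -type d -exec chmod 700 {} + &&
    find "$code_dir" -type f -exec chmod 600 {} + &&
    find "$data_dir" -type d -exec chmod 750 {} + &&
    find "$data_dir" -type f -exec chmod 640 {} +
}

# Return 0 if the MySQL option file keeps the server off the network:
# either skip-networking is set or bind-address is a loopback address.
mysql_local_only() {
    grep -Eq '^[[:space:]]*skip[-_]networking' "$1" && return 0
    grep -Eq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|::1|localhost)[[:space:]]*$' "$1"
}

# Run the checks, print one line per finding, exit non-zero if any failed.
# Usage: audit_moodle_server DATA_DIR WEB_ROOT MY_CNF
audit_moodle_server() {
    rc=0
    data_dir_outside_webroot "$1" "$2" ||
        { echo "FAIL: moodledata $1 is under web root $2"; rc=1; }
    mysql_local_only "$3" ||
        { echo "FAIL: MySQL is reachable over the network ($3)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: server checks passed"
    return "$rc"
}

# Example invocation with hypothetical paths; MOODLE_AUDIT must be set to run it.
if [ -n "${MOODLE_AUDIT:-}" ]; then
    set_moodle_perms /var/www/moodle /srv/moodledata
    audit_moodle_server /srv/moodledata /var/www /etc/mysql/my.cnf
fi
```

Run the audit from cron or after each `git pull` of the Moodle code; a failing check means the server drifted from the scheme on slides 13 and 14, not that it has been compromised.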
  • 15. Securing Moodle Site
    - Force users to log in
    - Turn off user self-registration; if it is the only option, use registration with a key
    - Minimum access:
      - Disable guest access; if really needed, use guest access with a key
      - Remember that one person may be a student, instructor, & administrator at the same time
    - Enable CAPTCHA
    - Strong passwords: 8+ characters, lower/upper case, numbers, symbols; change them regularly

  • 16. Securing Moodle Site (Cont.)
    - Load only required services/plug-ins
    - Disable opentogoogle if not essential
    - Avoid public trainer/trainee profiles
    - Regular updates (update via Git)
    - Backup at all levels:
      - Data backup: course backups, Moodle data folder, SQL data
      - Server backup
      - Moodle software & configuration backup
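Most of the site settings on slides 15 and 16 are plain Moodle configuration values, so they can be applied from the command line instead of clicked through the admin UI. The following is an added example (not from the slides or from Moodle): it pushes the settings through Moodle's `admin/cli/cfg.php` script (present in recent Moodle releases; confirm with `php admin/cli/cfg.php --help` on your version) and includes a check that mirrors the password rules the `minpassword*` settings enforce. `MOODLE_ROOT` and the `/srv/moodle` path are assumptions; the setting names are Moodle's own `$CFG` keys. CAPTCHA keys and the self-registration authentication plugin are site-specific and are left to the admin UI.

```shell
#!/bin/sh
# Added example: apply slide 15/16 site settings non-interactively.
# Assumes Moodle's admin/cli/cfg.php exists (check "php admin/cli/cfg.php --help")
# and MOODLE_ROOT points at the Moodle code tree. Not part of the slides.

# Settings from slides 15-16 as name=value pairs (Moodle $CFG keys).
moodle_site_settings() {
    cat <<'EOF'
forcelogin=1
forceloginforprofiles=1
guestloginbutton=0
opentogoogle=0
passwordpolicy=1
minpasswordlength=8
minpasswordlower=1
minpasswordupper=1
minpassworddigits=1
minpasswordnonalphanum=1
EOF
}

# Apply every pair with the Moodle CLI. "php" is resolved through PATH, so a
# dry run can shadow it with a shell function that just prints the command.
apply_moodle_settings() {
    root=$1
    for pair in $(moodle_site_settings); do
        name=${pair%%=*}
        value=${pair#*=}
        php "$root/admin/cli/cfg.php" --name="$name" --set="$value" || return 1
    done
}

# Return 0 if PASSWORD satisfies slide 15's policy: 8+ characters with at
# least one lower-case letter, one upper-case letter, one digit and one
# non-alphanumeric character (the same rules the min* settings above enforce).
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[a-z]' || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | grep -q '[0-9]' || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Usage (hypothetical path): MOODLE_ROOT=/srv/moodle sh site_settings.sh
if [ -n "${MOODLE_ROOT:-}" ]; then
    apply_moodle_settings "$MOODLE_ROOT"
fi
```

Because `cfg.php` writes to the `config` table, run it as the same user that owns the Moodle code tree, and purge caches afterwards (`php admin/cli/purge_caches.php`) so the new values take effect immediately.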
  • 17. Monitoring, Accounting, & Auditing
    Moodle:
      - Moodle log: My courses → Course Name → Reports → Logs, Activity, Participant report
      - Moodle statistics
      - PHP log
    Web server:
      - Server log & server statistics (/usr/local/apache/logs, /var/log/apache or /var/log/httpd)
    Operating system log: /var/log/syslog, /var/log/messages
    Firewall & intrusion detection system logs
    Use log analysis tools
    (Image source – http://binarymuse.github.io/moodle-tools/)

  • 18. Best Practices
    - Security first
    - Minimum access
    - Enforce login
    - Use https
    - Don't use a module just because it's available
    - Use mailing lists to stay updated
    - Use forums to find out about modules

  • 19. Resources
    Mailing lists:
      - Moodle – https://moodle.org/security/
      - PHP – http://php.net/mailing-lists.php
      - MySQL – http://lists.mysql.com/
      - Apache – http://httpd.apache.org/lists.html
    Forums & web sites:
      - https://moodle.org/mod/forum/
      - http://www.moodlenews.com/tag/security/
      - http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
      - http://krypted.com/mac-security/moodle-security/
    Other:
      - http://www.inmotionhosting.com/support/edu/moodle
      - http://www.slideshare.net/moorejon/securing-your-moodle
      - "Moodle Security" by Darko Miletić
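Slide 17 ends with "use log analysis tools" but does not show what a first check looks like. The following is an added example (not from the slides): it reads an Apache combined-format access log, counts POSTs to Moodle's login page per client address, and flags addresses above a threshold, which is a cheap way to spot password guessing against the login form before digging into Moodle's own log. The log lines below are constructed sample data; the threshold of 3 is arbitrary and would be tuned to a real site's traffic.

```shell
#!/bin/sh
# Added example: spot login-form hammering in an Apache access log (not from
# the slides). Combined log format fields: $1 client, $6 "\"METHOD", $7 path,
# $9 status. The sample log is constructed; 192.0.2.9 is the noisy client.

sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:00:02 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:00:04 +0000] "GET /my/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:01:00 +0000] "GET /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:01:01 +0000] "POST /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:01:02 +0000] "POST /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:01:03 +0000] "POST /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:01:04 +0000] "POST /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:01:05 +0000] "POST /login/index.php HTTP/1.1" 200 4310 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:02:10 +0000] "GET /mod/quiz/view.php?id=12 HTTP/1.1" 200 7019 "-" "Mozilla/5.0"
EOF
}

# Print "count client" for every client that POSTed to /login/index.php,
# busiest first. GETs of the login page are not counted: only submissions are.
login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/login\/index\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print the clients whose login POST count reaches THRESHOLD.
# Usage: flag_login_bruteforce LOGFILE THRESHOLD
flag_login_bruteforce() {
    login_posts_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo on the constructed sample: writes it to a temp file, reports, cleans up.
demo_login_report() {
    tmp=$(mktemp) || return 1
    sample_access_log > "$tmp"
    echo "login POSTs per client:"
    login_posts_by_ip "$tmp"
    echo "clients at or above 3 POSTs:"
    flag_login_bruteforce "$tmp" 3
    rm -f "$tmp"
}

demo_login_report
```

On a real host, point `flag_login_bruteforce` at the file from slide 17 (`/var/log/apache2/access.log` or `/var/log/httpd/access_log`) and compare the flagged addresses with the failed-login entries in Moodle's own log report. Column `$9` (the status code) is available in the same awk expression if you want to separate redirects from re-rendered login pages.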