Post on 03-Nov-2014
Moodle Security
Dilum Bandara, PhD
Dept. of Computer Science & Engineering, University of Moratuwa
Dilum.Bandara@uom.lk
http://Dilum.Bandara.lk
Slide 2: Security & Privacy in LMSs
- Used by many trainers & trainees
  - Most of them aren't technically savvy
- Can be accessed from anywhere, at any time, on many devices
- Lots of features
  - Chat, forums, polls, quizzes, etc.
- Many internal threats
  - Motivation to alter grades
  - Motivation to know others' grades
Slide 3: Outline
- Security review
- Securing Moodle
  - Moodle server security
  - Moodle site security
- Best practices
Slide 4: Computer Security Objective
- To protect the resources of your computer system
- Resources
  - Physical assets
  - Data & software
  - Personnel
  - Trust
- A computer system is secure if you can depend upon it to behave as you expect
Source – http://smallbusinessindia.intuit.in
Slide 5: Sources of Threats
- Outsiders
  - Hackers/crackers
  - Associates (customers, contractors)
  - Former employees
- Insiders
  - Users: trainers & trainees
  - System administrators
  - Programmers
- Most incidents are due to insiders
Source – aztechnews.com
Slide 6: How to Attack a System?
- By impersonating a valid user
  - A student impersonating another student
  - Human (social) engineering
  - Wiretapping: clear-text passwords
  - Searching: simple (username, password) pairs
- By exploiting bugs/weaknesses in systems
  - Default, test, & misconfigurations
  - Unencrypted pages
  - Targeted attacks: buffer overflows, SQL injection attacks
Slide 7: Possible Attacks on Moodle
- Tampering with grades
- Tampering with assignment submission times
- Accessing quizzes: answers, or access before the allowed time
- Logging in as other users
- Denial of Service (DoS) attacks
- Session hijacking
- SQL injection attacks
- Cross-site scripting
Slide 8: Goals in Security – CIA
Key aspects of a computer-related security system:
- Confidentiality
- Integrity
- Availability
Slide 9: Achieving CIA
To achieve confidentiality, integrity, & availability, computer systems should provide:
- Identification
- Authentication
- Access control
- Accounting/Auditing
- Assurance
Slide 10: Achieving Security, Privacy, & Trust
- Access control
  - Strong passwords & secure logins
  - Minimum access
  - Policies that address what, by whom, and when
- File & data control
  - Integrity & confidentiality
  - Separation
  - Backups & backup policies
- System protection
  - Firewalls, antivirus, intrusion detection systems
  - Frequent updates
  - Minimal services – hardened servers
Slide 11: Securing Moodle
- Securing the Moodle server: server-level security (like any server on the Internet)
- Securing the Moodle site: application-level security
Source – http://ifreecode.com/java/java-tutorials/web-application-security
Source – http://www.altfire.ie/automatic-server-scans-with-security-reports/
Slide 12: Securing Moodle Server
- Operating system (Linux or Windows)
  - Remove unwanted services
  - Access rights
  - Regular security updates
  - Antivirus
- Secure network
  - Firewall
  - Intrusion detection system
Slide 13: Securing Moodle Server (Cont.)
- Web server
  - Enable HTTPS
  - Load only required modules
  - Access control
    - Moodle folder: 700 (rwx------); files: 600 (rw-------)
    - Moodle data folder: 750 (rwxr-x---); files: 640 (rw-r-----)
    - Don't place the Moodle data folder under the web root (e.g., not in the www directory)
  - Regular security updates
  - Application-level firewalls
    - Block SQL injection attacks & cross-site scripting
    - ModSecurity (www.modsecurity.org) for Apache, IIS, & NGINX
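The permission scheme above can be checked rather than assumed. The following audit script is an added example, not part of the slides or of Moodle itself; it builds a constructed temporary layout (the paths www/moodle and moodledata are hypothetical) with one deliberately world-writable directory, reports every entry whose mode differs from the scheme, and confirms the data folder is not under the web root.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission scheme from the slide: (directory mode, file mode)
MOODLE_CODE = (0o700, 0o600)   # folders rwx------, files rw-------
MOODLE_DATA = (0o750, 0o640)   # folders rwxr-x---, files rw-r-----


def audit_tree(root, dir_mode, file_mode):
    """Return [(path, actual_mode)] for every entry under root (root included)
    whose permission bits differ from the expected scheme."""
    bad = []
    for path in [Path(root), *Path(root).rglob("*")]:
        mode = stat.S_IMODE(path.lstat().st_mode) & 0o777   # ignore setuid/setgid/sticky
        expected = dir_mode if path.is_dir() else file_mode
        if mode != expected:
            bad.append((str(path), oct(mode)))
    return bad


def data_dir_inside_webroot(webroot, datadir):
    """True when the Moodle data folder is the web root or sits below it."""
    web, data = Path(webroot).resolve(), Path(datadir).resolve()
    return data == web or web in data.parents


def build_demo():
    """Constructed layout (hypothetical paths): compliant code tree, and a
    moodledata tree with one world-writable cache directory."""
    base = Path(tempfile.mkdtemp())
    code, data = base / "www" / "moodle", base / "moodledata"
    (code / "lib").mkdir(parents=True)
    (code / "config.php").touch()
    (data / "cache").mkdir(parents=True)
    (data / "cache" / "x").touch()
    for p, m in [(code, 0o700), (code / "lib", 0o700), (code / "config.php", 0o600),
                 (data, 0o750), (data / "cache", 0o777), (data / "cache" / "x", 0o640)]:
        os.chmod(p, m)
    return base


if __name__ == "__main__":
    base = build_demo()
    print(audit_tree(base / "www" / "moodle", *MOODLE_CODE))        # [] (compliant)
    print(audit_tree(base / "moodledata", *MOODLE_DATA))             # flags .../cache as 0o777
    print(data_dir_inside_webroot(base / "www", base / "moodledata"))  # False
```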
Slide 14: Securing Moodle Server (Cont.)
- PHP & MySQL
  - Regular updates
  - phpMyAdmin (www.phpmyadmin.net)
    - No default password
    - Block access from outside the local network
  - MySQL
    - Set a password for the root user
    - Turn off network access if the database is on the same server as Moodle
Slide 15: Securing Moodle Site
- Force users to log in
  - Disable guest access; if really needed, use guest access with a key
  - Enable CAPTCHA
  - Turn off user self-registration; use registration with a key if it's the only option
- Minimum access
  - Some may be a student, instructor, and administrator at the same time
- Strong passwords
  - 8+ characters, lower/upper case, numbers, symbols
  - Change them frequently
Slide 16: Securing Moodle Site (Cont.)
- Load only required services/plug-ins
  - Disable opentogoogle if not essential
  - Public trainer/trainee profiles
- Regular updates
  - Update via Git
- Backup at all levels
  - Data backup: course backups, Moodle data folder, SQL data
  - Server backup: Moodle software & configuration backup
Slide 17: Monitoring, Accounting, & Auditing Moodle
- Moodle log: My courses > Course Name > Reports > Logs, Activity, Participant report
- Moodle statistics
- PHP log
- Web server: server log, server statistics (/usr/local/apache/logs, /var/log/apache or /var/log/httpd)
- Operating system log: /var/log/syslog, /var/log/messages
- Firewall & intrusion detection system logs
- Use log analysis tools
Source – http://binarymuse.github.io/moodle-tools/
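As an added example of the log analysis the slide recommends (not a tool from the slides or from Moodle), the script below reads Apache combined-format access-log lines and flags source addresses that submit the Moodle login form (POST /login/index.php) at least a threshold number of times inside a sliding time window, which is how a password-guessing burst against a site looks in the web server log. The log lines, addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/login/index.php"   # Moodle's login form
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Parse one Apache combined-format line; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak count} for IPs with >= threshold login POSTs in any window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == LOGIN_PATH:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def constructed_log():
    """Constructed sample: one ordinary user, one source hammering the login form, one bad line."""
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    t0 = datetime(2014, 11, 3, 10, 15, tzinfo=timezone.utc)
    lines = [fmt.format(ip="203.0.113.7", ts=t0, m="GET", p=LOGIN_PATH, s=200),
             fmt.format(ip="203.0.113.7", ts=t0 + timedelta(seconds=9), m="POST", p=LOGIN_PATH, s=303),
             fmt.format(ip="203.0.113.7", ts=t0 + timedelta(minutes=40), m="POST", p=LOGIN_PATH, s=303)]
    lines += [fmt.format(ip="198.51.100.9", ts=t0 + timedelta(seconds=20 * i), m="POST", p=LOGIN_PATH, s=303)
              for i in range(8)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    print(login_bursts(constructed_log()))   # {'198.51.100.9': 8}
```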
Slide 18: Best Practices
- Security first
- Minimum access
- Enforce login
- Use HTTPS
- Don't use any module just because it's available
- Use mailing lists to stay updated
- Use forums to find out about modules
Slide 19: Resources
- Mailing lists
  - Moodle – https://moodle.org/security/
  - PHP – http://php.net/mailing-lists.php
  - MySQL – http://lists.mysql.com/
  - Apache – http://httpd.apache.org/lists.html
- Forums & web sites
  - https://moodle.org/mod/forum/
  - http://www.moodlenews.com/tag/security/
  - http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security
  - http://krypted.com/mac-security/moodle-security/
- Other
  - http://www.inmotionhosting.com/support/edu/moodle
  - http://www.slideshare.net/moorejon/securing-your-moodle
  - "Moodle Security" by Darko Miletić