Moodle Security
Table of Contents
Moodle Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Delving into the World of Security
Moodle and security
Weak points
The secure installation of Moodle
Starting from scratch
Installation checklist
Quickly securing Moodle
Review the Moodle security overview report
Summary
2. Securing Your Server Linux
Securing your Linux—the basics
Firewall
User accounts and passwords
Removing unnecessary software packages
Patching
Apache configuration
Where to start
Directory browsing
Load only a minimal number of modules
Install and configure ModSecurity
MySQL configuration
PHP configuration
Installation
File security permissions
Discretionary Access Control—DAC
Directory permissions
Access Control Lists
Mandatory Access Control (MAC)
Adequate location for a Moodle installation
How to secure Moodle files
DAC
ACL
Summary
3. Securing Your Server—Windows
Securing Windows—the basics
Firewall
Keeping OS updated
Configuring Windows update
Anti-virus
New security model
File security permissions
Adequate location for Moodle installation
Installing and securing PHP under Internet Information Server
Preparing IIS
Getting the right version of PHP
Configuring php.ini
Adding PHP to the IIS
Creating Application pool
Create new website
Adding PHP mapping
Securing MySQL
MySQL configuration wizard
Configure MySQL service to run under low-privileged user
Create a mysql account
Summary
4. Authentication
Basics of authentication
Logon procedure
Common authentication attacks
Weak passwords
Enforcing a good password policy
Protecting user logon
Closing the security breach
Password change
Recover a forgotten password
Preventing a potential security risk
Securing user profile fields
User model in Moodle
Authentication types in Moodle
Manual accounts
E-mail based self-registration
Specifying allowed or denied e-mail domains
Captcha
Session hijacking
No login
Summary
5. Roles and Permissions
Roles and capabilities
Capability
Context
Permissions
Role
How it all fits together
Standard Moodle roles
Customizing roles
Overriding roles
Best practices
Risky capabilities
Summary
6. Protection Against Bots
Internet bots
Search engine content indexing
Harvesting email addresses
Website scraping
Spam generators
Protecting Moodle from unwanted search bots
Search engines
Moodle and search engines
Moodle access check
Protection against spam bots
User profiles
E-mail-based self-registration
User blogs
Moodle messaging system
Cleaning up spam
Protection against brute force attacks
Summary
7. Securing User Files
Uploading files into Moodle
How Moodle stores files
Points of submitting user files
WYSIWYG HTMLArea editor
Upload single file simple/advanced assignment
Forum
Database activity
Dangers and pitfalls
Classic viruses
Macro viruses
Applying protection measures
Disable WYSIWYG editor if you do not need it
Enable file upload in forums only when you really need it
Anti-virus and Moodle
ClamAV on Linux
Configuring Moodle
ClamAV on Windows
Downloading
Configuring clamd service
Setting up virus signature database update
Scheduling updates
Final steps
Summary
8. Securing Moodle Data
User information protection
User profile page
Reaching profile page
People block
Forum topics
Messaging system
Protecting user profile information
Limit information exposed to all users
Completely block ability to view profiles
Disable View participants capability
Hide messaging system
Disable Messaging system
Not using general forums
Disable View user profiles capability
Course information protection
Course backups
Important information for users of Moodle prior to 1.9.7
Password hashes and salt
Enable password policy
Enable password salt
Disable teacher's ability to back up and restore courses
Security issues with course backups
Scheduled backups
Summary
9. Monitoring User Activity
Activity monitoring using Moodle tools
Moodle log
Accessing the Moodle reports
Logs report
IP address look up page setup
Configuring Moodle to use GeoIP database
Live Logs report
Statistics report
Moodle cron
Moodle cron on Windows
Moodle cron on Linux
Enabling statistics report
Activity monitoring using OS native tools
Linux
Server load
Disk space
Web server load
Web server statistics
Configuring The Webalizer
Windows
Server load
Task manager
Performance and Reliability Monitor
The Webalizer on Windows
Summary
10. Backup
Importance of backup
Backup tools in Moodle
Manual backup
Automatic backup
Content export options for automatic backup
Execution configuration options
When to use Moodle automated backup
Site backup
Database
Server log
Linux
Windows
Automating database backup—Linux
Backup script explanation
Automating database backup—Windows
Restoring database
Moodledata directory
Linux
Windows
Moodle directory
Disaster recovery scenario
Summary
A. Authentication Plugins
Plugins less common in production servers
LDAP server
Configuring LDAP PHP extension
CAS server
FirstClass server
IMAP server
Moodle network authentication
NNTP server
No authentication
PAM (Pluggable Authentication Modules)
POP3 server
Shibboleth
Radius
Summary
Index