Have something to say yourself about Moodle Security? Contribute Your Video Thoughts via Intervue –  intervue.me/i/301

Note: Another interview to possibly respond to is Moodle in the Classroom – http://intervue.me/i/243

Reflections on the Book

Any book that titles itself Moodle Security sets a high standard for itself. When I pick up a book like this, I want to know that my Moodles will be safe if I implement the recommendations contained. Does Moodle Security achieve this high standard? 

This book really provides some critical insights into Moodle Security. The strongest chapters are the ones on setting up GNU/Linux and Windows servers for Moodle, as well as protection against search bots. This is the kind of book you want to curl up with in a WAN room and use to setup your server (laugh). 

Seriously, the best parts of the book provide that level of detail (consider the FastCGI and PHP or the use of SrvAny setup for Windows servers will be something Windows server admins will jump for…”I wish I’d had this book when…” kind of reaction or, for new folks, this is easily a must-have book). The screenshots that guide you through are particularly relevant. This is a book I can recommend to server admins on two platforms, but it is not a “bible” or complete compendium on the subject.

There is a lot more that could have been covered in regards to other clients that allow you to interact with MySQL (e.g. phpMyAdmin, SQLYog), cron job setup (a whole chapter on this would have been nice), and I felt the book omitted those points. When I pass out a book like this, I pray that it will eliminate the need for having to search for other resources. In this regard, the book, as detailed as it is, could have gone farther. That it went this far, though, makes it a worthy addition to your library and the best I’ve seen short of googling the internet. Another benefit is that it puts a lot of what you need to know in one place with a few minor exceptions (for example, ClamAV configuration, cron configuration for various platforms are dealt with in different chapters where it is appropriate).

Another desire I had for the book– Moodle Security — was the hope that it would explore other less archaic (wait, wait, don’t hack me CentOS Server gurus) distros than CentOS…as powerful as CentOS is, some folks are running their Moodles quite happily on RedHatLinux, UbuntuLinux server and Mac OS X Leopard or Snow Leopard. Why not address those as well? Ah well, maybe a second volume or an in-depth article for each operating system might be planned. In the meantime, this really reminded of Texas’ Ken Task and his eagerness for using CentOS to setup Moodle Servers in schools…nice affirmation of his work and decision to use CentOS.

Is this a book I’d buy if responsible for setting up Moodle-centric server? You bet! The author met the high standard even if he didn’t address every possible security aspect under the sun. It’s a book I will definitely treasure and read time and again. Below are my notes while reading; they include take-aways as well as questions that popped up in my head. I hope they are useful to readers in evaluating whether to purchase the book or not. 

Please be sure to click the link–Moodle Security—and show some “linkmiration” (link+admiration) to Packt Publishing for being kind enough to share the book with reviewers. The Packt Publishing folks have done a wonderful job making their content accessible for review (for example, I received a free copy of this book as an ebook).  

Next book coming up for review is their Moodle as a Curriculum and Information Management System. I’ve already started my notes on this book and I’m looking forward to sharing it. Chock-full of ideas.

Here are some of my take-aways from this excellent read:

1. The operating system, web server, PHP, database server and Moodle are all vulnerable points and must be secured.
2. This book is oriented towards those running Apache on GNU/Linux or Internet Information Server (IIS) on Windows and using PHP 5.1.x and MySQL 5.0 or later.
3. Nice details on setup of a Moodle, including what to type in the command line. 
4. Provides a nice explanation of the Moodle Security Overview Report and what the options should be set to. Explanation of the “insecure dataroot” and “display-errors” are particularly helpful to newbies. The rest of the explanations–including “Password Salt”–are timely and well worth including in the book. Although I’ve discovered these components on my own now, I’m thrilled to find them in one place.
5. “Securing Your Server-Linux” is Chapter 2, and I’m thrilled to be starting it:
1. Discussion of Firewall setting – Great piece to include since, if you’re a newbie, you don’t know what to setup on GNU/Linux! Examples are focused on CentOS distro of GNU/Linux, which is a derivative of Red Hat Enterprise Linux 5 server. Ken Task (in Texas) provides some excellent suggestions on setting this up, so this is some validation for his work.
2. Recommendation to set SSH, WWW, Secure WWW options as exposed.
3. A piece of advice: “An administrator should know exactly what is installed on his system because otherwise it could be difficult to secure everything available, and overall security will be lower than it should be. You should review the list of packages installed and remove unnecessary packages that do not comply with your security policy.” Great advice. This really highlights the need for a dedicated machine as a server, not one that doubles as a workstation for other stuff…a lesson I learned at home when playing around with a server setup. I installed one thing and it messed up my MySQL setup!
4. Securing Apache – advice is shared on this, such as adding ServerTokens Prod and ServerSignature Off to the httpd.conf file to limit the amount of information shared about your server. Other specific suggestions are made that are worthwhile and detailed.
5. In the MySQL Configuration, a recommendation worth taking is how to setup MySQL to use INNODB instead of MyISAM. Great advice given the coming of Moodle 2.0 and ensuring you don’t have to optmize your databases as much.
6. In the PHP Configuration, there is mention of something called Suhosin plugin that provides enhanced protection for PHP installations.
7. Mention is also made that CentOS 6 will probably address some issues discussed in the book…that release is due anytime now (April, 2011), so this raises a question for me.
8. Discussion of directory or folder permissions is great. Although you can find this info easily on the web, it’s nice that the author has compiled it and put it in one place for us with the goal of a Moodle Security book!
6. Chapter 3 – Securing Your Server-Windows
1. Wow, using Windows 2008 Server. Hmm…
2. Use of IIS on Windows. 
3. Discussion of FastCGI and PHP addresses how IIS can be made to run as fast Apache. 
4. Great discussion of FastCGI and PHP installation, configuring php.ini, etc.
5. Very detailed–with screenshots–of what you should be seeing in Windows 2008 server configuration. I’ll have to try these steps out and see how that works. In the meantime, give it a shot!
7. Chapter 4 – Moodle User Authentication is discussed, importance of avoid simple passwords that are subject to dictionary attacks, etc. Lots of good stuff here (e.g. Captcha, email domains) but nothing earth-shattering.
8. Chapter 5 – Roles and Permissions: Nice discussion, especially about creating new roles for specific purposes that don’t necessarily fit into existing roles. For example, one neat tip is about backing up user data – “…through course backup a malicious user could easily obtain all user data together with passwords.” 
9. Chapter 6 – Protection Against Bots: This chapter has some great, specific advice about securing Moodle against search engines, bots, and more. My favorite resource in this chapter is the decision process table that outlines and describes what Moodle is doing depending on the options you’ve chosen. If your site is open to Google Search bots, then you are vulnerable because others can impersonate Googlebot quite simply.
1. Some neat options mentioned about Messaging. That can be set to allow only admins or special roles to use it, rather than just allowing everyone to do so. I’ll have to spend more time studying this. Great!
10. Chapter 7 – Securing User Files
1. There are a few limits suggested by the author that are intriguing. For example, the glossary activity allows users to upload images but you can use it to upload anything–including viruses or virus-infected files. Recommendation is to limit that. Another is to restrict use of the HTML Editor. Of course, I disagree with that, but it’s nice to know where one’s Moodle is vulnerable. Here’s MY rationale: “We’re in K-12. I know who’s uploading and who isn’t. If someone does upload something, then we know who did it and consequences result.”
2. Mention of SrvAny for Windows server is a nice touch. SrvAny turns any executable into a service. Setting up ClamAV involves using regedit. Really, quick aside here, but install seems easier on Linux!
11. Chapter 8 – Securing Moodle Data
1. Great discussion of password salting, backing up courses with user passwords in them, and more. Well worth reading.
12. Chapter 9 – Monitoring User Activity
1. Mentions the use of reports and logs in Moodle to see what’s happening.
2. Discussion of cron jobs and how to set them up. Good to see this! No mention of tools to help you do cron via a GUI, which can be tough for newbies.
3. Command line utilities (like top, although I’m familiar with htop) on GNU/Linux
13. Chapter 10 – Backup
1. Moodle Backup is discussed, but it’s pointed out that it’s not well-implemented and why it’s being rewritten in Moodle 2.0. I prefer to backup the Moodle instance (database, php files, moodledata) rather than mess with individual course backups.
2. This chapter is focused on command line stuff, but using an external tool like phpMyAdmin or SQLYog would be very helpful. I’m sure there’s a reason for it (if you’re on a server) but…why suffer unnecessarily?
3. I wish this chapter had covered monitoring student messaging, etc.

1. The author encourages the use of the MySQL console…why not show readers how to use PHPMyAdmin, SQLYog, or Navicat Lite? I suppose it makes for a more streamlined tutorial–you don’t have to install anything, you can just get going–but it is easier for newbies to use an interface rather than just type stuff into the MySQL console.
2. When CentOS 6 comes out in 2011, will the author publish an update to Chapter 2 on Securing Linux?
3. Why use IIS on Windows when most folks will just install Apache? Can IIS handle the workload? In my experience, it can’t.
4. Is it just me or is configuring Windows more involved than GNU/Linux?
5. Why wasn’t the install of ClamAV (antivirus) for GNU/linux and Windows covered in their respective chapters?

http://goo.gl/t5WhX

Get Blog Updates via Email!

pingthis();

Bookmark this on Delicious

Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure