Moodle Security: Learn how to install and configure Moodle in the most secure way possible

We will try to explain the basic elements of Linux on which you should focus your attention during initial configuration.

Apache web server is one of the most popular implementations of web server on UNIX-like operating systems. As of February 2010, Apache served over 54 percent of all websites on the Internet. It is a stable and reliable software recommended for both high and small load websites. It is easily configurable and highly flexible because it features modular design which permits to use only parts of the functionality that we really need. This reduces memory footprint and makes server faster to operate and respond. We still must be sure that it is properly configured in terms of basic functionality and security.

Database is a crucial element of any LMS. In this way, Moodle is no different than all the other platforms. The recommended database for Moodle is MySQL. Most of the development is done using that RDBMS which makes it therefore less error prone and better tested than the other options. This, of course, does not imply that we can just sit back and enjoy the benefits of the default installation that comes with CentOS. Here is the checklist we should go over that improves our setup of MySQL:

PHP stands for PHP: Hypertext Preprocessor. This kind of idiom is known as a recursive acronym. A recursive acronym is an acronym that refers to itself in the expression for which it stands. It is widely used in programming since recursion is one of the common methods used in everyday programming. PHP is an open source, general purpose scripting language widely used for web development. Moodle is completely written in PHP and therefore to run Moodle we need to install and configure PHP. As any other software PHP has potential and real security problems. Because of that we need to be sure that it is configured properly in order to reduce potential security issues.

yum install php php-cli php-common php-gd php-mysql php-mbstring php-xml php-xmlrpc php-tidy

A computer server is a source of many services, resources, and facilities. Some of these are open for public use while others may be protected. The system that permits an authority to specify and control access of individuals to areas and resources in a server is called the Access Control System (ACS). In Linux almost every resource available in the system is defined as a file-system object. Therefore a crucial part of Linux security is file system permission. The following sections describe the several types of ACS available today.

RedHat-based Linux distributions closely follow the File System Hierarchy Standard. This standard contains a set of requirements and guidelines for file and directory placement under UNIX-like operating systems. According to this standard any variable set of data should be placed in the /var directory. This directory is assumed to be on a separate partition (whenever possible) and it is mounted as read/write. Under CentOS, Apache web server has a special directory designated to its needs —/var/www. The default directory for any web file is /var/www/html. Files placed in that directory are located on the www root of the web server.

As we already know, Moodle has two major directories. One contains Moodle itself (usually called Moodle) while the other has all user and platform data that can change during the course of usage (usually Moodledata).

There are numerous options available as to where to install Moodle files. Three such possible options...

Securing Moodle files means to permit only the needed users and groups to access the files in both the Moodle and the moodledata folder. We will approach this task by using standard DAC methods, and later mention alternatives available with ACL.

/bin/chown -R root:apache /var/www/moodledata/
/bin/chmod -R ug=rwX,o= /var/www/moodledata/

We learned some basic facts about securing a Linux-based Moodle server: What web server and database server we need to use, how to install and configure MySQL, PHP, and Apache,.and what hat alternatives are available for MySQL and PHP. Explanation was given about file security system in Linux and the reader will feel more comfortable next time he sees acronyms like DAC, ACL, MAC, and SELinux. Next stop—how to transform your Windows server into an impenetrable fortress!