Moodle Security

Chapter 1. Delving into the World of Security

Welcome to Moodle Security!

In the early days of the web, Internet was mostly used for academic purposes. Hence, all communications protocols had very little or no focus on security. The situation started changing as more and more public and commercial services started moving online and common users started actually using Internet in their daily routine. With the increase of user base we see the emerge of the malicious groups of users, the so-called hackers that are focused mostly on information theft and illegal usage. Nowadays it is quite common to be attacked by hacker(s). In fact it is so common and frequent that it is reported that only the USA's cyber attacks generate costs up to 10 billion dollars every year. The purpose of this book is to introduce you to web security while focusing on Moodle.

In this chapter we will cover the following topics:

Moodle and security
Weak points
The secure Moodle installation
Quickly securing Moodle

Moodle and security

Moodle is an open source CMS (Course Management System)/LMS (Learning Management System)/VLE (Virtual Learning Environment). Its primary purpose is to enable educational institutions and individuals to create and publish learning content in a coherent and pedagogically valuable manner, so that it can be used for successful knowledge transfer towards students.

That sounds harmless enough. Why would anybody want to illegally access an educational platform?

There are various motives of computer criminals. In general, they are people committed to the circumvention of computer security. This primarily concerns unauthorized remote computer break-ins via a communication network such as the Internet. Some of the motives could be:

Financial: Stealing user and/or course information and selling it to other third-parties
Personal: Personal grudge, infantile display of power, desire to alter assigned grades, and so on

Weak points

Moodle is a web application and as such must be hosted on a computer connected to some kind of network (private or public—Internet / Intranet). This computer must have the following components:

Operating System (OS)
Web server
PHP
Database server
Moodle

Each of these pieces can be used as a point of attack by a malicious user(s) in order to obtain access to the protected information. Therefore, it is our task to make all of them as secure as possible. The main focus will be directed towards our Moodle and PHP configuration. At the end of the book you can find some recommended literature for additional reading.

The secure installation of Moodle

In this section we follow a secure installation of Moodle. In case you do not already have an installed instance of Moodle, we will show you the quickest way to do that, and at the same time focus on security. If you already have Moodle installed, go to the following section where you will see how to secure an existing installation of Moodle.

Starting from scratch

In order to install Moodle on your server you need to install and configure the web server with support for PHP and the database server. We will not go into the specifics of setting up a particular web server, PHP, and/or database server right now, since it depends on the OS your server has installed. Also we will not explain in detail tasks like creating directories, setting up file permissions, etc as they are OS specific. Later in this book we will address them in detail for both Linux and Windows. If you need to know that right now then I suggest you go directly to the chapter dedicated to the Operating System you plan on using. This section assumes you already know about your OS and have already configured your web server with an empty database. Every installation of Moodle must have:

Web server with PHP support
Dedicated database
Two dedicated directories—one for Moodle and another for platform data

Note

We assume that your web server is Apache (Linux) or IIS (Windows), and that you use PHP 5.1.x or later and MySQL 5.0 or later.

Installation checklist

The following checklist will guide you through the basic installation procedure for Moodle.

1. Download the latest stable version of Moodle from http://download.moodle.org/. (At the time of writing this book it is 1.9.8+). You have two options available on the download page—moodle-weekly-19.tgz or moodle-weekly-19.zip archive. In case you use Linux you can choose either. In case of Windows, ZIP file is the preferred choice. The reason for this is simple. Every Windows server comes, by default, with installed support for managing Zip archives. On the other hand, TGZ is readily available on every Linux distribution.

2. Unpack the compressed file you just downloaded. This will produce a directory with the name moodle which contains all of the platform files. Move that directory to the web-root of your web server. After doing that it is recommended to make all files read-only for safety reasons.
3. Create a directory called moodledata somewhere on the disk. Make sure that it is not in the web-root of your web server since that would incur a serious security breach. Doing that might expose all platform files submitted by course participants and teachers together with the course content to the outside world.
4. Create an empty database (we suggest the name moodle or moodledb). The default database character set must be configured to utf8 and collation set to utf8_general_ci. It is recommended to have a special user for accessing this database with limited permissions. In case of credentials theft, a malicious user could only operate on data from one database, minimizing the potential damage. That database user account will need permissions for creating, altering, and deleting the tables, creating/dropping the indexes and reading/writing the data. Here is what you need to execute in your MySQL console for creating a database and user:

CREATE DATABASE moodle CHARSET 'utf8' COLLATION 'utf8_general_ci';
CREATE USER 'moodle'@'localhost' IDENTIFIED BY 'somepass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON loomdb.\* TO loom@localhost IDENTIFIED BY 'somepass';
FLUSH PRIVILEGES;

5. Start the installation by opening the http://<url to local installation of the moodle> (for example http://localhost/moodle) in your browser. Make sure it is a more recent browser with pop ups and JavaScript enabled. We recommend Internet Explorer 8+ or Firefox 3.6+. You will see the following screenshot:

6. On the next screen, we need to specify the web address of the platform and the location of the moodle directory on the disk.

7. Now, we must configure database access. Choose MySQL as database type, localhost as host server, set the name of the database (moodle), database user, and its password (moodle/moodle). You should leave the table prefix as is.

8. Moodle checks the server configuration on this screen and displays the outcome. We can proceed with the installation only if all of the minimal requirements are met.

9. During installation, Moodle generates a configuration file within the moodle directory called config.php. It is important to make this file read-only after installation for security reasons. In case Moodle cannot save config.php it will offer to download or copy content of the file and manually place it in the appropriate location on the server. See the following screenshot:

10. We are now presented with terms of usage and license agreement. To proceed click yes.
11. We can now start the installation itself. During that process Moodle will create all of the tables in the database, session files in the moodledata directory, and load some initial information. Make sure you check Unattended operation at the bottom. That way, the process will be executed without user intervention.

12. After the database setup is finished, we are offered a new screen where we must configure the administrative account. With this user you manage your platform, so be careful about disclosing this information to other users.

Field name	Description	Recommended action
Username	Defines user name inside the Moodle. By default it is admin.	We recommend leaving the default value unchanged.
New password	Defines user logon password.	Must supply valid password.
First name	Defines name of the admin.	Must supply valid name.
Surname	Defines surname of the admin.	Must supply valid name.
E-mail address	Defines user e-mail address.	Must supply valid e-mail.
E-mail display	Define the visibility of your e-mail address within the platform.	We recommend leaving it as is (visible to all).
E-mail active	Defines whether e-mail is activated or not.	Set it to enable.
City/Town	Defines name of the city where you live.	Moodle requires this value.
Select Country	Name of your country.	Set it to your country name.
Timezone	Sets your time zone so that server can display time calculated for your location in some reports.	If not sure what your time zone is, leave it as is.
Preferred language	Choose the platform language.	By default, Moodle comes only with support for English language. If you want to add more languages visit http://download.moodle.org/lang16/ and download and install the appropriate files.

13. After configuring administrative user there is just one more step to complete and that is setting up the site title and short name. In the Full site name field, place the long name you would like to set for your website; it can have multiple words. In the Short name for the site field put one word without spaces which will represent your website. In the Front Page Description field put a longer description (one paragraph) that explains in more detail the purpose of your site. This is optional and does not affect the Moodle functionality at all.

14. You have now finished installing Moodle and should see the following screenshot:

Quickly securing Moodle

Moodle offers a quick way of detecting major security issues within your platform setup and that is the security overview report. Go to the Reports | Security overview page. A well configured Moodle should display the following screenshot. In case there are discrepancies, then review the explication near each issue that displays a warning and take the appropriate actions.

Right now, we will give you a simple what to do list in order to pass the security check report without going into too much details. Throughout this book, we will explain in more detail each item on this report list.

Note

The security overview report is available starting from Moodle 1.8.9 and 1.9.4. If you have an older version we strongly recommend you perform an upgrade to a more recent one. Meanwhile, follow the instructions and configure your LMS as suggested.

The checklist in security overview report consists of items that compare current configuration of your system with the recommended one and report the status. Some of the items in the checklist apply to the PHP configuration and others apply to the Moodle configuration.

PHP is configured through a special file called php.ini. The location of this file may vary depending on your OS and type of installation. On Linux it may be usually found at /etc/php.ini. To modify this file you can use any text editor available (vi, nano, notepad, etc.).

Note

After every modification of php.ini you must restart your web server so that the changes may be applied to the system.

Moodle can be configured by using the configuration pages in the administrative part of the platform or by modification of a special configuration file called config.php. Some configuration options are exclusive to the config.php file while others are exclusive to administration interface.

Review the Moodle security overview report

We will now go through every option in the security overview report and explain briefly what it means together with the actual steps you need to perform in order to remedy potential security flaw.

Register Globals: This is a PHP setting that can be configured by modifying the PHP configuration file—php.ini. This is the default setting in PHP since version 4.2. Make sure you have the following line in your php.ini:

register_globals = Off

Insecure dataroot: If the status for this item is not OK it means that the moodledata folder is placed in a location accessible from the Web without any protection. The solution to this is either to move this folder to some other location or prevent public access with the appropriate web server configuration. For example, if your Moodle is located in /var/www/html/moodle and your moodledata is located in /var/www/html/moodledata the report will show this as an error. To fix this you need to change the location of moodledata to some other directory, for example to /var/www/moodledata.
Displaying PHP errors (display_errors option): The display_errors directive determines whether error messages generated by PHP code should be sent to the browser. These messages frequently contain sensitive information about your web application environment, and should never be presented to mistrusted sources. Make sure it is configured like this in your php.ini:

display_errors = Off

No authentication: It is a Moodle configuration option. Make sure the "No authentication" plugin is disabled. Go to Administration | Users | Authentication | Manage authentication and configure it as displayed in the following screenshot:

Allow EMBED and OBJECT: A Moodle configuration option. Go to Administration | Security | Site policies in your Moodle and make sure that the option Allow EMBED and OBJECT tags is not checked. EMBED and OBJECT tags are used for inserting third-party web browser plug ins for reproducing multimedia content (Adobe Flash, Apple QuickTime, etc.) or for running special embedded applications like java-applets. Some of these plug ins have well-known security issues and therefore are not recommended for general public usage. By disabling this option we are preventing users to add these elements to their pages or other generated content or responses.
Enabled .swf media filter: Moodle configuration option. This should be disabled on production websites. Visit Administration | Modules | Filters | Multimedia Plugins and make sure it is disabled. This filter transforms any link to the Adobe Flash file to playable content by using integrated flash player. Since Flash has security issues this option is best left disabled.
Open user profiles: Moodle configuration option. Checks if user public profiles are open to anybody. Best practice is to require login before permitting somebody to actually take a look into other people's personal information. Go to Administration | Security | Site policies and make sure Force users to login for profiles is checked.
Open to Google: Moodle configuration option. Visit the Site policies page and uncheck Open to Google. With this option we choose whether we permit Google robots to scan the site's content and index it thereby permitting anybody to perform free-text search. In general, this is not a desired behavior in an LMS.
Password policy: A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. On the Site policies page check Password Policy. By enabling this we enforce usage of "strong" passwords therefore making it impossible to use dictionary attacks.
Password salt: Moodle stores encrypted versions of user passwords into database. Up until Moodle 1.9.8 it used the default way of encrypting user passwords which is prone to dictionary attacks. Password salt increases security of the generated encrypted passwords making a dictionary attack virtually impossible. As of Moodle 1.9.8 use of password salt is enabled by default. However, if you have an older version you can enable this by modifying the config.php file. Place something like this in your Moodle config.php:
```
$CFG->passwordsaltmain = '<randomly generated string>';
```
Be aware that enabling password salt is only possible by editing config.php. You can generate good password salt by going to the special page designed for that purpose—http://dev.moodle.org/gensalt.php.
E-mail change confirmation: Go to the Site policies page and enable E-mail change confirmation. Every user in Moodle must have a valid e-mail address. A common way of fiddling with somebody's personal account is to change his password and registered mail address. To prevent these situations we enable e-mail change confirmation which forces a user to confirm changed e-mail address. This is done through a special e-mail sent to the new account.
Writable config.php: Make config.php read-only. For example, on Linux you would do something like this:

chmod ug=r,o= <Moodle path>/config.php

XSS trusted users: Moodle has a set of seven standard roles. By default, any user with Administrative role on the platform level is completely trusted. Be very careful about which users can have this role. Keep it to a smallest possible group.
Administrators: Platform must have at least one user with Administrative role. By default that is user admin.
Backup of user data: User data are something very sensitive for every educational institution. Under the Family Educational Rights and Privacy Act (FERPA) student information can be disclosed only to limited set of people directly related with either student's family or educational institution. Only very limited group of people should be able to export student information tied to a course.
Default role for all users: This should be set to Authenticated user. If not go to Administration | Users | Permissions | User policies and configure it appropriately.
Guest role: This should be set to Guest.
Frontpage role: By default it is not set. You can leave it that way or create a special non-legacy role.
Default course role (global): The default setting for this is student. This is something that should seldom be changed.
Default course role: Same thing as the previous one but on the course level. Again the default value here is student.