Security advice

by neil watson -
Number of replies: 2

Hi,

I am about to go live with our Moodle server, which will be hosted at our college. I will be using 2003 server on a dual Xeon, RAID 5 with 4 GB memory. I am using Apache as my webserver. I have an 8m NTL business connection.

I am seeking advice on how to protect my server from hacking. What security permissions should I put on the moodle folder and moodle data folder? I have decided to store the moodle data folder on another partition.

Any advice will be much appreciated.

Thanks in advance,

Neil

In reply to neil watson

Re: Security advice

by Maik Riecken -
Hi Neil,

Permissions depend on your setup (e.g. mod_php or FastCGI). Minimal permissions (700 for /moodledata and 400 for /moodle) can only be realized in connection with FastCGI.

I am using Linux and my /moodledata folder is located on an extra partition, too. On Linux it is possible to mount this partition noexec, which means that no programs located on this partition can be executed. The PHP /tmp folder should be there, too. Maybe there is a similar mechanism when using Windows.

The /moodledata folder is, in my opinion, the most critical thing. If it is possible to put executables there, started through any kind of security leak in Moodle or PHP - not good - but the implemented Moodle filter mechanisms are rapidly becoming better. Most rootkits require executables inside the /tmp folder.

You should have a look at mod_security for Apache. With a good ruleset you can protect your installation before malicious code even reaches it.


regards,

Maik
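
The two Linux-side checks from the reply above (a noexec mount for the data partition, and the 700/400 permission limits), as an added example that is not part of the original thread. The paths `/srv/moodledata` and `/var/www/moodle` and the sample mount table are constructed assumptions; on a live host, pass `/proc/mounts` and your own paths.

```shell
#!/bin/sh
# Added example. Paths and the sample mount table below are constructed.

# mount_opts_for PATH MOUNTS_FILE: print the mount options of the filesystem
# holding PATH, i.e. the entry whose mount point is the longest prefix of PATH.
# (Mount points with spaces, escaped as \040 in /proc/mounts, are not handled.)
mount_opts_for() {
    awk -v p="$1" '
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            # ">=" lets a later mount on the same point shadow an earlier one
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "$2"
}

# is_noexec PATH MOUNTS_FILE: succeed if that filesystem is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mode_at_most PATH MAX: succeed if PATH has no permission bit outside octal
# MAX (the 700 and 400 limits named in the reply). Uses GNU stat.
mode_at_most() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# Constructed sample in /proc/mounts format.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext3 rw 0 0' \
        '/dev/sdb1 /srv/moodledata ext3 rw,nosuid,nodev,noexec 0 0'
}

# Demo run against the constructed table.
m=$(mktemp) && sample_mounts > "$m"
for p in /srv/moodledata/temp /var/www/moodle; do
    if is_noexec "$p" "$m"; then echo "$p: noexec"; else echo "$p: exec allowed"; fi
done
rm -f "$m"
```

The prefix match requires a `/` after the mount point, so a sibling directory such as `/srv/moodledata2` is attributed to `/` rather than to the noexec partition.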