Securing Moodle on Linux: Difference between revisions
Latest revision as of 05:40, 14 March 2025
These steps are essential for a production server containing student passwords and data.
HTTPS encryption
Certbot and virtual host
File permissions
- Reset the permissions on /var/www/html/moodle directories to read, write and execute for the webserver, read and execute for group and others
- Reset the permissions on /var/www/html/moodle files to read and write for the webserver, read only for group and others
Secure database and set the root
Run the mariadb-secure-installation script to strengthen security by setting a root password, removing anonymous users, disabling remote root login, deleting the test database, and reloading privileges.
sudo mariadb-secure-installation
Configure and enable firewall
- Allow SSH (port 22) for remote access
- Enable the UFW firewall with confirmation
- Set default policy to deny all incoming connections
- Set default policy to allow all outgoing connections
- Allow HTTP traffic on port 80
- Allow full access for Apache (HTTP and HTTPS)
sudo ufw allow 22/tcp
sudo ufw --force enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow www
sudo ufw allow 'Apache Full'
Use SSH authentication keys
SSH keys are cryptographically stronger than passwords and resist brute-force attacks. The private key remains on the client machine, reducing the risk of interception or theft during transmission. SSH keys allow passwordless login, eliminating the need to remember or type passwords repeatedly.
Commands for the file permissions step (directories 755, files 644):
sudo find /var/www/html/moodle -type d -exec chmod 755 {} \;
sudo find /var/www/html/moodle -type f -exec chmod 644 {} \;
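To confirm that the file permissions step took effect and to catch later drift, the following added example audits a tree against the 755/644 layout and lists world-writable entries separately. It is not part of the original page; the function names are hypothetical, and it checks modes only, not ownership.

```shell
#!/bin/sh
# Added example: audit a Moodle tree against the 755 (dirs) / 644 (files) layout.
# Function names are hypothetical; only modes are checked, not ownership.

# Print every directory that is not exactly 755 and every file not exactly 644.
list_perm_drift() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Number of entries reported by list_perm_drift.
count_perm_drift() {
    list_perm_drift "$1" | wc -l | tr -d ' '
}

# Entries any local user can modify; these matter most on a web root.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print
}

# Full report. Returns 0 when the tree is clean, 1 on drift, 2 on a bad path.
audit_moodle_perms() {
    root=${1:-/var/www/html/moodle}   # default is the path used on this page
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    ww=$(list_world_writable "$root")
    if [ -n "$ww" ]; then
        echo "World-writable entries:"
        printf '%s\n' "$ww"
    fi
    drift=$(count_perm_drift "$root")
    if [ "$drift" -gt 0 ]; then
        echo "$drift entries differ from 755/644:"
        list_perm_drift "$root"
        return 1
    fi
    echo "OK: $root matches 755/644"
}
```

Source the file and call `audit_moodle_perms`; the non-zero return on drift makes it usable from cron or a deployment check.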