Install & Secure Moodle on Ubuntu Linux

By Posted on

Install & Secure Moodle on Ubuntu Linux

Install & Secure Moodle on Ubuntu Linux

Introduction

Moodle is a powerful, open-source Learning Management System (LMS) that empowers educators to create engaging online learning experiences. From schools and universities to businesses and other organizations, Moodle offers a versatile platform for delivering online courses and training programs. With Moodle, you can design customized learning environments complete with interactive quizzes, collaborative forums, assignment submissions, integrated video lectures, and a wealth of other features.

The installation process for Moodle involves several key steps, including the configuration of a web server (such as Apache), a database server (like MariaDB), PHP (the scripting language that powers Moodle), and the deployment of the Moodle code itself. Equally crucial is the proper securing of the Moodle installation to prevent unauthorized access, data breaches, and other security threats.

This comprehensive guide provides a step-by-step walkthrough of installing Moodle on a Linux server running Ubuntu 20.04/22.04 or Debian. It also delves into critical security considerations and configurations to lock down access and safeguard sensitive data. By diligently following these instructions, you will establish a fully functional and secured Moodle environment, ready for building and delivering impactful online courses.

Prerequisites

Before embarking on the Moodle installation, ensure that your Ubuntu 20.04/22.04 server is up-to-date and has the necessary software packages installed. Run the following commands in your terminal:

$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt install apache2 mariadb-server php8.0 php8.0-curl php8.0-zip php8.0-gd php8.0-mbstring php8.0-xml php8.0-soap php8.0-intl -y

You will also need a domain name pointed at your server’s public IP address. This guide uses example.com.

Once the prerequisites are met, you can move on to installing and configuring the web server.

Install Apache Web Server

Moodle requires the Apache web server to deliver web pages. Install Apache with this command:

$ sudo apt install apache2

Adjust the firewall to allow HTTP and HTTPS traffic:

$ sudo ufw allow in "Apache Full"

Test that Apache is running properly by accessing your server’s domain name or public IP address from a web browser. You should see the default Apache page.

Set Up MariaDB Database

Moodle relies on a MySQL/MariaDB database to store all course data. Install MariaDB with:

$ sudo apt install mariadb-server

Run the security script to remove insecure defaults:

$ sudo mysql_secure_installation

When prompted, set a root password, remove anonymous users, disable remote root login, and remove the test database. Answer ‘y’ to all other questions.

Create a database user and database for Moodle. Change moodleuser and moodlepassword to secure credentials:

$ sudo mysql -u root -p
CREATE DATABASE moodledb;
CREATE USER 'moodleuser'@'localhost' IDENTIFIED BY 'moodlepassword';
GRANT ALL ON moodledb.* TO 'moodleuser'@'localhost';
exit

The MariaDB database is now ready for Moodle.

Configure PHP 8.0 for Moodle

Moodle requires PHP with a few specific modules enabled.

First, edit php.ini to adjust some recommended settings:

$ sudo nano /etc/php/8.0/apache2/php.ini

Find and update the following values:

max_execution_time = 180
max_input_time = 180
memory_limit = 256M
upload_max_filesize = 100M
post_max_size = 100M
max_input_vars = 3000

Save and exit the file when finished.

Next, enable required PHP modules:

$ sudo phpenmod mysqli pdo pdo_mysql json zip intl mbstring soap

Restart Apache for PHP changes to take effect:

$ sudo systemctl restart apache2

PHP is now ready to run Moodle.

Download and Install Moodle

With the web server, database, and PHP configured, you can now install Moodle itself.

First, switch to the Apache document root directory:

$ cd /var/www/html

Download the latest stable release of Moodle:

$ sudo wget https://download.moodle.org/download.php/stable403/moodle-4.3.2.zip

Unzip the files:

$ sudo unzip moodle-4.3.2.zip

Rename the directory:

$ sudo mv moodle moodle-install

Set permissions:

$ sudo chown -R www-data:www-data /var/www/html/moodle-install
$ sudo chmod -R 755 /var/www/html/moodle-install

Access your server’s domain name followed by /moodle-install in a web browser. You will be taken to the Moodle installation page.

Select your language and proceed to the next step. Provide your database details including host, name, user, and password. For data directory, enter the path /var/www/html/moodledata. Complete the installation process by setting an admin username, password, and site name.

After the configurations are saved, you will be taken to the main Moodle interface. The base system is now installed and must be secured.

Secure the Moodle Installation

A default Moodle installation contains multiple security vulnerabilities that must be addressed. This involves settings changes in Moodle itself as well as the web server and database.

Use HTTPS

HTTP traffic is unencrypted and can expose passwords and other sensitive data. To enable HTTPS on Apache:

$ sudo a2enmod ssl
$ sudo systemctl reload apache2

Acquire an SSL/TLS certificate from a provider like Let’s Encrypt and install it according to their documentation. Redirect all HTTP traffic to HTTPS by editing /etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>
        Redirect "/" "https://example.com/"
</VirtualHost>

Save the file and reload Apache again. Accessing the domain should now redirect to a secure HTTPS connection.

Set File Permissions

The Moodle files and directories must be owned by the web server user. Run:

$ sudo chown -R www-data:www-data /var/www/html/moodle*

Lock down permissions further with:

$ sudo find /var/www/html/moodle* -type d -exec chmod 750 {} ;
$ sudo find /var/www/html/moodle* -type f -exec chmod 640 {} ;

This prevents the web user from creating or modifying files in the Moodle folders.

Use a Strong Admin Password

When initially installing Moodle, set a very strong password for the admin account. Make sure it is at least 16 characters, uses numbers, symbols, uppercase and lowercase letters.

You can also improve password policies by enforcing minimum length and complexity under Site Admin > Security > Site Policies.

Limit Course Creators

By default, any logged in user can create new courses in Moodle. This is unnecessary exposure. Instead, limit course creation to just the admin by going to Site Admin > Users > Permissions > Define Roles.

Under the Authenticated User role, uncheck “Create new courses”. Save changes. Now only the admin can create courses.

Disable Guest Access

Guest access allows anyone to log in and see course content without registering a user account. Disable this under Site Admin > Users > Authentication.

Set “Enable guest access” to No and save changes. Require user registration for all access.

Use HTTPS for Database Connection

By default, Moodle connects to the database over unencrypted HTTP. Encrypt this traffic by editing /var/www/html/moodle-install/config.php:

Find the line:

$CFG->dbhost    = 'localhost';

Change it to:

$CFG->dbhost    = 'localhost:3306';

This forces an SSL encrypted connection.

Secure the Database

Lock down the MariaDB database by first setting a strong root password.

Next, restrict remote access with these edits to /etc/mysql/mariadb.conf.d/50-server.cnf:

bind-address            = 127.0.0.1
port                    = 3306

This prevents external connections to the database. Restart MariaDB after making changes.

Also ensure the mysql Unix user has no login shell:

$ sudo usermod -s /usr/sbin/nologin mysql

This prevents any OS-level access with the mysql account.

Limit PHP File Uploads

Uploaded files could contain malicious code and should be limited. Edit /etc/php/8.0/apache2/php.ini and add:

file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 2

This restricts uploads to 2 files of 2MB each. Tweak for your specific needs.

Disable PHP Execution in Uploads

To prevent execution of uploaded PHP files, disable it specifically for the upload directory:

<Directory /var/www/html/moodledata/filedir>
   php_admin_flag engine off
</Directory>

Add this to your Apache config at /etc/apache2/sites-available/000-default.conf inside the VirtualHost tags.

Install a Web Application Firewall (WAF)

A WAF provides deep monitoring and filtering of all web traffic. It can block SQL injection, XSS, CSRF and other attacks before they reach Moodle.

The open source ModSecurity WAF integrates closely with Apache. Follow a guide to install it for robust threat protection.

Use Security Plugins

Moodle provides plugins that enhance security in areas like authentication, permissions, filtering, and more. Consider enabling plugins like No Self Signups, ReCAPTCHA, Access Rule Levels, etc.

Alternative Solutions for Enhanced Security

While the previous steps provide a solid foundation for securing your Moodle installation, there are alternative approaches and technologies that can further enhance your security posture. Here are two such alternative solutions:

1. Containerization with Docker and Orchestration with Kubernetes:

Instead of directly installing Moodle on the host operating system, consider containerizing it using Docker. Docker allows you to package Moodle, its dependencies (Apache, PHP, MariaDB), and configurations into a self-contained unit called a container. This isolation significantly reduces the risk of conflicts with other applications on the server and enhances security by limiting the container’s access to the host system.

For larger deployments, Kubernetes can be used to orchestrate multiple Moodle containers across a cluster of servers. Kubernetes provides features like automated deployment, scaling, and self-healing, making it easier to manage and maintain a highly available and secure Moodle environment.

  • Explanation: Docker provides isolation, reducing the attack surface. Kubernetes automates deployment and management, ensuring consistent security configurations.

  • Example Dockerfile:

    FROM php:8.0-apache

# Install dependencies
RUN apt-get update && apt-get install -y 
    mariadb-client 
    libzip-dev 
    libpng-dev 
    && docker-php-ext-install mysqli pdo pdo_mysql zip gd intl mbstring soap

# Copy Moodle code
COPY . /var/www/html/

# Set permissions
RUN chown -R www-data:www-data /var/www/html/
RUN chmod -R 755 /var/www/html/

# Apache configuration (optional)
<VirtualHost *:80>
        DocumentRoot /var/www/html/
        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

# Set environment variables
ENV MOODLE_DB_HOST=db
ENV MOODLE_DB_NAME=moodledb
ENV MOODLE_DB_USER=moodleuser
ENV MOODLE_DB_PASS=moodlepassword

# Expose port 80
EXPOSE 80

    This Dockerfile sets up a basic Apache and PHP environment, installs the necessary PHP extensions for Moodle, copies the Moodle code, and sets the appropriate permissions. This creates a lightweight and isolated environment for Moodle.

2. Using a Managed Cloud Provider with Built-in Security Features:

Instead of self-managing the Moodle installation on a VPS, consider leveraging a managed cloud provider like AWS, Google Cloud Platform (GCP), or Azure. These platforms offer services specifically designed for hosting web applications, including Moodle, with built-in security features such as:

  • Firewall Services: Cloud providers offer robust firewall services that allow you to control network access to your Moodle instance, preventing unauthorized connections.

  • Intrusion Detection and Prevention Systems (IDPS): These systems monitor network traffic and system logs for malicious activity, automatically blocking or alerting administrators to potential threats.

  • Automated Patching and Updates: Managed cloud providers handle patching and updating the underlying infrastructure and operating system, ensuring that your Moodle instance is protected against the latest vulnerabilities.

  • Data Encryption: Cloud providers offer encryption at rest and in transit, protecting your Moodle data from unauthorized access.

  • Explanation: Managed cloud providers abstract away much of the security burden, providing a secure and scalable environment for Moodle.

    • Example: AWS offers the RDS (Relational Database Service) which automatically handles backups, patching, and scaling of your MariaDB database, removing the need for manual configuration and greatly reducing the risk of security vulnerabilities. Similar services exist for web servers (like EC2) that can be preconfigured with security best practices.

By adopting these alternative solutions, you can significantly strengthen the security of your Moodle environment and reduce the operational overhead associated with self-managing the infrastructure.

Conclusion

You should now have a fully functioning Moodle environment installed on Ubuntu with a secure LAMP stack configured to lock down vulnerabilities. Some next steps are:

  • Configure regular backups of your Moodle data and database.
  • Monitor Moodle logs for suspicious activity.
  • Stay up-to-date with the latest Moodle security patches and updates.
  • Enforce strong password policies for all users.
  • Provide security awareness training to your users.

Properly installing and securing Moodle takes effort, but the result is a reliable eLearning platform your users can trust.

Related posts: