Moodle Security
上QQ阅读APP看书,第一时间看更新

MySQL configuration

Database is a crucial element of any LMS. In this way, Moodle is no different than all the other platforms. The recommended database for Moodle is MySQL. Most of the development is done using that RDBMS which makes it therefore less error prone and better tested than the other options. This, of course, does not imply that we can just sit back and enjoy the benefits of the default installation that comes with CentOS. Here is the checklist we should go over that improves our setup of MySQL:

  1. Don't use MyISAM engine: CentOS 5.4 comes with MySQL 5.0.77. By default, this version uses the MyISAM engine for storing data. MyISAM is good as a storage engine for most of the read-oriented websites, but as soon as we get a lot of writing it tends to break. Apart from security, we also need reliability. Therefore we should switch the default DB engine to the much better InnoDB. To do that, open the MySQL configuration file located in /etc/my.cnf and add these lines in the [mysqld] section:
    default-character-set=utf8
    default-storage-engine=innodb
    
  2. Change the default password of superuser: The default superuser with complete rights over a database is called root. In the default configuration, that user does not have a password. We must not permit that to happen. We should at least change the password of that user to something more complex, or even better, rename the user root to something else. This will create an additional level of obfuscation if an attacker attempts to obtain the password for the root account by brute force.
  3. Remove the sample database: MySQL installs a sample database by default called "test". Best practice dictates that we should remove this. Always provide only the minimal necessary level of resources and services that permit your server to operate correctly.
  4. Access Moodle database as unprivileged user and grant only minimum of privileges to that account. Please refer back to Chapter 1 for further explanation.
  5. Restrict or disable remote access to the database: If you host MySQL on the same machine where Moodle is installed then you will never need external access to your database. You can disable the TCP/IP protocol support and all of the communication will be done through UNIX sockets. Add or uncomment this line in /etc/my.cnf.
    skip-networking
    
  6. If you use additional web applications or other programs that do not support connections through UNIX Sockets, do not disable TCP/IP. Just force the server to accept connections only from localhost.
    bind-address=127.0.0.1
    
  7. Disable symbolic links: Add the following option to your configuration file.
    symbolic-links=0
    
  8. Make sure you have the latest updates installed for your distribution.

    Note

    If you want to have a more recent version of MySQL you can obtain certified builds from MySQL free of charge. You will need the following packages:

    MySQL-client-community, MySQL-server-community, and MySQL-shared-community.

  9. Have in mind that MySQL does not provide rpm repository so you will have to manually download and install these packages. Visit http://dev.mysql.com/downloads/mysql/ for more information.