[Server-devel] Password-less authentication with moodle (Martin Langhoff)

Andrés Ambrois andresambrois at gmail.com
Mon Oct 6 18:22:48 EDT 2008 

Hi Greg!

  Thanks for your insight. Currently, the scope of our project is restricted 
to the application (id est Moodle) layer, and my question was directed towards 
authentication at that level.But your notes are very relevant for 
installations in the future. Thank you!

  In reply to your comments, school servers in Uruguay have no public 
presence. I dont know the details but I would think this is done with a 
firewall blocking everything but monitoring services used by LATU. 

  With some luck we will be able to work on these lower layer problems in 
deployment at later stages. 

  Cheers!

On Monday 06 October 2008 11:58:49 Greg Smith wrote:
> Hi Andres,
>
> I missed one key one.
>
> Have a known clean backup. Add user data to it if you can, but backup
> regularly. Be ready to restore to a clean backup on short notice if you
> are compromised and need to start from scratch.
>
> Thanks,
>
> Greg S
>
> Greg Smith wrote:
> > Hi Andres,
> >
> > A few comments to get you warmed up. I will ask the current EduBlog team
> > to give you more suggestions and details too.
> >
> > 1 - My understanding of the current XS design is that it has one
> > interface visible to the Internet and another visible to the school
> > only. It seems pretty secure that way but it can open up a bunch of
> > security issues if you expose the School side interface to the Internet.
> >  You may need to do that in order to run EduBlog on the Internet so let
> > us know ASAP which services are available on public routed interfaces.
> >
> > 2 - Use denyhosts (http://denyhosts.sourceforge.net/) or some other
> > protection against dictionary style attacks on any public facing
> > interfaces.
> >
> > 3 - Put an anti-virus tool on the box. e.g. clamAV. Especially if your
> > PHP, Apache, Moodle, SQL services are visible publicly its important to
> > have a second line of defense in case some virus SW gets on the box.
> >
> > 4 - Run a port scan yourself (e.g. Nessus). Also, watch and protect
> > yourself against being port scanned by an attacker.
> >
> > Those are some suggestion off the top of my head.  I'll try to collect
> > all suggestions from EduBlog round 1 and get those to you as well.
> >
> > HTHs.
> >
> > Thanks,
> >
> > Greg S
> >
> > ************
> >
> > Date: Sun, 5 Oct 2008 14:52:25 +1300 From: "Martin Langhoff"
> > <martin.langhoff at gmail.com> Subject: Re: [Server-devel] Password-less
> > authentication with moodle To: " Andr?s Ambrois "
> > <andresambrois at gmail.com> Cc: server-devel at lists.laptop.org Message-ID:
> > <46a038f90810041852y7ba08ddcv4d1f0595ca82926a at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1 On Sun, Oct 5, 2008 at 5:29
> >
> > AM, Andr?s Ambrois <andresambrois at gmail.com> wrote:
> >  >> >> - What's your timeframe?
> >  > >
> >  > > The timeframe for our project is 5 weeks starting from last
> >
> > Wednesday, in
> >
> >  > > which I need to cover the interface (Moodle and Wordpress theming),
> >
> > course
> >
> >  > > configuration, authentication, modifying Write to enable blog
> >
> > posting, and
> >
> >  > > document all this for a manual.
> >
> > Ouch - that's very tight!
> >
> >  > > I'm glad I wasn't that far off  :) . Are these required
> >
> > modifications documented
> >
> >  > > somewhere?
> >
> > Not yet. We're finishing off 0.5 - will be looking into this for 0.6
> > or 0.7, not too far away, unlikely to be "done" in the next 5 weeks
> > either :-/
> >
> > cheers,
> >
> >
> >
> > m
>
> _______________________________________________
> Server-devel mailing list
> Server-devel at lists.laptop.org
> http://lists.laptop.org/listinfo/server-devel

-- 
  -Andrés

More information about the Server-devel mailing list