[Server-devel] Moodle/Server configuration for static IP external access

Jerry Vonau jvonau at shaw.ca
Thu Jun 18 12:38:36 EDT 2009


On Thu, 2009-06-18 at 16:19 +0200, Martin Langhoff wrote:
> On Thu, Jun 18, 2009 at 3:59 PM, Dave Bauer<dave.bauer at gmail.com> wrote:
> > Most Moodle installs are available to the internet. Does it really make
> > sense to rely only on Moodle being on the internal network to provide
> > security?
> 
> You are right, and a lot of my pre-OLPC work has been in making the
> largest of those installations work smoothly in scale, security,
> performance, customisations... In those cases, Moodle is a webapp.
> 
> In this case, however. Moodle is the central UI for most things XS.
> Some things XS change how the XS behave.
> 
> For example, I am drafting a bit of code that will let you configue
> eth0 and 'domain_config' from a Moodle-based UI. So on first boot, the
> XS comes up in a special mode that lets you set those 2 things.
> 

Just had a thought, couldn't we do something with xs-named.conf.in where
it could source lets say /etc/sysconfig/network looking for forwarders=?
We already have to fiddle with hostname in that file anyway...   

> Once this work is done, you no longer need to login as root. Ever.
> 
> On the other hand, it'd be serious trouble if Moodle started listening
> on the public address. Right now Moodle seems to be reasonably meek...
> but I haven't thought that through actually, it may have risks too.
> 
> The bottom line is:
> 
>    Services that are on the LAN address have not been
>    designed to be on the WAN address -- many (most?)
>    of them are a security risk if exposed to the WAN
>    today. As the XS evolves, _more_ services will pose
>    a risk if exposed to the WAN.
> 
> So -- put your test/dev machines on the LAN to play with things. The
> XS will hand out DHCP leases to non-XOs, you can create "normal" user
> accounts in Moodle (from the 'course creator'-blessed XO) so that
> things work. Using non-Sugar XMPP clients (mostly) works too if you're
> on the LAN.
> 
> hth,

This is where iptables may come in handy, you could allow access to the
local lan, reachable by the external address, only from a pre-defined
set of ipaddresses. I'll work something up if there is interest. The
other alternative is to use a vpn solution, to gain access to services
available on the LAN.

Just a thought,

Jerry
  



More information about the Server-devel mailing list