Install & secure Moodle on Ubuntu Linux

Installing & Securing Moodle Step-by-Step Ubuntu 18.04 20.04/22.04 Debian Linux

Introduction

Moodle is a free and open-source learning management system (LMS) that is used by schools, universities, businesses and other organizations to provide online courses and training programs. With Moodle, you can create customized learning environments complete with quizzes, forums, assignments, videos and more.

Installing Moodle involves several steps including setting up a web server, database server, PHP, and the Moodle code itself. Properly securing the Moodle installation is also crucial to prevent unauthorized access and other security threats.

This guide will walk through the step-by-step process of installing Moodle on a Linux server running Ubuntu 20.04/22.04 or Debian. It also covers important security considerations and configurations to lock down access and protect data. Following these instructions will result in a fully functioning and secured Moodle environment ready for building courses.

Prerequisites

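Before installing Moodle, you should ensure your Ubuntu 20.04/22.04 server is up-to-date and has the necessary packages installed. Neither release ships php8.0 packages in its default repositories (20.04 provides PHP 7.4 and 22.04 provides PHP 8.1), so a package source that carries php8.0 must be enabled first: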

$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt install apache2 mariadb-server php8.0 php8.0-mysql php8.0-curl php8.0-zip php8.0-gd php8.0-mbstring php8.0-xml php8.0-soap php8.0-intl -y

You will also need a domain name pointed at your server’s public IP address. This guide uses example.com.

Once the prerequisites are met, you can move on to installing and configuring the web server.

Install Apache Web Server

Moodle requires the Apache web server to deliver web pages. Install Apache with this command:

$ sudo apt install apache2

Adjust the firewall to allow HTTP and HTTPS traffic:

$ sudo ufw allow in "Apache Full"

Test that Apache is running properly by accessing your server’s domain name or public IP address from a web browser. You should see the default Apache page.

Set Up MariaDB Database

Moodle relies on a MySQL/MariaDB database to store all course data. Install MariaDB with:

$ sudo apt install mariadb-server

Run the security script to remove insecure defaults:

$ sudo mysql_secure_installation

When prompted, set a root password, remove anonymous users, disable remote root login, and remove the test database. Answer ‘y’ to all other questions.

Create a database user and database for Moodle. Change moodleuser and moodlepassword to secure credentials:

$ sudo mysql -u root -p
CREATE DATABASE moodledb;
CREATE USER 'moodleuser'@'localhost' IDENTIFIED BY 'moodlepassword';
GRANT ALL ON moodledb.* TO 'moodleuser'@'localhost';
exit

The MariaDB database is now ready for Moodle.

Configure PHP 8.0 for Moodle

Moodle requires PHP with a few specific modules enabled.

First, edit php.ini to adjust some recommended settings:

$ sudo nano /etc/php/8.0/apache2/php.ini

Find and update the following values:

max_execution_time = 180 
max_input_time = 180
memory_limit = 256M
upload_max_filesize = 100M
post_max_size = 100M
max_input_vars = 3000

Save and exit the file when finished.

Next, enable required PHP modules:

$ sudo phpenmod mysqli pdo pdo_mysql json zip intl mbstring soap

Restart Apache for PHP changes to take effect:

$ sudo systemctl restart apache2

PHP is now ready to run Moodle.

Download and Install Moodle

With the web server, database, and PHP configured, you can now install Moodle itself.

First, switch to the Apache document root directory:

$ cd /var/www/html

Download the latest stable release of Moodle:

$ sudo wget https://download.moodle.org/download.php/stable403/moodle-4.3.2.zip

Unzip the files:

$ sudo unzip moodle-4.3.2.zip

Rename the directory:

$ sudo mv moodle moodle-install

Set permissions:

$ sudo chown -R www-data:www-data /var/www/html/moodle-install
$ sudo chmod -R 755 /var/www/html/moodle-install

Access your server’s domain name followed by /moodle-install in a web browser. You will be taken to the Moodle installation page.

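Select your language and proceed to the next step. Provide your database details including host, name, user, and password. For data directory, enter the path /var/www/html/moodledata. Moodle's documentation advises that the data directory not be directly accessible from the web, so a path under /var/www/html has to be blocked in the Apache configuration or replaced with a location outside the web root. Complete the installation process by setting an admin username, password, and site name.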

After the configurations are saved, you will be taken to the main Moodle interface. The base system is now installed and must be secured.

Secure the Moodle Installation

A default Moodle installation contains multiple security vulnerabilities that must be addressed. This involves settings changes in Moodle itself as well as the web server and database.

Use HTTPS

HTTP traffic is unencrypted and can expose passwords and other sensitive data. To enable HTTPS on Apache:

$ sudo a2enmod ssl 
$ sudo systemctl reload apache2

Acquire an SSL/TLS certificate from a provider like Let’s Encrypt and install it according to their documentation. Redirect all HTTP traffic to HTTPS by editing /etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>
        Redirect "/" "https://example.com/"
</VirtualHost>

Save the file and reload Apache again. Accessing the domain should now redirect to a secure HTTPS connection.

Set File Permissions

The Moodle files and directories must be owned by the web server user. Run:

$ sudo chown -R www-data:www-data /var/www/html/moodle*

Lock down permissions further with:

$ sudo find /var/www/html/moodle* -type d -exec chmod 750 {} \; 
$ sudo find /var/www/html/moodle* -type f -exec chmod 640 {} \;

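With www-data as the owner, these modes give the web server user read and write access, limit the group to read-only, and remove all access for other local accounts. They do not stop the web user itself from creating or modifying files in the Moodle folders.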
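
A check for the result of the commands above, as an added example that is not part of the original guide: it lists entries under a directory that are not owned by the expected user, grant any access to other accounts, or are group-writable. The helper names and the sample tree are constructed for illustration.

```bash
# Added example: audit a Moodle tree against the owner and modes set above.
# audit_moodle_perms and build_sample_tree are hypothetical helper names.

# Reports three kinds of finding, one per line:
#   wrong-owner   entry not owned by the expected user
#   other-access  any bit granted to "other" (750 and 640 grant none)
#   group-write   group-writable entry (750 and 640 give the group no write bit)
# Returns 0 if the tree is clean, 1 otherwise.
audit_moodle_perms() {   # usage: audit_moodle_perms DIR [OWNER]
    local root=$1 owner=${2:-www-data} findings
    findings=$({
        find "$root" ! -user "$owner" -print | sed 's/^/wrong-owner /'
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/other-access /'
        find "$root" ! -type l -perm -020 -print | sed 's/^/group-write /'
    } | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: everything at 750/640 except config.php,
# which is deliberately left world-readable (644).
build_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/moodle-install/lib"
    printf '<?php // constructed sample\n' > "$t/moodle-install/config.php"
    printf '<?php // constructed sample\n' > "$t/moodle-install/lib/setup.php"
    find "$t" -type d -exec chmod 750 {} \;
    find "$t" -type f -exec chmod 640 {} \;
    chmod 644 "$t/moodle-install/config.php"
    printf '%s\n' "$t"
}

# Demo on the constructed tree, checking ownership against the current user.
demo=$(build_sample_tree)
audit_moodle_perms "$demo" "$(id -u)" || true
rm -rf "$demo"
```

On a real server the call would be audit_moodle_perms /var/www/html/moodle-install, which checks ownership against www-data by default.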

Use a Strong Admin Password

When initially installing Moodle, set a very strong password for the admin account. Make sure it is at least 16 characters long and uses numbers, symbols, and uppercase and lowercase letters.

You can also improve password policies by enforcing minimum length and complexity under Site Admin > Security > Site Policies.

Limit Course Creators

By default, any logged-in user can create new courses in Moodle. This is unnecessary exposure. Instead, limit course creation to just the admin by going to Site Admin > Users > Permissions > Define Roles.

Under the Authenticated User role, uncheck “Create new courses”. Save changes. Now only the admin can create courses.

Disable Guest Access

Guest access allows anyone to log in and see course content without registering a user account. Disable this under Site Admin > Users > Authentication.

Set “Enable guest access” to No and save changes. Require user registration for all access.

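Use TLS for the Database Connection

Moodle talks to MariaDB over the MySQL protocol, not HTTP, and by default that connection is unencrypted. The connection settings are in /var/www/html/moodle-install/config.php:

Find the line:

$CFG->dbhost    = 'localhost';

Change it to:

$CFG->dbhost    = 'localhost:3306';

This only names the TCP port explicitly; it does not by itself turn on SSL/TLS. An encrypted connection also requires TLS to be enabled on the MariaDB server and requested by the client, which matters most when the database runs on a different host from Moodle.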

Secure the Database

Lock down the MariaDB database by first setting a strong root password.

Next, restrict remote access with these edits to /etc/mysql/mariadb.conf.d/50-server.cnf:

bind-address            = 127.0.0.1
port                    = 3306

This prevents external connections to the database. Restart MariaDB after making changes.

Also ensure the mysql Unix user has no login shell:

$ sudo usermod -s /usr/sbin/nologin mysql

This prevents interactive shell logins with the mysql account.

Limit PHP File Uploads

Uploaded files could contain malicious code and should be limited. Edit /etc/php/8.0/apache2/php.ini and add:

file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 2

This restricts uploads to 2 files per request of at most 2MB each. Tweak for your specific needs.
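
The lines above go into a php.ini that already carries upload_max_filesize = 100M from the PHP configuration step, and PHP uses the last assignment of a directive that it reads. The following added example (not from the original guide; the helper names are hypothetical and the sample file is constructed) reads the effective values and checks them against the intended limits:

```bash
# Added example: report the effective upload limits in a php.ini.
# ini_effective, to_bytes, check_upload_limits, sample_ini are hypothetical names.

# PHP keeps the last uncommented assignment of a directive, so print that one.
ini_effective() {   # usage: ini_effective FILE KEY
    awk -v key="$2" '
        /^[ \t]*;/ { next }                 # comment line
        index($0, "=") == 0 { next }        # section header or blank line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", k)
            sub(/;.*/, "", v); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Convert PHP shorthand sizes (512K, 2M, 1G) to bytes.
to_bytes() {
    case $1 in
        *[Kk]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Return 0 when the effective settings are within MAX_SIZE and MAX_FILES,
# 1 when they exceed them, 2 when a directive is not set in the file.
check_upload_limits() {   # usage: check_upload_limits FILE MAX_SIZE MAX_FILES
    local size files
    size=$(ini_effective "$1" upload_max_filesize)
    files=$(ini_effective "$1" max_file_uploads)
    { [ -n "$size" ] && [ -n "$files" ]; } || return 2
    [ "$(to_bytes "$size")" -le "$(to_bytes "$2")" ] && [ "$files" -le "$3" ]
}

# Constructed sample: the 100M value from the earlier step, then the lines added here.
sample_ini() {
    printf '%s\n' '[PHP]' 'upload_max_filesize = 100M' 'post_max_size = 100M' \
        '; upload_max_filesize = 500M' 'file_uploads = On' \
        'upload_max_filesize = 2M' 'max_file_uploads = 2'
}

ini=$(mktemp); sample_ini > "$ini"
echo "effective upload_max_filesize: $(ini_effective "$ini" upload_max_filesize)"
rm -f "$ini"
```

If the 100M line sits below the added lines instead, the effective limit stays at 100M and check_upload_limits returns 1.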

Disable PHP Execution in Uploads

To prevent execution of uploaded PHP files, disable it specifically for the upload directory:

<Directory /var/www/html/moodledata/filedir>
   php_admin_flag engine off
</Directory> 

Add this to your Apache config at /etc/apache2/sites-available/000-default.conf inside the VirtualHost tags.

Install a Web Application Firewall (WAF)

A WAF provides deep monitoring and filtering of all web traffic. It can block SQL injection, XSS, CSRF and other attacks before they reach Moodle.

The open source ModSecurity WAF integrates closely with Apache. Follow a guide to install it for robust threat protection.

Use Security Plugins

Moodle provides plugins that enhance security in areas like authentication, permissions, filtering, and more. Consider enabling plugins like No Self Signups, ReCAPTCHA, Access Rule Levels, etc.

Conclusion

You should now have a fully functioning Moodle environment installed on Ubuntu with a secure LAMP stack configured to lock down vulnerabilities. Some next steps are:

  • Create courses, users and content
  • Customize the theme
  • Install additional plugins as needed
  • Set up backups and create a disaster recovery plan
  • Monitor logs for suspicious activity
  • Keep Moodle and dependencies updated

Properly installing and securing Moodle takes effort, but the result is a reliable eLearning platform your users can trust.
