123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 |
- <html lang="en">
- <head>
- <meta charset="utf-8" />
- <title>Chamilo Security Guide</title>
- <link rel="stylesheet" href="../web/assets/bootstrap/dist/css/bootstrap.css" type="text/css" media="screen,projection" />
- <link rel="stylesheet" href="default.css" type="text/css" media="screen,projection" />
- <link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
- </head>
- <body>
- <div class="container">
- <h1>Chamilo LMS: Security Guide</h1>
- <a href="index.html">Documentation</a> > Security Guide
- <p>We recommend you don't take security issues too lightly. Chamilo is security-audited at least once a year,
- but you're never too sure. This list is a work in progress. Feel free to recommend additional measures by
- sending us an e-mail at info@chamilo.org.</p>
- <h2><b>Contents</b></h2>
- <ol>
- <li><a href="#1.Disclosing-server-info">Disclosing server info</a></li>
- <li><a href="#2.Keeping-up-to-date">Keeping up to date</a></li>
- <li><a href="#3.Using-safe-browsers">Using safe browsers</a></li>
- <li><a href="#4.Moving-config-file">Moving your configuration file out of the web directory</a></li>
- <li><a href="#5.Files-permissions">Restricting files permissions</a></li>
- <li><a href="#6.HSTS">HTTP Headers Security</a></li>
- </ol>
- <h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2>
- <p>
- It is considered a safer behaviour not to disclose server information from your Chamilo page. In order to avoid
- both web server and PHP information disclosure, you might want to take the following actions:
- </p>
- <ul>
- <li>Locate the <i>ServerTokens</i> setting inside your Apache configuration and set it to "Prod"</li>
- <li>Locate the <i>ServerSignature</i> setting inside your Apache configuration and set it to "Off"</li>
- <li>Locate the <i>expose_php</i> setting inside your PHP configuration and set it to "Off"</li>
- <li>Reload Apache</li>
- </ul>
- <h2><a name="2.Keeping-up-to-date"></a>2. Keeping up to date</h2>
- <p>
- Make sure you check <a href="http://support.chamilo.org/projects/chamilo-18/wiki/Security_issues">our security
- issues page</a> from time to time.
- Subscribe to our free security alerts mailing-list:
- <a href="http://lists.chamilo.org/listinfo/security">http://lists.chamilo.org/listinfo/security</a> or that you
- follow our security Twitter feed: <a href="http://twitter.com/chamilosecurity">http://twitter.com/chamilosecurity</a>.
- </p>
- <h2><a name="3.Using-safe-browsers"></a>3. Using safe browsers</h2>
- <p> Additionally to lacking the implementation of features that really improve the quality of your browsing the
- Internet, older browsers tend to have many unresolved security flaws. Using an old browser, you put in danger the
- security of your computer and the data it contains, but you can also put others in danger by letting crackers take
- control of it and attacking others.</p>
- <p>To avoid being a risk to yourself and others, you should download and install a recent browser. We recommend
- <a href="http://www.getfirefox.com" target="_blank">the latest stable version of Firefox</a>.</p>
- <h2><a name="4.Moving-config-file"></a>4. Moving your configuration file out of the web directory</h2>
- <p>It is considered unsafe to leave the configuration file inside the app/config/ directory, as it will be directly
- accessible for all users, which could lead crackers to download it, uninterpreted, and read through your
- configuration, which could lead to illicit
- access to your database if that one isn't well protected and many other stuff we'd prefer to avoid. To secure it,
- move the configuration file out of your web directory. If your Chamilo installation is in /var/www/, move your
- configuration to /etc/chamilo/configuration.php, for example. Then create a new app/config/configuration.php
- file, open it, and write the following:</p>
- <pre>
- <?php
- require '/etc/chamilo/configuration.php';
- </pre>
- <p>
- This will prevent direct access to your settings and make it seem totally the same to Chamilo.
- </p>
- <h2><a name="5.Files-permissions"></a>5. Restricting files permissions</h2>
- <p>Making all the Chamilo files world-writable will help you install quickly, and it solves many
- issues for people without much admin experience. However, it's more
- secure to make a distinct user owner of all the chamilo files and folders,
- and only give read access to the web server to all files, and write access
- only to the directories previously mentioned.</p>
- <p>This way, these files need
- only be readable and writable by the Apache process owner, not by the
- entire world. It would also be advisable to make all writable directory
- refuse the interpretation of PHP files (except for the root of the courses
- directories).</p>
- <p>Don't hesitate to hire an experienced administrator to do that,
- it might be a bit more expensive now, but you'll be happy not to have to loose
- all of your data to a hacker who attacked your site.</p>
- <hr />
- <h2><a name="6.HSTS">HTTP Headers Security</a></h2>
- <p>A relatively recent development in web security, HTTP headers can be modified either
- from the web server or from the application (like Chamilo) to increase the security
- of your visitors.</p>
- <p>These implies several aspects, from simple to complex, to deal with, from stuff like
- indicating which websites you say media or libraries can be loaded from, to adding
- extra info about your SSL certificate to make sure a hacked certification authority
- will not immediately make your certificate useless.</p>
- <p>In Chamilo 1.11.6, we have added several parameters, together with recommendations,
- to main/install/configuration.dist.php, that you are free to use or ignore,
- depending on the level of security you want to achieve.</p>>
- <p>To check your portal for possible improvements in terms of headers security,
- we highly recommend the <a href="https://securityheaders.io/">securityheaders.io</a>
- website. If you want to read more about CSP and all related headers
- security techniques, check <a href="https://scotthelme.co.uk/">Scott Helme's blog</a>.
- <h2>Authors</h2>
- <ul>
- <li>Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL,
- <a href="mailto:yannick.warnier@beeznest.com">yannick.warnier@beeznest.com</a></li>
- </ul>
- </div>
- </body>
- </html>
|