Friday, April 29, 2011

Revisiting #Moodle Security - Feedback from Author Darko Miletic


A short time ago, I reviewed Darko Miletic's Moodle Security, published by Packt Publishers, sharing my praise and criticism. Today, Darko was kind enough to email me his response and agreed that I might share it on my blog to further the conversation and learning.

It appears here unedited:

Hello Mr. Guhlin,

I am the author of the book Moodle Security that you were so kind to review on your blog. And quite a positive review too! I really appreciate your praises and criticism.

Just wanted to clear things up regarding Windows 2008 and IIS. I chose that setup because that is what is being used in professional Windows installations.

a) No serious company would permit installing third-party software not supported by the principal OS vendor, or any vendor for that matter. Read: Apache.
b) Apache performance on Windows is inferior to the one on Linux on the same hardware, while IIS 7 is vastly improved over IIS 6, and yes, IIS 7 can be as fast as well-tuned Apache.
c) The idea is to help those administrators that cannot go against rigid company policies of using only what comes with the OS. That is also the reason I did everything with a command line approach and basic scripts. Third-party software comes and goes, but mysqldump, for example, is with us on every OS.
d) Just wanted to demonstrate how to properly set up PHP on Windows because so many people do it wrong.
e) I used Windows 2008 because this is the latest version that will be supported in years to come, while 2003, although still widely used, is on life support.

This answers the first and third questions presented in the review.

Now in response to your second question I will say that I would not mind writing an updated version of the book as long as Packt is willing to publish it. It will not happen any time soon because CentOS 6 is still not out and the book was released just this February. In any case, if there is to be any second edition it will deal with Moodle 2 (or 2.1).

Number 4
It is not just you. Windows is harder for open source tools. But I went into gory details because I wanted to expose the entire process and show that it is possible to work with Windows using mostly standard or free tools. This also increases performance and security because we are using only (at least for the most part) certified standard OS tools.

Number 5
I do not think there is enough material to write separate chapters for ClamAV on both Windows and Linux regarding installation. Furthermore, Packt was really pushing me to finish the book because IT material becomes obsolete so fast. I did not have all the time I wanted to add some other things, including expanding on ClamAV where pertinent.

Anyway, if you mostly liked this book (and it certainly seems to be the case) please write to the publisher with your comments so that they take that into account when planning any potential future update for it.

Should you have any additional questions and/or comments I would be most anxious to hear them.

Thanks again for your review,
--Darko Miletic
Some great feedback was also provided by Ken Task on the Strategic Open Source (SOS-SIG) Email list, and I share it below since it is pertinent:

Nice write up.
Since CentOS is based upon Red Hat Enterprise it shouldn't be a surprise; after all, RH (the grand-daddy of Linuxes) has been at it since DAY ONE! It's true that it's harder to get some AMP stack apps on CentOS. But, then again, does one necessarily NEED one Linux distro to 'do it all'? Answer: NOPE! What you want is solid performance, reliable updating to OS - and often (not every 30 days for me, thank you!). Are they fortresses - NOPE - but what server OS is? NONE! Do they require care and maintaining? YES ... what server OS doesn't? Is it easy to update? YES ... yum -y update [ENTER]. No rocket science required there! ;)

Now come the apps and 'addons' ... phpMyAdmin - don't run it. If you do run it, keep it secure and patched/updated. See scans all the time for phpMyAdmin. Don't need it most of the time anyway; with Linux one has mysqldump, mysqladmin and sundry other useful CL utilities which can be scripted (like writing a 'batch file'). Then there is webmin ... it's been around for ages. But, like all things, it too needs care and updates. Darn easy to do too!

But as far as my feedback and suggestions for Windows configuration, you can forget it. Don't - WON'T - do Windows for Internet servers - not for AMP stack apps. Makes NO sense to do so. Apache - not native to Windows. MySQL - not native to Windows. PHP - before Server 2008 ... not native to Windows, and even though one can get pre-installed PHP 5.3.x on them now, does MS update that along with their software? I've asked Windows folks but none reply. Hmmmmm ... guess not.

Easy install packages means just that ... but that's just the tip of the iceberg.

Ubuntu (Server LTS versions) - would be second choice to me ... not because CentOS is better at everything ... it is, however, equal to and has been doing server much longer than Ubuntu. Don't need sound ... don't need Adobe Acrobat Reader, etc., etc., etc. Don't need anything but solid Apache/MySQL/PHP serving.
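Ken's remark that he sees scans for phpMyAdmin all the time suggests a simple check worth scripting on a CentOS box. The script below is an added example, not part of the original post or of Ken's message: a POSIX shell snippet that flags phpMyAdmin probes in an Apache combined-format access log and summarizes them per source IP. The log lines are constructed for this example, and the list of probed paths is an assumption (a few names scanners commonly try), not a complete signature.

```shell
#!/bin/sh
# Added example (not from the original post): flag phpMyAdmin probes in an
# Apache combined-format access log and rank the source addresses.

# Constructed sample log in Apache combined format (not real traffic).
SAMPLE_LOG='203.0.113.7 - - [29/Apr/2011:10:01:12 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2011:10:01:13 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [29/Apr/2011:10:02:40 -0500] "GET /moodle/login/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2011:10:01:14 -0500] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [29/Apr/2011:10:03:01 -0500] "POST /moodle/login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.55 - - [29/Apr/2011:10:05:09 -0500] "GET /mysql/ HTTP/1.1" 404 209 "-" "ZmEu"'

# Assumed list of paths that scanners try when hunting for phpMyAdmin.
# Matched case-insensitively so /phpMyAdmin/ and /phpmyadmin/ both count.
PMA_PATTERN='"(GET|POST|HEAD) /(phpmyadmin|pma|myadmin|mysql)(/|\?| |$)'

# Filter: print only the log lines (from stdin) that look like phpMyAdmin probes.
pma_probes() {
    grep -Ei "$PMA_PATTERN"
}

# Number of probe lines in the sample log.
count_pma_probes() {
    printf '%s\n' "$SAMPLE_LOG" | pma_probes | wc -l | tr -d ' '
}

# Probes per source IP as "count ip", most active source first.
pma_probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | pma_probes \
        | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Most active source only, convenient for feeding a firewall or fail2ban-style rule.
top_pma_source() {
    pma_probe_sources | head -n 1 | awk '{print $2}'
}

# Run against the constructed sample when executed directly.
count_pma_probes
pma_probe_sources
```

To use it on a live server, replace the `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/httpd/access_log`; a 404 on these paths is the harmless case, while a 200 from a host you did not expose phpMyAdmin to is the line that deserves attention.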
Thanks to Darko for his feedback and Ken for his reflection.

Find out more about Moodle Security here.



Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure
