Hardening PHP with Suhosin



Suhosin [http://www.hardened-php.net/suhosin/] is a simple way of increasing the security of a PHP installation without a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both Debian etch and CentOS 5. I may cover mod_security in a later tutorial.

In this tutorial I assume that you already have Apache and PHP set up. The setup and installation of Apache and PHP are outside the scope of this tutorial.


  1. Debian etch installation [/tutorial/hardening-php-with-suhosin/page2]
  2. CentOS 5 installation [/tutorial/hardening-php-with-suhosin/page3]
  3. Configuration [/tutorial/hardening-php-with-suhosin/page4]

Debian etch installation

The installation of Suhosin on Debian etch is really pretty simple. It took me all of 5 minutes or so to have a basic working installation.

First we find the Suhosin package that matches our PHP version:

apt-cache search suhosin
php4-suhosin - advanced protection module for php4
php5-suhosin - advanced protection module for php5

Now install Suhosin (php5-suhosin for a PHP 5 system):

apt-get install php5-suhosin

The package installs its suhosin.ini in /etc/php5/conf.d, which is where the settings from the configuration page can go. Apache has to be restarted for the extension to be loaded; after that, php -m lists suhosin among the loaded modules.

I assume that this process would also work for Ubuntu. Now we move on to the configuration [/tutorial/hardening-php-with-suhosin/page4]

CentOS 5 installation

The CentOS installation is not as simple as it is on Debian, because the Suhosin package is currently only available in the testing repository.

First we have to add the testing repo:

cd /etc/yum.repos.d
wget http://dev.centos.org/centos/5/CentOS-Testing.repo

Now we install the php-suhosin package with the testing repository enabled for this one command:

yum --enablerepo=c5-testing install php-suhosin

The package installs its suhosin.ini in /etc/php.d. As on Debian, restart Apache afterwards and check that php -m lists suhosin.

Not as simple as it was on Debian, but still pretty easy. I assume that this same process would work with other versions of CentOS. Now we move on to the configuration [/tutorial/hardening-php-with-suhosin/page4]


Configuration

The configuration that ships with Suhosin works out of the box, but I have added a few tweaks.

In php.ini we add the following (PHP also reads the suhosin.ini that the package dropped into conf.d or php.d, so the directives can go there instead; restart Apache after changing either file):

Enable Suhosin


Disable session encryption (required for most login scripts)

suhosin.session.encrypt = Off

Log all errors


Maximum directory traversal depth allowed in include paths, i.e. how many '../' steps an include filename may contain


Disable eval()


Disable the /e modifier of preg_replace()


Disallow newlines in the Subject: and To: mail headers and double newlines in additional headers (protection against mail header injection)


Recommended settings

Silently fail all failed SQL queries
That is it. That was easy, right? For more configuration options see the Suhosin Configuration Documentation [http://www.hardened-php.net/suhosin/configuration.html].