Tutorials

Hardening PHP with Suhosin

Views: 48459
Rating: 4/5
Votes: 3

Introduction

Suhosin [http://www.hardened-php.net/suhosin/] is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both debian etch and centos 5. I may cover mod_security in a later tutorial.

In this tutorial I assume that you already have apache and php setup. The setup and or installation of apache and php are outside the scope of this tutorial.

Contents

  1. Debian etch installation [/tutorial/hardening-php-with-suhosin/page2]
  2. CentOS 5 installation [/tutorial/hardening-php-with-suhosin/page3]
  3. Configuration [/tutorial/hardening-php-with-suhosin/page4]

Debian etch installation

The installation of suhosin on debian etch is really pretty simple. It took me all of 5 minutes or so to have a basic working installation.

First we start by finding the suhosin package for our php version

apt-cache search suhosin
php4-suhosin - advanced protection module for php4
php5-suhosin - advanced protection module for php5

Now install suhosin

apt-get install php5-suhosin

The suhosin.ini should be located in /etc/php5/conf.d .

I assume that this process would also work for Ubuntu. Now we move onto the configuration [/tutorial/hardening-php-with-suhosin/page4]

CentOS 5 installation

The CentOS installation is not as simple as it is with Debian. The suhosin package is currently only available in the testing repo.

First we have to add the testing repo:

cd /etc/yum.repos.d
wget http://dev.centos.org/centos/5/CentOS-Testing.repo

Now we actually install the php_suhosin package

yum --enablerepo=c5-testing install php-suhosin

The suhosin.ini should be located in /etc/php.d.

Not as simple as it was with debian but still pretty easy. I assume that this same process would work with other versions of CentOS. Now we move onto the configuration [/tutorial/hardening-php-with-suhosin/page4]

Configuration

The basic configuration that ships with suhosin will work out-of-the-box but I have added a few tweaks.

In the php.ini we add the following:

Enable suhosin

extension=suhosin.so

Disable session encryption (required for most login scripts)

suhosin.session.encrypt = Off

Log all errors

suhosin.log.syslog=511

Max traversal depth ie '../../'

suhosin.executor.include.max_traversal=4

Disable eval

suhosin.executor.disable_eval=On

Disable /e modifier

suhosin.executor.disable_emodifier=On

Disallow newlines in Subject:, To: headers and double newlines in additional headers

suhosin.mail.protect=2

Recommend Settings

Silently fail all failed sql queries

suhosin.sql.bailout_on_error=On

That is it. That was easy, right? For more configuration options see the Suhosin Configuration Documentation [http://www.hardened-php.net/suhosin/configuration.html].