Tutorials
Hardening PHP with Suhosin
Introduction
Suhosin [http://www.hardened-php.net/suhosin/] is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both debian etch and centos 5. I may cover mod_security in a later tutorial.
In this tutorial I assume that you already have apache and php setup. The setup and or installation of apache and php are outside the scope of this tutorial.
Contents
- Debian etch installation [/tutorial/hardening-php-with-suhosin/page2]
- CentOS 5 installation [/tutorial/hardening-php-with-suhosin/page3]
- Configuration [/tutorial/hardening-php-with-suhosin/page4]
Debian etch installation
The installation of suhosin on debian etch is really pretty simple. It took me all of 5 minutes or so to have a basic working installation.
First we start by finding the suhosin package for our php version
apt-cache search suhosin php4-suhosin - advanced protection module for php4 php5-suhosin - advanced protection module for php5
Now install suhosin
apt-get install php5-suhosin
The suhosin.ini should be located in /etc/php5/conf.d .
I assume that this process would also work for Ubuntu. Now we move onto the configuration [/tutorial/hardening-php-with-suhosin/page4]
CentOS 5 installation
The CentOS installation is not as simple as it is with Debian. The suhosin package is currently only available in the testing repo.
First we have to add the testing repo:
cd /etc/yum.repos.d wget http://dev.centos.org/centos/5/CentOS-Testing.repo
Now we actually install the php_suhosin package
yum --enablerepo=c5-testing install php-suhosin
The suhosin.ini should be located in /etc/php.d.
Not as simple as it was with debian but still pretty easy. I assume that this same process would work with other versions of CentOS. Now we move onto the configuration [/tutorial/hardening-php-with-suhosin/page4]
Configuration
The basic configuration that ships with suhosin will work out-of-the-box but I have added a few tweaks.
In the php.ini we add the following:
Enable suhosin
extension=suhosin.so
Disable session encryption (required for most login scripts)
suhosin.session.encrypt = Off
Log all errors
suhosin.log.syslog=511
Max traversal depth ie '../../'
suhosin.executor.include.max_traversal=4
Disable eval
suhosin.executor.disable_eval=On
Disable /e modifier
suhosin.executor.disable_emodifier=On
Disallow newlines in Subject:, To: headers and double newlines in additional headers
suhosin.mail.protect=2
Recommend Settings
Silently fail all failed sql queries
suhosin.sql.bailout_on_error=On
That is it. That was easy, right? For more configuration options see the Suhosin Configuration Documentation [http://www.hardened-php.net/suhosin/configuration.html].