Subscribe to PHP Freaks RSS

Hardening PHP with Suhosin

Print
by Thomas Johnson on May 27, 2008 2:14:27 PM - 72,563 views

Introduction

Suhosin is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both debian etch and centos 5. I may cover mod_security in a later tutorial.

In this tutorial I assume that you already have apache and php setup. The setup and or installation of apache and php are outside the scope of this tutorial.

Contents

  1. Debian etch installation
  2. CentOS 5 installation
  3. Configuration

Debian etch installation

The installation of suhosin on debian etch is really pretty simple. It took me all of 5 minutes or so to have a basic working installation.

First we start by finding the suhosin package for our php version

apt-cache search suhosin
php4-suhosin - advanced protection module for php4
php5-suhosin - advanced protection module for php5

Now install suhosin

apt-get install php5-suhosin

The suhosin.ini should be located in /etc/php5/conf.d .

I assume that this process would also work for Ubuntu. Now we move onto the configuration

CentOS 5 installation

The CentOS installation is not as simple as it is with Debian. The suhosin package is currently only available in the testing repo.

First we have to add the testing repo:

cd /etc/yum.repos.d
wget http://dev.centos.org/centos/5/CentOS-Testing.repo

Now we actually install the php_suhosin package

yum --enablerepo=c5-testing install php-suhosin

The suhosin.ini should be located in /etc/php.d.

Not as simple as it was with debian but still pretty easy. I assume that this same process would work with other versions of CentOS. Now we move onto the configuration

Configuration

The basic configuration that ships with suhosin will work out-of-the-box but I have added a few tweaks.

In the php.ini we add the following:

Enable suhosin

extension=suhosin.so

Disable session encryption (required for most login scripts)

suhosin.session.encrypt = Off

Log all errors

suhosin.log.syslog=511

Max traversal depth ie '../../'

suhosin.executor.include.max_traversal=4

Disable eval

suhosin.executor.disable_eval=On

Disable /e modifier

suhosin.executor.disable_emodifier=On

Disallow newlines in Subject:, To: headers and double newlines in additional headers

suhosin.mail.protect=2

Recommend Settings

Silently fail all failed sql queries

suhosin.sql.bailout_on_error=On

That is it. That was easy, right? For more configuration options see the Suhosin Configuration Documentation.

Comments

Corbin Hughes May 28, 2008 4:49:03 AM

Reading through the tutorials just now, and came across this one. (I say "came across" like it's surprising when there's 3 tutorial at the moment hehe.)

Anyway, i would've liked more of an explanation of what Suhosin is.... I had never heard of it before, so I Googled it.

Their site sounds oddly propagandaish to me, and when ever you visit it sounds like they're trying to tell me the world is going to end if I don't use their patch. (I also think it's funny how they basically make fun of the PHP coders saying even they miss some stuff, but this random guy [group of people maybe?] can magically fix it all! I mean I'm not saying he[/she/they] can't, just saying it's funny how he makes himself sound awesome.)

Anyway, sorry if you didn't want feedback, but I'm bored reading the tutorials lol.

Thomas Johnson May 28, 2008 8:50:44 AM

@Crobin H: It is sad but a fact that php developers miss "stuff" all the time. That comes with being human. Were Suhosin comes in is in preventing most of that before it ever hits your application. The suhosin site says "It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself!" The key here is "potential unknown vulnerabilities".. I don't have any numbers to support this but I would be willing to bet that 99.9% of attacks are exploits from these "unknown vulnerabilities" or they were unknown to the original developers. Checkout the suhosin feature list for more info.

Corbin Hughes May 28, 2008 11:35:55 AM

How often are those problems exploited though? I mean, I guess since PHP is open source, someone could read through the code and spot something, but how likely is it that someone will attack my site with a (forexample) bufferoverflow attack? Hmmm... I guess that's actually likely, but....

Half the features listed sound to me like they should be covered in the actual PHP code... (Hrmmm I guess some of the features are to protect users from each other or themselves now that I read through it again... So that's why those aren't PHP level.)

Hrmm anyway... Thanks for answering, and hopefully you don't think I'm an entire nooby ;p.

Thomas Johnson May 28, 2008 12:18:51 PM

"Half the features listed sound to me like they should be covered in the actual PHP code... "

I completely agree with that statement. If people wrote good code to begin with this wouldn't be needed. However, there are plenty of people that do not write good code and it may be riddled with various vulnerabilities. Suhosin forces proper security standards on applications that may not have otherwise followed those standards. This results in a more secure application. Not to mention the use of third party applications that we do not control the source code. In the end this is just a simple but very effective way of adding another layer of security to a site without having a negative impact on performance.

Corbin Hughes May 28, 2008 3:34:49 PM

Yeah guess so.... It could be especially useful for server hosts, or like you said, when using 3rd party apps....

gizmola May 29, 2008 12:57:20 PM

Corbin,
This comes from Stefan Esser, an individual who is well known in the PHP community for not playing well with others. He has regularly engaged in flame wars with other well known people involved with PHP, and tends to get shrill, self righteous and arrogant. He does however seem to know what he's talking about when it comes to security and web exploits.

Corbin Hughes May 30, 2008 3:22:30 AM

Well.... I guess it's better than being narcissistic and stupid...

(Dunno if you would consider him narcissistic just guessing that from the short description lol)

Jeff Combs Feb 8, 2009 12:13:04 PM

I've noticed that Ubuntu seems to come pre-installed with suhosin. I didn't look at the configuration if they set anything by default but it is there. In any event I think this is a good guide Tom, thanks for putting it up. Some of the configuration settings can be a little confusing on the suhosin website.

Eric Gillette Feb 4, 2011 12:55:33 AM

Thanks!

This was extra helpful. I installed this for a client along with mod_security for extra security and to be super safe.

This tutorial was a good starting point. . .now on to the rest of the server's security!

- Eric Gillette

Add Comment

Login or register to post a comment.