Suhosin Install Guide Published: Mar 19, 2007
  • Rating

    5/5

Suhosin is the big brother to the Hardened-PHP patch which adds an extra level of protection to PHP. Installing Suhosin can be a bit confusing so we'll show you how it can be easily installed on Linux

Suhosin Install Guide

 

Suhosin is the big brother to the Hardened-PHP patch which adds an extra level of protection to PHP.  Installing Suhosin can be a bit confusing so we'll show you how it can be easily installed on Linux.

Suhosin for PHP

 

http://www.hardened-php.net/suhosin.127.html

 

What is Suhosin?

There are 2 separate versions on Suhosin. You can run both together or one separately.

 

1) A raw patch where you need to recompile PHP in shell to work. This adds low level protection against things like buffer overflows and format string vulnerabilities.

2) A PHP extension that protects at runtime, easy to install.

Both versions will still you allow you to use other PHP extensions like Zend Optimizer without any issues.

See the full features list comparision here: http://www.hardened-php.net/suhosin/a_feature_list.html

 

This guide we'll show you how to install the Extension ONLY. Recompiling PHP for the patch is a whole guide in itself, so I only recommend that for experienced users or having someone do it for you like a server admin company such as ServerProgress - www.serverprogress.com or click on Hire an Expert.

 

 

 

Installing Suhosin

 

Things to do before getting started and questions you probably have.

1) First off you need to create a phpinfo page on your web server, this is so you can see if Suhosin is installed and working or not.

 

EG: http://mysite.com/phpinfo.php

<?

phpinfo();

?>

 

 

That’s all it should contain. You should bring it up to make sure it works.

 

2) Check to make sure that PHP is NOT compiled with --enable-versioning

 

You will see this in the Configure Command section at the top, make sure you do not see

--enable-versioning

 

If it is, the extension will not work. Versioning breaks extensions. You will need to recompile PHP and make sure versioning is turned OFF.

 

3) This only applies if you are using Zend Optimizer. Make sure you are using at least version 3.2.1 or above of Zend Optimizer. If you are using anything below that there is a known bug in Zend Optimizer that gets caught up in Suhosin while reading zend encoded pages. So be sure to upgrade Optimizer to a more recent release before you install Suhosin to avoid issues.

You can check your version while in shell by doing:

php –v

 

If you have it installed you’ll see something like:

Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

    with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies

    with Zend Optimizer v3.0.1, Copyright (c) 1998-2006, by Zend Technologies

 

So this version is old and needs to be upgraded. See http://www.webhostgear.com/184.html  our Zend Optimizer install guide for more details.

 

 

 

Suhosin works fine on cPanel/WHM servers, DirectAdmin, Plesk and any others. As long as the above mentioned items are met then you should be fine.

 

 

Installing Suhosin Extension

Download the source file for the Suhosin extension

 

cd /usr/local/
wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz

 

tar -zxvf suhosin-0.9.18.tgz

 

cd suhosin-0.9.18

 

phpize

 

OUTPUT will be something like this:

# phpize

Configuring for:

PHP Api Version:         20020918

Zend Module Api No:      20020429

Zend Extension Api No:   20050606

 

./configure

 

make

 

OUTPUT will be something like this:

Libraries have been installed in:

   /usr/local/suhosin-0.9.18/modules

 

make install

 

 

OUTPUT will be something like this:

Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20020429/

Make a note of the directory location and confirm it exists and has suhosin.so in it:

 

ls –lah /usr/local/lib/php/extensions/no-debug-non-zts-20020429/

-rwxr-xr-x    1 root     root         334K Mar 19 09:17 suhosin.so*

 

Now copy suhosin.so to /usr/lib/php/extensions since our php.ini points to that directory and not the one the make install used

 

cp /usr/local/lib/php/extensions/no-debug-non-zts-20020429/suhosin.so /usr/lib/php/extensions/no-debug-non-zts-20020429

 

Checking PHP

Now we need to check PHP to ensure suhosin will be added in.

 

Find where your current PHP.ini is:

php -i |grep php.ini

Configuration File (php.ini) Path => /usr/local/Zend/etc/php.ini

 

Edit the php.ini

vi /usr/local/Zend/etc/php.ini

 

Step 1) Ensure the include path/extension is set properly.

Search for: extension_dir

 

You should see something like this:

;;;;;;;;;;;;;;;;;;;;;;;;;

; Paths and Directories ;

;;;;;;;;;;;;;;;;;;;;;;;;;

include_path = ".:/usr/lib/php:/usr/local/lib/php:/usr/lib/php/extensions:/usr/lib/php/extensions/no-debug-non-zts-20020429:"   ;

extension_dir = /usr/lib/php/extensions/no-debug-non-zts-20020429/  ; directory in which the loadable extensions (modules) reside

 

Note the exact path is the same as what we wrote down when we did “make install”

If not, you will need to add it or COPY the file to the new location as mentioned above.

 

Step 2) Add the suhosin.so extension to php.ini

While still in php.ini search for Dynamic Extensions

 

/Dynamic Extensions

 

EG you should see:
;;;;;;;;;;;;;;;;;;;;;;

; Dynamic Extensions ;

;;;;;;;;;;;;;;;;;;;;;;

 

Add this below:

 

extension=suhosin.so

 

 

 

Note to 64 bit OS users:

Check to make sure php.ini is using the proper extension_dir setting:

extension_dir = /usr/lib64/php4

 

Then copy the suhosin.so to that directory after you do "make install"

cp -v /usr/local/lib/php/extensions/no-debug-non-zts-20020429/*.so /usr/lib64/php4/

End 64 Bit OS note:

 

 

Now save php.ini and check PHP from shell:

php -v

PHP 4.4.6 (cli) (built: Mar 19 2007 09:54:33)

Copyright (c) 1997-2007 The PHP Group

Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

    with Zend Extension Manager v1.2.0, Copyright (c) 2003-2006, by Zend Technologies

    with Suhosin v0.9.18, Copyright (c) 2002-2006, by Hardened-PHP Project

    with Zend Optimizer v3.2.2, Copyright (c) 1998-2006, by Zend Technologies

 

 

Excellent! We managed to get the Suhosin extension module working. NOTE if checking using phpinfo.php page make SURE you RESTART the apache web server: service httpd restart

Otherwise you won’t see the changes.

 

Suhosin in PHPinfo page – Screenshot 1

Click to enlarge

 Suhosin PHPINFO

 

Suhosin in PHPinfo page – Screenshot 2 configuration details
Click to enlarge

 Suhosin phpinfo details

 

 

 

Suhosin Logs and reports

 

Check your /var/log/messages for logs of Suhosin

 

EG:

Mar 19 10:28:23 ocean suhosin[32652]: ALERT - Include filename ('http://tutorialgeek.com/slimstat/inc.stats.php') is an URL that is not allowed (attacker '74.6.73.61', file '/home/lireland/public_html/index.php', line 3)

 

 

 

Advanced Suhosin Configuration

Configuring Suhosin – example suhosin configuration

 

You can manually configure options for Suhosin in the php.ini for PHP.  This is the most confusing part that most people get lost at.

If you want advanced configuration to change the default settings form Suhosin you can edit the PHP.ini and add in these values below the extension=suhosin.so

 

Note this part isn’t required, only for your own liking.

 

;;;;;;;;;;;;;;;;;;;

; Module Settings ;

;;;;;;;;;;;;;;;;;;;

[suhosin]

; Logging Configuration

suhosin.log.syslog.facility = 9

suhosin.log.use-x-forwarded-for = Off

 

; Executor Options

suhosin.executor.max_depth = 0

suhosin.executor.include.max_traversal = 4

suhosin.executor.disable_emodifier = Off

suhosin.executor.allow_symlink = Off

 

; Misc Options

suhosin.simulation = Off

 

;

suhosin.apc_bug_workaround = Off

suhosin.sql.bailout_on_error = Off

suhosin.multiheader = Off

suhosin.mail.protect = 1

suhosin.memory_limit = 20

 

; Transparent Encryption Options

suhosin.session.encrypt = On

suhosin.session.cryptua = On

suhosin.session.cryptdocroot = On

suhosin.session.cryptraddr = 0

suhosin.cookie.encrypt = On

suhosin.cookie.cryptua = On

suhosin.cookie.cryptraddr = 0

 

; Filtering Options

suhosin.filter.action = 406

suhosin.cookie.max_array_depth = 100

suhosin.cookie.max_array_index_length = 64

suhosin.cookie.max_name_length = 64

suhosin.cookie.max_totalname_length = 256

suhosin.cookie.max_value_length = 10000

suhosin.cookie.max_vars = 100

suhosin.cookie.disallow_nul = On

suhosin.get.max_array_depth = 50

suhosin.get.max_array_index_length = 64

suhosin.get.max_name_length = 64

suhosin.get.max_totalname_length = 256

suhosin.get.max_value_length = 512

suhosin.get.max_vars = 100

suhosin.get.disallow_nul = On

suhosin.post.max_array_depth = 100

suhosin.post.max_array_index_length = 64

suhosin.post.max_totalname_length = 256

suhosin.post.max_value_length = 65000

suhosin.post.max_vars = 200

suhosin.post.disallow_nul = On

suhosin.request.max_array_depth = 100

suhosin.request.max_array_index_length = 64

suhosin.request.max_totalname_length = 256

suhosin.request.max_value_length = 65000

suhosin.request.max_vars = 200

suhosin.request.max_varname_length = 64

suhosin.request.disallow_nul = On

suhosin.upload.max_uploads = 25

suhosin.upload.disallow_elf = On

suhosin.upload.disallow_binary = Off

suhosin.upload.remove_binary = Off

suhosin.session.max_id_length = 128

 

 

 

That should about do it for this tutorial on Suhosin. I hope you enjoyed, reading and it helps you secure your server even more. If you need professional help installing this contact www.serverprogress.com or click on Hire an Expert.

 

  • Rating

    5/5

Related Articles

Comments (5)

  • Gravatar - ogy
    ogy 07:14, May 6, 2007
    does it work with on cpanel servers with phpsuexec
  • Gravatar - Steve
    Steve 15:44, May 17, 2007
    Yes Suhosin works on cPanel servers with PHPSuexec
  • Gravatar - hassson
    hassson 00:43, June 17, 2007
    I added<br />
    <br />
    include_path = ".:/usr/lib/php:/usr/local/lib/php:/usr/lib/php/extensions:/usr/lib/php/extensions/no-debug-non-zts-20020429:" ;<br />
    <br />
    And when I add<br />
    <br />
    extension_dir = /usr/lib/php/extensions/no-debug-non-zts-20020429/ ; directory in which the loadable extensions (modules) reside<br />
    <br />
    Httpd Failed
  • Gravatar - Mohammed ALHAJRI
    Mohammed ALHAJRI 22:24, July 11, 2007
    Hi,<br />
    <br />
    Good informatins and thankyou for that :)<br />
    <br />
    i have installed it and evrything is ok , just i want to know how can i make error page that appearant when any user uploade some dangrous file eg : r57.php and c99.php<br />
    <br />
    can you tell me where should i change?><br />
    <br />
    Best Regards
  • Gravatar - Intasar
    Intasar 05:40, May 28, 2011
    Thank you very much, the advanced configuration ++++++Reputation. you saved loads of time of peoples.

    Thanks again.

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2014 WebHostGear.com