What is Suhosin?
Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core itself.
Suhosin comes in two independent parts:
The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities in the engine.
The second part is a PHP extension that implements all the other protections (logging, executor restrictions, transparent session and cookie encryption, request filtering). The steps below build and install the extension only; the core patch has to be applied when PHP itself is compiled.
Installing Suhosin:
Download the source archive for the Suhosin extension. The download is over plain HTTP, so verify the archive against the checksum or signature published by the project before building it.
cd /usr/local/
wget http://www.hardened-php.net/suhosin/suhosin-0.9.18.tgz
tar -zxvf suhosin-0.9.18.tgz
cd suhosin-0.9.18
phpize
./configure
make
make install
make install copies suhosin.so into the extension directory of the PHP build that phpize belongs to. If your php.ini points elsewhere (here /usr/lib/php/extensions), copy suhosin.so into that directory, otherwise PHP will not find it.
Checking PHP:
php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/Zend/etc/php.ini
Edit the php.ini:
vi /usr/local/Zend/etc/php.ini
Step 1) Ensure the include path and extension directory are set properly. Search for: extension_dir
You should see something like this:
include_path = .:/usr/lib/php:/usr/local/lib/php:/usr/lib/php/extensions:/usr/lib/php/extensions/no-debug-non-zts-20020429:
; directory in which the loadable extensions (modules) reside.
extension_dir = /usr/lib/php/extensions/no-debug-non-zts-20020429/
extension_dir must point at the directory that now contains suhosin.so. If the line begins with a semicolon it is commented out and PHP falls back to its compiled-in default, so remove the semicolon and correct the path.
Step 2) Add the suhosin.so extension to php.ini
Search for the "Dynamic Extensions" section and add this line below the other extension= entries:
extension=suhosin.so
Then restart Apache so that mod_php re-reads php.ini; the CLI picks the change up on its next run.
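As an added example (not part of the original article and not Suhosin's own tooling), the following POSIX shell script automates steps 1 and 2 together with the pre-flight check from the Disadvantages section below: it reads the php.ini path from php -i, refuses to continue if PHP was built with --enable-versioning, appends extension=suhosin.so only when no uncommented entry for it already exists, and confirms through php -m that the module actually loads. The function names are mine, the sample ini content used to exercise it is constructed, and the live path assumes php is on PATH when the script is run with --run.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check, enable
# suhosin.so in php.ini idempotently, and verify that the module loads.
# Assumptions: php is on PATH for the live run; extension file is suhosin.so.

# Print the php.ini path from `php -i` output supplied on stdin.
# Matches "Configuration File (php.ini) Path => /path/to/php.ini".
php_ini_path() {
    sed -n 's/^Configuration File (php.ini) Path => //p' | head -n 1
}

# Return 0 if the "Configure Command" line of `php -i` (stdin) shows PHP was
# built with --enable-versioning, which breaks loadable extensions.
built_with_versioning() {
    grep '^Configure Command' | grep -q -- '--enable-versioning'
}

# enable_extension <php.ini> <file>: append "extension=<file>" unless an
# uncommented entry already exists. Prints "added" or "present".
enable_extension() {
    ini="$1"; ext="$2"
    # normalise existing entries: drop comments, quotes and whitespace
    if grep -E '^[[:space:]]*extension[[:space:]]*=' "$ini" \
        | sed 's/;.*$//; s/"//g; s/[[:space:]]//g' \
        | grep -qxF "extension=$ext"; then
        echo present
        return 0
    fi
    printf '\n; enabled by enable_extension\nextension=%s\n' "$ext" >> "$ini"
    echo added
}

# Return 0 when `php -m` output (stdin) lists the suhosin module.
suhosin_loaded() {
    grep -qix 'suhosin'
}

main() {
    info=$(php -i)
    if printf '%s\n' "$info" | built_with_versioning; then
        echo 'PHP was built with --enable-versioning; rebuild without it first' >&2
        exit 1
    fi
    ini=$(printf '%s\n' "$info" | php_ini_path)
    [ -n "$ini" ] || { echo 'could not determine php.ini path' >&2; exit 1; }
    echo "php.ini: $ini"
    echo "extension=suhosin.so: $(enable_extension "$ini" suhosin.so)"
    if php -m | suhosin_loaded; then
        echo 'suhosin is loaded'
    else
        echo 'suhosin is NOT loaded; check extension_dir and the PHP error log' >&2
        exit 1
    fi
}

# Only touch the live system when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh suhosin-enable.sh --run` as root; without --run it only defines the functions. The normalisation step in enable_extension is what makes the script safe to re-run: a commented-out `;extension=suhosin.so` is not counted as present, while `extension = "suhosin.so"` is.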
Advanced Suhosin Configuration:
All further protection is tuned through suhosin.* directives in php.ini. The modules are:
Logging Configuration: which alert classes are logged and whether they go to syslog, a log file or a handler script.
Executor Options: function and eval() blacklists/whitelists, include restrictions (traversal depth, allowed include URL schemes, writable-file includes) and related engine protections.
Misc Options: simulation mode, memory-limit enforcement and other global switches.
Transparent Encryption Options: encryption of session data and cookies with a server-side key.
Filtering Options: limits on the number, name length and size of request variables, and checks on uploaded files.
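As an added example (not part of the original article or of Suhosin's documentation), the shell function below writes a baseline configuration that touches each module listed above and starts in simulation mode, so violations are logged but not blocked while you tune. The directive names are Suhosin's; the chosen values, the output path and the way the crypt key is generated are my assumptions for a shared hosting box, not settings recommended by the article.

```shell
#!/bin/sh
# Added example (not from the original article or the Suhosin project):
# write a baseline suhosin configuration and read settings back from it.
# Directive names are Suhosin's; the values below are assumptions to tune.

# Generate a 32-byte random key (64 hex chars) for transparent encryption.
new_cryptkey() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_suhosin_ini <path> <cryptkey>
# Covers logging, executor, misc, transparent encryption and filtering.
write_suhosin_ini() {
    path="$1"; cryptkey="$2"
    cat > "$path" <<EOF
; suhosin configuration (constructed example); assumed values, tune per site

; Misc: start in simulation mode. Violations are logged but NOT blocked, so
; legitimate functions that would be hit can be found before enforcing.
suhosin.simulation = On
suhosin.memory_limit = 0

; Logging: 511 = all alert classes; log to syslog and to a file while tuning
suhosin.log.syslog = 511
suhosin.log.file = 511
suhosin.log.file.name = /var/log/suhosin.log

; Executor: process-spawning functions off, eval() restricted, no /e modifier
suhosin.executor.func.blacklist = system,exec,passthru,shell_exec,proc_open,popen
suhosin.executor.eval.blacklist = system,exec,passthru,shell_exec,proc_open,popen,include,require
suhosin.executor.disable_emodifier = On
suhosin.executor.include.max_traversal = 4
suhosin.executor.include.allow_writable_files = Off

; Transparent encryption: session data encrypted with a server-side key,
; bound to the user agent and document root. Cookie encryption breaks
; JavaScript that reads cookies, so it stays off here.
suhosin.session.encrypt = On
suhosin.session.cryptkey = $cryptkey
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.cookie.encrypt = Off

; Filtering: cap request variables and uploads, protect mail() headers
suhosin.request.max_vars = 500
suhosin.get.max_vars = 100
suhosin.post.max_vars = 500
suhosin.request.max_varname_length = 64
suhosin.upload.max_uploads = 10
suhosin.upload.disallow_elf = On
suhosin.mail.protect = 1
EOF
    chmod 640 "$path"   # the file holds the crypt key; keep it unreadable to users
}

# ini_value <path> <directive>: print a directive's value without quotes/comments
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//' | head -n 1
}

# Live run: sh suhosin-config.sh --write /path/to/suhosin.ini
if [ "${1:-}" = "--write" ]; then
    out="${2:-/etc/php.d/suhosin.ini}"   # assumed destination; append to php.ini if PHP has no scan directory
    write_suhosin_ini "$out" "$(new_cryptkey)"
    echo "wrote $out; simulation=$(ini_value "$out" suhosin.simulation)"
fi
```

Leave suhosin.simulation on until the log has been clean for a representative period of traffic, then set it to Off and restart the web server; every alert logged in simulation mode is a request that would have been blocked.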
Advantages:
Suhosin works as a patch to the PHP core plus a loadable extension, so you do not have to run PHP as CGI (suPHP and the like) to deploy it; it is a worthwhile addition to an existing mod_php setup.
Suhosin's function blacklists can be set per user, giving disable_functions-style control, and work alongside open_basedir.
Disadvantages:
Check that PHP was not compiled with --enable-versioning (it shows up in the Configure Command line of php -i): versioning breaks loadable extensions. If it was, recompile PHP with versioning turned off.
This only applies if you are using Zend Optimizer; make sure you are running Zend Optimizer version 3.2.1 or later.
The extension has strict security settings and there is no guarantee that even useful, safe functions will not be blocked. Run it with suhosin.simulation = On first and review the log for alerts before enforcing.
Output after installing Suhosin:
php -v
PHP 4.4.6 (cli) (built: Mar 19 2007 09:54:33)
    with Zend Extension Manager v1.2.0, Copyright (c) 2003-2006, by Zend Technologies
    with Suhosin v0.9.18, Copyright (c) 2002-2006, by Hardened-PHP Project
    with Zend Optimizer v3.2.2, Copyright (c) 1998-2006, by Zend Technologies
Note to 64 bit OS users:
Check that php.ini uses the extension_dir of the 64-bit module directory, for example:
extension_dir = /usr/lib64/php4
You can also confirm the loaded extension_dir and the Suhosin section through phpinfo(), e.g. http://mysite.com/phpinfo.php; remove that page again once you are done, since it exposes configuration details to anyone who finds it.
Article Authored by Vinu Vijayan
Author, Vinu Vijayan, is a Systems Engineer with SupportPRO. Vinu specializes in L2 and L3 Linux/Windows administration. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.
If you require help, contact SupportPRO Server Admin
