How To Harden PHP5 With Suhosin On Mandriva 2007 Spring

 
Submitted by falko on Fri, 2007-07-20 15:50. :: Mandriva | PHP | Security


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 07/19/2007

This tutorial shows how to harden PHP5 with Suhosin on a Mandriva 2007 Spring server. From the Suhosin project page: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I have tested this on a Mandriva 2007 Spring server with the IP address 192.168.0.100.

This tutorial is a bit untypical because there's nothing you need to do to install Suhosin on Mandriva 2007 Spring if you have PHP5 installed, because Mandriva's PHP5 already comes with Suhosin by default. Anyway, I think it's still worth writing this tutorial because it answers the question "What do I have to do to install Suhosin?" - nothing, if PHP5 is already installed.

 

2 Installing Apache2 And PHP5 (Optional)

(This chapter is optional if you already have Apache2 and PHP5 installed - to check if Suhosin is enabled in your PHP5, please skip to the next chapter.)

First, if you use Mandriva's online repository (and not the Mandriva DVD) to install packages, you should update your packages database:

urpmi.update -a

If you don't have Apache2 and PHP5 installed on your server, install them now:

urpmi apache-mod_php libphp5_common5

A lot of other packages will be installed as dependencies together with these two packages, as you can see in the output:

[root@server1 ~]# urpmi apache-mod_php libphp5_common5
To satisfy dependencies, the following packages are going to be installed:
apache-base-2.2.4-6.2mdv2007.1.i586
apache-conf-2.2.4-4mdv2007.1.i586
apache-mod_php-5.2.1-4mdv2007.1.i586
apache-modules-2.2.4-6.2mdv2007.1.i586
apache-mpm-prefork-2.2.4-6.2mdv2007.1.i586
ccp-0.4.1-1mdk.noarch
libmm14-1.4.2-1mdv2007.1.i586
libphp5_common5-5.2.1-4.2mdv2007.1.i586
php-ctype-5.2.1-1mdv2007.1.i586
php-filter-5.2.1-0.1mdv2007.1.i586
php-ftp-5.2.1-1.1mdv2007.1.i586
php-gettext-5.2.1-1mdv2007.1.i586
php-hash-5.2.1-1mdv2007.1.i586
php-ini-5.2.1-2mdv2007.1.i586
php-json-1.2.1-3mdv2007.1.i586
php-openssl-5.2.1-4.2mdv2007.1.i586
php-posix-5.2.1-1mdv2007.1.i586
php-session-5.2.1-1mdv2007.1.i586
php-simplexml-5.2.1-1mdv2007.1.i586
php-suhosin-0.9.18-4mdv2007.1.i586
php-sysvsem-5.2.1-1mdv2007.1.i586
php-sysvshm-5.2.1-1mdv2007.1.i586
php-timezonedb-2007.3-1mdv2007.1.i586
php-tokenizer-5.2.1-1mdv2007.1.i586
php-xmlreader-5.2.1-1mdv2007.1.i586
php-xmlwriter-5.2.1-1mdv2007.1.i586
php-zlib-5.2.1-4.2mdv2007.1.i586
Proceed with the installation of the 27 packages? (6 MB) (Y/n)
[...]

As you see, the package php-suhosin gets installed automatically, so your PHP5 will be hardened by Suhosin by default.

Then start Apache2:

/etc/init.d/httpd restart

You now have a PHP5 with basic functionality on your server; if you need special PHP5 modules, you can search for them like this:

urpmi --fuzzy php

From the output, pick the modules you need, install them like this and restart Apache2:

urpmi php-bz2 php-calendar php-ctype php-curl php-dio php-dom php-eaccelerator php-enchant php-esmtp php-event php-exif php-fam php-ffmpeg php-fileinfo php-filepro php-ftp php-gd php-gettext php-gmp php-iconv php-id3 php-idn php-imap php-imlib2 php-mailparse php-mbstring php-mcache php-mcrypt php-mhash php-ming php-mysql php-mysqli php-ncurses php-newt php-odbc php-oggvorbis php-pam_auth php-pcntl php-pcre php-pear-Net_IDNA php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-ssh2 php-sysvmsg php-sysvsem php-sysvshm php-tclink php-tcpwrap php-tidy php-xml php-xmlrpc php-zip php5-ini

/etc/init.d/httpd restart

 

3 Getting Details About Your PHP5 Installation

Unless you have already created virtual hosts in your Apache installation, the document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory (if you have created virtual hosts, place it in any of the virtual hosts that has PHP enabled) and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.

vi /var/www/html/info.php

<?php
phpinfo();
?>

Now we call that file in a browser (e.g. http://192.168.0.100/info.php).

As you see, our PHP version is 5.2.1.

If everything went ok, you should now see Suhosin mentioned in two places on the page: once near the top, for the Suhosin patch in the PHP core, and once in the section for the suhosin extension.

That's it. If you like, you can configure Suhosin (see http://www.hardened-php.net/suhosin/configuration.html). Suhosin works out of the box with its default configuration, so only change its settings if you know what you're doing.
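If you prefer to verify the same thing from the command line instead of reading phpinfo() by eye, the following script is an added example (not part of this tutorial and not from the Suhosin project); the file name check_suhosin.php and the choice of directives it reports are my own, and it needs the php command-line binary.

```php
<?php
// Added example (not from the tutorial or the Suhosin project): report whether
// the Suhosin patch and extension protect this PHP build, and show the
// directives an administrator most often wants to confirm after installing.
// Usage: php check_suhosin.php   (exit status 1 if something is missing)

$problems = array();

// Part 1: the core patch registers the SUHOSIN_PATCH constant when compiled in.
if (defined('SUHOSIN_PATCH')) {
    $ver = defined('SUHOSIN_PATCH_VERSION') ? SUHOSIN_PATCH_VERSION : 'unknown';
    echo "Suhosin patch: present (version $ver)\n";
} else {
    $problems[] = "the PHP core is not built with the Suhosin patch";
}

// Part 2: the extension (package php-suhosin on Mandriva) is a loaded module.
if (!extension_loaded('suhosin')) {
    $problems[] = "the suhosin extension is not loaded";
} else {
    echo "Suhosin extension: loaded\n";

    // With suhosin.simulation=1 violations are only logged, never blocked.
    if (ini_get('suhosin.simulation')) {
        $problems[] = "suhosin.simulation is on: violations are logged but not blocked";
    }

    // Directives worth a look; which ones to list is this example's choice.
    $directives = array(
        'suhosin.get.max_vars', 'suhosin.post.max_vars', 'suhosin.request.max_vars',
        'suhosin.executor.include.max_traversal', 'suhosin.executor.disable_eval',
        'suhosin.session.encrypt', 'suhosin.upload.max_uploads', 'suhosin.log.syslog',
    );
    foreach ($directives as $d) {
        $v = ini_get($d);
        printf("%-42s = %s\n", $d, $v === false ? '(unset)' : $v);
    }

    // 0 disables the traversal check, i.e. no limit on "../" in include paths.
    if ((int) ini_get('suhosin.executor.include.max_traversal') === 0) {
        $problems[] = "suhosin.executor.include.max_traversal is 0 (check disabled)";
    }
}

if ($problems) {
    echo "\nWARNINGS:\n - " . implode("\n - ", $problems) . "\n";
    exit(1);
}
echo "\nSuhosin check passed.\n";
```

The warnings are hints for review, not errors: the traversal limit, for example, is off by default and only makes sense once you know how deep your applications' include paths go.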

 

4 Links

