How To Harden PHP5 With Suhosin On OpenSuSE 10.2

Submitted by falko on Fri, 2007-08-10 15:03. :: SuSE | PHP | Security

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 07/20/2007

This tutorial shows how to harden PHP5 with Suhosin on an OpenSuSE 10.2 server. From the Suhosin project page: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I have tested this on an OpenSuSE 10.2 server with the IP address 192.168.0.100.

This tutorial is a bit unusual: if you have PHP5 installed on OpenSuSE 10.2, there's nothing you need to do to install Suhosin, because OpenSuSE's PHP5 already comes with Suhosin by default. Anyway, I think it's still worth writing this tutorial because it answers the question "What do I have to do to install Suhosin?" Nothing, if PHP5 is already installed.

 

2 Installing Apache2 And PHP5 (Optional)

(You can skip this chapter if you already have Apache2 and PHP5 installed. To check whether Suhosin is enabled in your PHP5, go straight to the next chapter.)

If you don't have Apache2 and PHP5 installed on your server, install them now:

yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel

Now configure your system to start Apache at boot time:

chkconfig --add apache2

Then start Apache2:

/etc/init.d/apache2 start

You now have a PHP5 with basic functionality on your server; if you need special PHP5 modules, you can start YaST and search for PHP5 packages:

yast2

Go to Software > Software Management:

Then use the Search function and search for php5:

Afterwards, you can mark the desired packages for installation:

Alternatively, you can install the packages on the command line like this:

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm

Then restart Apache:

/etc/init.d/apache2 restart

 

3 Getting Details About Your PHP5 Installation

Unless you have already created virtual hosts in your Apache installation, the document root of the default web site is /srv/www/htdocs. We will now create a small PHP file (info.php) in that directory (if you have created virtual hosts, place it in any of the virtual hosts that has PHP enabled) and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.

vi /srv/www/htdocs/info.php

<?php
phpinfo();
?>

Now we call that file in a browser (e.g. http://192.168.0.100/info.php):

As you see, our PHP version is 5.2.0.

If everything went OK, you should now see Suhosin mentioned in two places on the page:

That's it. Suhosin works out of the box with its default configuration. If you like, you can configure it (see http://www.hardened-php.net/suhosin/configuration.html), but be sure that you know what you're doing.
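
The same two-part check can be done on the command line. The script below is an added example, not part of the original tutorial: it reads the text of php -v and reports whether the core patch and the extension are both announced. The banner format it expects, the function names and the sample outputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which of the two Suhosin parts `php -v` announces.
# Assumed banner format of a Suhosin-enabled build (not shown on the page):
#   PHP 5.2.0 with Suhosin-Patch <ver> (cli) ...     <- patch to the PHP core
#       with Suhosin v<ver>, Copyright ...           <- Suhosin extension

# Reads `php -v` text on stdin; prints "patch=<ver|none> extension=<ver|none>".
suhosin_status() {
    awk '
        BEGIN { patch = "none"; ext = "none" }
        # Core patch: named in the first banner line, after the PHP version.
        /^PHP / && match($0, /Suhosin-Patch [0-9.]+/) {
            patch = substr($0, RSTART + 14, RLENGTH - 14)
        }
        # Extension: listed on its own line below the Zend Engine line.
        match($0, /with Suhosin v[0-9.]+/) {
            ext = substr($0, RSTART + 14, RLENGTH - 14)
        }
        END { printf "patch=%s extension=%s\n", patch, ext }
    '
}

# Exit status 0 only when both the patch and the extension are present.
suhosin_complete() {
    case "$(suhosin_status)" in
        *=none*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample outputs; build dates and Suhosin versions are made up.
SAMPLE_BOTH='PHP 5.2.0 with Suhosin-Patch 0.9.6.1 (cli) (built: Jan  1 2007 00:00:00)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2006 Zend Technologies
    with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project'
SAMPLE_PATCH_ONLY='PHP 5.2.0 with Suhosin-Patch 0.9.6.1 (cli) (built: Jan  1 2007 00:00:00)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2006 Zend Technologies'
SAMPLE_NONE='PHP 5.2.0 (cli) (built: Jan  1 2007 00:00:00)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2006 Zend Technologies'

for sample in "$SAMPLE_BOTH" "$SAMPLE_PATCH_ONLY" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | suhosin_status
done
```

On the server, feed it the real output with php -v | suhosin_status. The command-line binary can be built and configured differently from the Apache module, so the info.php page remains the check for what mod_php loads.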

 

4 Links

