How To Harden PHP5 With Suhosin (Debian Etch/Ubuntu) - Page 2
4 Installing Suhosin
First we install the Suhosin PHP extension which is available as a package in the Debian Etch and Ubuntu repositories:
apt-get install php5-suhosin
Now on for the Suhosin patch. To install the patch, we need to recompile PHP5 on our system. Fortunately there's an easy way to do this: we download the PHP5 source package from our Debian/Ubuntu repository. That's the package from which our current PHP5 installation was compiled. Then we apply the Suhosin patch to the sources, and create new PHP5 .deb packages with dpkg-buildpackage. That way, we don't have to worry about the right PHP5 configuration options, and we stay in sync with our apt package database.
First we install everything we need to compile PHP5 from the sources:
apt-get install dpkg-dev build-essential
Then we go to the /usr/src directory and download the PHP5 sources:
Next we install the Hardened PHP-Project signaturekey:
Then we go to http://www.hardened-php.net/suhosin/download.html and select the Suhosin patch that suits our PHP version. In this tutorial my PHP version is 5.2.0-8+etch1, so I download the patch for PHP 5.2.0:
Now we unpack that patch and apply it to our PHP sources:
After the patch has been applied without errors, we build our new PHP5 .deb packages:
Depending on what PHP5 modules you have installed, dpkg-buildpackage will most likely complain about missing packages that it needs to build new packages for the various PHP5 modules:
If you see an error like this, install the missing packages (a | symbol means OR, e.g. package1 | package2 means that you can install either package1 or package2), e.g. like this:
apt-get install apache-dev apache2-prefork-dev bison chrpath debhelper firebird2-dev flex freetds-dev libapr1-dev libbz2-dev libc-client-dev libcurl3-dev libdb4.4-dev libexpat1-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libjpeg62-dev libkrb5-dev libldap2-dev libmcrypt-dev libmhash-dev libmysqlclient15-dev libncurses5-dev libpam0g-dev libpcre3-dev libpng12-dev libpq-dev libpspell-dev librecode-dev libsnmp9-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev re2c unixodbc-dev
Afterwards, run dpkg-buildpackage again:
This should now compile PHP5 and all installed PHP5 modules again and create new .deb packages in the /usr/src directory. This can take some time, so please be patient. It's possible that you get some warnings about signatures at the end - you can ignore them.
Afterwards, we go to the /usr/src directory and see what we got:
The output could look like this:
server1:/usr/src# ls -l
Now we install all the new PHP5 .deb packages (compare the creation times to see which packages are new) except a few - for example, we don't need php5-cgi and php5-cli because we use mod_php. php-pear and libapache-mod-php5 aren't needed either. libapache-mod-php5 is for Apache 1.3, but we have Apache 2.2 installed, therefore we need libapache2-mod-php5.
dpkg -i libapache2-mod-php5_5.2.0-8+etch1_i386.deb php5_5.2.0-8+etch1_all.deb php5-common_5.2.0-8+etch1_i386.deb php5-curl_5.2.0-8+etch1_i386.deb php5-dev_5.2.0-8+etch1_i386.deb php5-gd_5.2.0-8+etch1_i386.deb php5-imap_5.2.0-8+etch1_i386.deb php5-interbase_5.2.0-8+etch1_i386.deb php5-ldap_5.2.0-8+etch1_i386.deb php5-mcrypt_5.2.0-8+etch1_i386.deb php5-mhash_5.2.0-8+etch1_i386.deb php5-mysql_5.2.0-8+etch1_i386.deb php5-odbc_5.2.0-8+etch1_i386.deb php5-pgsql_5.2.0-8+etch1_i386.deb php5-pspell_5.2.0-8+etch1_i386.deb php5-recode_5.2.0-8+etch1_i386.deb php5-snmp_5.2.0-8+etch1_i386.deb php5-sqlite_5.2.0-8+etch1_i386.deb php5-sybase_5.2.0-8+etch1_i386.deb php5-tidy_5.2.0-8+etch1_i386.deb php5-xmlrpc_5.2.0-8+etch1_i386.deb php5-xsl_5.2.0-8+etch1_i386.deb
The last command willl automatically make Apache restart, so we don't have to. Now let's call our info.php page again in a browser (e.g. http://192.168.0.100/info.php). If everything went ok, you should now see Suhosin mentioned in two places on the page:
That's it. If you like you can configure Suhosin (see http://www.hardened-php.net/suhosin/configuration.html), although Suhosin will work out of the box with its default configuration, so be sure that you know what you're doing.