How To Harden PHP5 With Suhosin On CentOS 5.0

Version 1.0
Author: Falko Timme
Last edited 07/20/2007

This tutorial shows how to harden PHP5 with Suhosin on a CentOS 5.0 server. From the Suhosin project page: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 Preliminary Note

I have tested this on a CentOS 5.0 server with the IP address 192.168.0.100.

I will install both Suhosin parts in this tutorial, the Suhosin patch (for which we need to recompile PHP5) and the Suhosin PHP extension. To see what Suhosin can do, please refer to http://www.hardened-php.net/suhosin/a_feature_list.html. The features of the Suhosin patch are listed under Engine Protection (only with patch); all the other features come with the Suhosin extension.


2 Installing Apache2 And PHP5 (Optional)

(This chapter is optional if you already have Apache2 and PHP5 installed - please skip to the next chapter.)

If you don't have Apache2 and PHP5 installed on your server, install them now:

yum install httpd php php-devel

Then create the system startup links for Apache2 and start Apache2:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

You now have PHP5 with basic functionality on your server; if you need special PHP5 modules, you can search for them like this:

yum search php

From the output, pick the modules you need, install them like this and restart Apache2:

yum install php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc

/etc/init.d/httpd restart


3 Getting Details About Your PHP5 Installation

Unless you have already created virtual hosts in your Apache installation, the document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory (if you have created virtual hosts, place it in any of the virtual hosts that has PHP enabled) and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.

vi /var/www/html/info.php

<?php
phpinfo();
?>

Now we call that file in a browser (e.g. http://192.168.0.100/info.php):

As you see, our PHP version is 5.1.6, and Suhosin is not mentioned anywhere on that page, which means it is not installed.
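The browser check above relies on phpinfo(), which also discloses paths and configuration to anyone who can reach info.php, so it should not stay in the document root. As an added example (not part of this tutorial), the following shell script performs the same check from the command line: the Suhosin patch announces itself in the `php -v` banner, and the Suhosin extension appears as a module in `php -m`. The two sample outputs are constructed to look like those commands' output for the stock 5.1.6 build and for a hardened one; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: verify both Suhosin parts from the
# command line instead of publishing a phpinfo() page. The sample outputs below are
# constructed to resemble `php -v` and `php -m`; real output differs per build.

# suhosin_status VERSION_OUTPUT MODULES_OUTPUT
# Prints "patch=<yes|no> extension=<yes|no>" and returns 0 only when both are present.
suhosin_status() {
    version_out=$1
    modules_out=$2
    patch=no
    ext=no
    # The engine patch shows up in the `php -v` banner as "Suhosin-Patch".
    printf '%s\n' "$version_out" | grep -qi 'suhosin-patch' && patch=yes
    # The extension is a loadable module and is listed as a line in `php -m`.
    printf '%s\n' "$modules_out" | grep -qix 'suhosin' && ext=yes
    echo "patch=$patch extension=$ext"
    if [ "$patch" = yes ] && [ "$ext" = yes ]; then
        return 0
    fi
    return 1
}

# check_local_php: run the check against the php binary on this host, if there is one.
check_local_php() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php not found on PATH"
        return 2
    fi
    suhosin_status "$(php -v 2>/dev/null)" "$(php -m 2>/dev/null)"
}

# Constructed sample: the stock CentOS 5.0 PHP 5.1.6 from section 3 (no Suhosin).
SAMPLE_STOCK_V='PHP 5.1.6 (cli) (built: Jan  1 2007 00:00:00)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies'
SAMPLE_STOCK_M='[PHP Modules]
ctype
pcre
session

[Zend Modules]'

# Constructed sample: the same build with the patch applied and the extension loaded.
SAMPLE_HARDENED_V='PHP 5.1.6 (cli) (built: Jul 20 2007 00:00:00)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
    with Suhosin-Patch 0.9.6 (c) 2007, by Hardened-PHP Project'
SAMPLE_HARDENED_M='[PHP Modules]
ctype
pcre
session
suhosin

[Zend Modules]'

# Usage: the two samples first, then this host's php if one is installed.
suhosin_status "$SAMPLE_STOCK_V" "$SAMPLE_STOCK_M" || echo "stock sample: Suhosin incomplete"
suhosin_status "$SAMPLE_HARDENED_V" "$SAMPLE_HARDENED_M" && echo "hardened sample: both parts present"
check_local_php || true
```

Because the two parts are independent, the script reports them separately: a build that loads the extension but was never recompiled with the patch gets `patch=no extension=yes`, which is exactly the half-configured state the phpinfo() page would also reveal, only without exposing the rest of the configuration.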


Comments

From: unreal4u at: 2009-04-09 04:46:57

If you have installed PHP 5.2.6 from the test repo

/etc/yum.repos.d/centos-test.repo: 
[c5-testing] 
name=CentOS-5 Testing 
baseurl=http://dev.centos.org/centos/5/testing/$basearch/ 
enabled=1 
gpgcheck=1 
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing 
instead of the default 5.1.6, some additional changes have to be made in order to compile properly.

In php.spec:
Original:
Patch0: php-5.2.6-suhosin.patch 
Patch1: php-5.2.4-gnusrc.patch
 ..... 
%patch0 -p1 -b .suhosin 
%patch1 -p1 -b .gnusrc 
Replace with:
Patch0: php-5.2.6-suhosin.patch 
#Patch1: php-5.2.4-gnusrc.patch
 ..... 
%patch0 -p1 -b .suhosin 
#%patch1 -p1 -b .gnusrc 
I had to comment out the php-5.2.4-gnusrc.patch because of a tip found here.

After that, libiconv wasn't found; so I changed in "php.spec" line 398:
--with-iconv \

to:

--with-iconv=/usr/local/lib/libiconv.so \

And then it compiled correctly.

@falko: Thanks for your GREAT guides! It really helps a lot :D

From: Justin at: 2009-02-20 14:12:37

Hello,

I've repeated the steps above several times on a CentOS 5.2 VM and I keep getting the following error:

[root@localhost SPECS]# rpmbuild -ba php.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.22702
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf php-5.1.6
+ /bin/gzip -dc /usr/src/redhat/SOURCES/php-5.1.6.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd php-5.1.6
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ echo 'Patch #0 (php-5.1.6-suhosin.patch):'
Patch #0 (php-5.1.6-suhosin.patch):
+ patch -p0 -b --suffix .suhosin -s
The text leading up to this was:
--------------------------
|diff -Nura php-5.1.6/configure suhosin-patch-5.1.6-0.9.6/configure
|--- php-5.1.6/configure        2006-08-23 14:55:02.000000000 +0200
|+++ suhosin-patch-5.1.6-0.9.6/configure        2006-10-27 12:24:35.000000000 +0200
--------------------------
File to patch:


I've double checked that all my versions of Suhosin and PHP are correct and dependencies are resolved and still can't figure out why this error is occurring.  Thanks for any help.

From: Justin at: 2009-02-20 14:17:41

Hello,

I *was* getting the following error:

[root@localhost SPECS]# rpmbuild -ba php.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.22702
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf php-5.1.6
+ /bin/gzip -dc /usr/src/redhat/SOURCES/php-5.1.6.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd php-5.1.6
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ echo 'Patch #0 (php-5.1.6-suhosin.patch):'
Patch #0 (php-5.1.6-suhosin.patch):
+ patch -p0 -b --suffix .suhosin -s
The text leading up to this was:
--------------------------
|diff -Nura php-5.1.6/configure suhosin-patch-5.1.6-0.9.6/configure
|--- php-5.1.6/configure        2006-08-23 14:55:02.000000000 +0200
|+++ suhosin-patch-5.1.6-0.9.6/configure        2006-10-27 12:24:35.000000000 +0200
--------------------------
File to patch:


and finally figured out why!  I had accidentally copied the following into my php.spec file:

%patch0 -p0 -b .suhosin

Instead of the correct (with -p1 rather than -p0):

%patch0 -p1 -b .suhosin

Hopefully this comment will help others who went astray. Thanks!
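The "File to patch:" prompt in the rpmbuild output above is what patch prints when, after stripping the requested number of path components, none of the files named in the diff headers exists in the current directory. As an added example (written for this page, not by the comment authors or the Suhosin project), the following shell script works out the right -p level before the %patchN line goes into php.spec: it takes the old-file ("---") path of each header pair, strips N leading components, and checks that the file exists under the source directory, which is what patch does internally. The source tree and the two-file patch created by make_fixture are constructed stand-ins shaped like the Suhosin headers quoted in the log; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the tutorial or its comments: determine the -p (strip) level
# a patch needs before writing the %patchN line into php.spec. Mirrors what patch(1)
# does with the old-file ("---") headers: strip N leading path components and check
# that the file exists under the source directory. The tree and patch produced by
# make_fixture are constructed stand-ins shaped like the Suhosin headers in the log.

# strip_components PATH N: drop the first N directory components of PATH.
strip_components() {
    p=$1
    n=$2
    while [ "$n" -gt 0 ] && [ "${p#*/}" != "$p" ]; do
        p=${p#*/}
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# patch_level PATCHFILE SRCDIR: print the smallest N in 0..4 for which every old-file
# path in PATCHFILE exists under SRCDIR after stripping N components.
# Returns 1 if no level fits, which is the "File to patch:" situation from the log.
patch_level() {
    patchfile=$1
    srcdir=$2
    # Take the "---" path of each "---"/"+++" header pair; skip /dev/null (new files).
    targets=$(awk '/^--- / { old = $2 }
                   /^\+\+\+ / { if (old != "" && old != "/dev/null") print old; old = "" }' "$patchfile")
    [ -n "$targets" ] || return 1
    n=0
    while [ "$n" -le 4 ]; do
        ok=yes
        for t in $targets; do
            f=$(strip_components "$t" "$n")
            if [ ! -f "$srcdir/$f" ]; then
                ok=no
                break
            fi
        done
        if [ "$ok" = yes ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# make_fixture DIR: constructed source tree and two-file patch for the demonstration.
make_fixture() {
    dir=$1
    mkdir -p "$dir/php-5.1.6/main"
    : > "$dir/php-5.1.6/configure"
    : > "$dir/php-5.1.6/main/main.c"
    cat > "$dir/php-5.1.6-suhosin.patch" <<'EOF'
diff -Nura php-5.1.6/configure suhosin-patch-5.1.6-0.9.6/configure
--- php-5.1.6/configure        2006-08-23 14:55:02.000000000 +0200
+++ suhosin-patch-5.1.6-0.9.6/configure        2006-10-27 12:24:35.000000000 +0200
@@ -1 +1 @@
-old line
+new line
diff -Nura php-5.1.6/main/main.c suhosin-patch-5.1.6-0.9.6/main/main.c
--- php-5.1.6/main/main.c        2006-08-23 14:55:02.000000000 +0200
+++ suhosin-patch-5.1.6-0.9.6/main/main.c        2006-10-27 12:24:35.000000000 +0200
@@ -1 +1 @@
-old line
+new line
EOF
}

# Usage: rpmbuild's %prep runs patch from inside php-5.1.6 (see "+ cd php-5.1.6" in the
# log above), so that directory is SRCDIR and -p1 fits; from the parent BUILD directory
# -p0 would fit instead, which is how the -p0 mistake comes about.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    if level=$(patch_level "$tmp/php-5.1.6-suhosin.patch" "$tmp/php-5.1.6"); then
        echo "inside php-5.1.6: use %patch0 -p$level -b .suhosin"
    else
        echo "inside php-5.1.6: no strip level fits; check patch and source versions"
    fi
    rm -rf "$tmp"
}
demo
```

Run against the real SOURCES/php-5.1.6-suhosin.patch and BUILD/php-5.1.6 after an interrupted %prep, the function returns 1 for the -p0 case and 1 as the level for -p1, so the spec line can be checked before the next rpmbuild rather than after it stops at the prompt.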