Senin, 11 Juli 2011

02.29

PHP Suhosin

Diposting oleh monyonk
Label:
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Installing Suhosin

Things to do before getting started and questions you probably have.
1) First off you need to create a phpinfo page on your web server, this is so you can see if Suhosin is installed and working or not.
example: http://monyonk.com/phpinfo.php
<?
phpinfo();
?>

That’s all it should contain. You should bring it up to make sure it works.

2) Check to make sure that PHP is NOT compiled with --enable-versioning

You will see this in the Configure Command section at the top, make sure you do not see
--enable-versioning

If it is, the extension will not work. Versioning breaks extensions. You will need to recompile PHP and make sure versioning is turned OFF.

3) This only applies if you are using Zend Optimizer. Make sure you are using at least version 3.2.1 or above of Zend Optimizer. If you are using anything below that there is a known bug in Zend Optimizer that gets caught up in Suhosin while reading zend encoded pages. So be sure to upgrade Optimizer to a more recent release before you install Suhosin to avoid issues.
You can check your version while in shell by doing:
php –v

If you have it installed you’ll see something like:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.0.1, Copyright (c) 1998-2006, by Zend Technologies
Suhosin works fine on cPanel/WHM servers, DirectAdmin, Plesk and any others. As long as the above mentioned items are met then you should be fine.

Installing Suhosin Extension
Download the source file for the Suhosin extension

cd /usr/local/
wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz

tar -zxvf suhosin-0.9.18.tgz

cd suhosin-0.9.18

phpize

OUTPUT will be something like this:
# phpize
Configuring for:
PHP Api Version:         20020918
Zend Module Api No:      20020429
Zend Extension Api No:   20050606

./configure

make

OUTPUT will be something like this:
Libraries have been installed in:
   /usr/local/suhosin-0.9.18/modules

make install


OUTPUT will be something like this:
Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20020429/
Make a note of the directory location and confirm it exists and has suhosin.so in it:

ls –lah /usr/local/lib/php/extensions/no-debug-non-zts-20020429/
-rwxr-xr-x    1 root     root         334K Mar 19 09:17 suhosin.so*

Now copy suhosin.so to /usr/lib/php/extensions since our php.ini points to that directory and not the one the make install used

cp /usr/local/lib/php/extensions/no-debug-non-zts-20020429/
suhosin.so /usr/lib/php/extensions/no-debug-non-zts-20020429

Checking PHP
Now we need to check PHP to ensure suhosin will be added in.

Find where your current PHP.ini is:
php -i |grep php.ini
Configuration File (php.ini) Path => /usr/local/Zend/etc/php.ini

Edit the php.ini
vi /usr/local/Zend/etc/php.ini

Step 1) Ensure the include path/extension is set properly.
Search for: extension_dir

You should see something like this:

include_path = ".:/usr/lib/php:/usr/local/lib/php:/usr/lib/php/extensions:/usr/lib/php/extensions/no-debug-non-zts-20020429:"   ;
extension_dir = /usr/lib/php/extensions/no-debug-non-zts-20020429/  ; directory in which the loadable extensions (modules) reside

Note the exact path is the same as what we wrote down when we did “make install”
If not, you will need to add it or COPY the file to the new location as mentioned above.

Step 2) Add the suhosin.so extension to php.ini
While still in php.ini search for Dynamic Extensions

Add this below:

extension=suhosin.so



Note to 64 bit OS users:



Check to make sure php.ini is using the proper extension_dir setting:


extension_dir = /usr/lib64/php4

Then copy the suhosin.so to that directory after you do "make install"

cp -v /usr/local/lib/php/extensions/no-debug-non-zts-20020429/*.so /usr/lib64/php4/

End 64 Bit OS note:

Now save php.ini and check PHP from shell:

php -v

PHP 4.4.6 (cli) (built: Mar 19 2007 09:54:33)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.2.0, Copyright (c) 2003-2006, by Zend Technologies
    with Suhosin v0.9.18, Copyright (c) 2002-2006, by Hardened-PHP Project
    with Zend Optimizer v3.2.2, Copyright (c) 1998-2006, by Zend Technologies

example suhosin configuration

[suhosin]
; Logging Configuration
suhosin.log.syslog.facility = 9
suhosin.log.use-x-forwarded-for = Off

; Executor Options
suhosin.executor.max_depth = 0
suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_emodifier = Off
suhosin.executor.allow_symlink = Off

; Misc Options
suhosin.simulation = Off

;
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = Off
suhosin.multiheader = Off
suhosin.mail.protect = 1
suhosin.memory_limit = 20

; Transparent Encryption Options
suhosin.session.encrypt = On
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 0
suhosin.cookie.encrypt = On
suhosin.cookie.cryptua = On
suhosin.cookie.cryptraddr = 0

; Filtering Options
suhosin.filter.action = 406
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 65000
suhosin.post.max_vars = 200
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128






0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)