HOW TO: Suhosin Hardening Patch and Extension for PHP

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
1,080
Version 0.1 Last Modified: Sept 27, 2009:

This HOW TO was documented for FreeBSD. If anyone wants to run through this with Linux, PM me the differences and I'll incorporate them. If you have a convincing way to make this HOW TO better or more efficient, I will incorporate it.

Configuration:
FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:14:35 UTC 2009 (FTP install)
Apache/2.2.13 (Unix) Standard DirectAdmin Services install
PHP Version 5.2.11 Standard DirectAdmin Services install
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with eAccelerator v0.9.5.3, Copyright (c) 2004-2006 eAccelerator, by eAccelerator (From ports)
with the ionCube PHP Loader v3.1.33, Copyright (c) 2002-2007, by ionCube Ltd. (Downloaded from site)
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH (Downloaded from site)
with Zend Optimizer v3.3.0, Copyright (c) 1998-2007, by Zend Technologies (From ports)
open_basedir /home/mydomain/:/tmp:/var/tmp:/usr/local/lib/php/ (Added /var/tmp to standard DirectAdmin Install)

Introduction:
Suhosin consists of two parts, a patch and a PHP extension. You can install either or both. They each provide different types of protection:
Hardening Patch for PHP - The Suhosin Hardening-Patch for PHP provides low-level protections that cannot be implemented with an extension, such as protection against Zend-created vulnerabilities and PHP core vulnerabilities such as buffer overflows and format string vulnerabilities. Consequently, the patch is PHP version-specific.
Suhosin Extension - The Suhosin Extension contains the bulk of Suhosin's protection features. Its focus is to protect from code-level vulnerabilities and hacker tricks. It is not PHP version-specific.

History:
The Suhosin Hardening Patch and Extension are written and maintained by a security company and former PHP core developer. Working with the PHP core team he realized that maintaining any complex code base brings with it risks of injecting unforeseen vulnerabilities, and the code and the team weren't structured to deal effectively with the security aspects of an open source product. Security problems were pointed out by customers, and he felt they sometimes created security holes when they fixed others. PHP, as any language, presents a large attack surface. He is also no longer part of the core development team, as it seems he made a bit of a nuisance out of himself by pointing out the security flaws, and security is what he does for a living. The Suhosin Hardening Patch and Extension were his answer to PHP's security issues. The obvious question is, since it's been around since at least 2006, why hasn't it been incorporated into PHP? The author believes that will not happen because there is a performance cost. For the most part, Suhosin functions as a PHP firewall rather than making the code secure. That has an advantage in that new vulnerabilities in the code are not necessarily exploitable if Suhosin is employed. As with operating systems, wrapping complex software in a security-driven layer may be the best way to achieve effective security.

Thoughts & Experiences:
After analyzing the vulnerabilities of Apache + PHP, I thought it a wonder more sites don't get hacked. According to the feature list, Suhosin would greatly improve the security of servers running PHP, both as CLI or CGI. The vulnerabilities they claim the Suhosin Hardening Patch and Extension protect against address nearly every vulnerability I can think of, and the remainder are in beta. http://www.hardened-php.net/suhosin/a_feature_list.html The published performance cost of the protection appears to be quite modest: http://www.hardened-php.net/suhosin/benchmark.html. They claim they are also very compatible now with other PHP software. Several distros install Suhosin along with the PHP install by default. These factors should add up to making the Suhosin Hardening Patch and Extension a no-brainer for most sites.

What I didn't know is how often these attacks actually occur, how effective Suhosin would be at protecting against them, and if it would alert me when they did. I rolled them out on a very low traffic server, but it didn't take long for my questions to get answered. :D The moment I started it, I received alerts about a cross-site script, and it showed me the include it was in and the line in the include. Within a few hours, my alert screen started showing alerts from this IP address. Here is one of the alerts:
September 25 06:43:23 server suhosin[22658]: ALERT - tried to register forbidden variable '_SERVERDOCUMENT_ROOT}' through GET variables (attacker '208.187.91.50', file '/home/xxxxxxx/domains/xxxxxxxxxxx.com/public_html/index.php')
Domain Name: HIALBUQ1.COM (Nice domain name :rolleyes:)
Advanced Internet Marketing
2902 Lake East Dr. #E
Las Vegas, NV 89117
US
I also torture tested the compatibility claims to determine if it could be suitable for a default install with DirectAdmin by running kern_securelevel="YES", Zend Optimizer set to 1023, ionCube, eAccelerator, the Suhosin Hardening Patch and Extension at the same time, on a complex ionCube encrypted script accessing a MySQL db, and it ran perfectly. If it hadn't alerted me about the cross-site script and hacker, I wouldn't have believed it was doing anything. Since I didn't have any compatibility issues with FreeBSD 7.2 64, it's unlikely there will be with Linux.

************************************************************************
The following instructions detail how to implement the Suhosin Patch & Extension.
************************************************************************
Snip of load lines from php.ini of various extensions:
Code:
; Directory in which the loadable extensions (modules) reside.
extension_dir = "/usr/local/lib/php/20060613/"
...
;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
extension=suhosin.so
...
;************************************************************************
;			PHP Cache and Decoders
;************************************************************************
extension="eaccelerator.so"
[Zend]
; *** ionCube Loader
zend_extension=/usr/local/ioncube/ioncube_loader_fre_5.2.so
; *** Zend Optimizer
zend_optimizer.optimization_level=1023
zend_extension_manager.optimizer="/usr/local/lib/php/20060613/Optimizer"
zend_extension="/usr/local/lib/php/20060613/ZendExtensionManager.so"
Preliminary Checklist:
1. Now would be a good time to update DirectAdmin and DirectAdmin services because as we stated earlier, the patch is PHP version-specific. If you are still running PHP 4, make sure it's up to date.
2. Make up a phpinfo.php file on your web server with the contents of <?php phpinfo();?>
3. Run this phpinfo.php file and search for enable-versioning. If you find it, you will need to recompile PHP without it.
4. If you are running the Zend optimizer, ensure you have version 3.2.1a or later. Check phpinfo or ssh in and type php -v
5. Go to http://www.hardened-php.net/suhosin/download.html and copy off the file names of the latest extension and patch for your version of PHP.
Comment: The installation is presented in this order because if the extension is active while you are installing the patch, it will protect PHP and block the proper installation of the patch. Been there, done that. :D If you already have the extension installed, comment it out temporarily in the main php.ini until you finish installing the patch, and restart Apache.

I. Hardening Patch for PHP:
Comment: Adjust the following directory and file names to the version you found in the Preliminary Checklist
- ssh into the server
# mkdir -p /usr/src/suhosin/suhosin-patch-5.2.11-0.9.7
# cd /usr/src/suhosin/suhosin-patch-5.2.11-0.9.7
# wget http://www.hardened-php.net/suhosin/_media/suhosin-patch-5.2.11-0.9.7.patch.gz
Comment: The following should have worked but gave me an error so I uncompressed it in Windows and uploaded it.
# gunzip suhosin-patch-5.2.11-0.9.7.patch.gz
# cd /usr/local/directadmin/custombuild
- Edit options.conf
- Under CustomBuild options set clean=no so you don't lose your patched source every time you compile. Then exit and save.
- If there is a php-5.2.11 directory, remove it so you start out with unmodified code to patch.
# tar -zxvf php-5.2.11.tar.gz
# cd php-5.2.11
# patch -p1 -i /usr/src/suhosin/suhosin-patch-5.2.11-0.9.7/suhosin-patch-5.2.11-0.9.7.patch
# cd ..
- Edit /etc/rc.conf
- Add the following two lines, save, and exit.
accf_http_load="YES"
accf_data_load="YES"
# ./build all d
Comment: Watch the results of the following command that it starts without errors
# /usr/local/etc/rc.d/httpd restart

II. suhosin Extension:
Comment: Adjust the following directory and file names to the version you found in the Preliminary Checklist
Comment: Skip the next step if you installed the patch above
# mkdir -p /usr/src/suhosin
# cd /usr/src/suhosin
# wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.29.tgz
Comment: The following should have worked but gave me an error so I uncompressed it in Windows and uploaded it.
# tar -zxvf suhosin-0.9.29.tgz
# cd suhosin-0.9.29
# phpize
# ./configure
# make
# make install
- After it finishes, note the location of the newly made suhosin.so and copy the path off
- Edit /usr/local/lib/php.ini
- Search for extension_dir, put the location in the buffer and exit
- Move the suhosin.so to the extension directory
- Remove the directory that make install made for suhosin.so
- Edit /usr/local/lib/php.ini
- Search for Dynamic Extensions
- Add this just underneath: extension=suhosin.so Then, save & exit
- Scroll to the end of the file and paste the following default settings code to provide a framework for tweaking.
Comment: For most users the Suhosin will work out of the box without any change to the default configuration. I've added an example of how to whitelist foreign includes, something I needed.
Code:
;************************************************************************
;                           suhosin Parameters
;       For a full list of parameters and their documentation go to:
;         (http://www.hardened-php.net/suhosin/configuration.html)
;************************************************************************
[suhosin]
; Logging Configuration
suhosin.log.syslog.facility = 9
suhosin.log.use-x-forwarded-for = Off 

; Executor Options
suhosin.executor.max_depth = 0
suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_emodifier = Off
suhosin.executor.allow_symlink = Off 
;Example: include.whitelist allows includes from foreign sites (comma separated)
;suhosin.executor.include.whitelist = http://externalsite1.tld/, externalsite2.tld/

; Misc Options
suhosin.simulation = Off
;
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = Off
suhosin.multiheader = Off
suhosin.mail.protect = 1
suhosin.memory_limit = 20 

; Transparent Encryption Options
suhosin.session.encrypt = On
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 0
suhosin.cookie.encrypt = On
suhosin.cookie.cryptua = On
suhosin.cookie.cryptraddr = 0 

; Filtering Options
suhosin.filter.action = 406
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 65000
suhosin.post.max_vars = 200
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128
;************************************************************************
;                       End suhosin Parameters
;************************************************************************
# /usr/local/etc/rc.d/httpd restart
# php -v
- You should see suhosin
- Ensure all of your apps work properly
- Suhosin should now have its own section in phpinfo.php
- How can you test if it's working? Add the following line to the bottom of your php.ini file and restart Apache.
suhosin.executor.func.blacklist="phpinfo"
Try to run phpinfo.php. You should get a white screen from the page loading and the phpinfo function being blocked from executing.
- Remove phpinfo.php file so you don't give away information about your system or make it otherwise not publicly accessible.

That's it!
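To make the numbers in the [suhosin] GET section above concrete, here is an added example (my own model, not Suhosin's code or the original post's) that applies those limits to a query string and reports which rule would fire; the mapping to a 406 response follows the post's suhosin.filter.action setting, and the name/index split rules are an assumption about how Suhosin measures names.

```python
import re
from urllib.parse import parse_qsl

# GET limits and filter.action copied from the [suhosin] block in the post above.
GET_LIMITS = {
    "max_vars": 100,
    "max_name_length": 64,          # assumed: base name without array indices
    "max_totalname_length": 256,    # assumed: full name including indices
    "max_array_index_length": 64,
    "max_array_depth": 50,
    "max_value_length": 512,
    "disallow_nul": True,
}
FILTER_ACTION = 406  # suhosin.filter.action as set in the post

INDEX_RE = re.compile(r"\[([^\]]*)\]")  # each [index] of a PHP array-style name


def check_get(query, limits=GET_LIMITS):
    """Model of the GET-variable filter: returns (status, violations).
    status is None when every variable passes, otherwise FILTER_ACTION;
    violations lists (limit_name, variable_name) for each rule that fired."""
    pairs = parse_qsl(query, keep_blank_values=True)  # %00 decodes to a NUL byte
    violations = []
    if len(pairs) > limits["max_vars"]:
        violations.append(("max_vars", str(len(pairs))))
    for name, value in pairs:
        base = name.split("[", 1)[0]
        indices = INDEX_RE.findall(name)
        if len(base) > limits["max_name_length"]:
            violations.append(("max_name_length", name))
        if len(name) > limits["max_totalname_length"]:
            violations.append(("max_totalname_length", name))
        if len(indices) > limits["max_array_depth"]:
            violations.append(("max_array_depth", name))
        if any(len(i) > limits["max_array_index_length"] for i in indices):
            violations.append(("max_array_index_length", name))
        if len(value) > limits["max_value_length"]:
            violations.append(("max_value_length", name))
        if limits["disallow_nul"] and ("\x00" in name or "\x00" in value):
            violations.append(("disallow_nul", name))
    return (FILTER_ACTION if violations else None), violations


if __name__ == "__main__":
    # Constructed requests: a normal one and one carrying an encoded NUL byte.
    for q in ("id=5&sort=name", "name=abc%00def"):
        print(q, "->", check_get(q))
```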
 
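The alert quoted in the post above is what Suhosin writes to syslog; as an added example (mine, not part of the post or of Suhosin), this script parses such lines, pulls out the attacker IP, file and variable name, and counts alerts per IP so repeat sources can be fed to a firewall or fail2ban rule. The first sample line is the one from the post; the others are constructed in the same shape, and the optional ", line N" tail is an assumption.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the alert quoted in the post, lines 2-3 are made up
# in the same shape (192.0.2.x is a documentation range), line 4 is unrelated noise.
SAMPLE_LOG = """\
September 25 06:43:23 server suhosin[22658]: ALERT - tried to register forbidden variable '_SERVERDOCUMENT_ROOT}' through GET variables (attacker '208.187.91.50', file '/home/xxxxxxx/domains/xxxxxxxxxxx.com/public_html/index.php')
September 25 06:44:01 server suhosin[22658]: ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker '208.187.91.50', file '/home/xxxxxxx/domains/xxxxxxxxxxx.com/public_html/index.php')
September 25 07:10:12 server suhosin[22701]: ALERT - configured GET variable value length limit exceeded - dropped variable 'q' (attacker '192.0.2.7', file '/home/xxxxxxx/domains/xxxxxxxxxxx.com/public_html/search.php')
September 25 07:10:13 server sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2
"""

# Shape of a Suhosin syslog alert as seen in the post; the ", line N" tail is assumed optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) suhosin\[(?P<pid>\d+)\]: ALERT - "
    r"(?P<msg>.*?) \(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'"
    r"(?:, line (?P<line>\d+))?\)\s*$"
)
VAR_RE = re.compile(r"variable '([^']*)'")  # variable named in the message, if any


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Suhosin alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    v = VAR_RE.search(rec["msg"])
    rec["variable"] = v.group(1) if v else None
    return rec


def summarize(log_text, threshold=2):
    """Count alerts per attacker IP; flag IPs with at least `threshold` alerts."""
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec:
            per_ip[rec["ip"]] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "flagged": flagged}


if __name__ == "__main__":
    for ip in summarize(SAMPLE_LOG)["flagged"]:
        print("repeat source of Suhosin alerts:", ip)
```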
problem with phpmyadmin if zendOptimizer is activated

Hi Everybody,

I have a serious problem with ZendOptimizer-3.3.3 and phpmyadmin 3.2: if I activate ZendOptimizer-3.3.3 in my php.ini file, then I have no access to phpmyadmin, and when I deactivate it, all works fine again.

Can anyone help me, please?

my configuration:
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch
 
Hello,

Do I need to run "./build all d", or can I use "./build php d"? And does it work with PHP 5.2.12?

Thank you
Blueman
 