Hardening PHP with Suhosin

This post was published 9 years, 3 months ago. Due to the rapidly evolving world of technology, some concepts may no longer be applicable.

Suhosin is a package designed to harden PHP, in the sense that it addresses potential vulnerabilities that might be introduced through user scripts. It comes as both a patch which can be applied directly to the PHP source code and as an extension that can be built for PHP.

This article looks at how to add the Suhosin extension to PHP running on Amazon’s Linux distribution.

Change to superuser so as to not have to prefix every command with sudo:

sudo -i

Download and verify Suhosin source:

cd /usr/local/src
wget http://www.hardened-php.net/hardened-php-signature-key.asc
gpg --import < hardened-php-signature-key.asc
wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz
md5sum suhosin-0.9.32.1.tar.gz
wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz.sig
gpg suhosin-0.9.32.1.tar.gz.sig

Extract Suhosin and compile extension:

tar -xzvf suhosin-0.9.32.1.tar.gz
cd suhosin-0.9.32.1
phpize
./configure
make
make install

Add extension to PHP, restart apache, and return to non-elevated user:

echo "extension=suhosin.so" | tee /etc/php.d/suhosin.ini
service httpd restart
exit

A fairly straightforward installation, with no real snags along the way. Successful installation can be confirmed by viewing the output of phpinfo(); which should have a new section for Suhosin as well as display the following:

...with Suhosin v0.9.32.1...

One quick point of mention is that some scripts (e.g. RoundCube) do not work well with the encrypted sessions setting. To disable, simply the following to your php.ini (or suhosin.ini):

suhosin.session.encrypt=Off

Leave a Reply

Your email address will not be published. Required fields are marked *