October 20th, 2008

Introduction

Suhosin is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both debian etch and centos 5. I may cover mod_security in a later tutorial.

In this tutorial I assume that you already have apache and php setup. The setup and or installation of apache and php are outside the scope of this tutorial.

Contents

  1. Debian etch installation
  2. CentOS 5 installation
  3. Configuration

    Debian etch installation

    The installation of suhosin on debian etch is really pretty simple. It took me all of 5 minutes or so to have a basic working installation.

    First we start by finding the suhosin package for our php version

    apt-cache search suhosin
    php4-suhosin - advanced protection module for php4
    php5-suhosin - advanced protection module for php5

    Now install suhosin

    apt-get install php5-suhosin

    The suhosin.ini should be located in /etc/php5/conf.d .

    I assume that this process would also work for Ubuntu. Now we move onto the configuration

    CentOS 5 installation

    The CentOS installation is not as simple as it is with Debian. The suhosin package is currently only available in the testing repo.

    First we have to add the testing repo:

    cd /etc/yum.repos.d

    Configuration

    The basic configuration that ships with suhosin will work out-of-the-box but I have added a few tweaks.

    In the suhosin.ini we add the following:

    Enable suhosin

    extension=suhosin.so

    Disable session encryption (required for most login scripts)

    suhosin.session.encrypt = Off

    Log all errors

    suhosin.log.syslog=511

    Max traversal depth ie ‘../../’

    suhosin.executor.include.max_traversal=4

    Disable eval

    suhosin.executor.disable_eval=On

    Disable /e modifier

    suhosin.executor.disable_emodifier=On

    Disallow newlines in Subject:, To: headers and double newlines in additional headers

    suhosin.mail.protect=2

    Recommend Settings

    Silently fail all failed sql queries

    suhosin.sql.bailout_on_error=On

    That is it. That was easy, right? For more configuration options see the Suhosin Configuration Documentation.

    wget http://dev.centos.org/centos/5/CentOS-Testing.repo

    Now we actually install the php_suhosin package

    yum --enablerepo=c5-testing install php-suhosin

    The suhosin.ini should be located in /etc/php.d.

    Not as simple as it was with debian but still pretty easy. I assume that this same process would work with other versions of CentOS. Now we move onto the configuration

There are no comments yet, add one below.

Leave a Comment


You must be logged in to post a comment.