What is Suhosin?
Suhosin is a protection system for PHP installations. It is designed to protect servers and users against known and unknown flaws in PHP applications and in the PHP core itself.
Suhosin has two separate parts that can be used independently or together.
The first part is a patch for the PHP core, which hardens it against buffer overflow and format string vulnerabilities;
the second part is a powerful PHP extension that contains all the other protections.
Download and install the patch

```shell
## Not needed for newer PHP versions; applying the patch is optional
wget http://download.suhosin.org/suhosin-patch-5.3.3-0.9.10.patch.gz
gunzip suhosin-patch-5.3.3-0.9.10.patch.gz
cd php-5.3.3/
patch -p 1 -i ../suhosin-patch-5.3.3-0.9.10.patch
./configure --with-php-config=/usr/local/bin/php-config
make
make install
```
Install the extension

```shell
wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure --with-php-config=/usr/local/bin/php-config
make
make install
```

Load suhosin.so from php.ini:

```ini
extension=suhosin.so
```
Encryption features of the extension
Session encryption
Session data is usually stored in clear text on the server. Suhosin adds transparent encryption of the $_SESSION data (encrypted on write, decrypted on read), so the data is not easily compromised when the session handler stores it in Memcache or a database; session data often holds sensitive fields.
This feature is enabled by default and can be adjusted in php.ini:

```ini
suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
;; IPv4 only
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0
```
Cookie Encryption
The HTTP header that carries the cookie from the client browser is also plaintext. By encrypting cookies you can protect your application against several attacks, such as:
- Cookie tampering: an attacker may try to guess other plausible cookie values to attack the application.
- Cross-application cookie reuse: misconfigured applications may share the same session store, since all sessions are stored by default in the /tmp directory; with cookie encryption, one application's cookie can never be reused for another application as long as the encryption keys differ.
The configuration of the cookie encryption in php.ini:
```ini
suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
```
Test
```shell
## By default PHP stores its sessions under /tmp
ls -lrt /tmp | grep sess
## With the extension disabled, inspect one session's data
cat sess_ururh83qvkkhv0n51lg17r4aj6
## the record is plaintext
## With the extension enabled, inspect one session's data
cat sess_ukkiiiheedupem8k4hheo0b0v4
## the record is ciphertext
```
Comparing the two records makes visible why encryption matters for security.
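What the encrypted session record above buys you, shown as an added example that is not Suhosin's code (Suhosin does this inside the extension in C; its exact key derivation and cipher are not reproduced here, and the sha256/AES-256-GCM construction below is an assumption for the demo): the key is derived from the configured cryptkey plus the User-Agent and document root, as the cryptua and cryptdocroot options do, the serialized $_SESSION is sealed with authenticated encryption, and a record read with a different User-Agent or with a modified byte fails to decrypt instead of yielding data. The same construction applies to suhosin.cookie.encrypt. It needs PHP 7.1+ for GCM support in the openssl extension; the session contents and User-Agent strings are constructed for the demo, and the cryptkey is the one from the php.ini snippet above.

```php
<?php
// Added illustration, not Suhosin's implementation: what suhosin.session.encrypt
// with cryptua/cryptdocroot achieves. Key derivation and cipher are assumptions.

// Derive the record key from the configured cryptkey plus, when enabled, the
// client's User-Agent and the document root (mirrors cryptua / cryptdocroot).
function derive_key(string $cryptkey, array $ctx, bool $cryptua, bool $cryptdocroot): string {
    $material = $cryptkey;
    if ($cryptua)      { $material .= "\0" . ($ctx['ua'] ?? ''); }
    if ($cryptdocroot) { $material .= "\0" . ($ctx['docroot'] ?? ''); }
    return hash('sha256', $material, true);   // raw 32 bytes: an AES-256 key
}

// Seal the serialized session with AES-256-GCM; stored form is base64(iv | tag | ciphertext).
function seal_session(array $session, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt(serialize($session), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Return the session array, or null when the key is wrong or the record was modified.
function open_session(string $blob, string $key): ?array {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { return null; }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) { return null; }       // GCM tag mismatch: wrong key or tampering
    $data = unserialize($pt, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample values; the cryptkey is the one from the php.ini snippet.
$cryptkey = 'zuHywawAthLavJohyRilvyecyondOdjo';
$ctx      = ['ua' => 'Mozilla/5.0 (X11; Linux x86_64)', 'docroot' => '/var/www/app'];
$session  = ['user_id' => 42, 'role' => 'admin', 'card_last4' => '1234'];

$key  = derive_key($cryptkey, $ctx, true, true);
$blob = seal_session($session, $key);
echo "stored session record: $blob\n";        // no plaintext field is visible in the record

// Same browser and document root: the record decrypts to the original array.
echo "same client decrypts: ", (open_session($blob, $key) === $session ? 'yes' : 'no'), "\n";

// Different User-Agent: a different key is derived and decryption is refused.
$otherKey = derive_key($cryptkey, ['ua' => 'curl/8.0', 'docroot' => '/var/www/app'], true, true);
echo "other user-agent decrypts: ", (open_session($blob, $otherKey) === null ? 'no' : 'yes'), "\n";

// Modified record: flipping one ciphertext bit is detected, nothing is returned.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
echo "tampered record decrypts: ", (open_session(base64_encode($raw), $key) === null ? 'no' : 'yes'), "\n";
```

Run it with `php session_crypt_demo.php`. The point of binding the key to the User-Agent and document root is the second and third checks: a record copied from another host's store or replayed by a different client is unreadable, and any modification is rejected by the authentication tag rather than decrypting to garbage that the application might still unserialize.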
Function blocking
Whitelist

```ini
## Explicitly specify the whitelist
suhosin.executor.func.whitelist = htmlentities,htmlspecialchars,base64_encode
suhosin.executor.eval.whitelist = htmlentities,htmlspecialchars,base64_encode
```

```php
<?php
// Both calls use whitelisted functions and are allowed, directly and inside eval()
echo htmlentities('<test>');
eval('echo htmlentities("<test>");');
```
Blacklist
```ini
## Explicitly specify the blacklist
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
```
Logging calls that violate the whitelist or blacklist. With suhosin.simulation = 1 the extension runs in simulation mode: violations are logged but not blocked, which is useful for checking the lists against real traffic before enforcing them (set it to 0 to enforce):

```ini
suhosin.simulation = 1
suhosin.log.file = 511
suhosin.log.file.name = /tmp/suhosin-alert.log
```
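In simulation mode the log file is the only signal, so it is worth reading systematically. The script below is an added example, not part of Suhosin: it parses alert lines and flags a source that tripped several different blocked functions from one file, which looks like a dropped script being exercised rather than a single legitimate call hitting the list. The sample lines are constructed to resemble Suhosin's "ALERT - ... called: func() (attacker 'ip', file 'path', line n)" entries; the exact wording of your version's log should be checked against the regular expression before relying on it, and the file path, IP addresses and the `triage` threshold are assumptions.

```php
<?php
// Added example (not Suhosin's code): triage the alert log named by suhosin.log.file.name.

// Constructed sample lines resembling Suhosin alert entries; real logs may carry a timestamp prefix.
function sample_log(): string {
    return <<<'LOG'
ALERT - function within blacklist called: system() (attacker '203.0.113.7', file '/var/www/app/upload/x.php', line 2)
ALERT - function within blacklist called: shell_exec() (attacker '203.0.113.7', file '/var/www/app/upload/x.php', line 5)
ALERT - function within blacklist called: passthru() (attacker '203.0.113.7', file '/var/www/app/upload/x.php', line 9)
ALERT - function outside of whitelist called: mail() (attacker '198.51.100.2', file '/var/www/app/contact.php', line 40)
some unrelated line that must be ignored
LOG;
}

// Parse one log line into its fields, or return null when it is not an alert.
function parse_alert(string $line): ?array {
    $re = "/ALERT - (?<kind>.+?) called: (?<func>\\w+)\\(\\) \\(attacker '(?<ip>[^']+)', file '(?<file>[^']+)', line (?<line>\\d+)\\)/";
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['kind' => $m['kind'], 'func' => $m['func'], 'ip' => $m['ip'],
            'file' => $m['file'], 'line' => (int)$m['line']];
}

// Count alerts per function and collect (ip, file) pairs that triggered at least
// $threshold distinct blocked functions.
function triage(string $log, int $threshold = 3): array {
    $perFunc   = [];
    $perSource = [];
    foreach (preg_split('/\R/', $log) as $line) {
        $a = parse_alert($line);
        if ($a === null) { continue; }                     // skip non-alert lines
        $perFunc[$a['func']] = ($perFunc[$a['func']] ?? 0) + 1;
        $perSource[$a['ip'] . ' ' . $a['file']][$a['func']] = true;
    }
    $suspects = [];
    foreach ($perSource as $src => $funcs) {
        if (count($funcs) >= $threshold) {
            $suspects[$src] = array_keys($funcs);
        }
    }
    return ['per_function' => $perFunc, 'suspects' => $suspects];
}

// With the sample above: four counted calls, and the 203.0.113.7 / upload/x.php pair is flagged.
print_r(triage(sample_log()));
```

To run it against the real file replace `sample_log()` with `file_get_contents('/tmp/suhosin-alert.log')`. A flagged file under an upload directory is the case to look at first; a single alert for mail() from a contact form is more likely a whitelist that is too narrow, which is exactly what simulation mode is meant to surface before blocking is switched on.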
Additional Configuration Items
- suhosin.executor.include.max_traversal: maximum number of "../" traversals allowed in an include path, which blocks switching into paths outside the intended directories
- suhosin.executor.include.whitelist: URLs allowed in include/require, comma-separated
- suhosin.executor.include.blacklist: URLs forbidden in include/require, comma-separated
- suhosin.executor.disable_eval = On: disables the eval function
- suhosin.upload.max_uploads: maximum number of files per upload request
- suhosin.upload.disallow_elf: reject uploaded ELF executables
- suhosin.upload.disallow_binary: reject uploads containing binary content
- suhosin.upload.remove_binary: drop uploaded files that contain binary content
- suhosin.upload.verification_script: a script that checks each uploaded file; it can be used to detect webshell signatures in the uploaded content
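A verification script of the kind the last item describes, written as an added example rather than taken from Suhosin or its documentation. It assumes the interface the Suhosin documentation gives for suhosin.upload.verification_script (the script receives the temporary file path as its first argument and must print "1" on its first line to accept the upload; confirm this against the documentation for your version). The file path in the php.ini comment and the indicator strings are assumptions; the checks mirror disallow_elf and disallow_binary and then look for PHP code combined with a dynamic-execution call, which is the trait the page's webshell item refers to.

```php
#!/usr/bin/env php
<?php
// Added example of a suhosin.upload.verification_script (not Suhosin's own code).
// Assumed interface: argv[1] is the uploaded temporary file; first output line "1" accepts it.
// php.ini (path is an assumption):
//   suhosin.upload.verification_script = /usr/local/bin/upload-check.php

// Reject ELF and Windows PE executables by their magic bytes (like disallow_elf, extended to PE).
function looks_like_executable(string $head): bool {
    return substr($head, 0, 4) === "\x7fELF" || substr($head, 0, 2) === "MZ";
}

// Treat a NUL byte in the first 8 KiB as binary content (like disallow_binary).
function looks_like_binary(string $head): bool {
    return strpos($head, "\0") !== false;
}

// PHP code in an upload is suspicious on its own; PHP code plus a dynamic-execution
// primitive is the common webshell trait. Returns the matched indicator or null.
function webshell_indicator(string $content): ?string {
    if (stripos($content, '<?php') === false && stripos($content, '<?=') === false) {
        return null;                       // no PHP open tag: not PHP code at all
    }
    $suspicious = ['eval(', 'assert(', 'system(', 'shell_exec(', 'passthru(', 'base64_decode('];
    foreach ($suspicious as $needle) {
        if (stripos($content, $needle) !== false) {
            return $needle;
        }
    }
    return '<?php';                        // PHP code without those calls is still reported
}

// Decide for one file; returns [accepted (bool), reason (string)].
function verify_upload(string $path): array {
    $fh = @fopen($path, 'rb');
    if ($fh === false) { return [false, 'cannot open file']; }
    $head = fread($fh, 8192);              // only the first 8 KiB is inspected
    fclose($fh);
    if ($head === false) { return [false, 'cannot read file']; }
    if (looks_like_executable($head)) { return [false, 'executable magic bytes']; }
    if (looks_like_binary($head))     { return [false, 'binary content']; }
    $hit = webshell_indicator($head);
    if ($hit !== null)                { return [false, "php code ($hit)"]; }
    return [true, 'ok'];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    [$ok, $reason] = verify_upload($argv[1]);
    echo $ok ? "1\n" : "0\n";              // first stdout line: 1 = accept, 0 = reject
    fwrite(STDERR, "upload-check: {$argv[1]}: $reason\n");   // detail for the server log
}
```

Try it by hand with `php upload-check.php /path/to/file`. The binary check rejects legitimate images as well, so drop `looks_like_binary` (and disallow_binary) on an application that accepts image uploads and keep the executable and PHP-code checks; whatever the script rejects, the real control is still that the upload directory is never served with PHP execution enabled.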
Reference Address: http://suhosin.org/
From notes by Wiz
PHP extension: Suhosin protects PHP application systems