PHP extension: protecting PHP application systems with Suhosin

Source: Internet
Author: User

What is Suhosin?

Suhosin is a protection system for PHP applications. It is designed to protect servers and users against known and unknown flaws in PHP applications and in the PHP core itself.
Suhosin has two separate parts that can be used on their own or in combination.
The first part is a patch for the PHP core that hardens the engine against buffer overflow and format-string weaknesses;
the second part is a PHP extension that contains all the other protections.

Download and apply the patch (optional)

## Not needed for newer PHP versions; decide for yourself whether to apply the patch.
## The core patch is built with PHP's own ./configure; --with-php-config belongs to the extension build below.
wget http://download.suhosin.org/suhosin-patch-5.3.3-0.9.10.patch.gz
gunzip suhosin-patch-5.3.3-0.9.10.patch.gz
cd php-5.3.3/
patch -p1 -i ../suhosin-patch-5.3.3-0.9.10.patch
./configure
make
make install

Install the extension

wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure --with-php-config=/usr/local/bin/php-config
make
make install

Load suhosin.so in php.ini:

extension=suhosin.so

Encryption features of the extension

Session encryption

Session data is normally stored in clear text on the server. Suhosin transparently encrypts $_SESSION before the session handler writes it and decrypts it on read. This matters when the session store is Memcache or a database, because session data very often holds sensitive fields, and an attacker who reaches the store no longer gets them in the clear.

This feature is enabled by default and can be tuned in php.ini:

suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On         ; also mix the User-Agent into the key
suhosin.session.cryptdocroot = On    ; also mix the document root into the key
;; IPv4 only: number of leading octets of the remote address mixed into the key / required to match
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0

Cookie Encryption

Cookies travel as plaintext in the HTTP headers and are fully under the client's control. By encrypting cookies you can protect your application against a number of attacks, such as:

    • Cookie tampering: an attacker may try to guess other plausible cookie values in order to attack the application.
    • Cookie reuse across applications: misconfigured applications may share one session store (by default all sessions are saved under /tmp). As long as the encryption keys differ, a cookie from one application can never be reused against another.

The cookie encryption settings in php.ini:

suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0

Test

## By default PHP saves sessions under /tmp
ll -rt /tmp | grep sess
## With the extension disabled, look at one session's data
cat sess_ururh83qvkkhv0n51lg17r4aj6    // the record is plaintext
## With the extension enabled, look at one session's data
cat sess_ukkiiiheedupem8k4hheo0b0v4    // the record is ciphertext

This makes the value of encryption for security visible at a glance.

Blocking function

Whitelist

## Explicitly specify the whitelist: only the listed functions may be called (directly and inside eval)
suhosin.executor.func.whitelist = htmlentities,htmlspecialchars,base64_encode
suhosin.executor.eval.whitelist = htmlentities,htmlspecialchars,base64_encode

## Test script: both calls succeed because echo is a language construct and htmlentities is whitelisted
<?php
echo htmlentities('<test>');
eval('echo htmlentities("<test>");');

Blacklist

## Explicitly specify the blacklist: the listed functions may not be called (directly and inside eval).
## Set either a whitelist or a blacklist for each executor, not both.
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand

Logging blacklist/whitelist violations

In simulation mode Suhosin records violations without enforcing them, which is the safe way to find out what a list would block before turning it on; set suhosin.simulation back to 0 once the log is clean.

suhosin.simulation = 1                         ; log violations but do not block them
suhosin.log.file = 511                         ; bitmask of alert classes written to the file; 511 = all classes
suhosin.log.file.name = /tmp/suhosin-alert.log
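To turn the simulation log into a decision about the list, it helps to aggregate it by function and file. The script below is an added example, not part of the original post or of the Suhosin project. The sample log lines are constructed, and the alert line layout they follow ("ALERT-SIMULATION - function within blacklist called: system() (attacker '...', file '...', line N)") is an assumption about Suhosin's message format; compare it with a real line from your own log before relying on the regular expressions.

```shell
#!/bin/sh
# Summarise Suhosin executor alerts written to suhosin.log.file.name while
# suhosin.simulation = 1. Added example; not code from the original post.
# ASSUMPTION: the alert line layout used in the sample below follows the
# Suhosin message format; verify it against your own log first.

# write_sample_log PATH: write a constructed sample log (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
[Thu Mar 06 10:12:01 2014] ALERT-SIMULATION - function within blacklist called: system() (attacker '203.0.113.5', file '/var/www/html/upload.php', line 12)
[Thu Mar 06 10:12:03 2014] ALERT-SIMULATION - function within blacklist called: system() (attacker '203.0.113.5', file '/var/www/html/upload.php', line 12)
[Thu Mar 06 10:13:40 2014] ALERT-SIMULATION - function within blacklist called: unserialize() (attacker '198.51.100.7', file '/var/www/html/cart.php', line 88)
[Thu Mar 06 10:14:02 2014] ALERT-SIMULATION - function outside of whitelist called: strrev() (attacker '192.0.2.9', file '/var/www/html/index.php', line 3)
[Thu Mar 06 10:15:00 2014] ALERT-SIMULATION - Include filename ('http://203.0.113.9/shell.txt') is an URL that is not allowed (attacker '203.0.113.5', file '/var/www/html/view.php', line 4)
EOF
}

# summarize_alerts LOG: print "count function file" for every executor
# (blacklist/whitelist) alert, most frequent first. Hits that come from your
# own application code belong in the whitelist or need a code fix; the rest
# is what the list will block once simulation is switched off.
summarize_alerts() {
    grep -E 'ALERT[A-Z-]* - function (within blacklist|outside of whitelist) called:' "$1" |
    sed -E "s/.*called: ([A-Za-z0-9_]+)\(\).*file '([^']+)'.*/\1 \2/" |
    sort | uniq -c | sort -k1,1nr -k2,2 -k3,3 |
    awk '{ print $1, $2, $3 }'
}

# attackers LOG: print "count address" across all alert classes, so a single
# source probing several protections stands out.
attackers() {
    sed -nE "s/.*attacker '([^']+)'.*/\1/p" "$1" |
    sort | uniq -c | sort -k1,1nr -k2,2 |
    awk '{ print $1, $2 }'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
echo "executor alerts (count function file):"
summarize_alerts "$tmp"
echo "alerts per attacker (count address):"
attackers "$tmp"
rm -f "$tmp"
```

Run it against the real file with `summarize_alerts /tmp/suhosin-alert.log`; the include-URL alert in the sample is deliberately not counted by summarize_alerts, because it belongs to the include protections rather than to the function lists.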
Additional configuration items

suhosin.executor.include.max_traversal    maximum number of "../" steps allowed in an include path; blocks traversal to paths outside the intended directory
suhosin.executor.include.whitelist        URLs allowed in include/require, comma-separated
suhosin.executor.include.blacklist        URLs forbidden in include/require, comma-separated
suhosin.executor.disable_eval = On        disables eval()
suhosin.upload.max_uploads                maximum number of files accepted per request
suhosin.upload.disallow_elf               reject uploaded files that are ELF executables
suhosin.upload.disallow_binary            reject uploaded files that contain binary data
suhosin.upload.remove_binary              strip binary data from uploaded files instead of rejecting them
suhosin.upload.verification_script        script run against every uploaded file; it can check the content for webshell signatures
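A checker of the kind suhosin.upload.verification_script points to, as an added example (not code from the original post or from the Suhosin project). It assumes Suhosin's documented interface as I recall it: the script receives the temporary path of the uploaded file as its first argument and the upload is accepted only when the first line it prints is "1"; confirm this against the documentation of your Suhosin version. The sample files it writes for the stand-alone run are constructed, not real uploads.

```shell
#!/bin/sh
# Upload checker for suhosin.upload.verification_script.
# Added example; not code from the original post or from the Suhosin project.
# ASSUMPTION (Suhosin's documented interface, as I recall it; confirm with
# your version): Suhosin runs this script with the temporary path of each
# uploaded file as $1 and accepts the upload only if the first line printed
# is "1". Anything else rejects the file.

# scan_upload FILE: exit status 0 = clean, 1 = suspicious or unreadable.
# Flags executable headers (ELF, Windows PE) hiding behind an image name,
# and PHP code or classic webshell primitives anywhere in the file, which
# also catches "valid image + PHP appended" polyglots.
scan_upload() {
    file="$1"
    [ -r "$file" ] || return 1
    magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46|4d5a*) return 1 ;;   # \x7fELF or MZ header
    esac
    if grep -aqiE '<\?(php|=)|(^|[^A-Za-z0-9_])(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode)[[:space:]]*\(' "$file"; then
        return 1
    fi
    return 0
}

# verdict FILE: print what Suhosin expects, "1" to accept or "0" to reject.
verdict() {
    if scan_upload "$1"; then echo 1; else echo 0; fi
}

# write_samples DIR: constructed sample uploads for a stand-alone run.
write_samples() {
    dir="$1"
    printf 'GIF89a\001\000\001\000;' > "$dir/ok.gif"                         # harmless image stub
    printf 'hello world\n' > "$dir/note.txt"                                  # plain text
    printf 'GIF89a\n<?php system($_GET["c"]); ?>\n' > "$dir/shell.gif"       # PHP appended to an image
    printf '\177ELF\002\001\001' > "$dir/payload.jpg"                          # ELF header under an image name
}

# When invoked by Suhosin the upload path is $1; otherwise run the demo.
if [ $# -ge 1 ]; then
    verdict "$1"
else
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/*; do echo "$(verdict "$f") $f"; done
    rm -rf "$d"
fi
```

Point suhosin.upload.verification_script at this file (executable, owned by root, not writable by the web server user) and keep the pattern list short and specific: every false positive here is a rejected legitimate upload, so extend it only from what the simulation log and your own upload paths show.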

Reference Address: http://suhosin.org/


