PHP Suhosin: Hardening Your PHP5 On Ubuntu

PHP Suhosin is an open source patch and extension for PHP5 that hardens the interpreter against common classes of attack on PHP applications and the PHP core. From the official Suhosin site: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections." On Ubuntu the extension half is packaged as php5-suhosin and can simply be installed; the patch half modifies the PHP core itself, so getting it means rebuilding the php5 packages from source, which is what the rest of this article walks through.

PHP Suhosin: Pre-requisite

Suhosin hardens PHP itself, so you need Apache2 with PHP5 (mod_php) already installed and working; that is what it protects. If you haven't set that up yet, follow my previous article on configuring Ubuntu as a web server.

Then install the tools needed to rebuild the PHP5 packages later:

apt-get install dpkg-dev build-essential

Install PHP Suhosin

The extension half is available as an Ubuntu package, so install it first (it also drops the default /etc/php5/conf.d/suhosin.ini into place). The patch half is only available by rebuilding the PHP5 packages from source, which is the bulk of the work below:

apt-get install php5-suhosin

Now fetch the Ubuntu source package. apt-get source needs a matching deb-src line in /etc/apt/sources.list; it downloads the .dsc, the .orig.tar.gz and the Ubuntu diff and unpacks them into php5-5.3.3 on its own, so there is no need to extract the tarball by hand (extracting it with tar would create a separate, unpackaged php-5.3.3 tree that dpkg-buildpackage cannot build). Note the version it prints; the Suhosin patch you download next must match it exactly:

cd /usr/src
apt-get source php5

Import the Hardened-PHP Project's signing key so the patch you are about to download can be verified:

wget http://www.hardened-php.net/hardened-php-signature-key.asc
gpg --import < hardened-php-signature-key.asc

Download the Suhosin patch from the project's download page, choosing the one built for your exact PHP version; the patch applies cleanly only against the source it was made for. I'm using PHP 5.3.3, so I download the Suhosin patch for PHP 5.3.3. The download page also lists a detached GPG signature (.sig) for each patch: fetch it as well and run gpg --verify on it against the key imported above before applying the patch, otherwise importing the key gains you nothing.

cd /usr/src/
wget http://download.suhosin.org/suhosin-patch-5.3.3-0.9.10.patch.gz
gunzip suhosin-patch-5.3.3-0.9.10.patch.gz
cd php5-5.3.3
patch -p 1 -i ../suhosin-patch-5.3.3-0.9.10.patch

Then rebuild the packages from the patched source. dpkg-buildpackage will try to sign the result with your GPG key at the end; if you don't have one, add -us -uc to skip the signing step:

dpkg-buildpackage

The first run usually stops right away on unmet build dependencies, as below. The quickest fix is apt-get build-dep php5, which installs everything the package's debian/control declares; otherwise install the packages it lists by hand. Then rerun dpkg-buildpackage.

For example, I was missing these packages:

root@ivan-ubuntu:/usr/src/php5-5.3.3# dpkg-buildpackage
dpkg-buildpackage: export CFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export CPPFLAGS from dpkg-buildflags (origin: vendor):
dpkg-buildpackage: export CXXFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export FFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export LDFLAGS from dpkg-buildflags (origin: vendor): -Wl,-Bsymbolic-functions
dpkg-buildpackage: source package php5
dpkg-buildpackage: source version 5.3.3-1ubuntu9.5
dpkg-buildpackage: source changed by Steve Beattie
dpkg-buildpackage: host architecture i386
dpkg-source --before-build php5-5.3.3
dpkg-checkbuilddeps: Unmet build dependencies: apache2-prefork-dev autoconf (>= 2.63) automake (>= 1.11) | automake1.11 bison chrpath debhelper (>= 5) flex freetds-dev hardening-wrapper libapr1-dev (>= 1.2.7-8) libbz2-dev libdb-dev (>= 4.7) | libdb4.8-dev | libdb4.6-dev libenchant-dev libevent-dev (>= 1.4.11) libexpat1-dev (>= 1.95.2-2.1) libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libglib2.0-dev libgmp3-dev libicu-dev libjpeg-dev | libjpeg62-dev libmhash-dev (>= 0.8.8) libmysqlclient-dev libpam0g-dev libpcre3-dev (>= 6.6) libpng12-dev libpq-dev libpspell-dev librecode-dev libsasl2-dev libsnmp-dev libsqlite0-dev libsqlite3-dev libt1-dev libtidy-dev libtool (>= 2.2) libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev (>= 1.0.18) quilt re2c unixodbc-dev libedit-dev
dpkg-buildpackage: warning: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: warning: (Use -d flag to override.)

To solve that I installed:

apt-get install apache2-prefork-dev automake1.11 bison chrpath debhelper flex freetds-dev hardening-wrapper libapr1-dev libbz2-dev libdb4.8-dev libenchant-dev libevent-dev  libexpat1-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libglib2.0-dev libgmp3-dev libicu-dev libjpeg-dev libjpeg62-dev libmhash-dev libmysqlclient-dev libpam0g-dev libpcre3-dev libpng12-dev libpq-dev libpspell-dev librecode-dev libsasl2-dev libsnmp-dev libsqlite0-dev libsqlite3-dev libt1-dev libtidy-dev libtool libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev quilt re2c unixodbc-dev libedit-dev

When the build finishes, the resulting .deb files are written to the parent directory (/usr/src), not into the source tree, so install them from there:

cd /usr/src
dpkg -i *.deb

Note: that command installs every package the build produced, including PHP modules you may not have had before, and replaces your current php5 packages. If you only want what was already installed, compare the list against dpkg -l 'php5*' and pick accordingly. Also be aware that these rebuilt packages carry the same version string as the stock ones, so the next Ubuntu security update of php5 will silently replace them with unpatched builds; either put the installed packages on hold (echo php5-common hold | dpkg --set-selections, and likewise for each of the others) and track upstream updates yourself, or plan to repeat this rebuild after every php5 update.

Now check that both parts are actually in place; they are independent and one can be present without the other. The quickest check is from the command line: php -v prints "with Suhosin-Patch" when the core patch is in, and php -m lists suhosin when the extension is loaded. From the web side, put this script in a file under your document root:

<?php
phpinfo();
?>

Open it in a browser: with the patch applied the Suhosin logo appears next to the PHP logo at the top of the page, and with the extension loaded there is a suhosin section further down showing its settings. Remove the file once you are done, since phpinfo() discloses paths, versions and configuration to anyone who can reach it. For details on configuring Suhosin see the official documentation; the extension's settings live in /etc/php5/conf.d/suhosin.ini, and setting suhosin.simulation = On makes it log what it would have blocked instead of blocking, which is a sensible way to run it under real traffic before turning enforcement on.
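As an added example (not part of the original article), here is a small POSIX sh script that performs the command-line check above for both halves of Suhosin and gives a separate verdict for each, so a missing patch is not masked by a loaded extension or vice versa. It assumes the php CLI binary is on PATH (override with the PHP variable) and keys on the exact strings the patched core and the extension print: "with Suhosin-Patch" in php -v and a module line "suhosin" in php -m.

```shell
#!/bin/sh
# Added example, not from the original post: verify both halves of Suhosin
# after installing the rebuilt packages. The core *patch* announces itself in
# `php -v` as "with Suhosin-Patch"; the *extension* appears as a module named
# "suhosin" in `php -m`. A logo in phpinfo() only proves one of the two is
# present, so each is checked on its own.

# Return 0 if the given `php -v` output reports the Suhosin core patch.
has_suhosin_patch() {
    printf '%s\n' "$1" | grep -q 'with Suhosin-Patch'
}

# Return 0 if the given `php -m` output lists the suhosin extension
# (whole-line, case-insensitive match so "Suhosin" and "suhosin" both count).
has_suhosin_ext() {
    printf '%s\n' "$1" | grep -qix 'suhosin'
}

# Run the live check against a real interpreter ($PHP, default "php" on PATH)
# and print one verdict per component. Returns 0 only if both are present,
# 1 if either is missing, 2 if php cannot be executed at all.
check_suhosin() {
    php_bin="${PHP:-php}"
    v_out=$("$php_bin" -v 2>/dev/null) || { echo "cannot run $php_bin"; return 2; }
    m_out=$("$php_bin" -m 2>/dev/null)
    rc=0
    if has_suhosin_patch "$v_out"; then
        echo "Suhosin patch:     present"
    else
        echo "Suhosin patch:     MISSING (PHP core was not rebuilt with the patch)"
        rc=1
    fi
    if has_suhosin_ext "$m_out"; then
        echo "Suhosin extension: loaded"
    else
        echo "Suhosin extension: NOT LOADED (is php5-suhosin installed and its .ini enabled?)"
        rc=1
    fi
    return $rc
}

# Only run the live check when RUN_CHECK=1 is set, so the functions above can
# be sourced and exercised on systems without PHP (e.g. in a test).
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_suhosin
fi
```

Run it on the server with RUN_CHECK=1 sh check-suhosin.sh; a non-zero exit code means at least one half is missing, which makes it easy to wire into a post-install or post-update check so a later php5 package update that drops the patch is noticed.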
