Install Suhosin PHP5 Security Protection on Debian Squeeze

Valic — January 3, 2012 — 6 Comments

What is Suhosin?

Suhosin is an advanced protection system for PHP5 installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin comes in two independent parts that can be used separately or in combination: a patch to the PHP core (Debian applies it to its own php5 packages) and a loadable extension, which is what this tutorial installs.

Suhosin is a simple way of raising your level of protection without a noticeable impact on overall performance.

In this tutorial I will cover the installation and configuration of Suhosin on Debian Squeeze. I assume that you already have apache2 and php5 set up using this tutorial: How to install apache2, mysql5 and php5 on debian squeeze

1. Install Suhosin on Debian Squeeze:

Installation of suhosin on Debian Squeeze is simple.

apt-get update && apt-get install php5-suhosin

2. Configuring Suhosin:

The configuration file on Debian Squeeze is located in /etc/php5/conf.d/suhosin.ini (the package installs a commented default there). After editing it, restart Apache (/etc/init.d/apache2 restart) so that mod_php picks up the new settings.

This is the config I use, with explanations:

; Comments use ';' because PHP 5.3 (as shipped in Squeeze) logs a
; deprecation warning for ini comments that start with '#'.

; Enable Suhosin.
extension=suhosin.so

; How many directory traversals ("../") an include path may contain.
; "../dir" is OK, "../../../../../dir" is not (5 > 4).
suhosin.executor.include.max_traversal=4

; On disables the /e modifier of preg_replace(), which executes the
; replacement string as PHP code and is a classic injection sink.
; Off (the default, kept here) leaves it enabled; set it to On unless an
; application actually needs /e.
suhosin.executor.disable_emodifier=Off

; Protect mail forms against spammer attacks (2 is the strictest level).
suhosin.mail.protect=2

; When safe_mode is disabled a script can raise its own memory_limit with
; ini_set(); Suhosin caps such raises at this value.
suhosin.memory_limit=256M

; Maximum sizes for variables coming from COOKIE, GET and POST.
; suhosin.request.* applies to all three sources, suhosin.post.* to POST
; alone, so for POST data the lower of the two limits is the effective one.
suhosin.request.max_array_depth=4096
suhosin.request.max_array_index_length=2048
suhosin.request.max_name_length=2048
suhosin.request.max_value_length=650000
suhosin.request.max_vars=4096
suhosin.post.max_array_depth=8048
suhosin.post.max_array_index_length=1024
suhosin.post.max_name_length=2048
suhosin.post.max_totalname_length=8048
suhosin.post.max_vars=4096

; Maximum number of file uploads per request.
; This can be useful for this tutorial: Create Your Own Cloud Server on Debian Squeeze
suhosin.upload.max_uploads=100

; Functions that may not be called from inside eval()'d code: include,
; curl, fpassthru, base64_encode, mail and others. Most current attack
; scripts ship base64-obfuscated code that is decoded and then eval()'ed.
; Keep the whole list on ONE line: a php.ini value cannot span lines, and a
; wrapped list makes PHP reject the entire file.
suhosin.executor.eval.blacklist=include,include_once,require,require_once,curl_init,fpassthru,file,base64_encode,base64_decode,mail,exec,system,proc_open,leak,syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,proc_nice,popen,proc_get_status,dl,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,socket_accept,socket_bind,socket_connect,socket_create,socket_create_listen,socket_create_pair,link,register_shutdown_function,register_tick_function

; On disables eval() completely. Left Off here because the blacklist above
; already restricts what eval()'d code may call; set it to On if none of
; your applications need eval().
suhosin.executor.disable_eval=Off

; Log every alert class except SQL alerts to syslog.
suhosin.log.syslog=S_ALL & ~S_SQL
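Before restarting Apache it is worth checking that PHP can actually parse the file and that the module really gets loaded. The script below is an added example, not code from the original tutorial or from the Suhosin project. It lints a suhosin.ini for the one mistake that silently disables everything (a value, typically the eval blacklist, wrapped over several lines, which php.ini syntax does not allow), reads settings back, and on the server itself asks the PHP CLI what it loaded. INI_PATH is the Debian Squeeze path named above; the two sample ini texts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the Suhosin project):
# lint a suhosin.ini before restarting Apache, then ask the running PHP what
# it actually loaded.
#
# A php.ini-style value cannot span several lines, so an eval blacklist that
# was wrapped for display has to be joined back onto one line; otherwise PHP
# rejects the file and Suhosin quietly stays unloaded. The sample ini texts
# below are constructed for this demo; INI_PATH is the Debian Squeeze path
# named in the tutorial.

INI_PATH=/etc/php5/conf.d/suhosin.ini

# ini_value FILE KEY: print the value of KEY with surrounding blanks removed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# lint_suhosin_ini FILE: return 0 if the file looks loadable, 1 otherwise.
lint_suhosin_ini() {
    file=$1
    rc=0
    if ! grep -q '^[[:space:]]*extension[[:space:]]*=[[:space:]]*suhosin\.so' "$file"; then
        echo "lint: no 'extension=suhosin.so' line, Suhosin would not load" >&2
        rc=1
    fi
    # Every line that is neither blank nor a comment (; or #) must be
    # key=value. The continuation line of a wrapped value fails this test.
    bad=$(grep -v -E '^[[:space:]]*([#;]|$)' "$file" \
          | grep -v -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_.]*[[:space:]]*=' || true)
    if [ -n "$bad" ]; then
        echo "lint: lines that are not key=value (a wrapped value?):" >&2
        printf '%s\n' "$bad" >&2
        rc=1
    fi
    return $rc
}

# verify_runtime: on the server itself, confirm the module is loaded and read
# one setting back through PHP's own ini parser. Skipped where php is absent.
verify_runtime() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php not installed here, skipping runtime check"
        return 0
    fi
    php -m | grep -qi '^suhosin$' || { echo "suhosin module not loaded" >&2; return 1; }
    php -r 'echo "max_traversal=", ini_get("suhosin.executor.include.max_traversal"), "\n";'
}

# Constructed sample: a shortened version of the config above, blacklist on one line.
write_good_ini() {
    cat > "$1" <<'EOF'
; constructed sample
extension=suhosin.so
suhosin.executor.include.max_traversal=4
suhosin.executor.eval.blacklist=include,include_once,require,require_once,curl_init,base64_decode,exec,system,popen
suhosin.log.syslog = S_ALL & ~S_SQL
EOF
}

# Constructed sample: the same blacklist wrapped over two lines, as a blog
# layout renders it. PHP cannot parse this file.
write_wrapped_ini() {
    cat > "$1" <<'EOF'
extension=suhosin.so
suhosin.executor.eval.blacklist=include,include_once,require,require_once,
curl_init,base64_decode,exec,system,popen
EOF
}

tmp=$(mktemp -d)
write_good_ini "$tmp/good.ini"
write_wrapped_ini "$tmp/wrapped.ini"
for f in "$tmp/good.ini" "$tmp/wrapped.ini"; do
    if lint_suhosin_ini "$f"; then
        echo "$f: ok, max_traversal=$(ini_value "$f" suhosin.executor.include.max_traversal)"
    else
        echo "$f: would not load"
    fi
done
rm -rf "$tmp"

# On the real server: lint the installed file, then check what PHP loaded.
[ -r "$INI_PATH" ] && lint_suhosin_ini "$INI_PATH" && verify_runtime || true
```

The lint only catches syntax that PHP would reject; whether a setting has the effect you expect is what verify_runtime's ini_get() call is for. On Squeeze the CLI and apache2 SAPIs both read /etc/php5/conf.d, so a value reported by php -r is the value mod_php will use after the Apache restart.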

Enjoy.

Valic


Editor in Chief at Debian-Tutorials, Linux enthusiast.

6 responses to Install Suhosin PHP5 Security Protection on Debian Squeeze

  1. Hi,
    I like your work and website. Can you post some tutorials about creating virtual web hosting for some users?

    Note: I have installed Debian 6, PHP, MySQL, Apache and Webmin.

  2. Looks like it is enabled by default in Squeeze. Maybe I forgot that I installed it before. :P But thanks (esp. for the .ini)

  3. It is enabled on Squeeze, but it has the default configuration.

  4. I want to create a web server in my office, and I want all users to be able to have virtual hosting to work with PHP and MySQL, like real web hosting.
    I want every user to have an address like http://user1.example.com, and every user should be able to use FTP or have access to their folder on the server.
    I want to be able to create this folder and link for the other users in my office.
