This post documents how to enable the Suhosin protection system for PHP on Ubuntu installations. It has been tested on Ubuntu 11.04 but might work on earlier or later releases with few modifications.
Apparently, Ubuntu repositories already contain the patches as an additional package. They are installed by the following line:
aptitude install php5-suhosin
After that, the patches are available but not yet configured. The central config file for the protection system is located at /etc/php5/conf.d/suhosin.ini. For a basic configuration uncomment the following lines:
[suhosin]
suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_emodifier = on
suhosin.mail.protect = 2
; Filtering Options
suhosin.cookie.max_vars = 2048
suhosin.get.max_array_index_length = 256
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 2048
suhosin.request.max_totalname_length = 8192
suhosin.request.max_varname_length = 256
Defining the latter options keeps phpMyAdmin working. After editing the file, the changes are activated by restarting the Apache daemon:
service apache2 restart
Now you may play around with the other config options in order to harden your webserver even more.
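The check below is an added example, not part of the original post: it confirms that the directives listed above are actually uncommented in suhosin.ini and carry the values shown, which is easy to get wrong when editing by hand. The function names active_value and check_suhosin_ini are made up for this example, and it assumes that a line starting with ";" is a comment, as in PHP ini files.

```shell
#!/bin/sh
# Added example: verify that the directives listed in the post are active
# (uncommented) in suhosin.ini and carry the values shown there.

# Directives and values copied from the post.
EXPECTED='suhosin.executor.include.max_traversal=4
suhosin.executor.disable_emodifier=on
suhosin.mail.protect=2
suhosin.cookie.max_vars=2048
suhosin.get.max_array_index_length=256
suhosin.post.max_array_index_length=256
suhosin.post.max_totalname_length=8192
suhosin.post.max_vars=2048
suhosin.request.max_totalname_length=8192
suhosin.request.max_varname_length=256'

# active_value FILE KEY: print the lowercased value of the last uncommented
# "KEY = value" line; lines starting with ';' are comments and are ignored.
active_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); found = tolower(v) }
        }
        END { print found }' "$1"
}

# check_suhosin_ini FILE: report each directive; return 1 if any is still
# commented out, missing, or set to a different value.
check_suhosin_ini() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(active_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok       $key = $got"
        else
            echo "MISMATCH $key: want '$want', active value '${got:-<none>}'"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh /etc/php5/conf.d/suhosin.ini
if [ -n "${1:-}" ]; then check_suhosin_ini "$1"; fi
```

A non-zero exit status means at least one directive is not in effect; fix the file and restart Apache before checking again.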
perfect thx!
Hey Dirk,
I just found this page on Google.
Hope you are doing well.
Best regards, Sebastian