Suhosin

Suhosin, the Korean word for “guardian angel”, is a hardening system for PHP, the server-side language that, according to the usual web surveys, powers roughly 80% of the websites whose back-end language can be identified.

Written by Stefan Esser of the German security firm SektionEins, Suhosin takes a two-part approach: a patch against the PHP core and a separate PHP extension. Each part works on its own, and the two can be combined.

First released in October 2006 and maintained through the PHP 5 series (it does not support PHP 7 or later), Suhosin gives site owners, application developers and server administrators a way to harden a PHP installation substantially without writing hardening code themselves.

Suhosin also shrinks PHP’s attack surface as soon as it is installed. Its mechanisms, among them whitelists and blacklists, resource limits, transparent session and cookie encryption, request filters and security logging, add layers of protection that a “vanilla” PHP build does not have.

Multi-Pronged Approach to PHP Security

As noted above, the two parts of Suhosin, the patch and the extension, give site and application owners and server administrators considerable control over how they harden their PHP platform.

The two parts are installed differently. The patch is applied to the PHP source tree before PHP is compiled; the extension is built separately and loaded through php.ini (extension=suhosin.so). Once loaded, both are configured through suhosin.* directives in php.ini, and administrators can run either part alone or both together.

Most administrators install both even if they initially enable only one, since this leaves the other part ready to switch on later with little extra work.

Note that if you install only the patch, only its logging features are immediately available; the rest of Suhosin’s features live in the extension. If you install only the extension, the predefined constants and configuration defaults that the patch supplies (the S_* log-class names, for example) are not known to the ini parser, so every option has to be set explicitly in php.ini, with numeric values where the constants would otherwise be used.

Using only one part therefore limits the features you can use and, with them, the hardening gain compared with installing both.

With the extension alone, fine-tuning of the logging feature is unavailable, the choice of syslog facilities is reduced, and the additional protections for mail() headers are significantly weaker.

The ability to tune how Suhosin responds to individual security violations is also more limited with the extension alone than with the patch and extension together.

Leveraging the Suhosin Patch and Extension

Many administrators hesitate to deploy the Suhosin patch and extension because they fear the restrictions placed on PHP will break their site or web application.

Suhosin addresses this with a simulation mode.

Alongside its hardening features, Suhosin ships with a configuration option, suhosin.simulation, designed for exactly this rollout problem.

With simulation enabled, the extension keeps logging every security violation and gives you full reporting, but does not block the offending actions. The application keeps working unchanged while you collect information about which requests would have been blocked, which lets you fix false positives, or the underlying vulnerabilities, before switching enforcement on.

Prospective users often ask whether Suhosin supports older PHP versions. Although PHP runs a large share of the web, many of those sites are not on the latest release of the language.

Both the patch and the extension target the PHP 5 series: the extension supports PHP 5.0 through 5.6, and the patch exists for PHP 5.0 through 5.3. That makes Suhosin useful for hardening legacy PHP 5 sites, but only as a stop-gap: there is no Suhosin for PHP 7 or later, so upgrading PHP itself remains the more important fix.

Moving Forward

Anyone serious about protecting a PHP 5 web platform would be wise to look at what the Suhosin extension and patch offer together.

Attackers look for the lowest-hanging fruit: PHP flaws and application vulnerabilities on servers whose owners have never audited or hardened them.

Suhosin lets you stiffen PHP security almost immediately without writing code yourself. Patch and extension together close many of the easy routes into a server while also raising the bar against more sophisticated attacks.

Suhosin is open source and freely available, which gives a level of transparency and auditability that closed PHP hardening products cannot offer.

Configuration

Security vulnerabilities are regularly found in PHP itself and, far more often, in the applications written in it. Protecting a PHP installation against both is what the Suhosin patch and extension are designed for.

Suhosin raises the safety of a PHP installation substantially while keeping it usable.

Suhosin provides useful protection with its default configuration, but individual settings can be tuned to your particular needs.

Almost all of this configuration is done through suhosin.* directives in the php.ini file already on your server, which makes customization simpler than with many other hardening options.

Before going through the individual options, it is worth restating the value of installing both the patch and the extension.

Using only one of the two parts may significantly reduce what Suhosin can do for you. With only the patch, just the logging features are available; with only the extension, the predefined constants that make configuration easier (the S_* log-class names, for instance) are not known to the ini parser, and numeric values must be used instead.

Make sure both parts are installed on your server before you start.

Logging Configurations

Suhosin’s logging gives an almost instant picture of your PHP environment at any point in time, as well as a record of the attacks attempted and of the vulnerabilities that need attention.

More than a dozen logging directives can be adjusted, covering which classes of alerts are logged, where they are sent (syslog, the SAPI error log, a file, stdout or an external script), the syslog facility and priority, whether file entries carry timestamps, and more.

According to The Blog Starter, the logging configuration options you can customize include, but are not limited to:

• suhosin.log.syslog: bitmask of alert classes sent to syslog
• suhosin.log.syslog.facility: the syslog facility used
• suhosin.log.syslog.priority: the syslog priority used
• suhosin.log.sapi: alert classes sent to the SAPI (web server) error log
• suhosin.log.stdout: alert classes written to stdout (mainly useful for the CLI)
• suhosin.log.file: alert classes written to a log file
• suhosin.log.file.name: path of that log file
• suhosin.log.file.time: whether file entries carry a timestamp
• suhosin.log.script: alert classes that trigger the external script named in suhosin.log.script.name
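As an added example (not from the original post and not the Suhosin project’s own shipped suhosin.ini), the following php.ini fragment routes alerts to syslog and to a dedicated file. It assumes the Suhosin 0.9.x extension is loaded. The log classes are a bitmask (S_MEMORY=1, S_MISC=2, S_VARS=4, S_FILES=8, S_INCLUDE=16, S_SQL=32, S_EXECUTOR=64, S_MAIL=128, S_SESSION=256, S_ALL=511); the symbolic names are only usable when the patch is installed, which is why both spellings are shown. The log file path and the alert script path are placeholders.

```ini
; Added example: Suhosin logging configuration for php.ini.
; Assumes the Suhosin 0.9.x extension; the paths below are placeholders.

; --- Which alert classes go to syslog ---
; With the Suhosin patch installed the ini parser knows the S_* constants:
;   suhosin.log.syslog = S_ALL & ~S_SQL
; With the extension alone the constants are unknown, so write the number
; (511 - 32 = 479: every class except the experimental SQL checks).
suhosin.log.syslog = 479
; Facility and priority are integers whose mapping to syslog names is in the
; Suhosin configuration reference. The shipped defaults are shown commented out;
; change them only if your syslog routing needs a particular facility.
;suhosin.log.syslog.facility = 9
;suhosin.log.syslog.priority = 1

; --- A complete copy in a dedicated file, for grepping during rollout ---
suhosin.log.file = 511
suhosin.log.file.name = /var/log/php/suhosin.log
suhosin.log.file.time = On

; --- The SAPI error log (e.g. Apache's error_log) gets only the classes that
; usually mean a real attack, so the web server log stays readable:
; S_VARS (4) + S_INCLUDE (16) + S_EXECUTOR (64) = 84 ---
suhosin.log.sapi = 84

; --- stdout is only useful for CLI runs; nothing for web requests ---
suhosin.log.stdout = 0

; --- Run an external script for executor alerts only (e.g. to page on-call).
; Keep this mask small: the script is spawned once per matching alert, which an
; attacker can turn into a fork storm if every class triggers it. ---
suhosin.log.script = 64
suhosin.log.script.name = /usr/local/sbin/suhosin-alert.sh

; --- The "attacker" address in each alert is REMOTE_ADDR. Only take it from
; X-Forwarded-For if a trusted reverse proxy sets that header; otherwise the
; client chooses what your log says attacked you. ---
suhosin.log.use-x-forwarded-for = Off
```

The numeric bitmasks are what make the extension-only case workable: anything you would write with S_* constants can be written as the sum of the class values, and a comment next to the number keeps the intent readable for the next administrator.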

Executor Configurations

Executor options govern what the PHP executor is allowed to do, and they are where most of the active blocking of identified attacks happens.

Configurable options include the maximum nesting depth the executor allows before aborting a script (a guard against stack exhaustion crashes), a limit on directory traversal in include paths, whitelists and blacklists of URL schemes permitted in include and require statements (the classic defence against remote file inclusion), whether files writable by the PHP process may be included, and whitelists and blacklists of functions that may be called, including inside eval().

These are some of the executor options you can customize:

• suhosin.executor.max_depth: maximum execution nesting depth before the script is aborted; 0 disables the check
• suhosin.executor.include.max_traversal: how many ../ segments an include path may contain; 0 disables the check
• suhosin.executor.include.whitelist: URL schemes allowed in include and require
• suhosin.executor.include.blacklist: URL schemes refused in include and require
• suhosin.executor.include.allow_writable_files: whether files writable by the PHP process may be included
• suhosin.executor.func.whitelist: if set, the only functions that may be called
• suhosin.executor.func.blacklist: functions that may not be called
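An added example (not code from the original post or from the Suhosin project) of an executor configuration for a typical web application that never includes remote files and never needs the shell-spawning functions. It assumes the Suhosin 0.9.x extension. The function lists are illustrative and must be adjusted to what the application actually calls, which is exactly what simulation mode is for.

```ini
; Added example: Suhosin executor hardening for php.ini. Assumes Suhosin 0.9.x.

; Remote file inclusion: refuse URL schemes in include/require/include_once/require_once.
; The whitelist is left empty so that the blacklist applies.
suhosin.executor.include.whitelist =
suhosin.executor.include.blacklist = http,https,ftp,ftps,data,phar,compress.zlib

; Local file inclusion: at most two "../" in an include path ...
suhosin.executor.include.max_traversal = 2
; ... and never include a file the PHP process itself could have written
; (upload directories, caches), which is how an uploaded "image" becomes code.
suhosin.executor.include.allow_writable_files = Off

; Abort at this nesting depth instead of letting a recursive script exhaust the
; stack and crash the worker. 0 disables the check.
suhosin.executor.max_depth = 750

; Functions this application never calls legitimately. Matching is by function
; name. If a func.whitelist is set instead, only the listed functions may be
; called, so use one list or the other, not both.
suhosin.executor.func.blacklist = system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec,dl

; eval() is the usual second stage of an injection payload. Either disable it
; entirely (only if the application and its libraries never use it) ...
;suhosin.executor.disable_eval = On
; ... or keep it but forbid the dangerous functions inside eval()'d code.
suhosin.executor.eval.blacklist = include,include_once,require,require_once,eval,system,exec,passthru,shell_exec,popen,proc_open,create_function

; preg_replace() with the /e modifier evaluates the replacement as PHP code.
suhosin.executor.disable_emodifier = On
```

None of these directives removes an inclusion or injection bug from the application; they limit what an attacker who has found one can do with it. Deploy them first with suhosin.simulation = On and read the log before enforcing, because a legitimate call to a blacklisted function will otherwise fail silently from the user’s point of view.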

Miscellaneous Options

Beyond the groups described above, and the many further settings you will find in a deep dive into the configuration, there are miscellaneous options that do not belong to any particular group.

The suhosin.simulation option is the one new users should focus on first. It should be switched on when server administrators, site owners and application developers want to confirm that the hardening features will not break the PHP code already running on the server.

With this setting on, every violation detected is still logged accurately, but the blocking or dropping of the offending requests does not kick in while simulation mode is active. Simulation is a rollout and testing aid, not a permanent state: once the log is clean for legitimate traffic, switch it off, or Suhosin is only reporting.

Other miscellaneous options under this heading are worth a look for power users.
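The staged rollout that suhosin.simulation enables, written out as an added example (not from the original post): the full intended hardening configuration is deployed with simulation on, the log is watched, and only that one directive is flipped to enforce. It assumes the Suhosin 0.9.x extension; the log path is a placeholder, and the directives under test stand for whatever hardening you actually intend to enforce.

```ini
; Added example: staged rollout with suhosin.simulation. Assumes Suhosin 0.9.x.

; ---- Stage 1: deploy the *intended* hardening, but observe only ----
; Every directive below is evaluated on every request. Violations are logged
; (with the prefix ALERT-SIMULATION instead of ALERT) and nothing is blocked.
suhosin.simulation = On

; Log everything to a dedicated file so the simulation entries are easy to grep.
suhosin.log.file = 511
suhosin.log.file.name = /var/log/php/suhosin.log
suhosin.log.file.time = On

; The settings under test: whatever you plan to enforce.
suhosin.executor.func.blacklist = system,exec,passthru,shell_exec,popen,proc_open
suhosin.executor.include.blacklist = http,https,ftp,data
suhosin.post.max_vars = 200
suhosin.request.max_varname_length = 64

; ---- Stage 2: enforce ----
; When the log shows no ALERT-SIMULATION entries for legitimate traffic, and
; every remaining entry has been traced to a real attack or to a false positive
; you have fixed, change only this one line. Everything else stays as it was.
;suhosin.simulation = Off
```

Simulation is a single global switch, not a per-feature one: you cannot enforce one filter while simulating another on the same PHP instance. Roll out in rounds instead, and keep the log file from stage 1, since the same entries that told you what would break are the ones that tell you who was probing the application.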

SQL Injection Protections

The SQL injection features in this part of the Suhosin configuration are experimental and still under development.

They are therefore less reliable than the established options, but may still add some protection.

These options attempt to detect SQL injection, one of the most common attack classes against PHP applications, by checking queries heuristically as they are handed to the database functions. Explore them when configuring Suhosin, but understand that, being experimental, they may not behave as consistently as you expect, and that they are no substitute for parameterized queries in the application itself.

Transparent Encryption Options

Encryption is a large part of the security picture, and Suhosin offers several transparent encryption options that can be switched on or off.

Transparent session encryption (suhosin.session.encrypt) is on by default and can be turned off; transparent cookie encryption (suhosin.cookie.encrypt) is off by default and must be turned on explicitly. Related options such as the ones below control what is mixed into the encryption key and whether sessions are bound to the client address.

• suhosin.session.cryptdocroot: mix DOCUMENT_ROOT into the session key
• suhosin.session.cryptraddr: number of octets of the client address mixed into the session key (0 = none)
• suhosin.session.checkraddr: number of octets of the client address the session is bound to (0 = no check)
• suhosin.cookie.encrypt: enable cookie encryption
• suhosin.cookie.cryptkey: the cookie encryption key
• suhosin.cookie.cryptua: mix the User-Agent into the cookie key
• suhosin.cookie.cryptdocroot: mix DOCUMENT_ROOT into the cookie key
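An added example (not from the original post or the Suhosin project) of session and cookie encryption enabled together, with the trade-offs of each key ingredient noted. It assumes the Suhosin 0.9.x extension; both keys are placeholders.

```ini
; Added example: transparent session and cookie encryption. Assumes Suhosin 0.9.x.
; Both keys are placeholders: generate long random strings, keep them out of
; version control, and use the same keys on every server behind a load balancer,
; or sessions and cookies issued by one node are unreadable on the next.

; Session data is encrypted before it reaches the session store (On by default),
; so a neighbour on shared hosting who can read the session files learns nothing.
suhosin.session.encrypt = On
suhosin.session.cryptkey = "REPLACE-WITH-A-LONG-RANDOM-SECRET"
; Mix the User-Agent into the key: a stolen session id used from another browser
; decrypts to garbage. Cheap, but the header is attacker-settable, so treat it
; as a speed bump rather than a control.
suhosin.session.cryptua = On
; Mix DOCUMENT_ROOT into the key so vhosts on the same host cannot read each other's sessions.
suhosin.session.cryptdocroot = On
; Octets of the client IP mixed into the key / checked against the session.
; Anything above 0 logs out users whose address changes mid-session
; (mobile carriers, proxy pools, corporate NAT with several egress addresses).
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0

; Cookies are Off by default because an encrypted cookie cannot be read by
; JavaScript and is opaque to any non-PHP component that expects its value.
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "REPLACE-WITH-A-DIFFERENT-LONG-RANDOM-SECRET"
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
; Cookies that other components must still read are listed in the clear.
; The session id cookie is already covered by the session settings above.
suhosin.cookie.plainlist = PHPSESSID
```

Transparent encryption changes what a thief can do with captured data at rest or in transit; it does not change the application’s own session handling, so session fixation and missing regeneration on login still need fixing in code.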

Filtering Options

The filtering section has the most individual options, giving ample scope to control what input Suhosin filters and what it lets through.

These options can substantially change how Suhosin protects your environment, so be sure you understand what each adjustment does and how it interacts with filters you have already changed.

The defaults in this section already provide a good level of protection. Those wanting finer control will find it worthwhile to adjust some or all of them.
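An added example (not from the original post or the Suhosin project) of request filtering sized for a typical form-driven application. It assumes the Suhosin 0.9.x extension; the limits are illustrative and should be derived from the application’s real requests, which simulation mode reports.

```ini
; Added example: Suhosin request filtering for php.ini. Assumes Suhosin 0.9.x.

; What happens when a filter fires. Empty: the offending variable is dropped
; and the request continues, which is the least disruptive choice. An HTTP
; status code (e.g. 403) aborts the request with that status; a URL redirects
; the client to it.
suhosin.filter.action =

; Variable counts per source. Bounding these also limits the hash-collision
; style denial of service that PHP 5.3.9+ addresses with max_input_vars.
suhosin.get.max_vars = 50
suhosin.post.max_vars = 200
suhosin.cookie.max_vars = 20
suhosin.request.max_vars = 250

; Sizes: a GET value above a few hundred bytes is almost always a payload,
; whereas POST bodies legitimately carry free text.
suhosin.get.max_value_length = 512
suhosin.post.max_value_length = 65000
suhosin.request.max_varname_length = 64
suhosin.request.max_array_depth = 10
suhosin.request.max_array_index_length = 64

; Reject NUL bytes in variables and variable names that begin with whitespace;
; both are classic tricks for confusing parsers further down the stack.
suhosin.request.disallow_nul = On
suhosin.request.disallow_ws = On

; Uploads: how many files one request may carry, and refuse ELF executables.
; disallow_binary stays Off because legitimate images and PDFs are binary.
suhosin.upload.max_uploads = 5
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
```

A dropped variable is silent to the application, which is why an empty suhosin.filter.action is the safer choice during rollout: the request still completes, the alert lands in the log, and you can decide from the log whether the limit or the application needs changing.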