Every year new security vulnerabilities are found both in the PHP interpreter itself and in the applications written in it, and those flaws need to be patched, mitigated and hardened against. That is what the Suhosin patch and extension were built for: a protective layer for PHP installations that guards against known and unknown flaws in PHP applications and in the PHP core.
PHP is, by common estimates, the server-side language behind most of the web, so that attack surface is a large one. One caveat before going further: Suhosin targets the PHP 5 series (its last release, 0.9.38, supports up to PHP 5.6), and no stable version exists for PHP 7 or later, so it is an option for legacy installations only.
Suhosin does useful work with its defaults straight after installation, but it also exposes a large set of options you can tune to the needs of a particular deployment.
Almost all of them live in the php.ini file that already exists on your server (or in the per-extension ini file in the conf.d directory your distribution uses), so there is no separate configuration system to learn, which is simpler than some of the other hardening options available today.
Before going into individual options, it is worth being clear about what the Suhosin patch and the Suhosin extension each provide, because they are independent parts that can be used separately or together.
The patch is a small change to the PHP core that implements a few low-level protections the extension cannot (canaries for the Zend memory manager, protected hashtable and linked-list destructors, and protection against format string bugs in internal functions) together with logging of the violations it catches. The extension implements every other protection discussed below: the executor restrictions, request filtering, transparent session and cookie encryption and so on. One practical consequence of using the extension alone: the S_* alert-class constants (S_ALL, S_VARS, S_EXECUTOR and the rest) can only be used in php.ini when the patch is installed; without it you have to write the numeric values.
Make sure both parts of Suhosin are installed on your server and you will be ready to work through the sections below.
Logging Configurations
Suhosin's logging gives you a running record of every violation it detects (or, in simulation mode, would have blocked): which protection fired, which variable or file triggered it, and from which client address. That record is both a health check on the PHP environment at any point in time and the evidence you need to decide which entries are real attacks and which are legitimate application behaviour that needs an exception.
More than a dozen logging options can be set. They choose which alert classes are sent to which destination (syslog, the SAPI's own error log, stdout, a log file or an external script), the syslog facility and priority to use, and whether entries in the log file carry a timestamp (suhosin.log.file.time).
According to The Blog Starter, some of the logging options you can customize include, but are not limited to:
• suhosin.log.syslog
• suhosin.log.syslog.facility
• suhosin.log.syslog.priority
• suhosin.log.sapi
• suhosin.log.stdout
• suhosin.log.file
• suhosin.log.file.name
• suhosin.log.file.time
• suhosin.log.script
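As an added example (not from the original page or from the Suhosin project), here is a small Python triage script for the alert lines Suhosin writes through its SAPI or syslog logger. The log lines are constructed for this example and follow the line shape Suhosin uses, `ALERT - <message> (attacker '<ip>', file '<path>'[, line <n>])`, with `ALERT-SIMULATION` as the prefix while suhosin.simulation is on; the exact message wording of a given build may differ, which is the main assumption here. The script separates enforced from simulated alerts, groups them by client address and by the protection that fired, and pulls out blacklisted-function calls, the strongest sign that an uploaded script is already executing.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log, not captured from a real server. The lines mimic the
# shape Suhosin uses: "ALERT - <message> (attacker '<ip>', file '<path>'[, line <n>])",
# with "ALERT-SIMULATION" as the prefix while suhosin.simulation is on. The final
# line is an ordinary PHP notice and must be ignored by the parser.
SAMPLE_LOG = """\
[26-Feb-2012 10:01:02] PHP Warning:  ALERT - configured POST variable limit exceeded - dropped variable 'items[201]' (attacker '203.0.113.7', file '/var/www/html/wp-admin/nav-menus.php')
[26-Feb-2012 10:01:05] PHP Warning:  ALERT - Include filename ('http://203.0.113.9/x.txt') is an URL that is not allowed (attacker '198.51.100.23', file '/var/www/html/index.php', line 14)
[26-Feb-2012 10:01:06] PHP Warning:  ALERT - function within blacklist called: system() (attacker '198.51.100.23', file '/var/www/html/uploads/cache.php', line 2)
[26-Feb-2012 10:01:09] PHP Warning:  ALERT-SIMULATION - ASCII-NUL chars not allowed within request variables - dropped variable 'q' (attacker '198.51.100.23', file '/var/www/html/search.php')
[26-Feb-2012 10:02:00] PHP Notice:  Undefined index: foo in /var/www/html/index.php on line 3
"""

ALERT_RE = re.compile(
    r"(?P<kind>ALERT(?:-SIMULATION)?) - (?P<msg>.+?) "
    r"\(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)\s*$"
)
QUOTED_RE = re.compile(r"'[^']*'")


def parse_alert(line: str) -> Optional[Dict]:
    """Return the fields of one Suhosin alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    # The text before the first " - " names the protection that fired; masking the
    # quoted, attacker-controlled strings turns it into a stable category key.
    category = QUOTED_RE.sub("'*'", m.group("msg").split(" - ")[0])
    return {
        "simulated": m.group("kind") == "ALERT-SIMULATION",
        "category": category,
        "message": m.group("msg"),
        "ip": m.group("ip"),
        "file": m.group("file"),
        "line": int(m.group("line")) if m.group("line") else None,
    }


def triage(log_text: str, repeat_threshold: int = 2) -> Dict:
    """Summarise a Suhosin log: who, what, and which alerts were actually enforced."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    by_attacker = Counter(a["ip"] for a in alerts)
    return {
        "total": len(alerts),
        "simulated": sum(1 for a in alerts if a["simulated"]),
        "by_attacker": by_attacker,
        "by_category": Counter(a["category"] for a in alerts),
        "repeat_offenders": sorted(ip for ip, n in by_attacker.items() if n >= repeat_threshold),
        # An enforced blacklist hit from a file under the web root is the classic
        # signature of an uploaded web shell that Suhosin has just stopped.
        "blacklist_calls": [
            (a["ip"], a["file"], a["message"])
            for a in alerts
            if not a["simulated"] and a["category"].startswith("function within blacklist called")
        ],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} alerts, {summary['simulated']} in simulation mode")
    for ip, n in summary["by_attacker"].most_common():
        print(f"  {ip}: {n} alert(s)")
    for ip, path, msg in summary["blacklist_calls"]:
        print(f"  shell suspect: {path} via {ip}: {msg}")
```

Point it at the file named by suhosin.log.file.name, or grep the ALERT lines out of the web server's error log. The repeat-offender and blacklist-call lists are what you would hand to an incident response queue; the by-category counts tell you which limits legitimate traffic is tripping during a simulation run and therefore which settings need tuning before enforcement is switched on.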
Executor Configurations
Executor options are where Suhosin takes active measures: they constrain what a running script is allowed to do, which limits the damage an exploited script can cause.
Among them you can set the maximum nesting depth a script may reach before it is aborted (suhosin.executor.max_depth), cap the number of "../" segments allowed in an include filename (suhosin.executor.include.max_traversal), whitelist or blacklist the URL schemes an include may fetch from, which is a direct defence against remote file inclusion, refuse to include files that are writable by the PHP process so that an uploaded file cannot be pulled into the executor (suhosin.executor.include.allow_writable_files set to Off), and whitelist or blacklist the functions scripts may call, for example blocking system() or exec() on a server that has no business spawning processes.
These are the executor options you will most often find yourself customizing when you dive into the Suhosin settings:
• suhosin.executor.max_depth
• suhosin.executor.include.max_traversal
• suhosin.executor.include.whitelist
• suhosin.executor.include.blacklist
• suhosin.executor.include.allow_writable_files
• suhosin.executor.func.whitelist
• suhosin.executor.func.blacklist
Miscellaneous Options
On top of the option groups highlighted above, and the many more you will find in a full read of the Suhosin settings, there is a set of miscellaneous options that do not belong to any particular group.
suhosin.simulation is the one new users should focus on first. Turn it on when you, as a server administrator, site owner or web application developer, need to confirm that Suhosin's protections will not break PHP code already running on the server.
With simulation on, every violation is still detected and logged (the log prefix becomes ALERT-SIMULATION instead of ALERT), but nothing is blocked or dropped. Run that way long enough to cover the application's real traffic, tune whitelists and limits until the log is quiet, then switch simulation off and keep it off in production; a forgotten suhosin.simulation = On is a configuration that logs attacks while stopping none of them.
There are other miscellaneous options under this heading that power users will want to look into.
SQL Injection Protections
The options in this part of the Suhosin configuration are experimental and still marked as in development.
They are not as reliable as the established options, but they can still add some protection.
They deal specifically with SQL injection, one of the most common attacks on PHP applications. Look at them when configuring your Suhosin installation, but understand that because they are experimental they may not behave as consistently as you expect, and that they are no substitute for parameterized queries in the application itself.
Transparent Encryption Options
Encryption is a large part of the security picture whatever you are doing online, and Suhosin offers transparent encryption of session data and of cookies, each of which can be switched on or off.
Transparent session encryption (suhosin.session.encrypt) is on by default; transparent cookie encryption (suhosin.cookie.encrypt) is off by default, since client-side scripts would then see only ciphertext. The key for each is derived from the configured cryptkey and, optionally, from the client's User-Agent, the document root and a number of octets of the client's address, which is what the options below control. Two practical caveats: set suhosin.session.cryptkey and suhosin.cookie.cryptkey explicitly and use the same values on every node behind a load balancer, or sessions and cookies written by one server will be undecryptable on another; and mixing the client address into session handling (cryptraddr, checkraddr) logs out any user whose IP changes, which is common with mobile clients and proxies.
• suhosin.session.cryptdocroot
• suhosin.session.cryptraddr
• suhosin.session.checkraddr
• suhosin.cookie.encrypt
• suhosin.cookie.cryptkey
• suhosin.cookie.cryptua
• suhosin.cookie.cryptdocroot
Filtering Options
The filtering section has the most individual options of any group. They limit what request data is accepted: how many GET, POST, COOKIE and REQUEST variables a request may carry, how long a variable's name and value may be, how deeply arrays may nest, and whether NUL bytes or whitespace are allowed in variable names. Anything over a limit is dropped and an ALERT is logged.
These limits change how the whole Suhosin installation treats incoming requests, so be sure you understand each adjustment you make and how it interacts with the other filtering options you may already have changed.
The defaults are tight enough to protect most applications, but they are not invisible: suhosin.post.max_vars, for example, defaults to 200, and a large admin form can exceed it, after which the excess fields are silently dropped from $_POST (with an ALERT in the log) and the application saves only part of the submission. Those who want finer-grained control over the Suhosin environment will find it worthwhile to tune these settings to the application's real request shape, using the log from a simulation run as the guide.
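As an added example that is not part of the original page or of the Suhosin project, the following Python script checks a php.ini for the weak combinations of the settings discussed above: simulation mode left on, file logging with no file name, transparent session or cookie encryption enabled without an explicit cryptkey, and the client address mixed into session handling. The two php.ini fragments are constructed for the example; the small ini reader and the audit rules are my own and only judge settings that are explicitly present, so they do not model Suhosin's built-in defaults beyond suhosin.simulation = Off. The numeric 511 stands for S_ALL, written as a number because the S_* constants are only available in php.ini when the Suhosin patch is installed.

```python
from typing import Dict, List, Tuple

# Constructed php.ini fragments for this example; neither is taken from a real server.
# 511 is the documented value of S_ALL (every alert class), written numerically
# because the S_* constants need the Suhosin patch; verify it against your build.
WEAK_INI = """
[suhosin]
suhosin.simulation = On                 ; left over from the rollout test
suhosin.log.file = 511                  ; file logging switched on...
suhosin.log.file.name =                 ; ...but no path, so nothing is ever written
suhosin.session.encrypt = On
suhosin.session.cryptkey =              ; no explicit key configured
suhosin.session.cryptraddr = 4          ; key depends on the full client address
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey =
"""

HARDENED_INI = """
[suhosin]
suhosin.simulation = Off
suhosin.log.file = 511
suhosin.log.file.name = /var/log/php/suhosin.log
suhosin.session.encrypt = On
suhosin.session.cryptkey = "long-random-secret-identical-on-every-node"
suhosin.session.cryptraddr = 0
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "another-long-random-secret-identical-on-every-node"
"""

OFF_VALUES = ("", "0", "off", "no", "false", "none")


def parse_php_ini(text: str) -> Dict[str, str]:
    """Tiny php.ini reader: 'key = value' lines, ';' comments, [sections] and
    "quoted" values. Assumption: enough for suhosin.* lines; not PHP's full grammar."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def ini_enabled(value: str) -> bool:
    """True for On/Yes/True/1, a non-zero bitmask, or a constant expression such
    as 'S_ALL & ~S_SQL'; False for Off/No/False/None/0 and an empty value."""
    return value.strip().lower() not in OFF_VALUES


def ini_int(value: str) -> int:
    try:
        return int(value.strip())
    except ValueError:
        return 0


def audit_suhosin(settings: Dict[str, str], production: bool = True) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs. Only explicitly configured settings are judged;
    the one default assumed is suhosin.simulation = Off when the key is absent."""
    findings: List[Tuple[str, str]] = []

    if production and ini_enabled(settings.get("suhosin.simulation", "0")):
        findings.append(("suhosin.simulation",
                         "simulation mode is On: violations are logged but nothing is blocked"))

    if ini_enabled(settings.get("suhosin.log.file", "0")) and not settings.get("suhosin.log.file.name"):
        findings.append(("suhosin.log.file.name",
                         "file logging is enabled but no file name is set; alerts are lost"))

    for scope in ("session", "cookie"):
        if ini_enabled(settings.get(f"suhosin.{scope}.encrypt", "0")) and not settings.get(f"suhosin.{scope}.cryptkey"):
            findings.append((f"suhosin.{scope}.cryptkey",
                             f"{scope} encryption is On without an explicit key; set a long random "
                             "secret and use the identical value on every node"))

    for opt in ("cryptraddr", "checkraddr"):
        if ini_int(settings.get(f"suhosin.session.{opt}", "0")) > 0:
            findings.append((f"suhosin.session.{opt}",
                             "client address is mixed into session handling; users whose IP "
                             "changes (mobile clients, proxies) are logged out"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        findings = audit_suhosin(parse_php_ini(ini))
        print(f"{label}: {len(findings)} finding(s)")
        for setting, problem in findings:
            print(f"  {setting}: {problem}")
```

Run it against the real php.ini (and any conf.d fragment) as a deployment check; pass production=False for the staging host where simulation mode is legitimately on. The rules are deliberately limited to the settings this page covers, so extend the audit function rather than trusting an empty result as a clean bill of health.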