Step of installation for Suhosin: 1. Download suhosin and install it #cd /usr/local/ #wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz #tar -zxvf suhosin-0.9.18.tgz #cd suhosin-0.9.18 #phpize #./configure #make && make install 2. Adding a load directive to php.ini extension=suhosin.so [suhosin] suhosin.get.max_value_length = 5120 3. Restart apache service #/etc/init.d/httpd restart
Configuration
Logging Configuration suhosin.log.syslog suhosin.log.syslog.facility suhosin.log.syslog.priority suhosin.log.sapi suhosin.log.script suhosin.log.phpscript suhosin.log.script.name suhosin.log.phpscript.name suhosin.log.use-x-forwarded-for Executor Options suhosin.executor.max_depth suhosin.executor.include.max_traversal suhosin.executor.include.whitelist suhosin.executor.include.blacklist suhosin.executor.func.whitelist suhosin.executor.func.blacklist suhosin.executor.eval.whitelist suhosin.executor.eval.blacklist suhosin.executor.disable_eval suhosin.executor.disable_emodifier suhosin.executor.allow_symlink Misc Options suhosin.simulation suhosin.apc_bug_workaround suhosin.sql.bailout_on_error suhosin.sql.user_prefix suhosin.sql.user_postfix suhosin.multiheader suhosin.mail.protect suhosin.memory_limit Transparent Encryption Options suhosin.session.encrypt suhosin.session.cryptkey suhosin.session.cryptua suhosin.session.cryptdocroot suhosin.session.cryptraddr suhosin.session.checkraddr suhosin.cookie.encrypt suhosin.cookie.cryptkey suhosin.cookie.cryptua suhosin.cookie.cryptdocroot suhosin.cookie.cryptraddr suhosin.cookie.checkraddr suhosin.cookie.cryptlist suhosin.cookie.plainlist Filtering Options suhosin.filter.action suhosin.cookie.max_array_depth suhosin.cookie.max_array_index_length suhosin.cookie.max_name_length suhosin.cookie.max_totalname_length suhosin.cookie.max_value_length suhosin.cookie.max_vars suhosin.cookie.disallow_nul suhosin.get.max_array_depth suhosin.get.max_array_index_length suhosin.get.max_name_length suhosin.get.max_totalname_length suhosin.get.max_value_length suhosin.get.max_vars suhosin.get.disallow_nul suhosin.post.max_array_depth suhosin.post.max_array_index_length suhosin.post.max_name_length suhosin.post.max_totalname_length suhosin.post.max_value_length suhosin.post.max_vars suhosin.post.disallow_nul suhosin.request.max_array_depth suhosin.request.max_array_index_length suhosin.request.max_totalname_length suhosin.request.max_value_length suhosin.request.max_vars suhosin.request.max_varname_length suhosin.request.disallow_nul suhosin.upload.max_uploads suhosin.upload.disallow_elf suhosin.upload.disallow_binary suhosin.upload.remove_binary suhosin.upload.verification_script suhosin.session.max_id_length
suhosin有三个选项控制eval
suhosin.executor.eval.whitelist 白名单 suhosin.executor.eval.blacklist 黑名单 suhosin.executor.disable_eval 禁用eval 很多程序需要eval,所以我们不能禁用,使用黑名单禁止一些危险的函数 编辑php.ini [Suhosin] suhosin.executor.eval.blacklist=phpinfo,fputs,fopen,fwrite 根据实际情况自行设定
包含漏洞
suhosin.executor.include.max_traversal 包含的最大目录深度,在包含的文件名中有多少个../就禁止,例如值为2时,../../etc/passwd会禁止,值为3则允许,对于大多数程序,这个值设为4或5比较合适 suhosin.executor.include.whitelist 允许包含的URL,用逗号分隔 suhosin.executor.include.blacklist 禁止包含的URL,用逗号分隔
上传漏洞
suhosin.upload.max_uploads suhosin.upload.disallow_elf suhosin.upload.disallow_binary suhosin.upload.remove_binary suhosin.upload.verification_script 上传文件检查脚本 可以自己写一个脚本检查上传文件是否有webshell特征,然后suhosin.upload.verification_script 的值是这个脚本的绝对路径
其他更深入的防护措施,还有待研究,参考suhosin选项 http://www.hardened-php.net/suhosin/configuration.html
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。
