Home | Mirror | Search

15. Suhosin

		
Step of installation for Suhosin:
1. Download suhosin and install it
#cd /usr/local/
#wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz
#tar -zxvf suhosin-0.9.18.tgz
#cd suhosin-0.9.18
#phpize
#./configure
#make && make install
2. Adding a load directive to php.ini
extension=suhosin.so
[suhosin]
suhosin.get.max_value_length = 5120
3. Restart apache service
#/etc/init.d/httpd restart
		
		

Configuration

Logging Configuration
suhosin.log.syslog
suhosin.log.syslog.facility
suhosin.log.syslog.priority
suhosin.log.sapi
suhosin.log.script
suhosin.log.phpscript
suhosin.log.script.name
suhosin.log.phpscript.name
suhosin.log.use-x-forwarded-for
Executor Options
suhosin.executor.max_depth
suhosin.executor.include.max_traversal
suhosin.executor.include.whitelist
suhosin.executor.include.blacklist
suhosin.executor.func.whitelist
suhosin.executor.func.blacklist
suhosin.executor.eval.whitelist
suhosin.executor.eval.blacklist
suhosin.executor.disable_eval
suhosin.executor.disable_emodifier
suhosin.executor.allow_symlink
Misc Options
suhosin.simulation
suhosin.apc_bug_workaround
suhosin.sql.bailout_on_error
suhosin.sql.user_prefix
suhosin.sql.user_postfix
suhosin.multiheader
suhosin.mail.protect
suhosin.memory_limit
Transparent Encryption Options
suhosin.session.encrypt
suhosin.session.cryptkey
suhosin.session.cryptua
suhosin.session.cryptdocroot
suhosin.session.cryptraddr
suhosin.session.checkraddr
suhosin.cookie.encrypt
suhosin.cookie.cryptkey
suhosin.cookie.cryptua
suhosin.cookie.cryptdocroot
suhosin.cookie.cryptraddr
suhosin.cookie.checkraddr
suhosin.cookie.cryptlist
suhosin.cookie.plainlist
Filtering Options
suhosin.filter.action
suhosin.cookie.max_array_depth
suhosin.cookie.max_array_index_length
suhosin.cookie.max_name_length
suhosin.cookie.max_totalname_length
suhosin.cookie.max_value_length
suhosin.cookie.max_vars
suhosin.cookie.disallow_nul
suhosin.get.max_array_depth
suhosin.get.max_array_index_length
suhosin.get.max_name_length
suhosin.get.max_totalname_length
suhosin.get.max_value_length
suhosin.get.max_vars
suhosin.get.disallow_nul
suhosin.post.max_array_depth
suhosin.post.max_array_index_length
suhosin.post.max_name_length
suhosin.post.max_totalname_length
suhosin.post.max_value_length
suhosin.post.max_vars
suhosin.post.disallow_nul
suhosin.request.max_array_depth
suhosin.request.max_array_index_length
suhosin.request.max_totalname_length
suhosin.request.max_value_length
suhosin.request.max_vars
suhosin.request.max_varname_length
suhosin.request.disallow_nul
suhosin.upload.max_uploads
suhosin.upload.disallow_elf
suhosin.upload.disallow_binary
suhosin.upload.remove_binary
suhosin.upload.verification_script
suhosin.session.max_id_length
		

suhosin有三個選項控制eval

suhosin.executor.eval.whitelist        白名單
suhosin.executor.eval.blacklist        黑名單
suhosin.executor.disable_eval        禁用eval
很多程序需要eval,所以我們不能禁用,使用黑名單禁止一些危險的函數
編輯php.ini
[Suhosin]
suhosin.executor.eval.blacklist=phpinfo,fputs,fopen,fwrite
根據實際情況自行設定
		

包含漏洞

suhosin.executor.include.max_traversal        包含的最大目錄深度,在包含的檔案名中有多少個../就禁止,例如值為2時,../../etc/passwd會禁止,值為3則允許,對於大多數程序,這個值設為4或5比較合適
suhosin.executor.include.whitelist        允許包含的URL,用逗號分隔
suhosin.executor.include.blacklist        禁止包含的URL,用逗號分隔
		

上傳漏洞

suhosin.upload.max_uploads
suhosin.upload.disallow_elf
suhosin.upload.disallow_binary
suhosin.upload.remove_binary
suhosin.upload.verification_script        上傳檔案檢查腳本
可以自己寫一個腳本檢查上傳檔案是否有webshell特徵,然後suhosin.upload.verification_script 的值是這個腳本的絶對路徑
		

其他更深入的防護措施,還有待研究,參考suhosin選項 http://www.hardened-php.net/suhosin/configuration.html

comments powered by Disqus