Home | Mirror | Search |
Step of installation for Suhosin: 1. Download suhosin and install it #cd /usr/local/ #wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz #tar -zxvf suhosin-0.9.18.tgz #cd suhosin-0.9.18 #phpize #./configure #make && make install 2. Adding a load directive to php.ini extension=suhosin.so [suhosin] suhosin.get.max_value_length = 5120 3. Restart apache service #/etc/init.d/httpd restart
Configuration
Logging Configuration suhosin.log.syslog suhosin.log.syslog.facility suhosin.log.syslog.priority suhosin.log.sapi suhosin.log.script suhosin.log.phpscript suhosin.log.script.name suhosin.log.phpscript.name suhosin.log.use-x-forwarded-for Executor Options suhosin.executor.max_depth suhosin.executor.include.max_traversal suhosin.executor.include.whitelist suhosin.executor.include.blacklist suhosin.executor.func.whitelist suhosin.executor.func.blacklist suhosin.executor.eval.whitelist suhosin.executor.eval.blacklist suhosin.executor.disable_eval suhosin.executor.disable_emodifier suhosin.executor.allow_symlink Misc Options suhosin.simulation suhosin.apc_bug_workaround suhosin.sql.bailout_on_error suhosin.sql.user_prefix suhosin.sql.user_postfix suhosin.multiheader suhosin.mail.protect suhosin.memory_limit Transparent Encryption Options suhosin.session.encrypt suhosin.session.cryptkey suhosin.session.cryptua suhosin.session.cryptdocroot suhosin.session.cryptraddr suhosin.session.checkraddr suhosin.cookie.encrypt suhosin.cookie.cryptkey suhosin.cookie.cryptua suhosin.cookie.cryptdocroot suhosin.cookie.cryptraddr suhosin.cookie.checkraddr suhosin.cookie.cryptlist suhosin.cookie.plainlist Filtering Options suhosin.filter.action suhosin.cookie.max_array_depth suhosin.cookie.max_array_index_length suhosin.cookie.max_name_length suhosin.cookie.max_totalname_length suhosin.cookie.max_value_length suhosin.cookie.max_vars suhosin.cookie.disallow_nul suhosin.get.max_array_depth suhosin.get.max_array_index_length suhosin.get.max_name_length suhosin.get.max_totalname_length suhosin.get.max_value_length suhosin.get.max_vars suhosin.get.disallow_nul suhosin.post.max_array_depth suhosin.post.max_array_index_length suhosin.post.max_name_length suhosin.post.max_totalname_length suhosin.post.max_value_length suhosin.post.max_vars suhosin.post.disallow_nul suhosin.request.max_array_depth suhosin.request.max_array_index_length suhosin.request.max_totalname_length suhosin.request.max_value_length suhosin.request.max_vars suhosin.request.max_varname_length suhosin.request.disallow_nul suhosin.upload.max_uploads suhosin.upload.disallow_elf suhosin.upload.disallow_binary suhosin.upload.remove_binary suhosin.upload.verification_script suhosin.session.max_id_length
suhosin有三個選項控制eval
suhosin.executor.eval.whitelist 白名單 suhosin.executor.eval.blacklist 黑名單 suhosin.executor.disable_eval 禁用eval 很多程序需要eval,所以我們不能禁用,使用黑名單禁止一些危險的函數 編輯php.ini [Suhosin] suhosin.executor.eval.blacklist=phpinfo,fputs,fopen,fwrite 根據實際情況自行設定
包含漏洞
suhosin.executor.include.max_traversal 包含的最大目錄深度,在包含的檔案名中有多少個../就禁止,例如值為2時,../../etc/passwd會禁止,值為3則允許,對於大多數程序,這個值設為4或5比較合適 suhosin.executor.include.whitelist 允許包含的URL,用逗號分隔 suhosin.executor.include.blacklist 禁止包含的URL,用逗號分隔
上傳漏洞
suhosin.upload.max_uploads suhosin.upload.disallow_elf suhosin.upload.disallow_binary suhosin.upload.remove_binary suhosin.upload.verification_script 上傳檔案檢查腳本 可以自己寫一個腳本檢查上傳檔案是否有webshell特徵,然後suhosin.upload.verification_script 的值是這個腳本的絶對路徑
其他更深入的防護措施,還有待研究,參考suhosin選項 http://www.hardened-php.net/suhosin/configuration.html